
IPSEC site-to-site VPN is up, but no traffic passing

Hi there, 

I have been working on this for a couple of days and not getting anywhere. 

I have created an IPSEC site-to-site between two Sophos UTMs (an SG330 and SG105), both on version 9.355-1 firmware. 

The IPSEC tunnel says it is up, but it does not look like any traffic is able to pass through. I actually have managed to get traffic through on two occasions with a successful ping test from a computer in the remote network to the HQ network, but this happened randomly and on both occasions stopped working within 5 minutes. 

I can create an SSL site-to-site VPN and that comes up instantly and traffic appears to flow correctly between sites (ping and RDP tests), so I'm thinking I can rule out routing issues and narrow the problem down to the IPSEC tunnel itself. 

A summary of my setup: 

HQ Office (SG330)
internal private lans: 10.1.0.0/16 and 10.10.0.0/16
WAN interface: 220.x.y.z

Remote Gateway settings on HQ SG330 UTM: 
Name: Branch
Gateway type: Initiate Connection
Gateway: 115.x.y.z
Auth Type: Preshared Key
Remote networks: 10.25.0.0/16

Connection settings on HQ SG330 UTM: 
Name: BranchConnect
Remote Gateway: Branch
Local Interface: External (220.x.y.234)
Policy: AES-128
Local Networks: 10.1.0.0/16 and 10.10.0.0/16
Automatic firewall rules checked
</gm_replace>
<gr_replace lines="39" cat="clarify" orig="WAN interface: 115.x.y.z (this is a PPOE">
WAN interface: 115.x.y.z (this is a PPPoE negotiated DSL connection, but the IP address remains the same)

Remote Office (SG105)
Internal private lan: 10.25.0.0/16
WAN interface: 115.x.y.z (this is a PPOE negotiated dsl connection, but the IP address remains the same)

Remote Gateway settings on Remote SG105 UTM: 
Name: HQ
Gateway type: Respond Only
Auth Type: Preshared Key
Remote networks: 10.1.0.0/16 and 10.10.0.0/16

Connection settings on Remote SG105 UTM: 
Name: HQConnect
Remote Gateway: HQ
Local Interface: External (115.x.y.116)
Policy: AES-128
Local Networks: 10.25.0.0/16
Automatic firewall rules checked

Also, as above, having the remote office as the responder and the HQ office as the initiator is the only way I can get the tunnel to come up. Not sure why that is the case. 

I have also played around with many different setting options (e.g. use Strict Routing, Bind tunnel to local interface, etc.), but nothing seems to help. I always end up where I am now - the tunnel comes up, but no traffic seems to be going through the tunnel (can't ping, can't RDP). 

Any help will be greatly appreciated. 

regards, 

Patrick
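As an added example (not from the thread and not Sophos code), a small Python check of the Phase 2 selectors the post lists above: each side's Remote Networks must mirror the other side's Local Networks, a side's local and remote selectors must not overlap, and a packet only enters the tunnel on a given end if its source matches a local selector and its destination a remote one. The `IpsecEnd` class, `check_selectors`, `tunnelled` and the sample values are constructed from the post's addresses, not read from any UTM.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class IpsecEnd:
    """Phase 2 selectors of one side of a site-to-site connection (constructed)."""
    name: str
    local: list    # "Local Networks" on this UTM's connection
    remote: list   # "Remote Networks" on the matching remote gateway definition


def _nets(cidrs):
    # strict=True: a selector with host bits set (e.g. 10.25.0.1/16) is itself a
    # configuration error, so it raises ValueError instead of being normalised.
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def check_selectors(a, b):
    """Return a list of problems; an empty list means the two ends mirror correctly."""
    problems = []
    a_local, a_remote = _nets(a.local), _nets(a.remote)
    b_local, b_remote = _nets(b.local), _nets(b.remote)
    # Each side's remote networks must equal the other side's local networks. With a
    # partial mismatch the tunnel can still show as up (one child SA negotiates) while
    # traffic for the subnet missing on one end never matches an SA and is dropped.
    for x, x_remote, y, y_local in ((a, a_remote, b, b_local), (b, b_remote, a, a_local)):
        if set(x_remote) != set(y_local):
            problems.append(f"{x.name} remote {sorted(map(str, x_remote))} "
                            f"!= {y.name} local {sorted(map(str, y_local))}")
    # A side's local and remote selectors must not overlap, or routing is ambiguous.
    for end, local, remote in ((a, a_local, a_remote), (b, b_local, b_remote)):
        for l in local:
            for r in remote:
                if l.overlaps(r):
                    problems.append(f"{end.name}: local {l} overlaps remote {r}")
    return problems


def tunnelled(end, src, dst):
    """True if END would send a SRC->DST packet into the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in l for l in _nets(end.local)) and any(d in r for r in _nets(end.remote))


# Constructed sample mirroring the thread's setup (HQ SG330 and branch SG105).
HQ = IpsecEnd("HQ", ["10.1.0.0/16", "10.10.0.0/16"], ["10.25.0.0/16"])
BRANCH = IpsecEnd("Branch", ["10.25.0.0/16"], ["10.1.0.0/16", "10.10.0.0/16"])
# Constructed mistake: the branch end omits HQ's second subnet.
BRANCH_BAD = IpsecEnd("Branch", ["10.25.0.0/16"], ["10.1.0.0/16"])

if __name__ == "__main__":
    print(check_selectors(HQ, BRANCH))                      # []
    print(check_selectors(HQ, BRANCH_BAD))                  # one mismatch reported
    print(tunnelled(BRANCH_BAD, "10.25.1.5", "10.10.0.7"))  # False: reply bypasses tunnel
```

Running it against the mis-mirrored branch shows the failure mode a "green" tunnel hides: HQ's 10.10.0.0/16 hosts can send into the tunnel, but the branch never sends the replies back through it.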



  • Hi Patrick,

    Reconfigure the IPSec policy on both ends. Post a screenshot of the configuration and let us know if the traffic is forwarded through either end via IPSec. To monitor the packet communication for the IPSec tunnel, refer to https://community.sophos.com/kb/en-US/115702 .

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi Sachin, 

    Apologies for the late reply. I did not receive an email notification that a response had been posted, so I didn't read your reply until today. 

    An update of where this problem is at: 

    I have a case open with your tech support team and it is ongoing now for some time.

    I updated to the latest firmware on both UTMs (9.405-5) and reconfigured the gateways and connections on both ends. We know my config works because it does connect and traffic does flow sometimes. And it actually can work consistently at times. It can work all day, with me disconnecting and re-connecting several times without issue. 

    However it will still randomly show the original problem (tunnel comes up, but no traffic allowed through). I have tried to get your tech team to log in remotely and see it in action, but unfortunately they haven't had the chance as yet. 

    So at this point: 

    - we know the config is correct as it does work sometimes
    - the problem still randomly happens (the tunnel will come up but no traffic whatsoever will go through from either end)
    - when it does happen, there doesn't seem to be a way to get it to behave again (have tried reboots, disconnects, reconnects, etc.). I just leave it for a few hours or until the next day and then find it suddenly works again. 
    - the problem does not happen with SSL tunnels (they come up and allow traffic every single time I have tested)

    If you have any other suggestions, please let me know. This problem is a weird one, and I suspect it will take a while to figure out, so any help will be much appreciated. 

    regards, 

    Patrick

  • Hi Patrick, 

    We regret the poor experience you had with Support. Can you please provide me with the case# so I can take a look at the history and try to find the required solution?

    Meanwhile, go to IPSec > Debug and select the IKE Debugging flags. Check the logs for any suspicious information captured around the disconnection over IPSec; you can also send me an instance of the debug logs when you face the disconnection. I would like to look into the logs from both ends, HO and BO. 

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hi Sachin, 

    The case number is #6417303. Yesterday I did manage to get a call from another tech (funnily enough not long after I posted here). He did make quite a few log captures of things he thought would be useful and has gone away to look them over. The first level tech that responded also took a number of log captures as well. So I would say you should be able to see quite a lot of captures in the case history. 

    regards, 

    Patrick

  • Hi Patrick,

    The case is with the escalation team and the engineer can call you between 8am and 6pm AEST, Mon-Fri. Please drop a mail about your availability so that he can reach you. I am following up on the case#.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hi Sachin, 

    Yes, thanks. I am aware that it has been escalated and have given them my availability. 

    Just to update you with the latest development (and I will try to continue updating here in case other people have similar issues): 

    I've had to roll ahead with my project and put the remote UTM into production. The site-to-site is connected with an SSL VPN which seems to be doing ok. We would much rather have it on IPSEC so I will continue with trying to get this issue resolved. With both units now in production sites, it will make it a lot harder to troubleshoot and give your engineers access, but we could not wait as there is no predictable time frame for a solution. 

    We do have a standby UTM which I can use to recreate the issue with another branch site. I will most likely set that up and use that when Sophos engineers get in touch. I will give them all these same details so they know what has changed since the start of this case. 

  • Patrick, you commented that IPS was off.  Did you actually look at the logs recommended in my post that Sachin linked to?

    The only thing that Premium UTM Support buys you is the ability to open a Support Ticket yourself and to be able to call Support to open a ticket.  "Premium Sophos Support" that offers the kind of response that you wanted is over US$10K per year.  Sophos doesn't make this clear and most uninformed Sophos resellers aren't aware of the expensive service.

    None of my clients uses the ability to open their own support tickets - they all call/email me.  For no extra charge, I look at their box and then open a ticket with Sophos Support.  If I can immediately resolve the issue in the time it normally takes to open a ticket, I do so for no extra charge.  I estimate that this "costs" me less than 15 minutes per year per client.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA

  • Hi Bob, 

    Yes. I actually did. I have spent many hours on this, as have 2 separate techs from Sophos. Where it stands now is that I think they suspect it is a 'bug' of some sort, as they have mentioned that they have had similar reports and there is also apparently a 'defect report' against the latest firmware with very similar descriptions. 

    I sense that you felt the need to come to Sophos' defence - let me assure you that I am not here to bad-mouth anybody. I have something broken and am just trying to find a resolution. I do believe using the word "premium" was a poor choice of words for what I would consider "standard" support, but that is just one person's opinion. At times, frustration gets the better of me, but I believe I have done well to bite my tongue. At the end of the day, Sophos' devices are still amazing products. To have one device that can do so many roles and functions is impressive. For any IT tool though, reliability and support are just as important as any technology feature (again, this is just one person's opinion). Perhaps this will come in time as the product gets refined. For me personally, this experience means it falls short. Otherwise I suspect I would be singing their praises much like yourself. 

  • I think we agree more than you thought, Patrick.  I think basic "Premium" support is worthless if you have a competent reseller, and agree that the marketing team has let Sophos down by failing to clarify what people are buying.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Was there ever a resolution to this issue... I have seen it occur twice in my space, this now being the second occurrence... No configuration changes, no upgrades, the site-to-site IPsec tunnel just stops passing traffic. I am green/connected on both sides. I can ping from one site and I see it go out and touch the other site (in the live log) but it never gets to the destination. And if I reverse that and ping from the destination back, I see it ONLY in the remote site's live log...

    Was there a bug and, if so, was it ever fixed...

    TIA

  • I just remembered how I fixed this the first time and was able to fix it again... EXTREMELY odd issue... My PPPoE device is set up as a bridge, and even though the IPSEC connection is established with no issues from site to site, there is still something in the bridge that is preventing the communication, an MTU issue maybe... I reset the bridge at the remote location and everything is working again, but again it's bridged, so it might as well be a switch...

    So you would think, when the tunnel is established, all the communications would ride over the tunnel, but there is something in the bridge that, even though the traffic is encapsulated, impacts it...

    Couldn't find it earlier, but here is my first post of the issue: https://community.sophos.com/products/unified-threat-management/f/vpn-site-to-site-and-remote-access/101844/site-to-site-ipsec-suddenly-stopped-passing-traffic

  • Hi Brian, 

    Unfortunately, no 'resolution' to the IPSEC issue, as I did not have unlimited time to work on it and needed a working solution. I ended up switching to an SSL site-to-site tunnel and that has been working solidly since. I would have preferred the IPSEC tunnel, but at the end of the day, for what our business needs, the SSL is serving fine. 

    It was a while ago and I can't remember exactly everything that was tried, but I did put a lot of work into it. We don't use a PPPoE connection for our WAN, but we do have our provider's metro-ethernet equipment attached to our WAN interface - we don't have config access to that, but I'm pretty sure I did check with them at the time and they assured me it was simply doing the routing. Also tried rebooting all equipment at both ends. Also tried playing around with MTU settings to rule that out as being the issue. 

    I have been wanting to completely wipe the UTMs and clean-build them with the latest stable firmware, load our firewall config and then try an IPSEC tunnel again, but unfortunately time does not permit. I wanted to try this approach as we had suspicions that this, for whatever reason, might be connected to firmware upgrades being applied over an existing config. Maybe one day. 
