
IPSec VPN with Meraki MX "disconnects"

Our IPSec VPN connection between a Sophos UTM (server) and Cisco Meraki MX (client) used to work just fine, but we didn't use it for a few weeks while testing a security appliance. Now that we have switched it back on, it keeps "disconnecting" every 12 hours or so. Well, I am not sure if I should actually say "disconnecting" because both appliances claim that the connection is up. However, it is not possible to ping any devices.

Here is a copy of the UTM log:

2017:12:17-17:58:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #30: initiating Main Mode to replace #23
2017:12:17-17:58:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #30: received Vendor ID payload [XAUTH]
2017:12:17-17:58:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #30: ignoring Vendor ID payload [Cisco-Unity]
2017:12:17-17:58:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #30: received Vendor ID payload [RFC 3947]
2017:12:17-17:58:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #30: received Vendor ID payload [Dead Peer Detection]
2017:12:17-17:58:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #30: enabling possible NAT-traversal with method 3
2017:12:17-17:58:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #30: NAT-Traversal: Result using RFC 3947: no NAT detected
2017:12:17-17:58:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #30: received Vendor ID payload [Dead Peer Detection]
2017:12:17-17:58:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #30: Peer ID is ID_IPV4_ADDR: '108.xxx.xxx.xxx'
2017:12:17-17:58:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #30: Dead Peer Detection (RFC 3706) enabled
2017:12:17-17:58:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #30: ISAKMP SA established
2017:12:17-22:51:17 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #31: responding to Quick Mode
2017:12:17-22:51:17 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #31: IPsec SA established {ESP=>0x054606b6 <0x1aeff575 DPD}
2017:12:17-22:51:33 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #32: responding to Quick Mode
2017:12:17-22:51:33 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #32: IPsec SA established {ESP=>0x0a623787 <0x6836e0ac DPD}
2017:12:18-00:22:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #33: initiating Main Mode to replace #27
2017:12:18-00:22:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #33: received Vendor ID payload [XAUTH]
2017:12:18-00:22:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #33: ignoring Vendor ID payload [Cisco-Unity]
2017:12:18-00:22:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #33: received Vendor ID payload [RFC 3947]
2017:12:18-00:22:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #33: received Vendor ID payload [Dead Peer Detection]
2017:12:18-00:22:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #33: enabling possible NAT-traversal with method 3
2017:12:18-00:22:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #33: NAT-Traversal: Result using RFC 3947: no NAT detected
2017:12:18-00:22:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #33: received Vendor ID payload [Dead Peer Detection]
2017:12:18-00:22:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #33: Peer ID is ID_IPV4_ADDR: '108.xxx.xxx.xxx'
2017:12:18-00:22:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #33: Dead Peer Detection (RFC 3706) enabled
2017:12:18-00:22:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #33: ISAKMP SA established
2017:12:18-01:48:30 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #34: initiating Main Mode to replace #30
2017:12:18-01:48:30 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #34: received Vendor ID payload [XAUTH]
2017:12:18-01:48:30 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #34: ignoring Vendor ID payload [Cisco-Unity]
2017:12:18-01:48:30 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #34: received Vendor ID payload [RFC 3947]
2017:12:18-01:48:30 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #34: received Vendor ID payload [Dead Peer Detection]
2017:12:18-01:48:30 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #34: enabling possible NAT-traversal with method 3
2017:12:18-01:48:30 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #34: NAT-Traversal: Result using RFC 3947: no NAT detected
2017:12:18-01:48:30 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #34: received Vendor ID payload [Dead Peer Detection]
2017:12:18-01:48:30 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #34: Peer ID is ID_IPV4_ADDR: '108.xxx.xxx.xxx'
2017:12:18-01:48:30 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #34: Dead Peer Detection (RFC 3706) enabled
2017:12:18-01:48:30 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #34: ISAKMP SA established
2017:12:18-05:15:17 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #35: responding to Quick Mode
2017:12:18-05:15:17 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #35: IPsec SA established {ESP=>0x008ba779 <0x8549f156 DPD}
2017:12:18-05:15:33 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #36: responding to Quick Mode
2017:12:18-05:15:33 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #36: IPsec SA established {ESP=>0x00aef0e8 <0xfc15c757 DPD}
2017:12:18-08:12:32 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #37: initiating Main Mode to replace #33
2017:12:18-08:12:32 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #37: received Vendor ID payload [XAUTH]
2017:12:18-08:12:32 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #37: ignoring Vendor ID payload [Cisco-Unity]
2017:12:18-08:12:32 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #37: received Vendor ID payload [RFC 3947]
2017:12:18-08:12:32 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #37: received Vendor ID payload [Dead Peer Detection]
2017:12:18-08:12:32 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #37: enabling possible NAT-traversal with method 3
2017:12:18-08:12:32 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #37: NAT-Traversal: Result using RFC 3947: no NAT detected
2017:12:18-08:12:32 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #37: received Vendor ID payload [Dead Peer Detection]
2017:12:18-08:12:32 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #37: Peer ID is ID_IPV4_ADDR: '108.xxx.xxx.xxx'
2017:12:18-08:12:32 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #37: Dead Peer Detection (RFC 3706) enabled
2017:12:18-08:12:32 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #37: ISAKMP SA established

I have reset the connection at 8:12:32 in the morning.

 

And, here is a copy of the Cisco Meraki log (newest first):

12/18/2017 8:46        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=3954588980(0xebb63d34)"
12/18/2017 8:46        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=158523040(0x972dea0)"
12/18/2017 8:46        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 8:46        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=2089720425(0x7c8e9a69)"
12/18/2017 8:46        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=230688225(0xdc005e1)"
12/18/2017 8:46        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 8:46        Non-Meraki / Client VPN negotiation    "msg: ISAKMP-SA established 108.xxx.xxx.xxx[4500]-192.198.xxx.xxx[4500] spi:b9b1494c9a66dc21:b9e76dfea26a140f"
12/18/2017 8:46        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 1 negotiation: 108.xxx.xxx.xxx[500]<=>192.198.xxx.xxx[500]"
12/18/2017 8:46        Non-Meraki / Client VPN negotiation    "msg: phase1 negotiation failed due to time up. 3336d6acd6937d2d:ad0171cbc22a8d42"
12/18/2017 8:46        Non-Meraki / Client VPN negotiation    "msg: ignore information because ISAKMP-SA has not been established yet."
12/18/2017 8:46        Non-Meraki / Client VPN negotiation    "msg: phase2 negotiation failed due to time up waiting for phase1. ESP 192.198.xxx.xxx[0]->108.xxx.xxx.xxx[0]"
12/18/2017 8:46        Non-Meraki / Client VPN negotiation    "msg: phase2 negotiation failed due to time up waiting for phase1. ESP 192.198.xxx.xxx[0]->108.xxx.xxx.xxx[0]"
12/18/2017 8:46        Non-Meraki / Client VPN negotiation    "msg: ignore information because ISAKMP-SA has not been established yet."
12/18/2017 8:45        Non-Meraki / Client VPN negotiation    "msg: ignore information because ISAKMP-SA has not been established yet."
12/18/2017 8:45        Non-Meraki / Client VPN negotiation    "msg: ignore information because ISAKMP-SA has not been established yet."
12/18/2017 8:45        Non-Meraki / Client VPN negotiation    "msg: ignore information because ISAKMP-SA has not been established yet."
12/18/2017 8:45        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 1 negotiation: 108.xxx.xxx.xxx[500]<=>192.198.xxx.xxx[500]"
12/18/2017 8:12        Non-Meraki / Client VPN negotiation    "msg: ISAKMP-SA established 108.xxx.xxx.xxx[4500]-192.198.xxx.xxx[4500] spi:cd6c36d9a4ec966d:ff844b42146d879d"
12/18/2017 8:12        Non-Meraki / Client VPN negotiation    "msg: renegotiating phase1 to 192.198.xxx.xxx due to active phase2"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: notification INVALID-MESSAGE-ID received in informational exchange."
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: notification INVALID-ID-INFORMATION received in informational exchange."
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: notification INVALID-MESSAGE-ID received in informational exchange."
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: notification INVALID-ID-INFORMATION received in informational exchange."
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: notification INVALID-ID-INFORMATION received in informational exchange."
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: notification INVALID-MESSAGE-ID received in informational exchange."
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: notification INVALID-ID-INFORMATION received in informational exchange."
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=1886330414(0x706f1e2e)"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=196593425(0xbb7c711)"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: ISAKMP-SA established 108.xxx.xxx.xxx[4500]-192.198.xxx.xxx[4500] spi:11289a46c91f56ad:68c1afbe3f149b5d"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 1 negotiation: 108.xxx.xxx.xxx[500]<=>192.198.xxx.xxx[500]"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: unknown Informational exchange received."
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=1591540275(0x5edcfa33)"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=64989369(0x3dfa8b9)"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: ISAKMP-SA established 108.xxx.xxx.xxx[4500]-192.198.xxx.xxx[4500] spi:2f8a3f6d7df722ba:9e6d4db19d5d7a93"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 1 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=1953692317(0x7472fa9d)"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=244177405(0xe8dd9fd)"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=2887914446(0xac2213ce)"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=165247522(0x9d97a22)"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: ISAKMP-SA established 108.xxx.xxx.xxx[4500]-192.198.xxx.xxx[4500] spi:ba6541d4081a4f69:88e40ba2a7b47420"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 1 negotiation: 108.xxx.xxx.xxx[500]<=>192.198.xxx.xxx[500]"
12/18/2017 5:15        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=4229285719(0xfc15c757)"
12/18/2017 5:15        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=11464936(0xaef0e8)"
12/18/2017 5:15        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 5:15        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=2236215638(0x8549f156)"
12/18/2017 5:15        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=9152377(0x8ba779)"
12/18/2017 5:15        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 5:15        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 1:58        Non-Meraki / Client VPN negotiation    "msg: unknown Informational exchange received."
12/18/2017 1:48        Non-Meraki / Client VPN negotiation    "msg: ISAKMP-SA established 108.xxx.xxx.xxx[4500]-192.198.xxx.xxx[4500] spi:ba0ebeb3c0c3ae8a:ac8ee5db5decf03d"
12/18/2017 0:22        Non-Meraki / Client VPN negotiation    "msg: ISAKMP-SA established 108.xxx.xxx.xxx[4500]-192.198.xxx.xxx[4500] spi:9b462bd8c9c55256:91e498e64f896fcf"
12/17/2017 22:51        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=1748426924(0x6836e0ac)"
12/17/2017 22:51        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=174208903(0xa623787)"
12/17/2017 22:51        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/17/2017 22:51        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=451933557(0x1aeff575)"
12/17/2017 22:51        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=88475318(0x54606b6)"
12/17/2017 22:51        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 17:58        Non-Meraki / Client VPN negotiation    "msg: ISAKMP-SA established 108.xxx.xxx.xxx[4500]-192.198.xxx.xxx[4500] spi:38f2d760483fb829:098f10d365f71d2e"
12/17/2017 17:58        Non-Meraki / Client VPN negotiation    "msg: ISAKMP-SA established 108.xxx.xxx.xxx[4500]-192.198.xxx.xxx[4500] spi:38f2d760483fb829:098f10d365f71d2e"

 

Based on a log entry in our PBX system, the local phones got "disconnected" starting 10:52 pm on 12/17, but I don't see any unusual messages in the log except the ones with IPs that don't belong to me.

Any help is appreciated!



  • Hi Jens,

    Does doing #1 in Rulz give any insights?

    If you want to pursue this here, please insert pictures of the Edits of the IPsec Connection, Remote Gateway and IPsec Policy. Likewise for the same information from the Meraki.  Also, some log lines from the IPsec log around 10:52 (adjusted for any time difference between the PBX and UTM).

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Yes, I have checked the Intrusion log and there is nothing in it.

    Today, the problem actually got worse. I encountered a power outage in my home office (Cisco Meraki) and I haven't been able to reestablish an IPSec VPN to the Sophos at all now.

    Here are the requested configuration pictures:

     

    Log on Sophos UTM:

    2017:12:19-20:18:21 vpn pluto[5482]: packet from 108.xxx.xxx.xxx:500: received Vendor ID payload [RFC 3947]
    2017:12:19-20:18:21 vpn pluto[5482]: packet from 108.xxx.xxx.xxx:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
    2017:12:19-20:18:21 vpn pluto[5482]: packet from 108.xxx.xxx.xxx:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2017:12:19-20:18:21 vpn pluto[5482]: packet from 108.xxx.xxx.xxx:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    2017:12:19-20:18:21 vpn pluto[5482]: packet from 108.xxx.xxx.xxx:500: received Vendor ID payload [Dead Peer Detection]
    2017:12:19-20:18:21 vpn pluto[5482]: "S_vpn.office"[1] 108.xxx.xxx.xxx #310: responding to Main Mode from unknown peer 108.xxx.xxx.xxx
    2017:12:19-20:18:24 vpn pluto[5482]: "S_vpn.office"[1] 108.xxx.xxx.xxx #310: ERROR: asynchronous network error report on eth1 for message to 108.xxx.xxx.xxx port 500, complainant 108.221.23.56: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
    2017:12:19-20:18:24 vpn pluto[5482]: "S_vpn.office"[1] 108.xxx.xxx.xxx #309: ERROR: asynchronous network error report on eth1 for message to 108.xxx.xxx.xxx port 500, complainant 108.221.23.56: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
    2017:12:19-20:18:26 vpn pluto[5482]: "S_vpn.office"[1] 108.xxx.xxx.xxx #305: max number of retransmissions (2) reached STATE_MAIN_R1
     

    And the log from the Meraki:

    Dec 19 20:18:43        Non-Meraki / Client VPN negotiation    msg: phase2 negotiation failed due to time up waiting for phase1. ESP 192.xxx.xxx.xxx[0]->108.xxx.xxx.xxx[0]
    Dec 19 20:18:12        Non-Meraki / Client VPN negotiation    msg: initiate new phase 1 negotiation: 108.xxx.xxx.xxx[500]<=>192.xxx.xxx.xxx[500]
    Dec 19 20:18:10        Non-Meraki / Client VPN negotiation    msg: phase2 negotiation failed due to time up waiting for phase1. ESP 192.xxx.xxx.xxx[0]->108.xxx.xxx.xxx[0]
    Dec 19 20:18:05        Non-Meraki / Client VPN negotiation    msg: phase2 negotiation failed due to time up waiting for phase1. ESP 192.xxx.xxx.xxx[0]->108.xxx.xxx.xxx[0]

     

    I have compared the configuration between both devices over and over. Also deleted all VPN related configuration on both appliances and re-created them from scratch. Assigned new pre-shared keys.

    Also talked to Meraki support. They were helpful, but couldn't find anything wrong with configuration. Called the ISP. No, nothing is blocked, modem didn't get updated and the configuration didn't change.

    I have been using Sophos and VPN connections to various third party systems for years now, but I am stunned by this behavior.

    Any ideas?

  • Thanks for the pics, Jens - that looks good.  Do you need Strict Routing?

    Are there any hints in the firewall log at 10:52 on the 17th?

    The logs you showed for the UTM and the Meraki don't cover the same time frame.

    Cheers - Bob 

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
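
Whether the two logs in the opening post describe the same events can be checked by joining them on ESP SPI, which both appliances record for every IPsec SA. The script below is an added example, not part of the thread: the function names and the `clock_offset` parameter are assumptions, and the sample lines are excerpted from the logs in the opening post.

```python
import re
from datetime import datetime, timedelta

# Excerpts in the two formats shown in the opening post (addresses masked as posted).
UTM_LOG = '''
2017:12:17-22:51:17 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #31: IPsec SA established {ESP=>0x054606b6 <0x1aeff575 DPD}
2017:12:17-22:51:33 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #32: IPsec SA established {ESP=>0x0a623787 <0x6836e0ac DPD}
2017:12:18-05:15:17 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #35: IPsec SA established {ESP=>0x008ba779 <0x8549f156 DPD}
2017:12:18-05:15:33 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #36: IPsec SA established {ESP=>0x00aef0e8 <0xfc15c757 DPD}
'''

MERAKI_LOG = '''
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=1886330414(0x706f1e2e)"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=196593425(0xbb7c711)"
12/18/2017 5:15        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=4229285719(0xfc15c757)"
12/18/2017 5:15        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=11464936(0xaef0e8)"
12/18/2017 5:15        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=2236215638(0x8549f156)"
12/18/2017 5:15        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=9152377(0x8ba779)"
12/17/2017 22:51        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=1748426924(0x6836e0ac)"
12/17/2017 22:51        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=174208903(0xa623787)"
12/17/2017 22:51        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=451933557(0x1aeff575)"
12/17/2017 22:51        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=88475318(0x54606b6)"
'''

UTM_RE = re.compile(
    r'^(?P<ts>\d{4}:\d\d:\d\d-\d\d:\d\d:\d\d) \S+ pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] \S+ '
    r'#(?P<state>\d+): IPsec SA established \{ESP=>0x(?P<out>[0-9a-f]+) <0x(?P<inb>[0-9a-f]+)')
MERAKI_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d\d)\s.*IPsec-SA established:.*'
    r'spi=\d+\(0x(?P<spi>[0-9a-f]+)\)')


def parse_utm(text):
    """Map each ESP SPI pluto logged to (time, connection name, state number)."""
    seen = {}
    for line in text.splitlines():
        m = UTM_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%Y:%m:%d-%H:%M:%S')
        # pluto zero-pads SPIs to 8 hex digits, the Meraki does not: compare as integers.
        for spi in (m['out'], m['inb']):
            seen[int(spi, 16)] = (ts, m['conn'], int(m['state']))
    return seen


def parse_meraki(text, clock_offset=timedelta(0)):
    """Map each ESP SPI the Meraki logged to its time, shifted by clock_offset."""
    seen = {}
    for line in text.splitlines():
        m = MERAKI_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m['ts'], '%m/%d/%Y %H:%M') + clock_offset
            seen[int(m['spi'], 16)] = ts
    return seen


def correlate(utm, meraki):
    """Join both sides on SPI; report skew for matches and SPIs seen on one side only."""
    both = sorted(utm.keys() & meraki.keys(), key=lambda s: (utm[s][0], s))
    matched = [(spi, utm[spi][1], utm[spi][2], utm[spi][0] - meraki[spi]) for spi in both]
    return {
        'matched': matched,
        'utm_only': sorted(utm.keys() - meraki.keys()),
        'meraki_only': sorted(meraki.keys() - utm.keys()),
    }


if __name__ == '__main__':
    result = correlate(parse_utm(UTM_LOG), parse_meraki(MERAKI_LOG))
    for spi, conn, state, skew in result['matched']:
        print(f'0x{spi:08x} {conn} #{state} skew={skew}')
    for side in ('utm_only', 'meraki_only'):
        print(side, [f'0x{spi:08x}' for spi in result[side]])
```

On these excerpts every SPI pluto logged has a Meraki counterpart within a minute, while the two SPIs the Meraki logged at 6:52 have none on the UTM side. The Meraki log has minute resolution, so a skew under 60 seconds is expected even with synchronized clocks.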
  • No, I don't need strict routing and can turn it off.

    I tried to find the closest entries possible from a time point of view. I can get some new ones if that helps, but it is always the same pattern.

    Here is a copy of the firewall log for the time indicated in your post:

    2017:12:17-10:52:01 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="85.93.20.22" dstip="192.xxx.xxx.xx2" proto="6" length="52" tos="0x0a" prec="0x20" ttl="105" srcport="9" dstport="4444" tcpflags="SYN" 
    2017:12:17-10:52:03 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x3441" app="1089" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="81.240.111.95" dstip="192.xxx.xxx.xx8" proto="17" length="78" tos="0x08" prec="0x40" ttl="107" srcport="61990" dstport="137" 
    2017:12:17-10:52:03 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x3441" app="1089" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="81.240.111.95" dstip="192.xxx.xxx.xx9" proto="17" length="78" tos="0x08" prec="0x40" ttl="107" srcport="61990" dstport="137" 
    2017:12:17-10:52:03 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x3441" app="1089" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="81.240.111.95" dstip="192.xxx.xxx.xx0" proto="17" length="78" tos="0x08" prec="0x40" ttl="107" srcport="61990" dstport="137" 
    2017:12:17-10:52:03 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x3441" app="1089" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="81.240.111.95" dstip="192.xxx.xxx.xx1" proto="17" length="78" tos="0x08" prec="0x40" ttl="107" srcport="61990" dstport="137" 
    2017:12:17-10:52:03 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x3441" app="1089" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="81.240.111.95" dstip="192.xxx.xxx.xx2" proto="17" length="78" tos="0x08" prec="0x40" ttl="107" srcport="61990" dstport="137" 
    2017:12:17-10:52:07 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="85.93.20.22" dstip="192.xxx.xxx.xx2" proto="6" length="48" tos="0x08" prec="0x20" ttl="105" srcport="9" dstport="4444" tcpflags="SYN" 
    2017:12:17-10:52:18 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="183.62.57.217" dstip="192.xxx.xxx.xx8" proto="6" length="52" tos="0x08" prec="0x20" ttl="46" srcport="7401" dstport="445" tcpflags="SYN" 
    2017:12:17-10:52:19 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="183.62.57.217" dstip="192.xxx.xxx.xx9" proto="6" length="52" tos="0x08" prec="0x20" ttl="47" srcport="44478" dstport="445" tcpflags="SYN" 
    2017:12:17-10:52:20 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="183.62.57.217" dstip="192.xxx.xxx.xx0" proto="6" length="52" tos="0x08" prec="0x20" ttl="46" srcport="23618" dstport="445" tcpflags="SYN" 
    2017:12:17-10:52:21 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="183.62.57.217" dstip="192.xxx.xxx.xx1" proto="6" length="52" tos="0x08" prec="0x20" ttl="46" srcport="16723" dstport="445" tcpflags="SYN" 
    2017:12:17-10:52:22 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="183.62.57.217" dstip="192.xxx.xxx.xx2" proto="6" length="52" tos="0x08" prec="0x20" ttl="46" srcport="23630" dstport="445" tcpflags="SYN" 
    2017:12:17-10:52:26 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="139.60.160.251" dstip="192.xxx.xxx.xx2" proto="6" length="40" tos="0x08" prec="0x40" ttl="235" srcport="43364" dstport="50590" tcpflags="SYN" 
    2017:12:17-10:52:53 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60004" initf="eth1" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="61.138.232.34" dstip="192.xxx.xxx.xx8" proto="6" length="44" tos="0x08" prec="0x20" ttl="47" srcport="49054" dstport="22" tcpflags="SYN"

    Sadly, I don't see anything unusual in the firewall.

    Can a Windows machine connect to the IPSec VPN? This would indicate that the problem is with the Cisco Meraki.

  • Is either the Meraki or the UTM behind a NATting router?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • The UTM sits in a data center and has no router. Basically, the UTM is directly using a block of IPs.

    That said, the Cisco Meraki sits in a home office using ATT Business Internet. ATT says the modem is in "bridge mode", but that doesn't seem to be an equivalent of the bridge mode I have used with Comcast before. Essentially, the Meraki is acting as a DHCP client getting the external IP from the ATT modem.

  • I have an update on this. After doing a lot of testing involving a second Sophos appliance, it was determined that there is some kind of problem with the Cisco Meraki. I will run a few more tests with Cisco next week, but this seems to turn into some kind of hardware issue and I am expecting to get an RMA # next week.

    I will post another update if there is additional news or findings.

    Thank you for your help, Bob!

  • Hi Jens,

    Is the issue cleared? I had a similar problem.

    Best regards,

    Tomoaki

  • Hi Tomoaki and welcome to the UTM Community!

    Another issue could be that the Meraki is not configured for Anti-Replay.  That is on by default in the UTM and cannot be disabled.  A mismatch can cause the tunnel to appear to be established, but fail to pass traffic.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thank you for your support. Yes, my problem is that traffic fails to pass while the SA appears to be established, and it occurs in a 3 to 4 hour cycle.
    I changed the phase 2 lifetime to 3600s from 28800s (Meraki default), and traffic can pass now without causing problems.
    But if Anti-Replay causes the issue, my workaround cannot fix it.

     

    Best regards,

    Tomoaki