I have 1 HQ firewall (XG135) and 4 branches (XG105). They all have IPSEC tunnels with the default IKEv2 setup. They are all on 188.8.131.522
Spaced about 1 hour 13 minutes apart, I get 5 established and 5 terminated IPSEC VPN tunnel log entries from a branch firewall, all with the exact same timestamp. Then a few minutes later, approximately the same hour/minutes apart, I get another 5 established and 5 terminated IPSEC VPN tunnel log entries. A few of the firewalls have TWO IPSEC tunnels, and I'll get an alert on one of the tunnels, and at some point over the next hour, I'll get another alert for the other tunnel, but both don't terminate at once.
No internet outages, and no perceived downtime with the tunnels. I have 100 users all using VoIP and no one has said a word. This has been happening since deployment 2 days ago.
I'm getting bombarded with alerts for tunnel disconnection/re-connection.
What configuration item should I be looking at? Or is this a bug?
In reply to FloSupport:
How was this released? I am also seeing something like this.
What is Sophos's description of NR-1989? Is there a link to all the current bugs we can see?
In reply to bz351:
The bugfix was released to the cloud version of Sophos Central Admin Firewall Management. I no longer receive hundreds of alerts a day saying my IPSEC tunnel disconnected (when it was just rekeying, not actually disconnecting).
Now, I do receive several alerts a day saying a firewall disconnected from Sophos Central Admin (without internet loss), but I'll open another forum post/support case for that when I get some time.
In reply to LeetJN:
Are the IPSec terminated/established alerts still present in the Sophos firewall log? Was only receiving them suppressed in Sophos Central?
In reply to Jaroslav Faldik:
Yes, no change to the local firewall logs (although I agree they should have fixed it/differentiated it here too).
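The distinction drawn in this thread (a rekey logs a terminated and an established entry with the same timestamp, while a real disconnect leaves a gap) can be applied to exported tunnel logs. This is an added example, not code from any poster or from Sophos; the "timestamp tunnel event" log layout, the tunnel names and the 5-second grace window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample lines in a made-up "timestamp tunnel event" layout;
# this is not the Sophos log format.
SAMPLE_LOG = """\
2019-04-12T09:00:00 branch1 established
2019-04-12T10:13:05 branch1 established
2019-04-12T10:13:05 branch1 terminated
2019-04-12T10:13:05 branch2 terminated
2019-04-12T10:13:05 branch2 established
2019-04-12T11:40:10 branch2 terminated
2019-04-12T11:52:30 branch2 established
2019-04-12T12:05:00 branch1 terminated
"""

GRACE = timedelta(seconds=5)  # assumed tolerance for a rekey swap


def parse(text):
    """Return a time-sorted list of (datetime, tunnel, event) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in ("established", "terminated"):
            continue  # skip anything that is not a tunnel state line
        rows.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return sorted(rows, key=lambda r: r[0])


def real_outages(rows, grace=GRACE):
    """Return (tunnel, down_at, up_at) for terminations that are not rekeys.

    A termination counts as rekey churn when the same tunnel logs an
    "established" entry within `grace` of it, before or after, because
    entries sharing a timestamp may be written in either order.
    up_at is None when the tunnel never comes back in the sample.
    """
    outages = []
    for ts, tunnel, event in rows:
        if event != "terminated":
            continue
        ups = [t for t, n, e in rows if n == tunnel and e == "established"]
        if any(abs(t - ts) <= grace for t in ups):
            continue  # replacement SA is up at the same moment: rekey
        later = [t for t in ups if t > ts]
        outages.append((tunnel, ts, later[0] if later else None))
    return outages
```

Alerting only on the tuples `real_outages` returns keeps genuine tunnel drops visible while the paired rekey entries stay in the log for audit.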
The firewall disconnected message is related to the following issue: