Now that MR-1 has appeared, I wanted to ask when MR-2 will appear. The problems and instabilities of IPSec in v17 (especially in connection with V16.5) are very annoying.
In reply to RyanDonohue:
I have followed-up with your Support Ticket and the case owner will reach out to you today. If you haven't done so yet, please send over your logs from the ASA, if possible.
The only issue I have had with V17 MR1, 2 and 3 is recreating the VPN profiles/encryption each time, but then it is stable.
This has been XG to XG for our Norwich to London site to site, but I also have a 105w running at home that has VPN to both sites. All 3 have been solid.
Won't make a load of you happy on here, but I am having nothing but good support from the support guys. Having met some of the guys that have the XG in their blood, I know this will be frustrating for them, and they are doing what they can.
I do have a virtualised environment too for testing, with as much detail as I can including VPNs etc. I don't know anything about Cisco gear, but are there any options for those with Cisco kit to simulate the routers/firewalls so you are not exposing real-world kit/connections?
In reply to Karlos:
I do not have access to the logs on the ASA. The ASA is managed by another company, and their security is dictated by Homeland Security. They will give me a verbal description of what they are seeing on their side in the logs, but getting something like actual logs is like pulling teeth. The one thing that I know is that this vpn tunnel worked when I was running an ASA on my side, it worked from another SG310 running UTM 9, it worked from another SG310 running XG 16. The only thing that it has issues with is XG 17.
I will add that the company that manages the ASA has been working with Cisco support since this began and Cisco has checked everything with their configuration, and Cisco support did review their logs and has said that they were unable to find any issues on their end.
To all others that have issues with this, by chance are you using any special characters in your PSK? I had them in my PSK all along before I gave up and downgraded to 16.5 (still using special characters with no issues in 16.5). I just came across this thread community.sophos.com/.../361180 in which Support said that they cause issues and were supposed to be fixed in MR-2. Ticket NC-23039 was supposed to be fixed in MR-2, but I don't see any mention of it in the release notes of MR-2 or even MR-3.
In reply to apalm123:
I have no special characters in my PSKs... the result IS the same.
Your key is NOT too long, right? Because MR2 cannot handle keys as long as MR1 could.
I do not remember how many, however. 60 maybe.
In reply to Big_Buck:
Nope, not even close to 60
apalm123: "Support said that they cause issues and were supposed to be fixed in MR-2. (Ticket NC-23039)"
The fix is in MR-2, don't know the reason why it's not in the release notes. Will forward that info to the release manager.
I recall having to shorten our PSK as well from what was configured in 16.5. May have also had to remove some characters per the other issue someone had posted but I don't recall exactly.
Support has sent me a couple of new things to try. I'm waiting to get some time scheduled with the network engineer on the other end to try them out, but thought someone else might be able to test them before I get to. Here's what they said.
The lifetimes need to be set to Phase1: 10800 and Phase2: 3600
If you are using SHA2 you have to select the option for 96-bit truncation
In my case I'm not using SHA2, so that's not my issue, but it might help someone else. I'm curious to see if the lifetime settings have any effect.
In the meantime I have brought a decommissioned ASA back online in our network, have removed the affected tunnel from our XG and am now running it off of that. I'll continue testing because I'd like to have just the XG if possible. This issue has been so aggravating.
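For readers who need to line the two ends up, here is what the support advice above (Phase 1 lifetime 10800, Phase 2 lifetime 3600) looks like from the ASA side of an IKEv1 site-to-site tunnel. This is an added example, not configuration from the original posts or from Sophos; the peer address, subnets, object names and shared secret are placeholders, and the cipher choices (AES-256, SHA-1, DH group 2) are assumptions chosen to avoid the SHA-2 truncation question altogether. If SHA-2 is used instead, whether the ASA truncates the ICV to 96 bits depends on its software version, and the XG's "96-bit truncation" option has to match that behaviour.

```cisco
! Added example (not from the thread): ASA-side IKEv1 site-to-site config
! with lifetimes matching the values support suggested for the XG profile.
! Peer address, subnets, names and PSK are placeholders.
!
! Phase 1 (IKEv1 SA): lifetime 10800 seconds, same as the XG Phase 1 setting
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 10800
!
! Phase 2 (IPsec SA): lifetime 3600 seconds, same as the XG Phase 2 setting
crypto ipsec ikev1 transform-set XG-TS esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
!
! Interesting traffic. The ASA negotiates a separate IPsec SA pair for each
! ACE that matches traffic, which is why one tunnel can show several SAs.
access-list XG-VPN extended permit ip 10.10.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list XG-VPN extended permit ip 10.20.0.0 255.255.0.0 192.168.50.0 255.255.255.0
!
crypto map outside_map 10 match address XG-VPN
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set XG-TS
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map interface outside
!
! Main mode is the ASA default for pre-shared-key L2L tunnels
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <shared-secret>
```

When the peer is managed by someone else, as in this thread, the useful ask is simply that they read back the values in `crypto ikev1 policy`, the global and crypto-map `security-association lifetime`, and the transform-set hash, so both ends can be compared line by line rather than from a verbal description.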
None of the config above would work with azure. Maybe aws.
Just a quick update. I've been working with the GES team, but so far no changes. I was able to upgrade to MR3 and they got the tunnel to establish. It ran for almost a week and then started disconnecting every few hours. High availability completely breaks the tunnel.
The thing that still seems to work, even though it shouldn't, is that if I switch the ipsec profile from Main Mode to Aggressive Mode the tunnel becomes more stable and will only disconnect about once a day rather than every few hours. This is strange because the ASA on the other end is set to Main Mode, and the vpn profile is not even supposed to be compatible with Aggressive Mode. It actually makes the selection list on tunnel profile blank. So this appears to be a definite bug. We're discussing switching back to Cisco. This issue has become a deal breaker for us.
Anyone else had any luck?
We're in the same boat. Not an ASA, but connecting to a Cisco router at HQ. Disconnects multiple times a day. In our case the tunnel loses some of its SAs that get established. Out of 9 SAs that are part of the tunnel only one or two show green in the VPN connection and the site goes down. A reconnect will re-establish it, but what a pain in the butt.
If anyone has a rock-solid VPN connection to a Cisco device I would love to know what configuration you're using.