Release of v17 MR-2?

Hi,

Now that MR-1 has appeared, I wanted to ask when MR-2 will appear. The problems and instabilities of IPsec in v17 (especially in connection with v16.5) are very annoying.

  • In reply to RyanDonohue:

    Hi Ryan,

    I have followed-up with your Support Ticket and the case owner will reach out to you today. If you haven't done so yet, please send over your logs from the ASA, if possible.

    Thanks,
    Karlos

  • The only issue I have had with V17 MR1, 2 and 3 is recreating the VPN profiles/encryption each time, but then it is stable.

    This has been XG to XG for our Norwich to London site-to-site, but I also have a 105w running at home that has VPN to both sites. All 3 have been solid.

    Won't make a load of you happy on here, but I am having nothing but good support from the support guys. Having met some of the guys that have the XG in their blood, I know this will be frustrating for them, and they are doing what they can.

    I do have a virtualised environment too for testing with as much detail as I can, including VPNs etc. I don't know anything about Cisco gear, but are there any options for those with Cisco kit to simulate the routers/firewalls so you are not exposing real-world kit/connections?

  • In reply to Karlos:

    Karlos,


    I do not have access to the logs on the ASA. The ASA is managed by another company, and their security is dictated by Homeland Security. They will give me a verbal description of what they are seeing on their side in the logs, but getting something like actual logs is like pulling teeth. The one thing that I know is that this VPN tunnel worked when I was running an ASA on my side, it worked from another SG310 running UTM 9, and it worked from another SG310 running XG 16. The only thing that it has issues with is XG 17.

  • In reply to RyanDonohue:

    I will add that the company that manages the ASA has been working with Cisco support since this began and Cisco has checked everything with their configuration, and Cisco support did review their logs and has said that they were unable to find any issues on their end.

  • To all others that have issues with this, by chance are you using any special characters in your PSK? I had them in my PSK all along before I gave up and downgraded to 16.5 (still using special characters with no issues in 16.5). I just came across this thread community.sophos.com/.../361180 in which Support said that they cause issues and were supposed to be fixed in MR-2. (Ticket NC-23039) was supposed to be fixed in MR-2, but I don't see any mention of it in the release notes of MR-2 or even MR-3.

  • In reply to apalm123:

    I have no special characters in my PSKs... the result IS the same.

  • In reply to apalm123:

    Your key is NOT too long, right? Because MR2 cannot handle keys as long as MR1 was able to.

    I do not remember how many, however. 60 maybe.

    Paul Jr

  • In reply to Big_Buck:

    Nope, not even close to 60

  • In reply to apalm123:

    apalm123
    Support said that they cause issues and were supposed to be fixed in MR-2. (Ticket NC-23039)

    The fix is in MR-2; I don't know the reason why it's not in the release notes. I will forward that info to the release manager.

  • In reply to Big_Buck:

    I recall having to shorten our PSK as well from what was configured in 16.5. May have also had to remove some characters per the other issue someone had posted but I don't recall exactly.

  • Support has sent me a couple of new things to try. I'm waiting to get some time scheduled with the network engineer on the other end to try them out, but thought someone else might be able to test them before I get to. Here's what they said.


    The lifetimes need to be set to Phase1: 10800 and Phase2: 3600

    If you are using SHA2 you have to select the option for 96-bit truncation


    In my case I'm not using SHA2, so that's not my issue, but it might help someone else. I'm curious to see if the lifetime settings have any effect.

    In the meantime I have brought a decommissioned ASA back online in our network, have removed the affected tunnel from our XG and am now running it off that. I'll continue testing because I'd like to have just the XG if possible. This issue has been so aggravating...
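    The "96-bit truncation" setting mentioned in the post above is an interoperability point worth seeing concretely. RFC 4868 defines HMAC-SHA-256 for ESP with a 128-bit (16-byte) integrity check value, but older implementations (the pre-RFC draft behaviour that some Cisco releases follow) truncate the same HMAC to 96 bits (12 bytes). Both peers compute the same MAC; they only disagree on how many bytes of it go on the wire, and that alone is enough to fail every packet. The following is an added example, not code from the original thread or from Sophos or Cisco; the key, payload and packet layout are constructed for illustration and are not a real capture.

    ```python
    import hashlib
    import hmac

    # Constructed sample data (not a real capture): a 32-byte SHA-256 HMAC key
    # and a short stand-in for an ESP packet body (SPI + sequence + ciphertext).
    SAMPLE_KEY = bytes.fromhex(
        "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
    )
    SAMPLE_BODY = b"\x00\x00\x01\x02" + b"\x00\x00\x00\x2a" + b"constructed ESP ciphertext"

    # Two truncation lengths for HMAC-SHA-256 as an ESP integrity algorithm.
    RFC4868_ICV_LEN = 16   # HMAC-SHA-256-128 (current standard)
    DRAFT_ICV_LEN = 12     # 96-bit truncation, legacy / "sha256_96" style compatibility


    def esp_icv(key: bytes, body: bytes, icv_len: int) -> bytes:
        """Full HMAC-SHA-256 over the authenticated part, truncated to icv_len bytes."""
        return hmac.new(key, body, hashlib.sha256).digest()[:icv_len]


    def build_packet(key: bytes, body: bytes, icv_len: int) -> bytes:
        """Sender appends its ICV after the body, as ESP does."""
        return body + esp_icv(key, body, icv_len)


    def receive_packet(key: bytes, packet: bytes, icv_len: int) -> bool:
        """Receiver strips the *number of ICV bytes it expects* and verifies.

        If the peer used a different truncation, the split point is wrong: part of
        the ciphertext is read as ICV (or part of the ICV as ciphertext) and the
        MAC comparison fails, so the packet is dropped.
        """
        if len(packet) <= icv_len:
            return False
        body, received_icv = packet[:-icv_len], packet[-icv_len:]
        expected = esp_icv(key, body, icv_len)
        return hmac.compare_digest(expected, received_icv)


    def simulate_tunnel(sender_icv_len: int, receiver_icv_len: int) -> bool:
        """True if a packet from a sender using sender_icv_len passes the receiver."""
        packet = build_packet(SAMPLE_KEY, SAMPLE_BODY, sender_icv_len)
        return receive_packet(SAMPLE_KEY, packet, receiver_icv_len)


    if __name__ == "__main__":
        for s, r in [(16, 16), (12, 12), (16, 12), (12, 16)]:
            print(f"sender {s*8:3d}-bit ICV -> receiver expects {r*8:3d}-bit: "
                  f"{'OK' if simulate_tunnel(s, r) else 'DROPPED'}")
    ```

    Both peers share the same key and compute the same 32-byte HMAC; only the matched pairs (16/16 and 12/12) verify, and the mismatched pairs are dropped on every packet even though the key, cipher and lifetimes are correct. That is why Phase 1 can complete normally while no traffic passes the tunnel: the disagreement is in the ESP integrity transform, not in the authentication of the peers, and the fix is to make both ends truncate the same way rather than to change the PSK.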

  • In reply to RyanDonohue:

    Support set me up with phase 1 28800 (not 10800 like they told you) and phase 2 3600, even though that's not what the ASA was at for either ph1 or ph2. IKEv1. They remoted in and made a new one for me using the prebuilt remote office template. With this, the best I ever got was for it to stay up for 1 week, and that was a huge improvement, but as soon as my constant-ping PC (pinging the other side day and night) had to reboot, the tunnel between the XG 105 and the ASA never stayed up again after that. The key life settings did not at all match the ASA, but matching them didn't help at all, so I welcomed the change.

  • In reply to RyanDonohue:

    None of the config above would work with Azure. Maybe AWS.