I upgraded to MR5 yesterday, all went great; suddenly this evening, tunnels start dropping up and down, and I am being "spammed" with notifications from my SFM that tunnels are terminated.
charon.log shows a lot of these:
invalid ID_V1 payload length, decryption failed?

I have read here: Sophos XG Firewall: Cannot handle more than 2 concurrent Quick Mode exchanges per IKE_SA when using IKEv1

that there are issues in MR5 that will be resolved in MR6, but these errors should read "invalid HASH_V1 payload length, decryption failed?" as stated in the KB above.

I have 4 tunnels on my XG. Are others seeing this?

A little more log:

2018-01-29 19:54:58 10[ENC] <622> invalid ID_V1 payload length, decryption failed?
2018-01-29 19:54:58 10[ENC] <622> could not decrypt payloads
2018-01-29 19:54:58 10[IKE] <622> message parsing failed
2018-01-29 19:54:58 10[ENC] <622> generating INFORMATIONAL_V1 request 158523599 [ HASH N(PLD_MAL) ]
2018-01-29 19:54:58 10[NET] <622> sending packet: from x.x.x.x to 5.103.12.171 (76 bytes)
2018-01-29 19:54:58 10[IKE] <622> ID_PROT request with message ID 0 processing failed
2018-01-29 19:54:58 10[DMN] <622> [GARNER-LOGGING] (child_alert) ALERT: parsing IKE message from x.x.x.x failed
2018-01-29 19:54:58 19[JOB] <622> deleting half open IKE_SA with x.x.x.x after timeout
2018-01-29 19:54:58 19[DMN] <622> [GARNER-LOGGING] (child_alert) ALERT: IKE_SA timed out before it could be established
All tunnels are unstable during this; yesterday with MR3, it worked great for weeks!
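A small triage script for charon.log output like the excerpt above, added here as an example and not code from the thread or from Sophos. The log lines inside it are constructed in the same format (with a documentation address in place of the real peer); it groups messages by IKE_SA id and reports which SAs show the "invalid ... payload length, decryption failed?" / "could not decrypt payloads" pair the KB describes, whether the payload named is ID_V1 or HASH_V1, and whether the SA then timed out half open.

```python
import re
from collections import defaultdict

# Constructed sample in charon.log format (not copied from the thread); 192.0.2.10 is a documentation address.
SAMPLE_LOG = """\
2018-01-29 19:54:58 10[ENC] <622> invalid ID_V1 payload length, decryption failed?
2018-01-29 19:54:58 10[ENC] <622> could not decrypt payloads
2018-01-29 19:54:58 10[IKE] <622> message parsing failed
2018-01-29 19:54:58 10[ENC] <622> generating INFORMATIONAL_V1 request 158523599 [ HASH N(PLD_MAL) ]
2018-01-29 19:54:58 10[IKE] <622> ID_PROT request with message ID 0 processing failed
2018-01-29 19:54:58 19[JOB] <622> deleting half open IKE_SA with 192.0.2.10 after timeout
2018-01-29 19:55:03 11[ENC] <623> invalid HASH_V1 payload length, decryption failed?
2018-01-29 19:55:03 11[ENC] <623> could not decrypt payloads
2018-01-29 19:55:10 12[IKE] <624> IKE_SA established between 192.0.2.1[...]
"""

# "<timestamp> <thread>[<group>] <<sa-id>> <message>" -- the layout of every charon line in the excerpt
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<thread>\d+)\[(?P<group>\w+)\] <(?P<sa>\d+)> (?P<msg>.*)$")
BAD_LEN_RE = re.compile(r"invalid (?P<payload>\w+) payload length, decryption failed\?")
HALF_OPEN_RE = re.compile(r"deleting half open IKE_SA with (?P<peer>\S+) after timeout")


def analyse(log_text):
    """Group charon log lines by IKE_SA id and summarise the decryption-failure symptoms per SA."""
    sas = defaultdict(lambda: {"bad_payloads": [], "decrypt_failed": 0,
                               "peer": None, "half_open_timeout": False})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a charon log line; skip
        rec = sas[int(m.group("sa"))]
        msg = m.group("msg")
        bad = BAD_LEN_RE.search(msg)
        if bad:
            rec["bad_payloads"].append(bad.group("payload"))  # ID_V1, HASH_V1, ...
        if msg == "could not decrypt payloads":
            rec["decrypt_failed"] += 1
        half = HALF_OPEN_RE.search(msg)
        if half:
            rec["peer"] = half.group("peer")
            rec["half_open_timeout"] = True
    return dict(sas)


def affected_sas(summary):
    """SA ids showing the symptom pair from the thread: bad payload length followed by decrypt failure."""
    return sorted(sa for sa, r in summary.items() if r["bad_payloads"] and r["decrypt_failed"])
```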
I have sent you a PM so that we can investigate further.
FloSupport | Community Support Engineer
(sorry I did not see your link with the way it was formatted before, I deleted my original reply to your post).
Yes, I am getting these as well, but we've had issues since 17.0. I'm hoping this fix will solve our tunnel issues we've had the past several months. I've escalated this to support and the level 3 techs will be checking it out and hopefully implementing the workaround.
What type of device do you have on the other end of the tunnel?
In reply to Scott_D_L:
I also have the support guys on it.
All the endpoints are Sophos UTM's in different hardware configs.
In reply to twister5800:
Why not use RED as they are all Sophos? We ditched IPSEC a few months ago and it has been excellent ever since.
In reply to CMR:
I understand your point, but the RED is just an extended patch cable, and is not a router; the endpoints are different companies, each requiring its own router.
Furthermore, IPSEC is still used for 90% of VPNs everywhere. When run by UTM, there were no problems; all started with XG, and now with MR5, it's got even worse.
You can put the RED interfaces in the VPN zone and then route / firewall them off securely. I'm not defending the poor IPSEC implementation, just offering a possible solution!
Thanks for that, I'm already aware of that solution, as we use them somewhere else already.
But cannot tell 4 customers to go and buy a device and me for some hours, just because of a firmware update :-)
Just in case you did want to try it, RED does work UTM to XG as well.
I'm fully aware of that, but thanks anyway ;)
Just an FYI. Sophos GES team was able to get into my Sophos XG unit and apply the VPN fix to my unit last week Friday. So far so good. All SAs remain up and active.
Good to hear this.
I'm having the same issue with MR5 with 2 Cisco IPsec Tunnels using Apple macOS and iOS in parallel.
Is there a possibility to apply the fix as a home user as well?
Thanks and best regards
Has anyone else applied the fix from support? Just curious how your experience has been?
All of you folks are aware that VPN is a 3-decade-old technology that Sophos just cannot figure out? It is not as if it was new tech.
They just do not have the engineering staff required to achieve this.
In reply to Big_Buck:
Having exactly the same issue. Do we know what the fix is that's being applied?
Agreed. I'm getting really tired of dealing with Sophos. We were early adopters of the XG and it's probably been one of my worst decisions. The platform is so far away from being enterprise-ready it's not even funny.