v17 MR5: VPN still unstable!

Hi,

 

I Upgraded to MR5 yesterday, all went great, suddenly this evening, tunnels start dropping up and down, and I am being "spammed" with notifications from my SFM that tunnels are terminated.

charon.log shows a lot of theese:

invalid ID_V1 payload length, decryption failed?                                

I have Read here:
Sophos XG Firewall: Cannot handle more than 2 concurrent Quick Mode exchanges per IKE_SA when using IKEv1

That there are issues in MR5, that will be resolved in MR6, but theese errors should read:
"invalid HASH_V1 payload length, decryption failed?"
as stated in the KB above.

I have 4 tunnels on my XG.

Are others seeing this?

A little more log:
2018-01-29 19:54:58 10[ENC] <622> invalid ID_V1 payload length, decryption fail 
ed?                                                                             
2018-01-29 19:54:58 10[ENC] <622> could not decrypt payloads                    
2018-01-29 19:54:58 10[IKE] <622> message parsing failed                        
2018-01-29 19:54:58 10[ENC] <622> generating INFORMATIONAL_V1 request 158523599 
 [ HASH N(PLD_MAL) ]                                                            
2018-01-29 19:54:58 10[NET] <622> sending packet: from x.x.x.x[500] to 5.1 
03.12.171[500] (76 bytes)                                                       
2018-01-29 19:54:58 10[IKE] <622> ID_PROT request with message ID 0 processing  
failed                                                                          
2018-01-29 19:54:58 10[DMN] <622> [GARNER-LOGGING] (child_alert) ALERT: parsing 
 IKE message from x.x.x.x[500] failed                                      
2018-01-29 19:54:58 19[JOB] <622> deleting half open IKE_SA with x.x.x.x a 
fter timeout                                                                    
2018-01-29 19:54:58 19[DMN] <622> [GARNER-LOGGING] (child_alert) ALERT: IKE_SA  
timed out before it could be established                                        
All tunnels are unstable during this, yesterday with MR3, it worked great for weeks!

  • Hi  

    I have sent you a PM so that we can investigate further.

    Regards,

    FloSupport | Community Support Engineer

  • (sorry I did not see your link with the way it was formatted before, I deleted my original reply to your post).

     

    Yes, I am getting these as well,  but we've had issues since   17.0   I'm hoping this fix will solve our tunnel issues we've had the past several months.   I've escalated this to support and the level 3 techs will be checking it out and hopefully implementing the work around.  

     

    What type of device do you have on the other end of the tunnel?

     

    -Scott

  • In reply to Scott_D_L:

    I also have the support guys on it.

     

    All the endpoints are Sophos UTM's in different hardware configs.

  • In reply to twister5800:

    Why not use RED as they are all Sophos?   We ditched IPSEC a few months ago and it has been excellent ever since.

  • In reply to CMR:

    I understand your point, but the RED is just an extended patch cable, and is not a router, the endpoints are different companies, each requirering it's own router.

     

    Furthermore, IPSEC is still used for 90% of VPN's everywhere, when ran by UTM, there where no problems, all started with XG, and now with MR5, it's got even worse.

  • In reply to twister5800:

    Hi Martin,

    You can put the RED interfaces in the VPN zone and then route / firewall them off securely.   I'm not defending the poor IPSEC implementation, just offering a possible solution!

    Cheers,

    Charles

  • In reply to CMR:

    Hi Charles,

    Thanks for that, I'm already aware of that solution, as we use them somewhere else already.

    But cannot tell 4 customers to go and buy a device and me for some hours, just because of a firmware update :-)

  • In reply to twister5800:

    Just in case you did want to try it, RED does work UTM to XG as well

  • In reply to CMR:

    I'm fully aware of that, but thanks anyway ;)

  • In reply to Scott_D_L:

    Just a FYI.   Sophos GES team was able to get into my sophos XG unit and apply the VPN fix to my unit last week Friday.  So far so good.  All SA's remain up and active.

     

    -Scott

  • In reply to Scott_D_L:

    Hi all,

    good to hear this.

    I'm having the same issue with MR5 with 2 Cisco IPsec Tunnels using Apple macOS and iOS in parallel.

    Is there a possibility to apply the fix as a home user as well?

    Thanks and best regards

    Dom Nik

  • In reply to Scott_D_L:

    Has anyone else applied the fix from support?   Just curious how your experience has been?   

     

    -Scott

  • All of you folks are aware that VPN is a 3 decades old technology that Sophos just cannot figure out ?  It is not like if it was new tech.

    They just do not have the engineering staff required to achieve this.

    PJR

  • In reply to Big_Buck:

    Having exactly the same issue do we know what the fix is thats being applied?

  • In reply to Big_Buck:

    Agreed. I'm getting really tired of dealing with Sophos. We were early adopters of the XG and it's probably been one of my worst decisions. The platform is so far away from being enterprise-ready it's not even funny.