Hi
We have around 40 XGs deployed in Azure for our customers. We host a solution that needs to connect back to the customer datacenter/premise to pull data over. We have a few tunnels on various XGs that just seem to die off after a couple days. When reviewing the strongswan.log, the CHILD_SAs rekey just fine, and then it just disappears along with about 75% of them. The ones that are up appear to have been initiated by the other side, so it appears that the strongswan daemon just stops rekeying things until we take the tunnel down and bring it back up.
- DPD messages are working
- Seems to affect IKEv2 more/only
- Traffic initiation from local side does not build the SA
- Traffic initiation from remote side seems to build the SA, so it seems
- No event of the SA being deleted, it just vanishes after the last rekey line in the strongswan.log
- Have verified with the customer that all policy settings match
- Have verified that the crypto map (local/remote subnets) objects match
- Have had the Cisco admins disable SA idle-timeout. ASAs like to remove the SAs after 30 minutes of no traffic, Sophos builds them right back possibly causing stress to strongswan.
- Cisco admins have removed the "Bytes Lifetime" from the config (set to unlimited), since Sophos doesn't support that life type
I would contact "premium support" but they are never helpful. Has anyone ever gotten decent help from creating an issue on the support portal? Is this an issue with Strongswan or the implementation of it inside XG?
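One way to spot the symptom described above across many XGs without reading each strongswan.log by hand is to replay the CHILD_SA established/closing events and flag connections whose newest SA has outlived its rekey interval with no successor (or whose last SA was closed with none established after it). This is an added example, not code from the original post or from Sophos/strongSwan; the log line format, the 1-hour rekey interval and the log year are assumptions, and the sample log is constructed.

```python
import re
from datetime import datetime, timedelta

# Patterns approximate charon's CHILD_SA lifecycle lines in a syslog-style strongswan.log
# (assumption: adapt the regexes and the year to the exact format of your appliance's log).
_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
_EST = re.compile(_TS + r" .*CHILD_SA (?P<conn>[\w.-]+)\{(?P<num>\d+)\} established")
_CLOSE = re.compile(_TS + r" .*closing CHILD_SA (?P<conn>[\w.-]+)\{(?P<num>\d+)\}")

def audit_child_sas(lines, now, rekey_interval=timedelta(hours=1),
                    slack=timedelta(minutes=10), year=2024):
    """Classify each connection: 'vanished' = all CHILD_SAs closed and none re-established;
    'stalled' = an SA is still up but no rekey happened within rekey_interval + slack;
    'ok' = a fresh CHILD_SA exists. Syslog lines carry no year, so one is supplied."""
    state = {}  # conn -> {"active": set of CHILD_SA instance numbers, "last_est": datetime}
    for line in lines:
        if m := _EST.search(line):
            s = state.setdefault(m["conn"], {"active": set(), "last_est": None})
            s["active"].add(int(m["num"]))
            s["last_est"] = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        elif m := _CLOSE.search(line):
            s = state.setdefault(m["conn"], {"active": set(), "last_est": None})
            s["active"].discard(int(m["num"]))  # old SA torn down after a rekey
    verdicts = {}
    for conn, s in state.items():
        if not s["active"]:
            verdicts[conn] = "vanished"
        elif now - s["last_est"] > rekey_interval + slack:
            verdicts[conn] = "stalled"
        else:
            verdicts[conn] = "ok"
    return verdicts

# Constructed sample log: site-a rekeyed once and then went silent, site-b keeps rekeying,
# site-c closed its only SA without a replacement. Evaluated as of SAMPLE_NOW.
SAMPLE_LOG = """\
Mar 03 08:00:01 05[IKE] <site-a|1> CHILD_SA site-a{1} established with SPIs c0a80001_i c0a80002_o and TS 10.1.0.0/24 === 192.168.10.0/24
Mar 03 09:00:05 07[IKE] <site-a|1> CHILD_SA site-a{2} established with SPIs c0a80003_i c0a80004_o and TS 10.1.0.0/24 === 192.168.10.0/24
Mar 03 09:00:05 07[IKE] <site-a|1> closing CHILD_SA site-a{1} with SPIs c0a80001_i c0a80002_o and TS 10.1.0.0/24 === 192.168.10.0/24
Mar 03 08:00:02 05[IKE] <site-b|2> CHILD_SA site-b{1} established with SPIs c0a80011_i c0a80012_o and TS 10.2.0.0/24 === 192.168.20.0/24
Mar 03 09:00:07 09[IKE] <site-b|2> CHILD_SA site-b{2} established with SPIs c0a80013_i c0a80014_o and TS 10.2.0.0/24 === 192.168.20.0/24
Mar 03 09:00:07 09[IKE] <site-b|2> closing CHILD_SA site-b{1} with SPIs c0a80011_i c0a80012_o and TS 10.2.0.0/24 === 192.168.20.0/24
Mar 03 10:00:09 11[IKE] <site-b|2> CHILD_SA site-b{3} established with SPIs c0a80015_i c0a80016_o and TS 10.2.0.0/24 === 192.168.20.0/24
Mar 03 10:00:09 11[IKE] <site-b|2> closing CHILD_SA site-b{2} with SPIs c0a80013_i c0a80014_o and TS 10.2.0.0/24 === 192.168.20.0/24
Mar 03 08:00:03 06[IKE] <site-c|3> CHILD_SA site-c{1} established with SPIs c0a80021_i c0a80022_o and TS 10.3.0.0/24 === 192.168.30.0/24
Mar 03 08:40:00 06[IKE] <site-c|3> closing CHILD_SA site-c{1} with SPIs c0a80021_i c0a80022_o and TS 10.3.0.0/24 === 192.168.30.0/24
"""
SAMPLE_NOW = datetime(2024, 3, 3, 11, 0, 0)

if __name__ == "__main__":
    for conn, verdict in sorted(audit_child_sas(SAMPLE_LOG.splitlines(), SAMPLE_NOW).items()):
        print(f"{conn}: {verdict}")
```

A "stalled" verdict on a tunnel that still shows traffic from the remote side matches the post's observation that only peer-initiated SAs survive, which narrows the problem to the local initiator's rekey scheduling rather than to policy or selector mismatches.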