
Sophos connect Client a lot of "received IKE message with invalid SPI" - MR10

Hi there / Support,

After upgrading from MR9 to MR10, connecting with "Sophos connect client" to the firewall is very unstable.
There are several error messages in system like this:

- IKE message retransmission timed out

- received IKE message with invalid SPI

This is really bad because we just want to roll out the new VPN client.
Is this a bug or feature?

Thanks for any help.
Stefan



This thread was automatically locked due to age.
  • Hi  

    When you receive these messages in Log Viewer, are you facing any disconnections or VPN communication issues?

    I would request you to share your observations in detail; it would help us assist you better.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Hi Keyur,
    We can say the following.
    We have rolled out the "Sophos connect Client" (latest version) and have been using it successfully in operation for about a week.
    With MR9 we saw no connection problems; they have occurred only since last night, after upgrading from MR9 to MR10.
    The colleagues complain that the VPN tunnel is not always successfully established when the first connection attempt is made.
    In this case, the "Sophos connect Client" makes several new connection attempts until it is ultimately successful.
    Similarly, we see said error message in the system log file:

    - IKE message retransmission timed out

    On the client side:

    2020-03-05 12:19:27PM 06[ENC] <StandortWecker|1> generating INFORMATIONAL_V1 request 1827697255 [ HASH D ]
    2020-03-05 12:19:27PM 06[NET] <StandortWecker|1> sending packet: from 192.168.43.9[49666] to 213.XXX.XXX.XXX[4500] (108 bytes)
    2020-03-05 12:19:27PM 06[IKE] <StandortWecker|1> Removing DNS server 172.XXX.XXX.XXX from the TAP adapter
    2020-03-05 12:19:27PM 06[IKE] <StandortWecker|1> 172.XXX.XXX.XXX count is 0, doing remove
    2020-03-05 12:19:27PM 14[NET] sending packet failed: 10022
    2020-03-05 12:19:27PM 14[NET] sending packet failed: 10022
    2020-03-05 12:19:27PM 14[NET] sending packet failed: 10022
    2020-03-05 12:19:27PM 14[NET] sending packet failed: 10022
    2020-03-05 12:19:27PM 14[NET] sending packet failed: 10022
    2020-03-05 12:19:27PM 14[NET] sending packet failed: 10022
    2020-03-05 12:19:27PM 06[IKE] <StandortWecker|1> Removing DNS server 172.XXX.XXX.XXX from the TAP adapter
    2020-03-05 12:19:27PM 06[IKE] <StandortWecker|1> 172.XXX.XXX.XXX count is 0, doing remove
    2020-03-05 12:19:27PM 06[KNL] <StandortWecker|1> Removing virtual IP 10.XXX.XXX.XXX

    If you need additional information, get in touch.

    Regards
