XG Firewall v18 MR-3: Feedback and experiences

Hi, good start.

installed and running okay.
Bug that was supposed to be fixed in this version.IMAP scanning has not been fixed, still the same issue that imap rejects the CA that is acceptable by smtp/s scanning.

ian

Hi All,

good start as well,

1. had a customer who has been having issues with Client IPSec VPNs disconnecting throughout the day, no longer happening since upgrade!

2. My home unit now reacts better and is a lot smoother as well.

the only bad point is that another customer is still having issues with a S2S IKE v2 VPN disconnecting throughout the day, even after upgrade, and when there is no traffic on the connection.

Between the XG210 and a Draytek 2862 - both on latest firmware - if anyone has any ideas I would love to hear them (as I have now resorted to using support, which could be months before it is even looked at)

Hi Argo,

We would have checked this issue in the lab, but we dont have the Draytek box. Will it be possible to share the device for debug ?

I have a number of site to site VPNs with Draytek 2862's that have been rock solid.

if you can post your Draytek settings, I'll compare them to mine.

Hi Argo - Are you still facing the problem ? If yes, as I have mentioned before, we dont have the Draytek device, would you mind sharing the setup to go through the config ?

Hi Argo - Are you still facing the problem ? If yes, as I have mentioned before, we dont have the Draytek device, would you mind sharing the setup to go through the config ?

Hi All, here is the config which is set. The UTM is not problem at all but the XG just will not stay pinned up.

here is the Draytek 2862 config, I have tried both IKEv1 and IKEv2 both have the same problem.

also the IKE phase 2 key lifetime is set at 28800 as support asked me to change it

Here is the XG v18 MR3 policy

support are looking at it, but there is not much in the way of a fix only one comment, and trying to wait for them to get back is becoming tedious.

any help appreciated.

Hi Argo

Most of your settings are the same as mine, with the exception of some of the timeout values.

The main difference I can see is in your IPSec policy - Dead Peer Detection. If I understand correctly, with no traffic, this will cause your VPN to disconnect. Maybe try disabling and see if that resolves your problem.

BTW, I feel your pain with Sophos Support - I can't get Radius authentication to work across my VPNs since replacing a Sonicwall with an XG. Response from support has been appalling!

I will try this, although would the disconnect happen after 8 hours or the time on the DPD?

Hello Argo,

the lifetime of Phase I and Phase II keys cannot be the same. The key life for Phase I is recommended to be at least twice as long as for Phase II.
Personally, I use a lifetime 7800 seconds for Phase I and 3600 seconds for Phase II. It is important that the lifetime for Phase II is not an integer multiple of the lifetime for Phase I. In this case, the multiple is 2.166666666666667.

Try these times and I think the IPsec tunnel will be stable and functional.

The setting for Dead Peer Detection has no effect on the stability of the IPsec tunnel in this case.

Regards

alda

well it is still yo-yoing even after changing the DPD setting, I have now changed the key lifetimes to your settings (although this is the first time as they always just work).

at the moment I am willing to try anything as support communication is going downhill

I will keep you updated

Hi All, I am using this account as my other account (Argo) Sophos is unable to fix at the moment.

I still have the issue with the S2S VPN and still nothing from Support.

Do you have any further ideas?