
XG Firewall v18 MR-3: Feedback and experiences

Hi all,

Shall we start this new thread with the looks and feels of XG v18 MR-3?

community.sophos.com/.../xg-firewall-v18-mr3

  • Had the problem at two sites (out of four total) with MR1-396. Seems to have stopped with MR-3 at one site but the other still has multiple drops a day lasting 2-3 minutes. Opened a support case but 24 hours in still no response.

  • Do you use STAS? Sounds like the log-off detection (STAS Quarantine) is hitting in your case.

    https://support.sophos.com/support/s/article/KB-000035623?language=en_US

    If you use STAS, select:


    If this does not match your issue, please open another thread to keep the visibility here.

  • Thanks. I clearly don't learn, because you resolved exactly the same problem for me at our own site about a year ago. Now made big notes on our STAS documentation. I find it difficult to understand why the default is 'yes'. It is more secure, but who on earth would want to have their internet traffic stopped for a couple of minutes every few hours? Had only one drop in nearly a week. That was after an IPS definition update, so I suspect a different issue and am monitoring to see if that is a recurring problem. Will follow up in a new post if it is.

  • I have a number of site to site VPNs with Draytek 2862's that have been rock solid.

    If you can post your Draytek settings, I'll compare them to mine.

  • Hi Argo - Are you still facing the problem? If yes, as I have mentioned before, we don't have the Draytek device; would you mind sharing the setup so we can go through the config?

  • Hi All, here is the config which is set. The UTM is not a problem at all, but the XG just will not stay pinned up.

    Here is the Draytek 2862 config. I have tried both IKEv1 and IKEv2; both have the same problem.

    Also, the IKE phase 2 key lifetime is set at 28800, as support asked me to change it.

    Here is the XG v18 MR3 policy.

    Support are looking at it, but there is not much in the way of a fix, only one comment, and trying to wait for them to get back is becoming tedious.

    Any help appreciated.

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • Random reboots on 3 devices with IPSec tunnels, mostly after

    2020-10-29 14:02:46 09[KNL] creating rekey job for CHILD_SA ESP/0xcc15ee12/XX.XX.XX.XX

    and a lot of errors:

    user.err kernel: [ 3949.228631] packet dropped in ipsec0 device
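The post above ties the drops to the rekey job line. Below is an added log-correlation example (not from the thread or from Sophos) that counts "packet dropped in ipsec0 device" kernel errors landing within a window after each CHILD_SA rekey. The log lines are constructed to match the two shapes quoted above; it assumes both charon and kernel messages carry a syslog-style "YYYY-MM-DD HH:MM:SS" prefix, as they do when collected centrally.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log, modelled on the two line shapes quoted in the thread.
# Assumption: every line carries a "YYYY-MM-DD HH:MM:SS" syslog prefix.
# The peer address and second SPI are placeholders.
SAMPLE_LOG = """\
2020-10-29 14:02:46 09[KNL] creating rekey job for CHILD_SA ESP/0xcc15ee12/198.51.100.10
2020-10-29 14:02:47 user.err kernel: [ 3949.228631] packet dropped in ipsec0 device
2020-10-29 14:02:47 user.err kernel: [ 3949.229002] packet dropped in ipsec0 device
2020-10-29 14:02:49 user.err kernel: [ 3951.100000] packet dropped in ipsec0 device
2020-10-29 14:10:00 user.err kernel: [ 4382.000000] packet dropped in ipsec0 device
2020-10-29 15:02:46 11[KNL] creating rekey job for CHILD_SA ESP/0xa1b2c3d4/198.51.100.10
2020-10-29 15:02:50 user.err kernel: [ 7553.000000] packet dropped in ipsec0 device
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
REKEY_RE = re.compile(r"creating rekey job for CHILD_SA ESP/(0x[0-9a-fA-F]+)/(\S+)")
DROP_MSG = "packet dropped in ipsec0 device"


def parse(line):
    """Split a log line into (datetime, message); None for lines without a prefix."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)


def correlate_rekey_drops(log_text, window_seconds=60):
    """Return (rekeys, stray): one dict per rekey with the number of ipsec0 drop
    errors seen within window_seconds after it, plus the count of drops that
    fall outside every window (those point at a cause other than rekeying)."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    rekeys = []
    for ts, msg in events:
        m = REKEY_RE.search(msg)
        if m:
            rekeys.append({"time": ts, "spi": m.group(1), "peer": m.group(2), "drops": 0})
    window = timedelta(seconds=window_seconds)
    stray = 0
    for ts, msg in events:
        if DROP_MSG not in msg:
            continue
        hit = next((r for r in rekeys if r["time"] <= ts <= r["time"] + window), None)
        if hit:
            hit["drops"] += 1
        else:
            stray += 1
    return rekeys, stray
```

A high drop count attached to a rekey, with few stray drops, supports the rekey hypothesis; many stray drops suggest looking elsewhere (DPD, peer lifetimes, the appliance itself).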

  • Are we talking about route-based VPN or policy-based tunnels? Do you have a standalone or HA appliance? Which size?

    / could we look into this?

  • IPsec site to site VPN, Route based, on standalone Virtual Appliances (4vCPU 6G RAM).
    Today I disabled reboot on crash, to see the kernel dump.

  • Hi Argo

    Most of your settings are the same as mine, with the exception of some of the timeout values.

    The main difference I can see is in your IPSec policy - Dead Peer Detection. If I understand correctly, with no traffic this will cause your VPN to disconnect. Maybe try disabling it and see if that resolves your problem.

    BTW, I feel your pain with Sophos Support - I can't get RADIUS authentication to work across my VPNs since replacing a SonicWall with an XG. Response from support has been appalling!