We have XG 18.0.4 MR-4.
We are migrating from UTM, where the L2TP VPNs worked perfectly.
We have added all users (local authentication) to the XG. Users now connect to the XG from home; we have made no change at the Windows end.
Our VPN users are being disconnected randomly, but regularly.
I want to try and work out if it is the client (Windows 10) that is asking for the disconnection, or the XG.
I have looked through access_server.log and charon.log, but there's a lot of data and I'm not sure what I'm looking for.
Is there an easy way to determine which end is causing the disconnection?
Thanks for your comment, we are going to try the OVPN-style SSL VPN.
I'll mark this as closed and verify your answer.
Thank you for contacting the Sophos Community.
Is this only affecting L2TP users or users of SSL VPN or Sophos Connect, if you have any?
In the charon.log you could search for the word "DELETE" and then search in the log for that time frame
# grep -i "delete" charon.log
Once you get the time, run the same command without the grep and, using Page Up or Page Down, search what happened around the time the user got disconnected
# less charon.log
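As an added example (not part of this thread or of Sophos' tooling), the following Python script does the same search programmatically: it pulls the DELETE events out of charon.log, shows the lines around each one, and, because strongSwan logs a DELETE it got from the peer as "received DELETE for ..." and one it originates as "sending DELETE for ...", it also records which end tore the SA down and whether it was a CHILD_SA (typically a rekey) or the parent IKE_SA (a real disconnect). The log lines below are constructed for illustration, and the function names and the ±60 s context window are my assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed layout of an XG charon.log line: "<date> <time> <thread>[<group>] <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
# "received DELETE" = the remote peer asked to tear the SA down;
# "sending DELETE"  = this gateway initiated the teardown.
DELETE_RE = re.compile(
    r"\b(?P<dir>received|sending) DELETE for (?:ESP |AH )?(?P<sa>CHILD_SA|IKE_SA)\b"
)

# Constructed sample log (illustrative, not copied from a real appliance).
SAMPLE_LOG = """\
2021-03-08 14:10:01 05[IKE] <l2tp|3> CHILD_SA l2tp{7} established with SPIs c1a2b3d4_i e5f6a7b8_o
2021-03-08 14:12:30 07[IKE] <l2tp|3> received DELETE for ESP CHILD_SA with SPI e5f6a7b8
2021-03-08 14:12:30 07[IKE] <l2tp|3> CHILD_SA closed
2021-03-08 14:12:31 07[IKE] <l2tp|3> CHILD_SA l2tp{8} established with SPIs d9e0f1a2_i b3c4d5e6_o
2021-03-08 14:18:58 03[IKE] <l2tp|3> sending DELETE for IKE_SA l2tp[3]
2021-03-08 14:18:58 03[IKE] <l2tp|3> IKE_SA deleted
2021-03-08 14:19:40 04[IKE] <l2tp|4> IKE_SA l2tp[4] established between 10.0.0.1[10.0.0.1]...203.0.113.7[203.0.113.7]
"""


def parse_log(text):
    """Turn raw charon.log text into a list of {ts, group, msg} entries."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip continuation or unparseable lines
        entries.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "group": m.group("group"),
            "msg": m.group("msg"),
        })
    return entries


def find_deletes(entries):
    """Every DELETE event with its direction (received/sending) and SA type."""
    found = []
    for e in entries:
        m = DELETE_RE.search(e["msg"])
        if m:
            found.append({"ts": e["ts"], "direction": m.group("dir"),
                          "sa": m.group("sa"), "msg": e["msg"]})
    return found


def context_window(entries, center, seconds=60):
    """Entries within +/- `seconds` of a timestamp (the manual 'less' scroll-around)."""
    delta = timedelta(seconds=seconds)
    return [e for e in entries if abs(e["ts"] - center) <= delta]


def tally(deletes):
    """Count DELETEs per (direction, SA type)."""
    counts = {}
    for d in deletes:
        key = (d["direction"], d["sa"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def who_tore_down(deletes):
    """'peer', 'gateway', 'both' or 'none', looking only at IKE_SA deletes."""
    dirs = {d["direction"] for d in deletes if d["sa"] == "IKE_SA"}
    if dirs == {"received"}:
        return "peer"
    if dirs == {"sending"}:
        return "gateway"
    return "both" if dirs else "none"


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    deletes = find_deletes(entries)
    for d in deletes:
        print(f"{d['ts']} {d['direction']:8} {d['sa']}")
        for e in context_window(entries, d["ts"]):
            print("    ", e["ts"], e["msg"])
    print("tally:", tally(deletes))
    print("IKE_SA teardown initiated by:", who_tore_down(deletes))
```

Run it against a copied charon.log by replacing SAMPLE_LOG with the file contents. CHILD_SA deletes that are immediately followed by a new CHILD_SA being established are rekeys and are expected; the ones worth chasing are IKE_SA deletes, and the direction field tells you whether the client or the XG asked for them.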
Hi Emmo, thanks will try that now.
We have only L2TP users, so it only happens to them.
Thanks for that. I have spent some time analysing the logs, and cannot see anything that looks very troublesome. There are lots of DELETES coming from the client, but these are the Child SAs rekeying (sometimes every 2-3 minutes). The VPN seems to keep working and the parent IKE SA stays up.
So, I'm wondering if there are reconnects at the L2TP level - PPP for example. Can you suggest any logs that I could look at for L2TP or PPP?
Hi Adrian, you are using L2TP + IPSec right? Are you also using 2FA? We have seen this on SSL-VPN connections after the key renewal time (in our case exactly 12 hours) which seems not to work (I assume because of reauthentication). Not sure whether this might be the case for L2TP as well.
Best regards,
BeEF
Thank you for the follow-up.
Try putting the access_server in debug mode
service access_server:debug -ds nosync
service strongswan:debug -ds nosync
Additionally, you could search in the logs by using the source Public IP.
Also as BeEf mentioned, do you have any type of 2FA?
Thanks for responding. Yes, this is L2TP+IPsec but no, not with 2FA. But your comments have been noted.
Thanks - will have a look.
I have caught the XG in the act of disconnecting VPNs.
In charon.log, I get thousands of messages like this:
2021-03-08 14:18:58 03[NET] ignoring IKE_SA setup from WWW.XXX.YYY.ZZZ, peer too aggressive
They come in groups of several hundred with the same IP WWW.XXX.YYY.ZZZ. Then, the IP changes and I get hundreds with the next IP.
These are L2TP over IPSec dial-up VPNs from Windows clients.
Any help would be appreciated.
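As an added example (not from this thread or from Sophos), here is a Python script that summarises those "peer too aggressive" lines the way a defender would want to read them: how many per source IP, over what time span, whether the bursts follow one another rather than overlap (as the post describes), and whether each address belongs to a known VPN user. strongSwan emits this message when one address accumulates more half-open IKE_SAs than its block threshold allows, so seeing it from your own users' home addresses points to clients stuck in a reconnect loop, whereas unknown addresses are the case worth treating as hostile. The log lines, the KNOWN_CLIENTS set and the function names are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed layout of an XG charon.log line: "<date> <time> <thread>[<group>] <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
AGGRESSIVE_RE = re.compile(
    r"ignoring IKE_SA setup from (?P<ip>[0-9a-fA-F.:]+), peer too aggressive"
)

# Constructed sample log (documentation-range addresses, not real peers).
SAMPLE_LOG = """\
2021-03-08 14:18:55 03[NET] ignoring IKE_SA setup from 203.0.113.7, peer too aggressive
2021-03-08 14:18:55 03[NET] ignoring IKE_SA setup from 203.0.113.7, peer too aggressive
2021-03-08 14:18:56 03[NET] ignoring IKE_SA setup from 203.0.113.7, peer too aggressive
2021-03-08 14:18:57 03[NET] ignoring IKE_SA setup from 203.0.113.7, peer too aggressive
2021-03-08 14:18:58 03[NET] ignoring IKE_SA setup from 203.0.113.7, peer too aggressive
2021-03-08 14:19:02 11[IKE] <l2tp|5> IKE_SA l2tp[5] established between 10.0.0.1[10.0.0.1]...203.0.113.7[203.0.113.7]
2021-03-08 14:25:10 03[NET] ignoring IKE_SA setup from 198.51.100.23, peer too aggressive
2021-03-08 14:25:10 03[NET] ignoring IKE_SA setup from 198.51.100.23, peer too aggressive
2021-03-08 14:25:11 03[NET] ignoring IKE_SA setup from 198.51.100.23, peer too aggressive
2021-03-08 14:40:00 03[NET] ignoring IKE_SA setup from 192.0.2.9, peer too aggressive
"""

# Constructed: public addresses your L2TP users are expected to connect from.
KNOWN_CLIENTS = {"203.0.113.7", "198.51.100.23"}


def parse_log(text):
    """Return (timestamp, message) pairs for each parseable log line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                            m.group("msg")))
    return entries


def summarize_aggressive(entries, known_clients):
    """One row per source IP: count, first/last sighting, span, known-client flag."""
    per_ip = defaultdict(list)
    for ts, msg in entries:
        m = AGGRESSIVE_RE.search(msg)
        if m:
            per_ip[m.group("ip")].append(ts)
    rows = []
    for ip, times in per_ip.items():
        first, last = min(times), max(times)
        rows.append({
            "ip": ip,
            "count": len(times),
            "first": first,
            "last": last,
            "span_s": (last - first).total_seconds(),
            "known_client": ip in known_clients,
        })
    rows.sort(key=lambda r: r["first"])  # chronological, so bursts read in order
    return rows


def sequential(rows):
    """True when the per-IP bursts never overlap in time (one IP, then the next)."""
    for a, b in zip(rows, rows[1:]):
        if b["first"] <= a["last"]:
            return False
    return True


def unknown_sources(rows, min_count=1):
    """Addresses that are not known clients and hit the limiter at least min_count times."""
    return [r["ip"] for r in rows if not r["known_client"] and r["count"] >= min_count]


if __name__ == "__main__":
    rows = summarize_aggressive(parse_log(SAMPLE_LOG), KNOWN_CLIENTS)
    for r in rows:
        tag = "known client" if r["known_client"] else "UNKNOWN"
        print(f"{r['ip']:16} {r['count']:4} hits over {r['span_s']:5.0f}s "
              f"{r['first']} .. {r['last']}  [{tag}]")
    print("bursts strictly one after another:", sequential(rows))
    print("unknown sources:", unknown_sources(rows))
```

On a real log, feed the whole charon.log in and compare the "known client" rows against the disconnect times you found earlier; a user's address appearing here right after its IKE_SA was deleted is the reconnect storm that follows a drop, not its cause.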
For me this looks like something is trying to hack your IPSec connection ... However, someone from Sophos might be able to clarify what this means exactly. If your logging is activated you probably also see entries from WWW.XXX.YYY.ZZZ to your WAN interface (most probably on port 500 or 4500).