VPN disconnections

Hi,

We have XG 18.0.4 MR-4.

We are migrating from UTM, where the L2TP VPNs worked perfectly.

We have added all users (local authentication) to the XG.  Users now connect to the XG from home, we have made no change at the Windows end.

Our VPN users are being disconnected randomly, but regularly.

I want to try and work out if it is the client (Windows 10) that is asking for the disconnection, or the XG.

I have looked through access_server.log and charon.log, but there's a lot of data and I'm not sure what I'm looking for.

Is there an easy way to determine which end is causing the disconnection?

Thanks

Adrian



  • Hello Adrian,

    Thank you for contacting the Sophos Community.

    Is this only affecting L2TP users or users of SSL VPN or Sophos Connect, if you have any?

    In charon.log you could search for the word "DELETE" and then search in the log for that time frame:

    # grep -i "delete" charon.log

    Once you have the time, open the full log without the grep and, using Page Up or Page Down, look at what happened around the time the user got disconnected:

    # less charon.log

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
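    The grep above lists every DELETE but not which end sent it or whether it actually ended the tunnel. As an added example (my own, not code from the thread or from Sophos), the script below parses charon.log-style lines and splits DELETEs two ways: "received DELETE" means the peer initiated it, "sending DELETE" means the gateway did; a DELETE for the IKE_SA tears the tunnel down, whereas a DELETE for a CHILD_SA on its own is normally just a rekey and leaves the tunnel up. It also joins the "deleting IKE_SA ... between" line to recover the peer address for each teardown. The log lines, addresses and SPIs are constructed in the strongSwan format quoted in this thread; they are not real XG output.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the charon.log style quoted in the thread (strongSwan IKEv1
# messages, documentation addresses, made-up SPIs); not real XG output.
SAMPLE_LOG = """\
2021-03-08 14:12:03 11[IKE] <l2tp|41> received DELETE for ESP CHILD_SA with SPI c5d1a02e
2021-03-08 14:12:03 11[IKE] <l2tp|41> sending DELETE for ESP CHILD_SA with SPI 0af31b77
2021-03-08 14:14:40 07[IKE] <l2tp|41> received DELETE for ESP CHILD_SA with SPI 19e02cc4
2021-03-08 14:18:58 03[NET] ignoring IKE_SA setup from 203.0.113.17, peer too aggressive
2021-03-08 14:19:02 05[IKE] <l2tp|41> received DELETE for IKE_SA l2tp[41]
2021-03-08 14:19:02 05[IKE] <l2tp|41> deleting IKE_SA l2tp[41] between 198.51.100.5[gw]...203.0.113.17[user1]
2021-03-08 14:25:10 09[IKE] <l2tp|58> sending DELETE for IKE_SA l2tp[58]
2021-03-08 14:25:10 09[IKE] <l2tp|58> deleting IKE_SA l2tp[58] between 198.51.100.5[gw]...203.0.113.44[user2]
"""

# "<timestamp> <thread>[<subsystem>] [<conn|id>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\d+\[(?P<subsys>[A-Z]+)\] "
    r"(?:<(?P<conn>[^|>]+)\|(?P<id>\d+)> )?"
    r"(?P<msg>.*)$"
)
DELETE_RE = re.compile(
    r"^(?P<dir>received|sending) DELETE for (?:ESP |AH )?(?P<sa>IKE_SA|CHILD_SA)"
)
# "deleting IKE_SA l2tp[41] between <local>[id]...<peer>[id]" carries the remote address
BETWEEN_RE = re.compile(
    r"^deleting IKE_SA \S+\[(?P<id>\d+)\] between \S+\.\.\.(?P<peer>[0-9a-fA-F.:]+)\["
)


@dataclass(frozen=True)
class DeleteEvent:
    ts: str
    sa_id: str            # strongSwan's IKE_SA instance number, e.g. the 41 in l2tp[41]
    sa_type: str          # "IKE_SA" (tunnel torn down) or "CHILD_SA" (usually a rekey)
    initiator: str        # "peer" for received DELETE, "gateway" for sending DELETE
    peer: Optional[str]   # remote address, when a matching "deleting IKE_SA" line exists


def parse_deletes(text: str):
    """Return one DeleteEvent per received/sending DELETE line, peer address attached."""
    deletes, peers = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        b = BETWEEN_RE.match(m["msg"])
        if b:
            peers[b["id"]] = b["peer"]
            continue
        d = DELETE_RE.match(m["msg"])
        if d:
            who = "peer" if d["dir"] == "received" else "gateway"
            deletes.append((m["ts"], m["id"] or "?", d["sa"], who))
    # second pass so the address is found whether the "between" line came before or after
    return [DeleteEvent(ts, sa_id, sa, who, peers.get(sa_id)) for ts, sa_id, sa, who in deletes]


def tunnel_drops(events):
    """Only IKE_SA deletes end the tunnel; CHILD_SA deletes by themselves are rekeys."""
    return [e for e in events if e.sa_type == "IKE_SA"]


def summary(events):
    """Counts keyed by (sa_type, initiator): which end tears down what, at a glance."""
    return Counter((e.sa_type, e.initiator) for e in events)


if __name__ == "__main__":
    events = parse_deletes(SAMPLE_LOG)
    for (sa, who), n in sorted(summary(events).items()):
        print(f"{sa:9} {who:8} {n}")
    for e in tunnel_drops(events):
        print(f"{e.ts} l2tp[{e.sa_id}] torn down by {e.initiator}, peer {e.peer}")
```

    On the appliance you would feed it `grep -i -e delete -e "deleting IKE_SA" charon.log` rather than the embedded sample. One caveat for L2TP: a PPP session can fall over and be re-dialled without the IPsec layer ever sending a DELETE, so an empty IKE_SA teardown list does not prove the gateway kept the user connected; it only shows that IKE was not the layer that said goodbye.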
  • Hi Emmo,

    Thanks for that.  I have spent some time analysing the logs, and cannot see anything that looks very troublesome.  There are lots of DELETES coming from the client, but these are the Child SAs rekeying (sometimes every 2-3 minutes).  The VPN seems to keep working and the parent IKE SA stays up.

    So, I'm wondering if there are reconnects at the L2TP level - PPP for example.  Can you suggest any logs that I could look at for L2TP or PPP?

    Thanks

    Adrian

  • Hello Adrian,

    Thank you for the follow-up.

    Try putting the access_server in debug mode 

    service access_server:debug -ds nosync

    service strongswan:debug -ds nosync

    Additionally, you could search in the logs by using the source Public IP.

    Also as BeEf mentioned, do you have any type of 2FA?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi Emmanuel,

    Thanks - will have a look.

    Regards

    Adrian

  • Hi,

    I have caught the XG in the act of disconnecting VPNs.

    In charon.log, I get thousands of messages like this:

    2021-03-08 14:18:58 03[NET] ignoring IKE_SA setup from WWW.XXX.YYY.ZZZ, peer too aggressive

    They come in groups of several hundred with the same IP WWW.XXX.YYY.ZZZ.  Then, the IP changes and I get hundreds with the next IP. 

    These are L2TP over IPSec dial-up VPNs from Windows clients.

    Any help would be appreciated.

    Thanks

    Adrian

  • For me this looks like something is trying to hack your IPsec connection... However, someone from Sophos might be able to clarify what this means exactly.

    If your logging is activated you will probably also see entries from WWW.XXX.YYY.ZZZ to your WAN interface (most probably on port 500 or 4500).

  • Hello there,

    Thank you for the follow-up.

    Can you change the Windows machine to use Main Mode, or change your L2TP policy to IKEv1?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi Emmo,

    The Windows dial-up VPNs are already main mode and IKEv1.

    I've looked through the IPs that are doing this, and eventually they do reconnect and are legitimate users.

    I'm wondering if "something happens in the XG", and then all L2TP VPNs get disconnected (we usually have 50-70 VPNs connected).  Then, they all try to reconnect at the same time, causing the XG to be overloaded.  Possibly, they all disconnect without the XG knowing at the IPSEC level, so as they try and reconnect, there are a load of half-working SAs, adding to the confusion.

    I'm not sure what to do.  I like L2TP because it is easy to deploy (it is built-in to Windows, and can be configured with a login script).  PPTP is also easy, but we would fail our PCI scan because it is less secure.  Perhaps IKEv2 might be better (also built-in to Windows).

    Other options, as far as I can make out, are IPSEC (I think this is OpenVPN, needs a client installation) and SSL (I know nothing about the XG implementation).  If anyone has had success with the XG, I would be interested to hear from them.

    Thanks

    Adrian
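    The two readings of the "peer too aggressive" bursts in this thread (someone hammering the gateway, or the reconnect storm Adrian describes) leave different fingerprints in that one message. In upstream strongSwan the line is emitted by the IKE_SA manager when a single source address has too many half-open IKE_SAs while the cookie mechanism is active (the charon.block_threshold and charon.cookie_threshold settings in strongswan.conf); whether XG exposes those is not stated in the thread, so treat that as background rather than a confirmed knob. A single hostile or broken client trips it from one address, steadily, for a long time; fifty or sixty Windows clients all re-dialling after a shared drop trip it from many addresses inside the same minute, each for only a few seconds. As an added example (my own, not from the thread or Sophos), the script below buckets the rejections per minute, counts distinct addresses per bucket, and measures how long each address kept getting rejected. All log lines are constructed from documentation addresses; the 60-second window and the three-peer threshold are my assumptions and should be tuned to the real volume.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

AGGRESSIVE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \d+\[NET\] "
    r"ignoring IKE_SA setup from (?P<ip>[0-9a-fA-F.:]+), peer too aggressive$"
)


def _burst(start: str, ip: str, n: int, step_s: int = 1):
    """Constructed log lines: n 'peer too aggressive' entries for one address, step_s apart."""
    t0 = datetime.fromisoformat(start)
    return [f"{t0 + timedelta(seconds=i * step_s):%Y-%m-%d %H:%M:%S} 03[NET] "
            f"ignoring IKE_SA setup from {ip}, peer too aggressive" for i in range(n)]


# Constructed sample (documentation addresses): three clients rejected within the
# same minute (storm after a shared drop), then one address rejected slowly on its
# own for twenty minutes (single peer, e.g. a scanner or a stuck client).
SAMPLE_LOG = "\n".join(
    _burst("2021-03-08 14:18:58", "203.0.113.17", 40)
    + _burst("2021-03-08 14:19:05", "203.0.113.44", 40)
    + _burst("2021-03-08 14:19:09", "198.51.100.23", 40)
    + _burst("2021-03-08 16:40:00", "192.0.2.99", 40, step_s=30)
)


def parse_aggressive(text: str):
    """(timestamp, source address) for every 'peer too aggressive' line."""
    events = []
    for line in text.splitlines():
        m = AGGRESSIVE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"]))
    return events


def bucket_by_window(events, window_s: int = 60):
    """Map each window start (epoch seconds, floored) to a Counter of rejected addresses."""
    buckets = defaultdict(Counter)
    for t, ip in events:
        buckets[int(t.timestamp()) // window_s * window_s][ip] += 1
    return buckets


def classify_windows(buckets, min_peers: int = 3):
    """Per window: (start, distinct peers, rejections, verdict).

    Many distinct addresses rejected in one window looks like a mass reconnect after a
    shared drop; one address over and over is a single misbehaving or hostile peer.
    """
    rows = []
    for start in sorted(buckets):
        c = buckets[start]
        kind = "reconnect-storm" if len(c) >= min_peers else "single-peer"
        rows.append((datetime.fromtimestamp(start).strftime("%Y-%m-%d %H:%M:%S"),
                     len(c), sum(c.values()), kind))
    return rows


def peer_activity(events):
    """Per address: (first seen, last seen, span in seconds, rejections)."""
    first, last, count = {}, {}, Counter()
    for t, ip in events:
        first[ip] = min(first.get(ip, t), t)
        last[ip] = max(last.get(ip, t), t)
        count[ip] += 1
    return {ip: (first[ip], last[ip], (last[ip] - first[ip]).total_seconds(), count[ip])
            for ip in count}


if __name__ == "__main__":
    evs = parse_aggressive(SAMPLE_LOG)
    for start, peers, n, kind in classify_windows(bucket_by_window(evs)):
        print(f"{start}  peers={peers:3} rejections={n:4}  {kind}")
    for ip, (_, _, span, n) in peer_activity(evs).items():
        print(f"{ip:15} {n:4} rejections over {span:.0f}s")
```

    A storm window is worth lining up against whatever else charon.log and access_server.log recorded a few seconds before it; the interesting event is the one that made every client re-dial at once, not the rejections themselves. A lone address that stays in the single-peer bucket for hours and never completes a tunnel is the case where the firewall-log check for port 500/4500 traffic suggested above earns its keep.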

  • PPTP should not be used nowadays. Too insecure.

    OpenVPN is an implementation of SSL-VPN. AFAIK the IPsec implementation of Sophos is Sophos Connect (at least part of it).

    We have implemented SSL-VPN with 2FA successfully. However, the connection times out after the key renewal time.
