One IPSec SA in a site to site between XG310s and an ASA Context gets hung requiring reset of tunnel

I have a pair of XG 310s in Active/Standby at customer prem working fine.  From there I have a site to site VPN tunnel to my Data Center in a nearby town terminating on a Cisco ASA Firewall context.  The two Local customer subnets are the one for local traffic at the customer's site (192.168.0.0/16) and a subnet carved out for the Remote Access VPN users still working from home for Covid, a /24 carved out of the 10.0.0.0/8 space.   This tunnel comes up fine and both IPSec SAs come up and traffic passes no problem.  However, eventually the SA between the RA users (the 10.x.x.x/24) and the DC subnets (also in a 10.x.x.x/24 net but not overlapping) gets hung.  A bounce of the tunnel brings it back up.

Any suggestions on what could be causing this or how to fix it?

Thanks,



Edited TAGs
[edited by: emmosophos at 8:46 PM (GMT -7) on 14 Apr 2021]
  • Hi,

    Thanks for reaching out, and welcome to the Community! 

    Would it be possible for you to share the screenshot of the IPsec connection and policy details? 

    We also need to review the strongswan logs in debugging when an issue occurs next time.

    Steps to put the strongswan service in debug:

    • SSH into the XG firewall by following this KBA: Sophos XG Firewall: How to SSH to the firewall using PuTTY utility
      • To connect using SSH, you may use any SSH client to connect to port 22 of the SFOS device.
      • Select option 5 Device Management.
      • Select option 3 Advanced Shell.
    • To put the strongswan service in debug, type the following command: service strongswan:debug -ds nosync
      • Output
        • SFVUNL_AZ01_SFOS 18.0.3 MR-3# service strongswan:debug -ds nosync
          200 OK
    • Run the following command to check the status of the service: service -S | grep strongswan
      • Output
        • SFVUNL_AZ01_SFOS 18.0.3 MR-3# service -S | grep strongswan
          strongswan RUNNING,DEBUG
    • Note: Run the same command to remove the service from the debug.

    You could send me the logs/screenshot via personal message. 

    Thanks,

    Harsh Patel (H_Patel)

    Community Support Engineer | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' button.
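    Once strongswan debug logs from the XG are in hand, the practical question is which of the two CHILD_SAs has dropped out and stayed down. The following is an added example, not code from the post or from Sophos: a small Python replay over constructed charon log lines in strongswan's "CHILD_SA ... established with SPIs ... and TS" and "closing CHILD_SA ..." format; the connection name dc_tunnel, the SPIs, the public addresses and the 10.200.1.0/24 (remote-access) and 10.50.0.0/24 (data center) subnets are assumed sample values.

```python
import re
from typing import Dict, List

# Constructed sample charon log lines (not from the original post): both CHILD_SAs
# come up, the LAN one rekeys cleanly, the remote-access one is closed and never
# re-established, which is the "hung SA" symptom described in the thread.
SAMPLE_LOG = """\
Apr 14 20:10:01 XG charon: 09[IKE] IKE_SA dc_tunnel[1] established between 203.0.113.10[203.0.113.10]...198.51.100.5[198.51.100.5]
Apr 14 20:10:01 XG charon: 09[IKE] CHILD_SA dc_tunnel{1} established with SPIs c0a8aa01_i 0a3200aa_o and TS 192.168.0.0/16 === 10.50.0.0/24
Apr 14 20:10:02 XG charon: 11[IKE] CHILD_SA dc_tunnel{2} established with SPIs c0a8aa02_i 0a3200ab_o and TS 10.200.1.0/24 === 10.50.0.0/24
Apr 14 21:05:17 XG charon: 14[IKE] CHILD_SA dc_tunnel{1} established with SPIs c0a8aa03_i 0a3200ac_o and TS 192.168.0.0/16 === 10.50.0.0/24
Apr 14 21:05:17 XG charon: 14[IKE] closing CHILD_SA dc_tunnel{1} with SPIs c0a8aa01_i (0 bytes) 0a3200aa_o (0 bytes) and TS 192.168.0.0/16 === 10.50.0.0/24
Apr 14 21:05:20 XG charon: 15[IKE] closing CHILD_SA dc_tunnel{2} with SPIs c0a8aa02_i (0 bytes) 0a3200ab_o (0 bytes) and TS 10.200.1.0/24 === 10.50.0.0/24
"""

# strongswan's CHILD_SA lifecycle lines; the inbound SPI identifies one SA instance.
ESTABLISHED = re.compile(
    r"CHILD_SA (?P<conn>\S+)\{(?P<id>\d+)\} established with SPIs "
    r"(?P<spi_i>[0-9a-f]+)_i (?P<spi_o>[0-9a-f]+)_o and TS (?P<ts>.+)$")
CLOSING = re.compile(
    r"closing CHILD_SA (?P<conn>\S+)\{(?P<id>\d+)\} with SPIs "
    r"(?P<spi_i>[0-9a-f]+)_i .* and TS (?P<ts>.+)$")


def live_child_sas(log: str) -> Dict[str, List[str]]:
    """Replay establish/close events; return inbound SPIs still live, keyed by traffic selector."""
    live: Dict[str, List[str]] = {}
    for line in log.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            live.setdefault(m["ts"].strip(), []).append(m["spi_i"])
            continue
        m = CLOSING.search(line)
        if m:
            spis = live.setdefault(m["ts"].strip(), [])
            if m["spi_i"] in spis:
                spis.remove(m["spi_i"])
    return live


def hung_selectors(log: str) -> List[str]:
    """Traffic selectors that were negotiated but have no live CHILD_SA at the end of the log."""
    return sorted(ts for ts, spis in live_child_sas(log).items() if not spis)


if __name__ == "__main__":
    for ts in hung_selectors(SAMPLE_LOG):
        print("no live CHILD_SA for", ts)
```

A selector that keeps appearing in this list after a rekey window is the one to compare against the ASA's crypto map entry for the same proxy-ID pair.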