Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Subscribers 37 subscribers
  • Views 548 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

One IPSec SA in a site to site between XG310s and an ASA Context gets hung requiring reset of tunnel

Jessica Law

I have a pair of XG 310s in Active/Standby at customer prem working fine.  From there I have a site to site VPN tunnel to my Data Center in a nearby town terminating on a Cisco ASA Firewall context.  The two Local customer subnets are the one for local traffic at the customer's site (192.168.0.0/16) and a subnet carved out for the Remote Access VPN users still working from home for Covid, a /24 carved out of the 10.0.0.0/8 space.   This tunnel comes up fine and both IPSec SAs come up and traffic passes no problem.  However, eventually the SA between the RA users (the 10.x.x.x/24) and the DC subnets (also in a 10.x.x.x/24 net but not overlapping) gets hung.  A bounce of the tunnel brings it back up.

Any suggestions on what could be causing this or how to fix it?

Thanks,



This thread was automatically locked due to age.
  • FormerMember
    0 FormerMember

    Hi ,

    Thanks for reaching out, and welcome to the Community! 

    Would it be possible for you to share the screenshot of the IPsec connection and policy details? 

    We also need to review the strongswan logs in debugging when an issue occurs next time.

    Steps to put the strongswan service in debug:

    • SSH into the XG firewall by following this KBA: Sophos XG Firewall: How to SSH to the firewall using PuTTY utility
      • To connect using SSH, you may use any SSH client to connect to port 22 of the SFOS device.
      • Select option 5 Device Management.
      • Select option 3 Advanced Shell.
    • To put the strongswan service in debug, type the following command: service strongswan:debug -ds nosync
      • Output
        • SFVUNL_AZ01_SFOS 18.0.3 MR-3# service strongswan:debug -ds nosync
          200 OK
    • Run the following command to check the status of the service: service -S | grep strongswan
      • Output
        • SFVUNL_AZ01_SFOS 18.0.3 MR-3# service -S | grep strongswan
          strongswan RUNNING,DEBUG
    • Note: Run the same command to remove the service from the debug.

    You could send me the logs/screenshot via personal message. 

    Thanks,

Unfiltered HTML