This discussion has been locked.

AWS IPsec Traffic Stops

Hi,

We have 8 sites connecting to AWS via IPsec VPN. Every now and then, at one of the sites, the traffic flow stops and AWS alerts us to this through CloudWatch. Traffic stops flowing through the VPN but Sophos says it is still connected. Only one site will have the issue; the others are fine. The only way to resolve this is to deactivate and reactivate the VPN in Sophos. We have attempted to resolve this by pinging the Sophos firewall on a regular basis from AWS, but the problem still persists. I thought Dead Peer Detection would detect this, but it doesn't.

Can anyone suggest how to prevent this from happening?

Thanks,

Max

  • FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    Could you please post a snapshot of 'Key negotiation tries' & 'Dead Peer Detection' from both ends, along with their gateway type (initiate the connection / respond only)?

    Are you able to see any child SA termination events in the log viewer at the time of the incident?

    Logviewer > System > Apply filter with Value: IPsec

  • Hi,

    Key negotiation tries are set to 0. DPD below:

    I found the following in the logs at that time:

    SYSTEM | 2021-04-23 16:44:49 | IPSec | Deny | received IKE message with invalid SPI (79BAFE18) from other side | 18050

    Cheers,

    Max

  • Hi Yash,

    Any thoughts? Why is DPD not detecting an issue? AWS knows there is an issue but Sophos does not. How can I resolve this, as it seems to be happening every day at random times at different locations?

    Thanks,
    Max

  • FormerMember, in reply to Max Roberts

    Hi,

    Would it be possible for you to put the strongSwan service into debugging and capture the logs around the issue time frame?

    Is the XG firewall configured to initiate the connection or respond only? What are the re-key margin and key randomize margin configured in the policy used for this configuration?

    Could you please double-check and compare the Phase-1 and Phase-2 values on AWS? 

    Check out the following Recommended Read for steps to collect strongSwan logs in debugging:

    Thanks,

  • Hi,

    We still seem to have this problem on an intermittent basis across all of our sites. When this happens I always see the following in the log. It looks to me like AWS is initiating a rekey at 16:15:59, but the configuration is set to respond only:

    2021-06-16 16:15:17 25[ENC] <XXX_AWS_1-1|159> parsed INFORMATIONAL_V1 request 1005583447 [ HASH N(DPD) ]
    2021-06-16 16:15:17 25[ENC] <XXX_AWS_1-1|159> generating INFORMATIONAL_V1 request 378320285 [ HASH N(DPD_ACK) ]
    2021-06-16 16:15:17 25[NET] <XXX_AWS_1-1|159> sending packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (92 bytes)
    2021-06-16 16:15:27 06[NET] <XXX_AWS_1-1|159> received packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (92 bytes)
    2021-06-16 16:15:27 06[ENC] <XXX_AWS_1-1|159> parsed INFORMATIONAL_V1 request 191640263 [ HASH N(DPD) ]
    2021-06-16 16:15:27 06[ENC] <XXX_AWS_1-1|159> generating INFORMATIONAL_V1 request 159997697 [ HASH N(DPD_ACK) ]
    2021-06-16 16:15:27 06[NET] <XXX_AWS_1-1|159> sending packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (92 bytes)
    2021-06-16 16:15:37 05[NET] <XXX_AWS_1-1|159> received packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (92 bytes)
    2021-06-16 16:15:37 05[ENC] <XXX_AWS_1-1|159> parsed INFORMATIONAL_V1 request 2610168473 [ HASH N(DPD) ]
    2021-06-16 16:15:37 05[ENC] <XXX_AWS_1-1|159> generating INFORMATIONAL_V1 request 1226452239 [ HASH N(DPD_ACK) ]
    2021-06-16 16:15:37 05[NET] <XXX_AWS_1-1|159> sending packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (92 bytes)
    2021-06-16 16:15:47 08[NET] <XXX_AWS_1-1|159> received packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (92 bytes)
    2021-06-16 16:15:47 08[ENC] <XXX_AWS_1-1|159> parsed INFORMATIONAL_V1 request 4223438396 [ HASH N(DPD) ]
    2021-06-16 16:15:47 08[ENC] <XXX_AWS_1-1|159> generating INFORMATIONAL_V1 request 1009574769 [ HASH N(DPD_ACK) ]
    2021-06-16 16:15:47 08[NET] <XXX_AWS_1-1|159> sending packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (92 bytes)
    2021-06-16 16:15:50 25[IKE] <XXX_AWS_1-1|159> initiating Main Mode IKE_SA XXX_AWS_1-1[161] to XXX.XXX.XXX.XX
    2021-06-16 16:15:50 25[ENC] <XXX_AWS_1-1|159> generating ID_PROT request 0 [ SA V V V V V V ]
    2021-06-16 16:15:50 25[NET] <XXX_AWS_1-1|159> sending packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (260 bytes)
    2021-06-16 16:15:50 28[NET] <XXX_AWS_1-1|161> received packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (160 bytes)
    2021-06-16 16:15:50 28[ENC] <XXX_AWS_1-1|161> parsed ID_PROT response 0 [ SA V V V V ]
    2021-06-16 16:15:50 28[IKE] <XXX_AWS_1-1|161> received XAuth vendor ID
    2021-06-16 16:15:50 28[IKE] <XXX_AWS_1-1|161> received DPD vendor ID
    2021-06-16 16:15:50 28[IKE] <XXX_AWS_1-1|161> received FRAGMENTATION vendor ID
    2021-06-16 16:15:50 28[IKE] <XXX_AWS_1-1|161> received NAT-T (RFC 3947) vendor ID
    2021-06-16 16:15:50 28[ENC] <XXX_AWS_1-1|161> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    2021-06-16 16:15:50 28[NET] <XXX_AWS_1-1|161> sending packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (244 bytes)
    2021-06-16 16:15:50 22[NET] <XXX_AWS_1-1|161> received packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (244 bytes)
    2021-06-16 16:15:50 22[ENC] <XXX_AWS_1-1|161> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
    2021-06-16 16:15:50 22[IKE] <XXX_AWS_1-1|161> remote host is behind NAT
    2021-06-16 16:15:50 22[ENC] <XXX_AWS_1-1|161> generating ID_PROT request 0 [ ID HASH ]
    2021-06-16 16:15:50 22[NET] <XXX_AWS_1-1|161> sending packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (76 bytes)
    2021-06-16 16:15:50 29[NET] <XXX_AWS_1-1|161> received packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (76 bytes)
    2021-06-16 16:15:50 29[ENC] <XXX_AWS_1-1|161> parsed ID_PROT response 0 [ ID HASH ]
    2021-06-16 16:15:50 29[IKE] <XXX_AWS_1-1|161> IKE_SA XXX_AWS_1-1[161] established between XXX.XXX.XXX.XX[XXX.XXX.XXX.XX]...XXX.XXX.XXX.XX[XXX.XXX.XXX.XX]
    2021-06-16 16:15:50 29[IKE] <XXX_AWS_1-1|161> scheduling rekeying in 28406s
    2021-06-16 16:15:50 29[IKE] <XXX_AWS_1-1|161> maximum IKE_SA lifetime 28766s
    2021-06-16 16:15:50 27[IKE] <XXX_AWS_1-1|159> detected reauth of existing IKE_SA, adopting 2 children, 0 child tasks, and 0 virtual IPs
    2021-06-16 16:15:50 27[IKE] <XXX_AWS_1-1|161> ike XXX_AWS_1-1[161] adopted 0 children in REKEYING state
    2021-06-16 16:15:57 15[NET] <XXX_AWS_1-1|159> received packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (92 bytes)
    2021-06-16 16:15:57 15[ENC] <XXX_AWS_1-1|159> parsed INFORMATIONAL_V1 request 1343644478 [ HASH N(DPD) ]
    2021-06-16 16:15:57 15[ENC] <XXX_AWS_1-1|159> generating INFORMATIONAL_V1 request 2377080804 [ HASH N(DPD_ACK) ]
    2021-06-16 16:15:57 15[NET] <XXX_AWS_1-1|159> sending packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (92 bytes)
    2021-06-16 16:15:59 07[NET] <162> received packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (180 bytes)
    2021-06-16 16:15:59 07[ENC] <162> parsed ID_PROT request 0 [ SA V V V V V ]
    2021-06-16 16:15:59 07[IKE] <162> received XAuth vendor ID
    2021-06-16 16:15:59 07[IKE] <162> received DPD vendor ID
    2021-06-16 16:15:59 07[IKE] <162> received FRAGMENTATION vendor ID
    2021-06-16 16:15:59 07[IKE] <162> received NAT-T (RFC 3947) vendor ID
    2021-06-16 16:15:59 07[IKE] <162> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    2021-06-16 16:15:59 07[IKE] <162> XXX.XXX.XXX.XX is initiating a Main Mode IKE_SA
    2021-06-16 16:15:59 07[ENC] <162> generating ID_PROT response 0 [ SA V V V V V ]
    2021-06-16 16:15:59 07[NET] <162> sending packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (180 bytes)
    2021-06-16 16:15:59 05[NET] <162> received packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (244 bytes)
    2021-06-16 16:15:59 05[ENC] <162> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    2021-06-16 16:15:59 05[IKE] <162> remote host is behind NAT
    2021-06-16 16:15:59 05[ENC] <162> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    2021-06-16 16:15:59 05[NET] <162> sending packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (244 bytes)
    2021-06-16 16:15:59 24[NET] <162> received packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (76 bytes)
    2021-06-16 16:15:59 24[ENC] <162> parsed ID_PROT request 0 [ ID HASH ]
    2021-06-16 16:15:59 24[CFG] <162> looking for pre-shared key peer configs matching XXX.XXX.XXX.XX...XXX.XXX.XXX.XX[XXX.XXX.XXX.XX]
    2021-06-16 16:15:59 24[CFG] <162> selected peer config "XXX_AWS_1-1"
    2021-06-16 16:15:59 24[IKE] <XXX_AWS_1-1|162> IKE_SA XXX_AWS_1-1[162] established between XXX.XXX.XXX.XX[XXX.XXX.XXX.XX]...XXX.XXX.XXX.XX[XXX.XXX.XXX.XX]
    2021-06-16 16:15:59 24[IKE] <XXX_AWS_1-1|162> scheduling rekeying in 28381s
    2021-06-16 16:15:59 24[IKE] <XXX_AWS_1-1|162> maximum IKE_SA lifetime 28741s
    2021-06-16 16:15:59 24[ENC] <XXX_AWS_1-1|162> generating ID_PROT response 0 [ ID HASH ]
    2021-06-16 16:15:59 24[NET] <XXX_AWS_1-1|162> sending packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (76 bytes)
    2021-06-16 16:15:59 19[IKE] <XXX_AWS_1-1|161> detected reauth of existing IKE_SA, adopting 2 children, 0 child tasks, and 0 virtual IPs
    2021-06-16 16:15:59 19[IKE] <XXX_AWS_1-1|162> ike XXX_AWS_1-1[162] adopted 0 children in REKEYING state
    2021-06-16 16:16:00 14[IKE] <XXX_AWS_1-1|159> deleting IKE_SA XXX_AWS_1-1[159] between XXX.XXX.XXX.XX[XXX.XXX.XXX.XX]...XXX.XXX.XXX.XX[XXX.XXX.XXX.XX]
    2021-06-16 16:16:00 14[IKE] <XXX_AWS_1-1|159> sending DELETE for IKE_SA XXX_AWS_1-1[159]
    2021-06-16 16:16:00 14[ENC] <XXX_AWS_1-1|159> generating INFORMATIONAL_V1 request 1634648538 [ HASH D ]
    2021-06-16 16:16:00 26[NET] <XXX_AWS_1-1|161> received packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (92 bytes)
    2021-06-16 16:16:00 26[ENC] <XXX_AWS_1-1|161> parsed INFORMATIONAL_V1 request 122884279 [ HASH N(DPD) ]
    2021-06-16 16:16:00 14[NET] <XXX_AWS_1-1|159> sending packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (92 bytes)
    2021-06-16 16:16:00 26[ENC] <XXX_AWS_1-1|161> generating INFORMATIONAL_V1 request 3060422701 [ HASH N(DPD_ACK) ]
    2021-06-16 16:16:00 26[NET] <XXX_AWS_1-1|161> sending packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (92 bytes)
    2021-06-16 16:16:09 30[IKE] <XXX_AWS_1-1|161> deleting IKE_SA XXX_AWS_1-1[161] between XXX.XXX.XXX.XX[XXX.XXX.XXX.XX]...XXX.XXX.XXX.XX[XXX.XXX.XXX.XX]
    2021-06-16 16:16:09 30[IKE] <XXX_AWS_1-1|161> sending DELETE for IKE_SA XXX_AWS_1-1[161]
    2021-06-16 16:16:09 30[ENC] <XXX_AWS_1-1|161> generating INFORMATIONAL_V1 request 4073925084 [ HASH D ]
    2021-06-16 16:16:09 30[NET] <XXX_AWS_1-1|161> sending packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (92 bytes)
    2021-06-16 16:16:09 20[NET] <XXX_AWS_1-1|162> received packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (92 bytes)
    2021-06-16 16:16:09 20[ENC] <XXX_AWS_1-1|162> parsed INFORMATIONAL_V1 request 2127052792 [ HASH N(DPD) ]
    2021-06-16 16:16:09 20[ENC] <XXX_AWS_1-1|162> generating INFORMATIONAL_V1 request 95783023 [ HASH N(DPD_ACK) ]
    2021-06-16 16:16:09 20[NET] <XXX_AWS_1-1|162> sending packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (92 bytes)
    2021-06-16 16:16:19 10[NET] <XXX_AWS_1-1|162> received packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (92 bytes)
    2021-06-16 16:16:19 10[ENC] <XXX_AWS_1-1|162> parsed INFORMATIONAL_V1 request 1014202509 [ HASH N(DPD) ]
    2021-06-16 16:16:19 10[ENC] <XXX_AWS_1-1|162> generating INFORMATIONAL_V1 request 2672330899 [ HASH N(DPD_ACK) ]
    2021-06-16 16:16:19 10[NET] <XXX_AWS_1-1|162> sending packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (92 bytes)
    2021-06-16 16:16:29 18[NET] <XXX_AWS_1-1|162> received packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (92 bytes)
    2021-06-16 16:16:29 18[ENC] <XXX_AWS_1-1|162> parsed INFORMATIONAL_V1 request 3022595740 [ HASH N(DPD) ]
    2021-06-16 16:16:29 18[ENC] <XXX_AWS_1-1|162> generating INFORMATIONAL_V1 request 1583078257 [ HASH N(DPD_ACK) ]
    2021-06-16 16:16:29 18[NET] <XXX_AWS_1-1|162> sending packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (92 bytes)
    2021-06-16 16:16:39 27[NET] <XXX_AWS_1-1|162> received packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (92 bytes)
    2021-06-16 16:16:39 27[ENC] <XXX_AWS_1-1|162> parsed INFORMATIONAL_V1 request 337431904 [ HASH N(DPD) ]
    2021-06-16 16:16:39 27[ENC] <XXX_AWS_1-1|162> generating INFORMATIONAL_V1 request 15867549 [ HASH N(DPD_ACK) ]
    2021-06-16 16:16:39 27[NET] <XXX_AWS_1-1|162> sending packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (92 bytes)
    2021-06-16 16:16:49 11[NET] <XXX_AWS_1-1|162> received packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (92 bytes)
    2021-06-16 16:16:49 11[ENC] <XXX_AWS_1-1|162> parsed INFORMATIONAL_V1 request 515715160 [ HASH N(DPD) ]
    2021-06-16 16:16:49 11[ENC] <XXX_AWS_1-1|162> generating INFORMATIONAL_V1 request 3592825138 [ HASH N(DPD_ACK) ]
    2021-06-16 16:16:49 11[NET] <XXX_AWS_1-1|162> sending packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (92 bytes)
    2021-06-16 16:16:59 32[NET] <XXX_AWS_1-1|162> received packet: from XXX.XXX.XXX.XX[4500] to XXX.XXX.XXX.XX[4500] (92 bytes)
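Added example, not part of the thread and not Sophos or strongSwan code: a small Python script that parses charon-style lines like the excerpt above, plus the "invalid SPI" message quoted from the Sophos log viewer in the earlier post, and reports three things a practitioner would want pulled out of a debug capture automatically: whether every N(DPD) probe was acknowledged (which is why DPD on its own never trips), IKE_SAs that came up within a short window where one was initiated locally ("initiating Main Mode IKE_SA") and the other by the peer ("is initiating a Main Mode IKE_SA"), and any invalid-SPI events. The sample log is constructed from the patterns in the thread with RFC 5737 documentation addresses substituted; treating a local-plus-peer pair of new IKE_SAs inside 30 seconds as a "reauth collision" is my heuristic, not a diagnosis from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the charon lines and the Sophos log-viewer
# message quoted in this thread. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2021-06-16 16:15:47 08[ENC] <XXX_AWS_1-1|159> parsed INFORMATIONAL_V1 request 4223438396 [ HASH N(DPD) ]
2021-06-16 16:15:47 08[ENC] <XXX_AWS_1-1|159> generating INFORMATIONAL_V1 request 1009574769 [ HASH N(DPD_ACK) ]
2021-06-16 16:15:50 25[IKE] <XXX_AWS_1-1|159> initiating Main Mode IKE_SA XXX_AWS_1-1[161] to 203.0.113.10
2021-06-16 16:15:50 29[IKE] <XXX_AWS_1-1|161> IKE_SA XXX_AWS_1-1[161] established between 198.51.100.5[198.51.100.5]...203.0.113.10[203.0.113.10]
2021-06-16 16:15:50 27[IKE] <XXX_AWS_1-1|159> detected reauth of existing IKE_SA, adopting 2 children, 0 child tasks, and 0 virtual IPs
2021-06-16 16:15:59 07[IKE] <162> 203.0.113.10 is initiating a Main Mode IKE_SA
2021-06-16 16:15:59 24[IKE] <XXX_AWS_1-1|162> IKE_SA XXX_AWS_1-1[162] established between 198.51.100.5[198.51.100.5]...203.0.113.10[203.0.113.10]
2021-06-16 16:15:59 19[IKE] <XXX_AWS_1-1|161> detected reauth of existing IKE_SA, adopting 2 children, 0 child tasks, and 0 virtual IPs
2021-06-16 16:16:00 14[IKE] <XXX_AWS_1-1|159> deleting IKE_SA XXX_AWS_1-1[159] between 198.51.100.5[198.51.100.5]...203.0.113.10[203.0.113.10]
2021-06-16 16:16:00 26[ENC] <XXX_AWS_1-1|161> parsed INFORMATIONAL_V1 request 122884279 [ HASH N(DPD) ]
2021-06-16 16:16:00 26[ENC] <XXX_AWS_1-1|161> generating INFORMATIONAL_V1 request 3060422701 [ HASH N(DPD_ACK) ]
2021-06-16 16:16:09 30[IKE] <XXX_AWS_1-1|161> deleting IKE_SA XXX_AWS_1-1[161] between 198.51.100.5[198.51.100.5]...203.0.113.10[203.0.113.10]
2021-06-16 16:16:09 20[ENC] <XXX_AWS_1-1|162> parsed INFORMATIONAL_V1 request 2127052792 [ HASH N(DPD) ]
2021-06-16 16:16:09 20[ENC] <XXX_AWS_1-1|162> generating INFORMATIONAL_V1 request 95783023 [ HASH N(DPD_ACK) ]
2021-06-16 16:16:30 12[IKE] <XXX_AWS_1-1|162> received IKE message with invalid SPI (79BAFE18) from other side
"""

# "<conn|uid>" carries the connection name and IKE_SA unique id; a bare "<uid>"
# appears before the peer-initiated SA has been matched to a peer config.
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \d+\[(?P<sub>[A-Z]+)\] "
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<uid>\d+)> (?P<msg>.*)$"
)
EST_RE = re.compile(r"IKE_SA \S+\[(?P<sa>\d+)\] established")
DEL_RE = re.compile(r"deleting IKE_SA \S+\[(?P<sa>\d+)\]")
LOCAL_INIT_RE = re.compile(r"initiating Main Mode IKE_SA \S+\[(?P<sa>\d+)\]")
PEER_INIT_RE = re.compile(r"\S+ is initiating a Main Mode IKE_SA")
INVALID_SPI_RE = re.compile(r"invalid SPI \((?P<spi>[0-9A-Fa-f]+)\)")


def parse(log_text):
    """Yield (timestamp, subsystem, connection name or None, IKE_SA id, message)."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["sub"], m["conn"], int(m["uid"]), m["msg"])


def analyse(log_text, collision_window=timedelta(seconds=30)):
    dpd_requests = dpd_acks = 0
    pending = {}       # IKE_SA id -> "local" | "peer", set when Main Mode starts
    established = {}   # IKE_SA id -> (time, initiator)
    deleted = {}       # IKE_SA id -> time
    invalid_spi = []
    for ts, _sub, _conn, uid, msg in parse(log_text):
        if "N(DPD_ACK)" in msg:
            dpd_acks += 1
        elif "N(DPD)" in msg:
            dpd_requests += 1
        if m := LOCAL_INIT_RE.search(msg):
            pending[int(m["sa"])] = "local"
        elif PEER_INIT_RE.search(msg):
            pending[uid] = "peer"   # for a peer-initiated SA the <uid> is the new SA's id
        elif m := EST_RE.search(msg):
            sa = int(m["sa"])
            established[sa] = (ts, pending.pop(sa, "unknown"))
        elif m := DEL_RE.search(msg):
            deleted[int(m["sa"])] = ts
        elif m := INVALID_SPI_RE.search(msg):
            invalid_spi.append((ts, m["spi"].upper()))
    # Heuristic (my assumption, not a diagnosis from the thread): two IKE_SAs
    # brought up inside the window, one by each side, look like a reauth collision.
    ordered = sorted(established.items(), key=lambda kv: kv[1][0])
    collisions = []
    for i, (sa_a, (t_a, who_a)) in enumerate(ordered):
        for sa_b, (t_b, who_b) in ordered[i + 1:]:
            if t_b - t_a <= collision_window and {who_a, who_b} == {"local", "peer"}:
                collisions.append((sa_a, sa_b, int((t_b - t_a).total_seconds())))
    return {
        "dpd_requests": dpd_requests,
        "dpd_acks": dpd_acks,
        "established": {sa: who for sa, (_t, who) in established.items()},
        "deleted": sorted(deleted),
        "collisions": collisions,
        "invalid_spi": invalid_spi,
    }


def findings(report):
    """Human-readable lines for the three conditions worth flagging."""
    out = []
    if report["dpd_requests"] and report["dpd_acks"] >= report["dpd_requests"]:
        out.append("DPD answered: every N(DPD) got a DPD_ACK, so DPD alone will not flag this")
    for a, b, gap in report["collisions"]:
        out.append(f"reauth collision: IKE_SA [{a}] ({report['established'][a]}) and "
                   f"[{b}] ({report['established'][b]}) established {gap}s apart")
    for ts, spi in report["invalid_spi"]:
        out.append(f"{ts:%H:%M:%S} peer sent SPI {spi} that this side does not know")
    return out


if __name__ == "__main__":
    for line in findings(analyse(SAMPLE_LOG)):
        print(line)
```

Run it against a real charon capture with `analyse(open(path).read())`; the useful signal is the combination, a DPD exchange that keeps succeeding while IKE_SAs are being torn down around it and the peer then presents an SPI this side no longer holds.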