
Version 19.0.0 GA Breaking IPsec VPNs

We have 20+ XG and XGSs deployed. We started pushing out the mentioned version, updating from 18.5.3 MR-3 Build 408. The first 2 devices we updated had all kinds of VPN issues. Users could connect but the connection speed was garbage (less than 1 Mbps down). Was on the phone with support for over an hour. Finally they came back and said "after conferring with his colleagues there are issues with Version 19, we recommend you rollback". We did this and all the VPN issues were resolved.

FRUSTRATING to say the least. I have reached out to our Sophos Rep regarding this and updates moving forward, but so far "Crickets".



  • Hello Jeremy,

    Thanks for the confirmation.

    As the engineer mentioned in their last email, try disabling the IPsec acceleration from the console (5 > 4) of the Sophos Firewall.

    console> system ipsec-acceleration show

    console> system ipsec-acceleration disable

    Let us know by updating the ticket or this thread if this "fixed" the issue (if you are willing to move back to v19).

    For anyone following: disabling the IPsec acceleration should only be considered a workaround, and a ticket should be opened with Support to troubleshoot.
    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • We will try and test on a spare machine. But this seems like a "band-aid" if it does work. What is the fix moving forward? Is this going to be addressed in the next release?

  • Hello Jeremy,

    Sorry I forgot to type it in here, but yes, this isn't a solution, only a workaround.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Ok, so we have some more information. Both of the boxes that we updated to version 19 that had VPN issues were XGSs (116 and 126). We had also updated some XGs, but those clients did not utilize VPN. We set up a VPN config on the XGs that were on Version 19 but did not have VPN configs already. Ran speed tests and the speed was just fine (no workaround). We had one other XGS that we had also updated to 19 but also did not have any VPN configs on, so we never rolled it back. We tested on this box by setting up an IPsec VPN config and connecting; the connection was VERY SLOW. So we applied the "band-aid fix" and speeds returned to normal!

    So as far as I can tell this issue ONLY affects XGSs, NOT XGs. Hope this helps, but would like clarification before continuing to roll out even on the XGs that we had not yet updated.

    Thanks
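    The posts above describe a manual check: measure tunnel throughput with IPsec acceleration enabled, apply the `system ipsec-acceleration disable` workaround, measure again, and decide per device whether to hold the rollout. The script below is an added example (not Sophos code and not from anyone in this thread) that turns those measurements into a rollout decision for a fleet. Device names, models and Mbps figures are constructed sample data; the 50% threshold is an assumption, not a Sophos guideline.

```python
"""Rollout triage for the IPsec acceleration regression (added example, not Sophos code).

Input: per-device tunnel throughput measured twice, once with IPsec acceleration
enabled and once after `system ipsec-acceleration disable`.  Output: which devices
show the regression and whether the fleet-wide rollout should be held.
All device names and figures below are constructed sample data.
"""
from dataclasses import dataclass

# Assumption: a device is "affected" when the accelerated tunnel delivers less
# than this fraction of the throughput seen with acceleration disabled.
REGRESSION_RATIO = 0.5


@dataclass
class Measurement:
    device: str            # hostname (constructed)
    model: str             # hardware model as reported by the device, e.g. "XGS 116"
    firmware: str          # SFOS version string
    mbps_accel_on: float   # download throughput through the tunnel, acceleration enabled
    mbps_accel_off: float  # same test after disabling acceleration


def is_regressed(m: Measurement) -> bool:
    """True when disabling acceleration restores most of the throughput."""
    if m.mbps_accel_off <= 0:
        return False  # no usable baseline, cannot judge this device
    return m.mbps_accel_on / m.mbps_accel_off < REGRESSION_RATIO


def triage(measurements: list[Measurement]) -> dict[str, str]:
    """Map each device to the next step an operator should take."""
    actions = {}
    for m in measurements:
        if is_regressed(m):
            actions[m.device] = "affected: keep acceleration disabled (workaround) and open a support ticket"
        else:
            actions[m.device] = "not affected: acceleration can stay enabled"
    return actions


def affected_families(measurements: list[Measurement]) -> list[str]:
    """Hardware families (XG / XGS) that showed the regression, sorted."""
    return sorted({m.model.split()[0] for m in measurements if is_regressed(m)})


def hold_rollout(measurements: list[Measurement], pending_models: list[str]) -> bool:
    """Hold the firmware rollout if any not-yet-updated device belongs to an
    affected hardware family."""
    affected = set(affected_families(measurements))
    return any(model.split()[0] in affected for model in pending_models)


# Constructed sample data mirroring the pattern reported in the thread:
# XGS units crawl with acceleration on, XG units are unaffected.
SAMPLE = [
    Measurement("fw-branch-a", "XGS 116", "19.0.0 GA", mbps_accel_on=0.8, mbps_accel_off=48.0),
    Measurement("fw-branch-b", "XGS 126", "19.0.0 GA", mbps_accel_on=0.6, mbps_accel_off=52.0),
    Measurement("fw-branch-c", "XG 210", "19.0.0 GA", mbps_accel_on=47.0, mbps_accel_off=46.0),
    Measurement("fw-lab", "XGS 116", "19.0.0 GA", mbps_accel_on=0.0, mbps_accel_off=0.0),  # no tunnel yet
]

if __name__ == "__main__":
    for device, action in triage(SAMPLE).items():
        print(f"{device}: {action}")
    print("affected families:", affected_families(SAMPLE))
    print("hold rollout for pending XGS 136:", hold_rollout(SAMPLE, ["XGS 136"]))
```

    A device with no tunnel configured (both readings zero) is deliberately left out of the affected set rather than counted either way, since there is nothing to compare.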

  • I have an XGS 116 and noticed how slow the IPsec VPN was right after I updated. Using the IPsec profile and Sophos Connect client it would connect, but RDP was extremely slow and pretty much unusable. I just tried your workaround and it works. RDP was very quick. If I re-enable IPsec acceleration it is very slow again. If I create my own VPN connection on my Mac (System Preferences / Network / add a VPN connection) it is quick. So from my findings, there is something going on with IPsec acceleration, the IPsec remote access profile and the Sophos Connect client. I was also able to reproduce this on my iPhone. Hope this helps.

  • I'm just a general punter, but this seems to confirm what you have stated.

    https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/IPsecPolicies/index.html#encryption-authentication-shared-secret-and-key-life

    "Currently, hardware acceleration for IPsec VPN is only available on some XG Series devices. It accelerates and compresses cryptographic workloads and is available for IPsec VPN connections on XG 125 Rev.3, XG 135 Rev.3, and XG 750 appliance models.

    It's turned on by default. To turn it off, go to the command-line console."

    Sophos, why on earth would you enable a setting by default which only works on a few old devices!


  • That is not correct. 

    XG 125, 135 and 750 have a special chip to do hardware acceleration. But XGS has the NPU, which is its own processor unit. In the end it does not matter how you activate the option. But people here report issues on XGS hardware as well. This means the problem exists even on hardware which has an NPU.

    The Online Help is from V18.5. V19.0 included the new encryption support of the NPU. 


  • Disabling IPsec acceleration worked on our XGS 116.

  • Hi Emmanuel,

    We are facing the same issue, and need to know when it will be fixed.

    Do you already have a Bug-ID for this problem, or at least further information about it?

    Thank you!

    Markus