Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • +4 person also asked this people also asked this
  • Locked Locked
  • Replies 75 replies
  • Answers 6 answers
  • Subscribers 61 subscribers
  • Views 24391 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Version 19.0.0GA Breaking IPSEC VPN's

Jeremy Thomas

We have 20+ Xg and XGS's deployed. We started pushing out the mentioned version updating from 18.5.3 MR-3 Build 408. The first 2 devices we updated had all kinds of VPN issues. Users could connect but the connection speed was garbage (less than 1mbps down). Was on the phone with support for over an hour. Finally they came back and said "after conferring with his colleagues there are issues with Version 19 we recommend you rollback". We did this and all the VPN issues were resolved.

FRUSTRATING to say the least. I have reached out to our Sophos Rep regarding this and updates moving forward but so far "Crickets"



This thread was automatically locked due to age.
Parents
  • 0

    Hello Jeremy,

    Thank you for contacting the Sophos Community.

    Just to confirm you’re the same user from Reddit that mentioned about Case ID 05337528?

    Regards,

     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • 0 in reply to Jeremy Thomas

    Hello Jeremy,

    Thank for the confirmation. 

    As the engineer mentioned in their last email, try disabling the IPsec acceleration from the console (5>4)of the Sophos Firewall.

    console> system ipsec-acceleration show

    console> system ipsec-acceleration disable

    Let us know by updating the ticket or this thread if this "fixed" the issue (if you are willing to move back to v19).

    For anyone following: The disable the IPsec acceleration should be only considered a work around, and a ticket should be open with Support to troubleshoot.
    Regards,

     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • 0 in reply to emmosophos

    We will try and test on a spare machine.  But this seems like a "bandaid" if it does work.  What is the fix moving forwared?  Is this going to be addressed in the next release?

  • 0 in reply to Jeremy Thomas

    Hello Jeremy,

    Sorry I forgot to type it in here, but yes this isn’t a solution only a workaround.

    Regards,

     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • 0 in reply to emmosophos

    Ok So we have some more information.   Both of the Box's that we updated to version 19 that had VPN issues were XGS's (116 and 126).  We had also updated some XG's but those clients did not utilize VPN.  We set up a VPN config on the XG's that were on Version 19 but did not have VPN configs already.  Ran Speed tests and the speed was just fine (no work around).     We had one other XGS that we had also Updated to 19 but also did not have any VPN configs on, so we never rolled it back.  We tested on this box by setting up a IPSEC VPN config and connecting, the Connection was VERY SLOW.  So we applied the "band aid fix" and speeds returned to normal!  

    So as far as I can tell this issue ONLY effects XGS's  NOT XG     Hope this helps but would like clarification before continuing to roll out even on the XG's that we had not yet updated.

    Thanks

  • 0 in reply to emmosophos

    I have an XGS 116 and noticed how the slow IPSec VPN was right after I updated. Using the IPSec profile and Sophos connect client it would connect but RDP was extremely slow and pretty much unusable. I just tried your workaround and it works. RDP was very quick. If I re-enable IPSec acceleration it is very slow again. If I create my own VPN connection on my mac (system preferences/network/add a VPN connection it is quick. So from my findings, there is something going on with IPSec acceleration, IPSec remote access profile and Sophos Connect Client. I was also able to reproduce this on my iPhone. Hope this helps.

Reply
  • 0 in reply to emmosophos

    I have an XGS 116 and noticed how the slow IPSec VPN was right after I updated. Using the IPSec profile and Sophos connect client it would connect but RDP was extremely slow and pretty much unusable. I just tried your workaround and it works. RDP was very quick. If I re-enable IPSec acceleration it is very slow again. If I create my own VPN connection on my mac (system preferences/network/add a VPN connection it is quick. So from my findings, there is something going on with IPSec acceleration, IPSec remote access profile and Sophos Connect Client. I was also able to reproduce this on my iPhone. Hope this helps.

Children
No Data
Unfiltered HTML