Version 19.0.0GA Breaking IPSEC VPN's

Question

We have 20+ Xg and XGS's deployed. We started pushing out the mentioned version updating from 18.5.3 MR-3 Build 408. The first 2 devices we updated had all kinds of VPN issues. Users could connect but the connection speed was garbage (less than 1mbps down). Was on the phone with support for over an hour. Finally they came back and said "after conferring with his colleagues there are issues with Version 19 we recommend you rollback". We did this and all the VPN issues were resolved. 
 FRUSTRATING to say the least. I have reached out to our Sophos Rep regarding this and updates moving forward but so far "Crickets"

emmosophos · Answer

Hello Jeremy, 
 Thank for the confirmation. 
 As the engineer mentioned in their last email, try disabling the IPsec acceleration from the console (5>4)of the Sophos Firewall. 
 console> system ipsec-acceleration show 
 console> system ipsec-acceleration disable 
 Let us know by updating the ticket or this thread if this "fixed" the issue (if you are willing to move back to v19). 
 For anyone following: The disable the IPsec acceleration should be only considered a work around, and a ticket should be open with Support to troubleshoot. Regards,

LuCar Toni · Answer

That is not correct. 
 XG125,135,750 have a special chip to do Hardware Acceleration. But XGS has the NPU, which is a own processor unit. In the end it does not matter how you activate the option. But people here report issues on XGS hardware as well. This means, the problem exists even on hardware which has a NPU. 
 The Online Help is from V18.5. V19.0 included the new encryption support of the NPU.

Alok · Answer

Hi Seroal, 
 By default IPsec acceleration is disabled on all appliances except XGS. 
 XG135w_XN03_SFOS 19.0.0 GA-Build317# 
 console> system ipsec-acceleration show IPsec acceleration isn't available on XG Series hardware, virtual, software, and cloud devices. 
 console> system ipsec-acceleration enable IPsec acceleration isn't available on XG Series hardware, virtual, software, and cloud devices. 
 console> system ipsec-acceleration disable IPsec acceleration isn't available on XG Series hardware, virtual, software, and cloud devices. 
 can you try running this command on your XG450 and see anything different?

Alok · Answer

Update: 
 The following issues are fixed in v19.5GA release: https://docs.sophos.com/releasenotes/index.html

NC-101716

NFP-Firewall

Packet drop and slow file transfer with IPsec (IPsec acceleration) and NAT-T.

NC-97058

NFP-Firewall

VPN traffic for specific tunnel periodically stops when IPsec acceleration is enabled.

NC-100699

IPsec

SMB file transfer stops and doesn't recover with IPsec acceleration and policy-based VPN.

John Nickell · Answer

We had a support session regarding the Wireless /IPSEC acceleration issue last Friday after I was able to be on site an affected location. We were able to reproduce one of the issues IF we enabled IPSEC acceleration and returned the MTU on our wireless devices' control plane to 1500. In this configuration the remote site's AP were unable to connect to the controller in a remote site and therefore did not broadcast any SSID's in the remote site. Assuming that IPSEC acceleration was already turned on prior to the updated to 19.5 (we had not turned it on or off explicitly prior to this event). 
 We seem to have come to a stable configuration with IPSEC acceleration turned on and the MTU of the wireless devices' control plane set to 1400. 
 These changes were required after the update to 19.5 and were not required while running 19 MR1.

Alexandre LANTOINE · Answer

Hello I just updated the FW and tested your command 
 It was already disable 
 But for the test I enable/disable it 
 And it's finally working !!! Thanks a lot

Version 19.0.0GA Breaking IPSEC VPN's

Top Replies