
Version 19.0.0 GA Breaking IPsec VPNs

We have 20+ XGs and XGSs deployed. We started pushing out the mentioned version, updating from 18.5.3 MR-3 Build 408. The first 2 devices we updated had all kinds of VPN issues. Users could connect, but the connection speed was garbage (less than 1 Mbps down). Was on the phone with support for over an hour. Finally they came back and said "after conferring with his colleagues there are issues with Version 19 we recommend you rollback". We did this and all the VPN issues were resolved.

FRUSTRATING, to say the least. I have reached out to our Sophos Rep regarding this and updates moving forward, but so far "Crickets".



  • Generally speaking, Firewall Acceleration can affect this issue. Disabling it should resolve this issue. The fix will be in the next version (V19.5 GA, for example).

  • We have a couple of setups where disabling firewall-acceleration and ipsec-acceleration does not solve the broken IPsec tunnels.
    XG to XGS IPsec tunnels seem to be a big issue. We just updated an XGS136 and an XG115 to v19.5 with no success. v19.5 has no improvement, which is really bad.

  • This is a tested and working setup in QA.

    I will DM you for more info on this.

  • We had a similar issue this week (we're currently on 19 MR1 / 19 GA): out of nowhere some print jobs stopped getting processed or were delayed for minutes (terminal server, printing in a branch office through IPsec site-to-site).
    Took way too much time troubleshooting, including replacement of the affected printer, etc. Remote Desktop, mail, ping: everything was fine the whole time. Nothing that pointed to an IPsec/firewall related problem.

    In the end, disabling firewall- and ipsec-acceleration on both ends "solved" this for now.

    ...but how to find the right time to re-enable DPI, SSL, FW-Acceleration, IPsec-Acceleration... which might cause multiple branches to have downtimes and problems again...

    Every time I have a problem in the future that might relate to network/firewall, it would guide me to disable nearly everything on SFOS first.
    Not good for security, not good for downtimes, not good for Sophos' reputation, not good for end-customer satisfaction...

    This is not what to expect from an enterprise firewall / UTM, or how to handle troubleshooting.

  • Just to be sure: Acceleration is not a security feature, but a performance feature.

  • Update:

    The following issues are fixed in the v19.5 GA release: https://docs.sophos.com/releasenotes/index.html

    NC-101716 (NFP-Firewall): Packet drop and slow file transfer with IPsec (IPsec acceleration) and NAT-T.

    NC-97058 (NFP-Firewall): VPN traffic for a specific tunnel periodically stops when IPsec acceleration is enabled.

    NC-100699 (IPsec): SMB file transfer stops and doesn't recover with IPsec acceleration and policy-based VPN.

  • Hello,

    I tried this solution yesterday when upgrading to v19.5.0.

    Sophos support told me that running the following commands could help for non-XGS devices:

    console> system ipsec-acceleration enable
    console> system ipsec-acceleration disable

    You will get this message:
    IPsec acceleration isn't available on XG Series hardware, virtual, software, and cloud devices.


    But we still have the same problem.
    To explain: we can connect to Sophos Connect without problem and access every resource attached to the firewall that hosts the VPN remote access.

    But when we want to access resources connected over the IPsec site-to-site VPN, it's not working.

    That's weird, because ping is OK and DNS resolution too.

    But every other service is not working (SSH, SMB, HTTP/S, etc.), even though they are authorized in the rules.

    Here is a diagram to explain:


    So I rolled back to 18.5.3 and it's working.

  • Could you try to disable the Firewall acceleration?

  • I did it yesterday, but it did not work.
    And when I type in: console firewall-acceleration show

    it tells me that it is a virtualised firewall, so no firewall-acceleration is available,
    and no IPsec acceleration either.

  • That is odd to me.

    Azure Firewall: 

    Sophos Firmware Version: SFOS 19.5.0 GA-Build197
    Model: SFV6C8


    console> system firewall-acceleration show
    Firewall Acceleration is Enabled in Configuration.
    Firewall Acceleration is Not Loaded because Device is Not Supported.
    console>

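The last few posts show that "Enabled in Configuration" and actually "Loaded" are two different things, and that only builds from v19.5 GA carry the release-note fixes quoted above. As an added example (not code from Sophos or from anyone in this thread), here is a small fleet-audit helper that parses captured console output and a firmware banner and classifies a device; the positive "Loaded" wording is an assumption, since only the "Not Loaded" line appears in the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: the console output quoted above for a virtual (Azure)
# SFOS 19.5.0 appliance, as a fleet-audit script would capture it.
SAMPLE_SHOW = """\
console> system firewall-acceleration show
Firewall Acceleration is Enabled in Configuration.
Firewall Acceleration is Not Loaded because Device is Not Supported.
console>
"""
SAMPLE_VERSION = "Sophos Firmware Version: SFOS 19.5.0 GA-Build197"

# Per the release notes quoted in this thread, the acceleration-related IPsec
# fixes (NC-101716, NC-97058, NC-100699) ship from v19.5 GA onwards.
FIRST_BUILD_WITH_ACCEL_FIXES = (19, 5, 0)


@dataclass
class AccelStatus:
    enabled_in_config: bool   # what the admin configured
    loaded: bool              # whether the module is actually active
    reason: Optional[str]     # text after "Not Loaded because", if any


def parse_accel_show(output: str) -> AccelStatus:
    """Parse 'system firewall-acceleration show' output. Assumption: when the
    module is active, no line says 'Not Loaded'."""
    enabled = "is Enabled in Configuration" in output
    m = re.search(r"is Not Loaded because (.+?)\.?\s*$", output, re.M)
    reason = m.group(1).strip() if m else None
    return AccelStatus(enabled, enabled and m is None, reason)


def parse_sfos_version(banner: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from a 'SFOS x.y.z ...' banner line."""
    m = re.search(r"SFOS (\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no SFOS version in: {banner!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def classify(show_output: str, banner: str) -> str:
    """One audit verdict per device, for a fleet inventory."""
    st = parse_accel_show(show_output)
    if not st.enabled_in_config:
        return "acceleration disabled in configuration"
    if not st.loaded:
        return f"configured but not loaded ({st.reason})"
    if parse_sfos_version(banner) < FIRST_BUILD_WITH_ACCEL_FIXES:
        return "loaded on a build before the v19.5 GA fixes"
    return "loaded on v19.5 GA or later"
```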