Hello,
This is not a question. This is a description of one problem ... The solution is known but hidden. I decided to retell the story in other words because I still remember the attempts of angry users to lynch me ... :-) Maybe it will help somebody.
We are using several Sophos XG and XGS firewalls with VPN tunnels.
For some reasons (dynamic routing, simple usage, possibility of sniffing, etc.) we prefer encrypted GRE (since older versions) and xfrm (since it appeared in the services).
Our experience was that encrypted GRE sometimes hangs: the tunnel status indicators are green on both sides, but no data goes through the tunnel. It is not even possible to ping the peer through the tunnel. The solution was / is to disable and enable the tunnel. We transferred most of the tunnels with this problem to xfrm and it is OK.
I did an upgrade to 19.0.1 (skipping 19.0.0) from 18.5.x, and at several places problems with tunnels appeared.
As I wrote, these tunnels were based on xfrm and the behaviour was similar to GRE: both indicators on both sides were OK, but nothing came through the tunnels. The solution was to disable and enable the tunnel. It did not matter which side it was. But these problems appeared on several tunnels out of a larger number.
The relationship of this behaviour with the upgrade to 19.0.1 was logical. But why did it happen on a few of the tunnels out of some number? (Another bad feature was that it appeared several days after the upgrade and with different intensity: sometimes one drop a day, sometimes 3, sometimes no drop; and on the last day before finding the workaround it was nearly every 20 minutes. If you ask why we did not open a support case, the answer is simple: we opened it ...)
After some investigation we recognized that it happens only when an XGS is used on at least one side of the tunnel.
I tried to google it, but maybe I asked the wrong question. My colleague was luckier. He found this discussion:
Version 19.0.0GA Breaking IPSEC VPN's - Discussions - Sophos Firewall - Sophos Community
There is a workaround: switching off hardware acceleration of IPsec encryption. Here is the set of commands (via 4. Device Console):
system ipsec-acceleration show
system ipsec-acceleration disable
system ipsec-acceleration enable
The problem should be solved in 19.0.2.
It is the 4th day since applying the workaround, with no dropout.
Have a nice day,
Petr
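An added example (not code from the post or from Sophos) for the failure mode described above: a tunnel whose status indicator shows "up" while nothing passes through it. It pings each peer's inner (tunnel-side) address from a monitoring host and flags tunnels that are reported up but whose peer stays silent; the tunnel names and addresses are constructed sample data.

```python
# Added example, not code from the original post or from Sophos. Flags the
# "green but dead" condition: tunnel reported up, peer unreachable through it.
# Tunnel names and addresses below are constructed sample data.
import subprocess
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Tunnel:
    name: str           # tunnel label as configured on the firewall
    peer_inner_ip: str  # peer's address inside the tunnel (constructed)
    reported_up: bool   # what the tunnel status indicator shows


def ping_peer(ip: str, count: int = 3, timeout_s: int = 2) -> bool:
    """True if at least one ICMP echo reply comes back (Linux ping flags)."""
    cmd = ["ping", "-c", str(count), "-W", str(timeout_s), ip]
    try:
        result = subprocess.run(cmd, capture_output=True,
                                timeout=count * (timeout_s + 1))
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return False
    return result.returncode == 0


def find_silent_tunnels(tunnels: Iterable[Tunnel],
                        probe: Callable[[str], bool] = ping_peer,
                        confirm: int = 2) -> list[str]:
    """Names of tunnels reported up whose peer answers none of `confirm` probes.

    Tunnels reported down are skipped: the dashboard already shows those.
    Re-probing avoids alerting on a single lost echo during a transient dip.
    """
    silent = []
    for t in tunnels:
        if not t.reported_up:
            continue
        if not any(probe(t.peer_inner_ip) for _ in range(confirm)):
            silent.append(t.name)
    return silent


# Constructed inventory: private addresses, no real peers behind them.
SAMPLE_TUNNELS = [
    Tunnel("branch-a-xfrm", "10.255.1.2", reported_up=True),
    Tunnel("branch-b-gre", "10.255.2.2", reported_up=True),
    Tunnel("branch-c-xfrm", "10.255.3.2", reported_up=False),
]

if __name__ == "__main__":
    for name in find_silent_tunnels(SAMPLE_TUNNELS):
        print(f"ALERT {name}: status up but peer unreachable; bounce the tunnel")
```

Run it from a host that routes into the tunnels (cron or a monitoring check); an alert here is the cue to bounce the tunnel, or to check the IPsec acceleration state the workaround above touches.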