XG86 Random Issue on SSL Site to Site VPN after upgrade to 19

I have a Site to Site (XG is server) and before upgrade all work for year.

After upgrade randomly (i think this happen on night for some sevice restart maybe?) the firewall not use the Tunnel to Route the traffic

The VPN is working from the other site to this, only this to other stop working.

On log page you can see this (192.168.1.x is the remote network)

After editing config and saving (i think this reconnect vpn) al start working again

What i can do?? Only wait a fix? Is rather annoying almost every day i have to fix this

Thanks



Added v19.1 TAG
[edited by: Erick Jan at 5:18 AM (GMT -8) on 30 Nov 2022]
  • What's the exact version of SFOS you are using? Can you send a screenshot?

    What is at the other end of the tunnel?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Latest relase: SFOS 19.0.1 MR-1-Build365
    The other end is an ASUS router: RT-AC51U

    On this firewall we have an IPSEC site to site, varius client SSL VPN.. al of this work without problem
    Already fixed the range for the new setting of the ssl vpn on v19

    Another note: the VPN is working from the other site to this, only this to other stop working

  • Could you share the ipsec config screen shot and the sdwan routing config screen shot ? We will take a look at this issue and update on this soon.

  • As the subject is the SSL VPN not working... IPSEC work normal. No config is changed after upgrade. The problem started immediately after update.. Editing and saving SSL Site to Site config re-enabled the normal behaviour for some time

    On SDWAN routing i have only a config for the Wifi to use one GW instead of the other

    But here:

    Dont share SSL vpn config screenshot because there no particular setting on the gui only lan names

    Here obfuscated config file for ssl svpn

    {"server_address":["88.x.x.x","192.168.178.250","192.3.3.250"],"authentication_algorithm":"SHA256","password":"****","key":"-----BEGIN RSA PRIVATE KEY-----***\n-----END RSA PRIVATE KEY-----","server_dn":"C=IT, ST=NA, L=Capriolo, O=***, OU=OU, CN=***, emailAddress=***","server_port":"8443","username":"****","encryption_algorithm":"AES-128-CBC","protocol":"udp","compression":"1","ca_cert":"-----BEGIN CERTIFICATE-----\n{"server_address":["88.x.x.x","192.168.178.250","192.3.3.250"],"authentication_algorithm":"SHA256","password":"***","key":"-----BEGIN RSA PRIVATE KEY-----\n***\n-----END RSA PRIVATE KEY-----","server_dn":"C=IT, ST=NA, L=Capriolo, O=***, OU=OU, CN=***, emailAddress=***","server_port":"8443","username":"***","encryption_algorithm":"AES-128-CBC","protocol":"udp","compression":"1","ca_cert":"-----BEGIN CERTIFICATE-----\n***\n-----END CERTIFICATE-----","certificate":"-----BEGIN CERTIFICATE-----\n***\n-----END CERTIFICATE-----"}

  • In non-working case, can you check if route for the remote network is installed on the XGS (through the route command on the shell) ?

  • Hello Lorena,

    Thank you for contacting the Sophos Community.

    So after editing and saving the config, the issue got resolved?, however, the issue re-appears after a while. Is this what you mean?

    If so, I would recommend you have a specific working computer with a static IP, that can access the same destination IP, and when the issue starts happening again, test using the same computer and same destination IP (as in the working scenario).

    Once the issue is happening again, do a GUI Packet Capture to confirm which Firewall Rule is the computer using.

    Regards,


     
    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • So after editing and saving the config, the issue got resolved?, however, the issue re-appears after a while. Is this what you mean?

    Yes exactly. Today not happening so is not daily basis... But after update happened already 3 times

    You can already see on my screen wich rules.. And is changing before and after the problem...

    Did you mean PCAP capure?

    This the working one:

  • Here we are when dont work

    Disconnect from the other end work for little time (15/30 minutes)

    Editing and saving config seems work for a long time

  • Hello Lorena,

    Thank you for the update.

    I would recommend you get a case created with Support for tracking the issue.

    Next\ time this happens, can you do a drop-packet-capture on the CLI of the Sophos Firewall?

    https://support.sophos.com/support/s/article/KB-000036858?language=en_US

    Regards,


     
    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • drop-packet-capture no packet dropped. Tried drop-packet-capture 'dst host 192.168.1.1', drop-packet-capture 'src host 192.3.3.150' and drop-packet-capture 'net 19.168.1'... With drop-packet-capture 'net 192.3.3' i can see logs for other traffic


    I can confirm the problem is the route
    When work:

    XG86_AM01_SFOS 19.0.1 MR-1-Build365# route
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    10.0.50.0 * 255.255.255.0 U 0 0 0 Port1.20
    10.81.234.0 * 255.255.255.0 U 0 0 0 tun0
    10.255.0.0 * 255.255.255.0 U 0 0 0 GuestAP
    81.174.0.21 * 255.255.255.255 UH 0 0 0 Port2_ppp
    192.3.3.0 * 255.255.255.0 U 0 0 0 Port1
    192.168.1.0 10.81.234.1 255.255.255.0 UG 0 0 0 tun0
    192.168.33.0 * 255.255.255.0 U 0 0 0 Port1.10
    192.168.120.0 * 255.255.255.0 U 0 0 0 Port1.40
    192.168.150.0 * 255.255.255.0 U 0 0 0 Port1.30
    192.168.178.0 * 255.255.255.0 U 0 0 0 Port3


    When not work:
    XG86_AM01_SFOS 19.0.1 MR-1-Build365# route
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    10.0.50.0 * 255.255.255.0 U 0 0 0 Port1.20
    10.81.234.0 * 255.255.255.0 U 0 0 0 tun0
    10.255.0.0 * 255.255.255.0 U 0 0 0 GuestAP
    81.174.0.21 * 255.255.255.255 UH 0 0 0 Port2_ppp
    192.3.3.0 * 255.255.255.0 U 0 0 0 Port1
    192.168.33.0 * 255.255.255.0 U 0 0 0 Port1.10
    192.168.120.0 * 255.255.255.0 U 0 0 0 Port1.40
    192.168.150.0 * 255.255.255.0 U 0 0 0 Port1.30
    192.168.178.0 * 255.255.255.0 U 0 0 0 Port3


    The 192.168.1.1 route is missing

    As i said traffic from the other side work just fine...so the tunnel is connected
    Disconnect from the other side... work for a little time (less than 10min)
    Only edit and save configuration work for a long time (sometime even 3/4 days.. Maybe is do to less or no traffic from the other side tha trigger the fault. I can't understand why reconnect from the other side work for a little time do)