
IPSec VPN to Draytek does not reconnect randomly

Hi,

I have an XGS-126 as the IPSec VPN client, calling a Draytek router as the VPN server. I also tried reversing the sides, but the problem remains the same.

From time to time, very randomly (it might be once every 2-3 weeks, or as frequently as 4 times in 1 hour), the VPN tunnel drops and does not re-establish the connection. Sometimes manually clicking the red VPN dot establishes the connection, but sometimes not.

Sophos logs are not helping me diagnose it, just a lot of:

IKE message retransmission to <Draytek IP> timed out. Check if the remote gateway is reachable.

I have the VPN profile settings mirrored from what's on the Draytek side:

  • IKE Phase 1, Re-key connection = ON
  • DPD = ON
  • DPD check every: 60 seconds
  • DPD When Peer Unreachable = Re-initiate
  • DoS Protection = OFF
  • DoS & Spoof exceptions added for both IPs as source and destination

When it was a Draytek-to-Draytek VPN, on the same lines, the VPN was rock-stable and never had problems.

Ideas welcome.
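As an added example (not from the thread and not Sophos's own tooling), the script below tallies the "IKE message retransmission ... timed out" lines quoted above per peer and per hour, so the sporadic-versus-burst pattern the post describes becomes visible. The "YYYY-MM-DD HH:MM:SS" timestamp prefix, the peer address and the sample log lines are constructed assumptions, not the real Sophos log layout.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines: an assumed "YYYY-MM-DD HH:MM:SS" prefix followed by the
# message text quoted in the post. The real Sophos log layout may differ.
SAMPLE_LOG = """\
2024-03-01 09:12:05 IKE message retransmission to 203.0.113.10 timed out. Check if the remote gateway is reachable.
2024-03-01 09:13:05 IKE message retransmission to 203.0.113.10 timed out. Check if the remote gateway is reachable.
2024-03-01 09:14:20 IPsec SA established with 203.0.113.10
2024-03-01 09:40:11 IKE message retransmission to 203.0.113.10 timed out. Check if the remote gateway is reachable.
2024-03-01 09:41:11 IKE message retransmission to 203.0.113.10 timed out. Check if the remote gateway is reachable.
2024-03-14 22:05:33 IKE message retransmission to 203.0.113.10 timed out. Check if the remote gateway is reachable.
"""

RETRANSMIT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"IKE message retransmission to (?P<peer>\S+) timed out\."
)

def parse_retransmit_timeouts(text):
    """Return (timestamp, peer) for every retransmission-timeout line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = RETRANSMIT_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["peer"]))
    return events

def timeouts_per_hour(events):
    """Count timeouts per (peer, hour bucket) so bursts stand out from one-off drops."""
    buckets = Counter()
    for ts, peer in events:
        buckets[(peer, ts.strftime("%Y-%m-%d %H:00"))] += 1
    return buckets

def classify(buckets, burst_threshold=3):
    """Label a peer 'flapping' if any single hour reaches the threshold, else 'sporadic'."""
    worst = defaultdict(int)
    for (peer, _hour), n in buckets.items():
        worst[peer] = max(worst[peer], n)
    return {peer: ("flapping" if n >= burst_threshold else "sporadic") for peer, n in worst.items()}

if __name__ == "__main__":
    buckets = timeouts_per_hour(parse_retransmit_timeouts(SAMPLE_LOG))
    for (peer, hour), n in sorted(buckets.items()):
        print(f"{peer} {hour}: {n} timeouts")
    print(classify(buckets))
```

Feeding the real export of the VPN log through the same functions (after adjusting the timestamp pattern) gives the per-hour picture needed to tell a 60-second DPD re-initiate loop from an isolated outage.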



  • Hi,

    Good day and thanks for reaching out to Sophos Community and hope you are well.

    A few queries:

    Was this previously working before and not having any issues?

    If yes,

    - did a firmware upgrade happen before this issue occurred (if yes, from which firmware to which firmware?)
    - were there any configuration changes on either end? Or any ISP change/downtime on either end?

    Kindly check as well whether the DPD policy is configured as Re-initiate:

    Additionally, you may kindly check this IPsec S2S troubleshooting guide for common issues: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/SiteToSiteVPN/t_VPNIPsecSiteToSiteTroubleShootCommonErrors/index.html

    Hope this helps. Thanks for your time and patience, and thank you for choosing Sophos.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Hi Raphael,

    I am not sure if I am replying in the correct manner, as this forum design is strange to me (see below... I see a duplicated reply, first only a part of it, then below again the same reply in whole... don't get it, lol).

    Well, NO. The VPN was working fine for a few years with Drayteks on both sides, no problems ever. Then I added the Sophos XGS-126 to one site and rewrote the IPSec VPN to reflect the Draytek settings, and ever since it has been dropping randomly. It might even be up for a few weeks without problems, or drop a dozen times in one day, totally random.

    I will go through the logs, following your troubleshooting guide, and see how it goes. Thank you!

    BTW... this is how I see this forum, weird duplicated posts...

  • Hello Andrej,

    Thank you for the update.

    They’re  "duplicated entries" what happens is when somebody marks an answer as suggested, it moves to the Top of the Post. Hence, it’s easier/faster to identify a suggested/valid answer in the post. (Usually, the first Suggested answer will only show until there’s a verified answer (Green) 

    You should see "TOP Replies" on the top left part.

    As for your issue, I would recommend you open a case with Support so they can investigate along with you. I suspect that the issue might be related to IPsec acceleration (you can try to disable it from the console of the Sophos Firewall via PuTTY (4) by running

    console> system ipsec-acceleration disable

    However, this would only be a workaround and not a solution.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support