XG310v3 HA Active/Standby site-to-site VPN connections, 19.5.3. Unable to edit, delete or change status.

Figured, since I cannot find anyone else experiencing this issue, I wanted to highlight this here in case it helps someone else or if Sophos want to investigate themselves.

FW type, config and version in subject.

TLDR: Disable HA if you experience issues with site-to-site VPN connections that cannot be edited, deleted or change their status.

Progression and troubleshooting.

Have about 10 site-to-site connections configured. Added another to a customer location.
After a day, the tunnel went down. Unable to reconnect. Log keeps filling up with "the far end gateway cannot be reached".

Go in and try to edit the connection to troubleshoot; this is seemingly impossible.

Unable to do any kind of edit to the connection, or enable/disable it.

Attempted to resolve this by:
1. Different browsers and different users, including the main admin account.
2. Connecting to the firewall webUI from different subnets just in case of network issues.
3. Switching over the firewalls between Aux and Primary.

Rolled back to 19.5.2 and its old config from 2 weeks ago. This resolved it for a while, VPN tunnel set up again.
Forward to the next day, same problem. Same issue; this time, however, none of the site-to-site connections could reliably be shut down, reconnected or edited.
Firewall would say the same as above, or claim:

Could not edit, delete, disconnect or reconnect the connection.
Much later, the connection deleted itself seemingly.

Even though the site-to-site connection was deleted, and its underlying VPN profile, this was filling up the log every few seconds with 5 in a row.

Figured since the HA cluster may not be able to clear something, I disconnected the HA pair Aux firewall. Instantly the site-to-site tunnels recovered.
Set up the site-to-site connection that was initially causing it and it worked instantly. UI is snappy again after being slow.
Upgraded back to 19.5.3, all site-to-site connections have remained stable for a few hours now.

Will leave the HA offline for now and see, but it seems to be the root cause of it.
Haven't done any changes or moved any cabling in years. Will however inspect these and wipe the Aux firewall and start over fresh before I join it back to HA.

Anyone experienced something similar with HA?

  • So essentially there is something broken with your HA setup or was broken. Maybe the sync did break.

    What kind of appliance do you use? 

    And do you have the SSMK set? 


  • Thanks for your reply, however at this point this post is a bit misleading as HA seemingly isn't the root cause of the one site-to-site connection that keeps breaking everything.

    This connection cannot be deactivated, edited nor deleted again about a day after being setup.
    Will have to cycle the firewall again tonight.

    And yes, the SSMK is set.
    Will have to force my MSP to raise this with Sophos directly as this must be a software bug, however not sure exactly what triggers it except for this specific site-to-site connection.

    Unsure about what you're asking on which appliance I am using, as it's in the subject. 2x XG310v3.

    This is for a corporate environment.

  • Have found that this site-to-site connection gets into a state where it cannot be removed, deactivated or edited. The only thing that works is to have HA disabled and reboot the remaining firewall, then quickly after reboot delete the site-to-site config before it becomes a permanent site-to-site configuration.

    Changed the VPN profile for this setup, with different IKE key life etc. Will test this for another day and see if it remains stable. If not, will reach out to support directly.

    Never seen anything like it.

  • Okay, so yes, after changing the VPN profile for this site-to-site connection (totally changed all the IKE settings, DH group etc.), the tunnel remains up and is no longer causing havoc in the fragile XG firmware.

    Wanted to put this out here in case someone else comes across this, as I have not seen this before, nor seen other threads about it.

    Note that if you have a locked-up connection that cannot be deleted, deactivated or edited, the only way seemingly is to kill HA (if set up) and reboot the remaining firewall; once it is back up, quickly delete the offending site-to-site connection.

    Only took me basically a full day in total to figure this out and schedule outages at night/late evenings to work on it.

  • Esa Salminen, we have tried to recreate this issue a few times by having ~25 s2s IPsec (PBVPN) tunnels on an XG310 HA pair, but did not hit this issue. In case you hit this again, please share the logs (/log/charon.log, /log/applog.log, /log/csc.log on both Primary and Aux nodes) or reach out to Sophos support.