Figured since I cannot find anyone else experiencing this issue, I wanted to highlight it here in case it helps someone else, or if Sophos want to investigate themselves.
FW type, config and version in subject.
TLDR: Disable HA if you experience issues with site-to-site VPN connections that cannot be edited, deleted or change their status.
Progression and troubleshooting:
Have about 10 site-to-site connections configured. Added another to a customer location.
After a day, the tunnel went down. Unable to reconnect. The log keeps filling up with "the far end gateway cannot be reached".
Went in and tried to edit the connection to troubleshoot; this is seemingly impossible.
Unable to do any kind of edit to the connection, or enable/disable it.
Attempted to resolve this by:
1. Different browsers and different users, including the main admin account.
2. Connecting to the firewall webUI from different subnets just in case of network issues.
3. Switching over the firewalls between Aux and Primary.
Rolled back to 19.5.2 and its old config from 2 weeks ago. This resolved it for a while, VPN tunnel set up again.
Forward to the next day, same problem. Same issue, this time however none of the site-to-site connections could reliably be shut down, reconnected or edited.
Firewall would say the same as above, or claim:
Could not edit, delete, disconnect or reconnect the connection.
Much later, the connection seemingly deleted itself.
Even though the site-to-site connection was deleted, and its underlying VPN profile, this was filling up the log every few seconds with 5 in a row.
Figured since the HA cluster may not be able to clear something, I disconnected the HA pair Aux firewall. Instantly the site-to-site tunnels recovered.
Set up the site-to-site connection that was initially causing it and it worked instantly. The UI is snappy again after being slow.
Upgraded back to 19.5.3, all site-to-site connections have remained stable for a few hours now.
Will leave the HA offline for now and see, but it seems to be the root cause of it.
Haven't done any changes or moved any cabling in years. Will however inspect these and wipe the Aux firewall and start over fresh before I join it back to HA.
Anyone experienced something similar with HA?