
IPSec connection is Down after migrating systems to another data center (WAN IP changed)

The information provided by clients is as below

From our admin side, we already amended the information such as local subnet and remote subnet as below except the interface wan1

Do we need to match the interface also? We do not know how to create such interface because we only have the IP address of the data center.

The connection is still down. Please advise what we should do. Thanks.

Best regards,

Joshua



  • Hello there,

    Thank you for contacting the Sophos Community.

    Take a look at the following KB. If the issue persists, please take a TCPdump on the WAN interface of the Sophos Firewall to confirm packets are arriving from the new Public IP.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    • Hi

      Below is the log message. It should be the problem #2. How should we solve it? 

      023-11-28 10:41:29 18[CFG] vici initiate 'NGO_C042-2'

      2023-11-28 10:41:29 24[IKE] <NGO_C042-1|54443> initiating Main Mode IKE_SA NGO_C042-1[54443] to 58.64.201.68

      2023-11-28 10:41:29 24[ENC] <NGO_C042-1|54443> generating ID_PROT request 0 [ SA V V V V V V ]

      2023-11-28 10:41:29 24[NET] <NGO_C042-1|54443> sending packet: from 152.101.24.21[500] to 58.64.201.68[500] (272 bytes)

      2023-11-28 10:41:29 04[NET] <54444> received packet: from 152.101.24.21[500] to 58.64.201.68[500] (272 bytes)

      2023-11-28 10:41:29 04[ENC] <54444> parsed ID_PROT request 0 [ SA V V V V V V ]

      2023-11-28 10:41:29 04[IKE] <54444> no IKE config found for 58.64.201.68...152.101.24.21, sending NO_PROPOSAL_CHOSEN

      2023-11-28 10:41:29 04[ENC] <54444> generating INFORMATIONAL_V1 request 2421491937 [ N(NO_PROP) ]

      2023-11-28 10:41:29 04[NET] <54444> sending packet: from 58.64.201.68[500] to 152.101.24.21[500] (40 bytes)

      2023-11-28 10:41:29 20[NET] <NGO_C042-1|54443> received packet: from 58.64.201.68[500] to 152.101.24.21[500] (40 bytes)

      2023-11-28 10:41:29 20[ENC] <NGO_C042-1|54443> parsed INFORMATIONAL_V1 request 2421491937 [ N(NO_PROP) ]

      2023-11-28 10:41:29 20[IKE] <NGO_C042-1|54443> received NO_PROPOSAL_CHOSEN error notify

      2023-11-28 10:41:29 20[IKE] <NGO_C042-1|54443> IKE_SA NO_PROPOSAL_CHOSEN set_condition COND_START_OVER

      2023-11-28 10:41:29 20[IKE] <NGO_C042-1|54443> IKE_SA has_condition COND_START_OVER retry initiate in 60 sec

      2023-11-28 10:41:30 05[CFG] vici initiate 'NGO_C042-1'

      2023-11-28 10:41:30 22[IKE] <NGO_C042-1|54445> initiating Main Mode IKE_SA NGO_C042-1[54445] to 58.64.201.68

      2023-11-28 10:41:30 22[ENC] <NGO_C042-1|54445> generating ID_PROT request 0 [ SA V V V V V V ]

      2023-11-28 10:41:30 22[NET] <NGO_C042-1|54445> sending packet: from 152.101.24.21[500] to 58.64.201.68[500] (272 bytes)

      2023-11-28 10:41:30 20[NET] <54446> received packet: from 152.101.24.21[500] to 58.64.201.68[500] (272 bytes)

      2023-11-28 10:41:30 20[ENC] <54446> parsed ID_PROT request 0 [ SA V V V V V V ]

      2023-11-28 10:41:30 20[IKE] <54446> no IKE config found for 58.64.201.68...152.101.24.21, sending NO_PROPOSAL_CHOSEN

      2023-11-28 10:41:30 20[ENC] <54446> generating INFORMATIONAL_V1 request 2710311803 [ N(NO_PROP) ]

      2023-11-28 10:41:30 20[NET] <54446> sending packet: from 58.64.201.68[500] to 152.101.24.21[500] (40 bytes)

      2023-11-28 10:41:30 30[NET] <NGO_C042-1|54445> received packet: from 58.64.201.68[500] to 152.101.24.21[500] (40 bytes)

      2023-11-28 10:41:30 30[ENC] <NGO_C042-1|54445> parsed INFORMATIONAL_V1 request 2710311803 [ N(NO_PROP) ]

      2023-11-28 10:41:30 30[IKE] <NGO_C042-1|54445> received NO_PROPOSAL_CHOSEN error notify

      2023-11-28 10:41:30 30[IKE] <NGO_C042-1|54445> IKE_SA NO_PROPOSAL_CHOSEN set_condition COND_START_OVER

      2023-11-28 10:41:30 30[IKE] <NGO_C042-1|54445> IKE_SA has_condition COND_START_OVER retry initiate in 60 sec

      2023-11-28 10:41:33 20[NET] <54447> received packet: from 152.101.24.21[500] to 58.64.201.68[500] (172 bytes)

      2023-11-28 10:41:33 20[ENC] <54447> parsed ID_PROT request 0 [ SA V V V V ]

      2023-11-28 10:41:33 20[IKE] <54447> no IKE config found for 58.64.201.68...152.101.24.21, sending NO_PROPOSAL_CHOSEN

      2023-11-28 10:41:33 20[ENC] <54447> generating INFORMATIONAL_V1 request 3237227655 [ N(NO_PROP) ]

      2023-11-28 10:41:33 20[NET] <54447> sending packet: from 58.64.201.68[500] to 152.101.24.21[500] (40 bytes)

      2023-11-28 10:41:33 31[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (9074E8A6) from other side

      2023-11-28 10:41:33 31[DMN] [GARNER-LOGGING] (log_garner) failed to send message to garner, gr_io() has problems

      2023-11-28 10:41:36 16[NET] <54448> received packet: from 152.101.24.21[500] to 58.64.201.68[500] (172 bytes)

      2023-11-28 10:41:36 16[ENC] <54448> parsed ID_PROT request 0 [ SA V V V V ]

      2023-11-28 10:41:36 16[IKE] <54448> no IKE config found for 58.64.201.68...152.101.24.21, sending NO_PROPOSAL_CHOSEN

      2023-11-28 10:41:36 16[ENC] <54448> generating INFORMATIONAL_V1 request 2959873058 [ N(NO_PROP) ]

      2023-11-28 10:41:36 16[NET] <54448> sending packet: from 58.64.201.68[500] to 152.101.24.21[500] (40 bytes)

      2023-11-28 10:41:36 29[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (9074E8A6) from other side

      2023-11-28 10:41:36 29[DMN] [GARNER-LOGGING] (log_garner) failed to send message to garner, gr_io() has problems

      2023-11-28 10:41:38 20[IKE] <NGO_C009-1|44798> sending DPD request

      2023-11-28 10:41:38 20[ENC] <NGO_C009-1|44798> generating INFORMATIONAL_V1 request 2463943609 [ HASH N(DPD) ]

      2023-11-28 10:41:38 20[NET] <NGO_C009-1|44798> sending packet: from 58.64.201.68[500] to 61.93.221.166[500] (92 bytes)

      2023-11-28 10:41:38 31[NET] <NGO_C009-1|44798> received packet: from 61.93.221.166[500] to 58.64.201.68[500] (92 bytes)

      2023-11-28 10:41:38 31[ENC] <NGO_C009-1|44798> parsed INFORMATIONAL_V1 request 4225468694 [ HASH N(DPD_ACK) ]

      2023-11-28 10:41:42 16[NET] <54449> received packet: from 152.101.24.21[500] to 58.64.201.68[500] (172 bytes)

      2023-11-28 10:41:42 16[ENC] <54449> parsed ID_PROT request 0 [ SA V V V V ]

      2023-11-28 10:41:42 16[IKE] <54449> no IKE config found for 58.64.201.68...152.101.24.21, sending NO_PROPOSAL_CHOSEN

      2023-11-28 10:41:42 16[ENC] <54449> generating INFORMATIONAL_V1 request 3711632964 [ N(NO_PROP) ]

      2023-11-28 10:41:42 16[NET] <54449> sending packet: from 58.64.201.68[500] to 152.101.24.21[500] (40 bytes)

      2023-11-28 10:41:42 29[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (9074E8A6) from other side

      2023-11-28 10:41:42 29[DMN] [GARNER-LOGGING] (log_garner) failed to send message to garner, gr_io() has problems

      • Hi,


        It seems there is some routing loop as per the log you shared - the sent and received packets are on the same node.

        2023-11-28 10:41:29 24[NET] <NGO_C042-1|54443> sending packet: from 152.101.24.21[500] to 58.64.201.68[500] (272 bytes)

        2023-11-28 10:41:29 04[NET] <54444> received packet: from 152.101.24.21[500] to 58.64.201.68[500] (272 bytes)

        The above log you provided seems to indicate that a packet was sent from an IP address (152.101.24.21) to another IP address (58.64.201.68) and was simultaneously received on the same node.

        Can you check if there is some network misconfiguration?

        PS: "no IKE config found for 58.64.201.68...152.101.24.21, sending NO_PROPOSAL_CHOSEN" indicates there is no IPsec tunnel configuration with the said local gateway (58.64.201.68) and remote gateway (152.101.24.21) on the node which received it.


        Regards,

        Vamshi
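
The check described in the reply above, as an added example that is not part of the original thread: it scans charon log lines for flows that one daemon logged as both sent and received, and counts the "no IKE config found" gateway pairs. The sample lines are copied from the log posted earlier in this thread; the names `analyze` and `SAMPLE` are assumptions.

```python
import re
from collections import Counter

IP = r"(\d+(?:\.\d+){3})"
# e.g. "24[NET] <NGO_C042-1|54443> sending packet: from A[500] to B[500] (272 bytes)"
NET = re.compile(r"\[NET\] <[^>]*> (sending|received) packet: "
                 r"from " + IP + r"\[\d+\] to " + IP + r"\[\d+\]")
# e.g. "no IKE config found for LOCAL...REMOTE, sending NO_PROPOSAL_CHOSEN"
NOCFG = re.compile(r"no IKE config found for " + IP + r"\.\.\." + IP)

# Lines copied from the log in this thread (failing tunnel plus one healthy DPD exchange).
SAMPLE = """\
2023-11-28 10:41:29 24[NET] <NGO_C042-1|54443> sending packet: from 152.101.24.21[500] to 58.64.201.68[500] (272 bytes)
2023-11-28 10:41:29 04[NET] <54444> received packet: from 152.101.24.21[500] to 58.64.201.68[500] (272 bytes)
2023-11-28 10:41:29 04[IKE] <54444> no IKE config found for 58.64.201.68...152.101.24.21, sending NO_PROPOSAL_CHOSEN
2023-11-28 10:41:29 04[NET] <54444> sending packet: from 58.64.201.68[500] to 152.101.24.21[500] (40 bytes)
2023-11-28 10:41:29 20[NET] <NGO_C042-1|54443> received packet: from 58.64.201.68[500] to 152.101.24.21[500] (40 bytes)
2023-11-28 10:41:38 20[NET] <NGO_C009-1|44798> sending packet: from 58.64.201.68[500] to 61.93.221.166[500] (92 bytes)
2023-11-28 10:41:38 31[NET] <NGO_C009-1|44798> received packet: from 61.93.221.166[500] to 58.64.201.68[500] (92 bytes)
"""

def analyze(log_text):
    """Return (no-config gateway pairs with counts, flows seen as both sent and received)."""
    sent, received, no_config = set(), set(), Counter()
    for line in log_text.splitlines():
        m = NET.search(line)
        if m:
            direction, src, dst = m.groups()
            (sent if direction == "sending" else received).add((src, dst))
            continue
        m = NOCFG.search(line)
        if m:
            # (local gateway, remote gateway) as seen by the responder side
            no_config[m.groups()] += 1
    # A healthy tunnel logs A->B as sent and B->A as received. The same
    # src->dst appearing in both sets means this node is talking to itself.
    looped = sorted(sent & received)
    return dict(no_config), looped

if __name__ == "__main__":
    missing, looped = analyze(SAMPLE)
    for local, remote in missing:
        print(f"no IKE config for local={local} remote={remote} (x{missing[(local, remote)]})")
    for src, dst in looped:
        print(f"same node sent and received {src} -> {dst}")
```

On the sample, the NGO_C042-1 flows are flagged in both directions while the NGO_C009-1 DPD exchange is not, which matches the reply's reading that both gateway addresses belong to the node that wrote the log.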