Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 3 replies
  • Answers 2 answers
  • Subscribers 39 subscribers
  • Views 1482 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSec connection is Down after migrating systems to another data center (WAN IP changed)

cap admin

The information provided by clients is as below

From our admin side, we already amended the information such as local subnet and remote subnet as below except the interface wan1

Do we need to match the interface also? We do not know how to create such interface because we only have the IP address of the data center.

The connection is still down. Please advise what we should do. Thanks.

Best regards,

Joshua



This thread was automatically locked due to age.
  • 0

    Hello there,

    Thank you for contacting the Sophos Community.

    Take a look at the following KB. If the issue persists, please take a TCPdump on the WAN interface of the Sophos Firewall to confirm packets are arriving from the new Public IP.

    Regards,

     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • 0 in reply to emmosophos

    Hi

    Below is the log message. It should be the problem #2. How should we solve it? 

    023-11-28 10:41:29 18[CFG] vici initiate 'NGO_C042-2'

    2023-11-28 10:41:29 24[IKE] <NGO_C042-1|54443> initiating Main Mode IKE_SA NGO_C042-1[54443] to 58.64.201.68

    2023-11-28 10:41:29 24[ENC] <NGO_C042-1|54443> generating ID_PROT request 0 [ SA V V V V V V ]

    2023-11-28 10:41:29 24[NET] <NGO_C042-1|54443> sending packet: from 152.101.24.21[500] to 58.64.201.68[500] (272 bytes)

    2023-11-28 10:41:29 04[NET] <54444> received packet: from 152.101.24.21[500] to 58.64.201.68[500] (272 bytes)

    2023-11-28 10:41:29 04[ENC] <54444> parsed ID_PROT request 0 [ SA V V V V V V ]

    2023-11-28 10:41:29 04[IKE] <54444> no IKE config found for 58.64.201.68...152.101.24.21, sending NO_PROPOSAL_CHOSEN

    2023-11-28 10:41:29 04[ENC] <54444> generating INFORMATIONAL_V1 request 2421491937 [ N(NO_PROP) ]

    2023-11-28 10:41:29 04[NET] <54444> sending packet: from 58.64.201.68[500] to 152.101.24.21[500] (40 bytes)

    2023-11-28 10:41:29 20[NET] <NGO_C042-1|54443> received packet: from 58.64.201.68[500] to 152.101.24.21[500] (40 bytes)

    2023-11-28 10:41:29 20[ENC] <NGO_C042-1|54443> parsed INFORMATIONAL_V1 request 2421491937 [ N(NO_PROP) ]

    2023-11-28 10:41:29 20[IKE] <NGO_C042-1|54443> received NO_PROPOSAL_CHOSEN error notify

    2023-11-28 10:41:29 20[IKE] <NGO_C042-1|54443> IKE_SA NO_PROPOSAL_CHOSEN set_condition COND_START_OVER

    2023-11-28 10:41:29 20[IKE] <NGO_C042-1|54443> IKE_SA has_condition COND_START_OVER retry initiate in 60 sec

    2023-11-28 10:41:30 05[CFG] vici initiate 'NGO_C042-1'

    2023-11-28 10:41:30 22[IKE] <NGO_C042-1|54445> initiating Main Mode IKE_SA NGO_C042-1[54445] to 58.64.201.68

    2023-11-28 10:41:30 22[ENC] <NGO_C042-1|54445> generating ID_PROT request 0 [ SA V V V V V V ]

    2023-11-28 10:41:30 22[NET] <NGO_C042-1|54445> sending packet: from 152.101.24.21[500] to 58.64.201.68[500] (272 bytes)

    2023-11-28 10:41:30 20[NET] <54446> received packet: from 152.101.24.21[500] to 58.64.201.68[500] (272 bytes)

    2023-11-28 10:41:30 20[ENC] <54446> parsed ID_PROT request 0 [ SA V V V V V V ]

    2023-11-28 10:41:30 20[IKE] <54446> no IKE config found for 58.64.201.68...152.101.24.21, sending NO_PROPOSAL_CHOSEN

    2023-11-28 10:41:30 20[ENC] <54446> generating INFORMATIONAL_V1 request 2710311803 [ N(NO_PROP) ]

    2023-11-28 10:41:30 20[NET] <54446> sending packet: from 58.64.201.68[500] to 152.101.24.21[500] (40 bytes)

    2023-11-28 10:41:30 30[NET] <NGO_C042-1|54445> received packet: from 58.64.201.68[500] to 152.101.24.21[500] (40 bytes)

    2023-11-28 10:41:30 30[ENC] <NGO_C042-1|54445> parsed INFORMATIONAL_V1 request 2710311803 [ N(NO_PROP) ]

    2023-11-28 10:41:30 30[IKE] <NGO_C042-1|54445> received NO_PROPOSAL_CHOSEN error notify

    2023-11-28 10:41:30 30[IKE] <NGO_C042-1|54445> IKE_SA NO_PROPOSAL_CHOSEN set_condition COND_START_OVER

    2023-11-28 10:41:30 30[IKE] <NGO_C042-1|54445> IKE_SA has_condition COND_START_OVER retry initiate in 60 sec

    2023-11-28 10:41:33 20[NET] <54447> received packet: from 152.101.24.21[500] to 58.64.201.68[500] (172 bytes)

    2023-11-28 10:41:33 20[ENC] <54447> parsed ID_PROT request 0 [ SA V V V V ]

    2023-11-28 10:41:33 20[IKE] <54447> no IKE config found for 58.64.201.68...152.101.24.21, sending NO_PROPOSAL_CHOSEN

    2023-11-28 10:41:33 20[ENC] <54447> generating INFORMATIONAL_V1 request 3237227655 [ N(NO_PROP) ]

    2023-11-28 10:41:33 20[NET] <54447> sending packet: from 58.64.201.68[500] to 152.101.24.21[500] (40 bytes)

    2023-11-28 10:41:33 31[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (9074E8A6) from other side

    2023-11-28 10:41:33 31[DMN] [GARNER-LOGGING] (log_garner) failed to send message to garner, gr_io() has problems

    2023-11-28 10:41:36 16[NET] <54448> received packet: from 152.101.24.21[500] to 58.64.201.68[500] (172 bytes)

    2023-11-28 10:41:36 16[ENC] <54448> parsed ID_PROT request 0 [ SA V V V V ]

    2023-11-28 10:41:36 16[IKE] <54448> no IKE config found for 58.64.201.68...152.101.24.21, sending NO_PROPOSAL_CHOSEN

    2023-11-28 10:41:36 16[ENC] <54448> generating INFORMATIONAL_V1 request 2959873058 [ N(NO_PROP) ]

    2023-11-28 10:41:36 16[NET] <54448> sending packet: from 58.64.201.68[500] to 152.101.24.21[500] (40 bytes)

    2023-11-28 10:41:36 29[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (9074E8A6) from other side

    2023-11-28 10:41:36 29[DMN] [GARNER-LOGGING] (log_garner) failed to send message to garner, gr_io() has problems

    2023-11-28 10:41:38 20[IKE] <NGO_C009-1|44798> sending DPD request

    2023-11-28 10:41:38 20[ENC] <NGO_C009-1|44798> generating INFORMATIONAL_V1 request 2463943609 [ HASH N(DPD) ]

    2023-11-28 10:41:38 20[NET] <NGO_C009-1|44798> sending packet: from 58.64.201.68[500] to 61.93.221.166[500] (92 bytes)

    2023-11-28 10:41:38 31[NET] <NGO_C009-1|44798> received packet: from 61.93.221.166[500] to 58.64.201.68[500] (92 bytes)

    2023-11-28 10:41:38 31[ENC] <NGO_C009-1|44798> parsed INFORMATIONAL_V1 request 4225468694 [ HASH N(DPD_ACK) ]

    2023-11-28 10:41:42 16[NET] <54449> received packet: from 152.101.24.21[500] to 58.64.201.68[500] (172 bytes)

    2023-11-28 10:41:42 16[ENC] <54449> parsed ID_PROT request 0 [ SA V V V V ]

    2023-11-28 10:41:42 16[IKE] <54449> no IKE config found for 58.64.201.68...152.101.24.21, sending NO_PROPOSAL_CHOSEN

    2023-11-28 10:41:42 16[ENC] <54449> generating INFORMATIONAL_V1 request 3711632964 [ N(NO_PROP) ]

    2023-11-28 10:41:42 16[NET] <54449> sending packet: from 58.64.201.68[500] to 152.101.24.21[500] (40 bytes)

    2023-11-28 10:41:42 29[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (9074E8A6) from other side

    2023-11-28 10:41:42 29[DMN] [GARNER-LOGGING] (log_garner) failed to send message to garner, gr_io() has problems

  • 0 in reply to cap admin

    Hi  ,


    It seems there is some routing loop as per the log you shared - the sent and received  packet is on the same node.

    2023-11-28 10:41:29 24[NET] <NGO_C042-1|54443> sending packet: from 152.101.24.21[500] to 58.64.201.68[500] (272 bytes)

    2023-11-28 10:41:29 04[NET] <54444> received packet: from 152.101.24.21[500] to 58.64.201.68[500] (272 bytes)

    The above log you provided seems to indicate that a packet was sent from an IP address (152.101.24.21) to another IP address (58.64.201.68) and was simultaneously received on the same node 

    Can you check if there is some network misconfiguration ? 

    PS: "no IKE config found for 58.64.201.68...152.101.24.21, sending NO_PROPOSAL_CHOSEN" indicate there is no IPsec Tunnel configuration with the said localgateway (58.64.201.68) and remotegateway (152.101.24.21) on the Node which received it. 


    Regards,

    Vamshi

Unfiltered HTML