This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

kein IPsec VPN nach Upgrade auf SFOS 20.0.1 MR-1-Build342

Uwe Bohnhoff 5 months ago

Hello,

all our Site-to-Site-VPN don't work again after upgrading from SFOS 20.0.0 GA-Build222 to SFOS 20.0.1 MR-1-Build342.

In the log we find:

(unnamed) - Couldn't parse IKE message from ..

Also all outgoing remote IPSec don't work again after upgrading:

Child SA (Security Association) konnte nicht hergestellt werden.

Can anyone help?

Thanks

Uwe

This thread was automatically locked due to age.

Top Replies

vamshi d 5 months ago +1

Hi Uwe Bohnhoff ,Could you please confirm if the Site-to-Site VPN is between two XG devices? If not, could you provide the vendor details of the remote firewall? Regards, Vamshi

Parents

0 Sebastian Ramsauer 4 months ago

Hello,
we have the same error. However, after updating to SFOS 20.0.1 MR-1-Build342, we rolled back to SFOS 20.0.0 GA-Build222. Since then, the IPsec connections with Sophos Connect no longer work. These worked perfectly before. 

Error message: Child SA (Security Association) konnte nicht hergestellt werden.
Couldn't parse IKE message from ..

Is there already a solution or a HowTo for this?

Thanks

Sebastian

0 Mayur Makvana 4 months ago in reply to Sebastian Ramsauer

Hello Sebastian Ramsauer ,

Thank you for reaching to Sophos Community!

Please add strongswan service in debug using below command from advanced shell:

service strongswan:debug -ds nosync (Use the same command to disable after collecting the logs)

Use below command to collect the strongswan logs:

cd /log

tail -f strongswan.log

Also, collect the tcpdump on remote public IP as below:

tcpdump -nei any host remoteIP

Kindly share us these logs to validate.

Mayur Makvana
Technical Account Manager | Global Customer Experience
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Mayur Makvana 4 months ago in reply to Sebastian Ramsauer

Hello Sebastian Ramsauer ,

Thank you for reaching to Sophos Community!

Please add strongswan service in debug using below command from advanced shell:

service strongswan:debug -ds nosync (Use the same command to disable after collecting the logs)

Use below command to collect the strongswan logs:

cd /log

tail -f strongswan.log

Also, collect the tcpdump on remote public IP as below:

tcpdump -nei any host remoteIP

Kindly share us these logs to validate.

Mayur Makvana
Technical Account Manager | Global Customer Experience
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data