
XG125 with 20 MR2 blocks UDP 500/4500 after upgrade from MR1

Hello,

I need some help.

I have a Branch Office with an XG125 and SFOS 20 MR1 up and running.
The laptop connects over an APX320 AP and gets a WiFi IP address.

The laptop was able to connect fine through Microsoft Always On VPN (IKEv2) with UDP 500/4500 to the Head Office Always On VPN Server.

After upgrading to SFOS 20 MR2, the VPN is broken and the laptop reports that UDP 500/4500 is blocked by the firewall.

If I move the laptop to my home office, all is fine and nothing is blocked.

Is there any change in MR2 that blocks VPN?

I already disabled some rules in the device console with

set ips ac_atr exception fwrules 5,6

I already recreated a new WLAN, with the same problem.

I checked for dropped packets (Sophos Firewall: Monitor dropped packets using CLI).

Any idea?

Thanks

  • Hi,

    Thank you for reaching out to Sophos Community.

    Can you share the case ID? If there is none, I recommend creating one so that it can be further isolated whether the cause is the upgrade, and kindly share the case ID.

    Also, are all devices affected? Have you tried different devices within the same network when testing?

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Thanks,
    I tried different laptops.
    All users have this problem if they are connected to APX APs.
    If they use a mobile connection or a LANCOM router, there is no problem at all.

    Only if connected to Sophos Firewall.

    I need to open a case.

    A Wireshark trace on the laptop shows that the destination VPN server (pfSense firewall) is not responding.

    Looks like the packets never leave the WiFi (at the Branch Office).

  • Thank you for the information.

    Please share the case ID here so we can monitor your case.

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • I was able to solve the problem; there was a misconfiguration in the rules.
    I had a setup with an old XG115w with MR2 and was able to check the rules.

    I noticed two bugs during setup.

    During the setup wizard, you are asked for the timezone.
    If I enter Europe/Berlin here,
    the APs are assigned a USA configuration and the WLAN adapters end up in the LAN zone.

    Could be done better.

  • After 90 minutes, WiFi fails for a few minutes and the problem is back.

    Must be the old WiFi bug or a new bug with MR2.

    Case ID 01867960

  • Not solved?

    Is your APX managed by Central or by the firewall (bridge to AP LAN or separate zone ... may be an MTU problem)?

    If you connect the notebook by wire to the branch firewall ... does the problem not exist?

    Is it possible to do a packet capture using "host xxx.xxx.xxx.xxx and port 500" as the BPF string? (xxx = notebook IP)


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi Dirk,

    I have an XG115w with SFOS 20 MR2 with the same WiFi setup and firewall rules.
    The XG115w works fine.

    APX is controlled by the XG125.
    APX is in a separate zone (WiFi).

    I captured a laptop in my home office with a capture filter in Wireshark, and I can see that the client is talking over 500/4500 with the VPN server.

    But at the XG125 with the APX as WiFi AP, the client doesn't get any response from the VPN server. Wireshark shows only the traffic from the client laptop, but no response traffic from the APX 320.

    The client has normal internet (most of the time), but they don't have VPN (500/4500); the XG125 drops all traffic to the client.

    Sri has done the capture and saw the same problem, but has no idea.

  • Hi,

    Thank you for sharing the case. As per an update, a scheduled call has been requested from your side.

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • Why does the XG125 get these log entries in IPsec (charon.log)?
    There are masses of entries.

    2024-09-09 10:35:56
    VPNmessageid="18050" log_type="Event" log_component="IPSec" log_subtype="System" status="Deny" user=""
    con_name="" con_type="0" src_ip="" gw_ip="" local_network="" dst_ip="" remote_network=""
    additional_information="" message="Received IKE message with invalid SPI (9FC31E20) from the remote gateway."
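As an added example (not from the thread, not Sophos code), a small Python parser for the SFOS IPsec log format quoted above that counts the "invalid SPI" denials per SPI value, a quick way to see whether the log is one peer looping on a stale SA or many different SAs. The sample entries, the SPI 0A1B2C3D, the later timestamps and the final "Allow" entry are constructed.

```python
import re
from collections import Counter

# Constructed sample in the SFOS IPsec log format quoted in the post above: a
# timestamp line followed by key="value" lines. Only the first entry is real.
SAMPLE_LOG = """2024-09-09 10:35:56
VPNmessageid="18050" log_type="Event" log_component="IPSec" log_subtype="System" status="Deny" user=""
con_name="" con_type="0" src_ip="" gw_ip="" local_network="" dst_ip="" remote_network=""
additional_information="" message="Received IKE message with invalid SPI (9FC31E20) from the remote gateway."
2024-09-09 10:35:58
VPNmessageid="18050" log_type="Event" log_component="IPSec" log_subtype="System" status="Deny" user=""
additional_information="" message="Received IKE message with invalid SPI (9FC31E20) from the remote gateway."
2024-09-09 10:36:01
VPNmessageid="18050" log_type="Event" log_component="IPSec" log_subtype="System" status="Deny" user=""
additional_information="" message="Received IKE message with invalid SPI (0A1B2C3D) from the remote gateway."
2024-09-09 10:36:05
VPNmessageid="00000" log_type="Event" log_component="IPSec" status="Allow" message="Constructed non-denial entry."
"""

TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')
INVALID_SPI_RE = re.compile(r"invalid SPI \(([0-9A-Fa-f]+)\)")


def parse_entries(text):
    """Split the log into entries (one per timestamp line) and parse each
    entry's key="value" pairs into a dict; empty values are kept as ''."""
    entries, current = [], None
    for line in text.splitlines():
        if TIMESTAMP_RE.match(line):
            current = {"timestamp": line}
            entries.append(current)
        elif current is not None:
            current.update(KV_RE.findall(line))
    return entries


def invalid_spi_counts(text):
    """Count IPsec 'Deny' entries with 'invalid SPI' per SPI value. Many hits
    on the same SPI mean the peer keeps sending to an SA this side no longer
    has (typical after a rekey, reboot or a NAT/firewall interruption)."""
    counts = Counter()
    for entry in parse_entries(text):
        if entry.get("log_component") != "IPSec" or entry.get("status") != "Deny":
            continue
        match = INVALID_SPI_RE.search(entry.get("message", ""))
        if match:
            counts[match.group(1).upper()] += 1
    return counts
```

Run it against a charon.log export instead of SAMPLE_LOG; a single SPI with a high count points at one stuck peer, a spread of SPIs at a path problem between the sites.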
