Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall

Discussions XG125 with 20 MR2 blocks UDP 500/4500 after upgrade from MR1

Sophos Firewall requires membership for participation - click to join

Thread Info

State Not Answered
Locked Locked
Replies 13 replies
Subscribers 39 subscribers
Views 2630 views
Users 0 members are here

Options

Suggested

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG125 with 20 MR2 blocks UDP 500/4500 after upgrade from MR1

juergenb52 4 months ago

Hello,

i need some help.

I have a Branch Office wiht a XG125 and SFOS 20 MR1 up and running.
Laptop connects over a APX320 AP and get a WiFi IP Address.

Laptop was able to connect through Microsoft Always ON VPN (IKEv2) with UDP 500/4500 find to the Head Office Always ON VPN Server.

After upgrading to SFOS 20 MR2, VPN is broken and Laptop claims, that UDP 500/4500 is blocked by the firewall.

If i move the laptop to my home office, all is fine and nothing is blocked.

Is there any change in MR2, that blocks VPN?

I already disabled some rule in device console with

set ips ac_atr exception fwrules 5,6

I already regreated a new WLAN, with the same problem.

I checked for dropped packages (Sophos Firewall: Monitor dropped packets using CLI).

Any idea?

Thanks

This thread was automatically locked due to age.

Top Replies

Sreenivasulu Naidu 4 months ago in reply to juergenb52 +1

Hi juergenb52 , this log in charon.log indicates a message to the logging syb-system saying that for the incoming IKE (IPsec connection) packet, either there is no config or if the config (of an existing…

0 juergenb52 4 months ago in reply to Sreenivasulu Naidu

The problem has been solved last night.

The XG125 died at 10:14 PM (Case ID 01877872).
I'm curious to see if the replacement will take as long as the XGS2100.
Cancel
Vote Up 0 Vote Down

Cancel
0 juergenb52 4 months ago in reply to juergenb52

The problem is back.

This time, the XGS2100 with SFOS 20 an GA is going south ...
VPN Traffic is not forwarded to the external Port2.

The diagnostics packet capture, that showed this error on the XG125 (rip) shows the same behavior now at the XGS2100.
Cancel
Vote Up 0 Vote Down

Cancel
0 juergenb52 3 months ago in reply to juergenb52

The ISP providers had checked the routers at HO and BO and restarted them, but the problem was still there.

Only a reboot of the XGS HA cluster in the head office put an end to the problem with this XG125 in the brach office.
Cancel
Vote Up 0 Vote Down

Cancel