
No traffic through VPN tunnel

Hello,

I have a problem with an IPsec site-to-site tunnel. The tunnel is being built, but no traffic is going through the tunnel.
The remote station is connected to a router via LTE and a Dyn DNS entry.
I checked local and remote subnets. The firewall entries are also set.
Does anyone have an idea where I can start looking for the solution?

Thanks and best regards

Thomas



Added TAGs
[edited by: Erick Jan at 1:59 PM (GMT -7) on 12 Sep 2024]
  • Hello,

    Thank you for contacting Sophos Community!

    Kindly refer to the below KBA:

    community.sophos.com/.../sophos-firewall-how-to-identify-the-communication-issue-with-up-and-running-ipsec-tunnel

    Mayur Makvana
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.

  • After verifying the tcpdump output recommended by Mayur in the above KBA, if you observe packet loss happening in the Sophos firewall, please post the output of:

    • ifconfig ipsec0 | grep drop
    • cat /proc/net/xfrm_stat
    • Is it a XGS appliance with ipsec acceleration enabled?

    Run a ping test and collect the output over multiple iterations to see whether the counters increment or remain static.

  • Thanks a lot for your suggestions. Here is the output.

    XG230_WP02_SFOS 19.5.4 MR-4-Build718 HA-Primary# tcpdump -ni any host 22c9230e.dynamic-dns.net
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
    10:24:41.231214 Port2, IN: IP 80.187.117.209.8662 > 217.7.105.106.4500: NONESP-encap: isakmp: child_sa  inf2
    10:24:41.231506 Port2, OUT: IP 217.7.105.106.4500 > 80.187.117.209.8662: NONESP-encap: isakmp: child_sa  inf2[IR]
    10:25:01.231397 Port2, IN: IP 80.187.117.209.8662 > 217.7.105.106.4500: NONESP-encap: isakmp: child_sa  inf2
    10:25:01.231663 Port2, OUT: IP 217.7.105.106.4500 > 80.187.117.209.8662: NONESP-encap: isakmp: child_sa  inf2[IR]
    10:25:19.227073 Port4, OUT: IP 94.134.205.130 > 80.187.117.209: ICMP echo request, id 58492, seq 0, length 64
    10:25:20.227142 Port4, OUT: IP 94.134.205.130 > 80.187.117.209: ICMP echo request, id 58492, seq 1, length 64
    10:25:21.227221 Port4, OUT: IP 94.134.205.130 > 80.187.117.209: ICMP echo request, id 58492, seq 2, length 64
    10:25:21.231124 Port2, IN: IP 80.187.117.209.8662 > 217.7.105.106.4500: NONESP-encap: isakmp: child_sa  inf2
    10:25:21.231359 Port2, OUT: IP 217.7.105.106.4500 > 80.187.117.209.8662: NONESP-encap: isakmp: child_sa  inf2[IR]
    10:25:22.227279 Port4, OUT: IP 94.134.205.130 > 80.187.117.209: ICMP echo request, id 58492, seq 3, length 64
    10:25:41.232089 Port2, IN: IP 80.187.117.209.8662 > 217.7.105.106.4500: NONESP-encap: isakmp: child_sa  inf2
    10:25:41.232396 Port2, OUT: IP 217.7.105.106.4500 > 80.187.117.209.8662: NONESP-encap: isakmp: child_sa  inf2[IR]
    10:26:01.232057 Port2, IN: IP 80.187.117.209.8662 > 217.7.105.106.4500: NONESP-encap: isakmp: child_sa  inf2
    10:26:01.232373 Port2, OUT: IP 217.7.105.106.4500 > 80.187.117.209.8662: NONESP-encap: isakmp: child_sa  inf2[IR]
    10:26:21.232021 Port2, IN: IP 80.187.117.209.8662 > 217.7.105.106.4500: NONESP-encap: isakmp: child_sa  inf2
    10:26:21.232338 Port2, OUT: IP 217.7.105.106.4500 > 80.187.117.209.8662: NONESP-encap: isakmp: child_sa  inf2[IR]
    10:26:41.232723 Port2, IN: IP 80.187.117.209.8662 > 217.7.105.106.4500: NONESP-encap: isakmp: child_sa  inf2
    10:26:41.232992 Port2, OUT: IP 217.7.105.106.4500 > 80.187.117.209.8662: NONESP-encap: isakmp: child_sa  inf2[IR]
    18 packets captured
    224 packets received by filter
    198 packets dropped by kernel

    XG230_WP02_SFOS 19.5.4 MR-4-Build718 HA-Primary# ifconfig ipsec0 | grep drop
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:5321601 overruns:0 carrier:0

    XG230_WP02_SFOS 19.5.4 MR-4-Build718 HA-Primary# cat /proc/net/xfrm_stat
    XfrmInError                     0
    XfrmInBufferError               0
    XfrmInHdrError                  0
    XfrmInNoStates                  211945
    XfrmInStateProtoError           0
    XfrmInStateModeError            0
    XfrmInStateSeqError             5351
    XfrmInStateExpired              0
    XfrmInStateMismatch             0
    XfrmInStateInvalid              8
    XfrmInTmplMismatch              384
    XfrmInNoPols                    8
    XfrmInPolBlock                  0
    XfrmInPolError                  0
    XfrmOutError                    0
    XfrmOutBundleGenError           0
    XfrmOutBundleCheckError         0
    XfrmOutNoStates                 45306
    XfrmOutStateProtoError          0
    XfrmOutStateModeError           1730962
    XfrmOutStateSeqError            0
    XfrmOutStateExpired             0
    XfrmOutPolBlock                 33
    XfrmOutPolDead                  0
    XfrmOutPolError                 0
    XfrmFwdHdrError                 0
    XfrmOutStateInvalid             10
    XfrmAcquireError                22917
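The reply above asks for `ifconfig ipsec0 | grep drop` and `cat /proc/net/xfrm_stat` to be collected over several ping iterations and checked for counters that keep incrementing, and Thomas's post shows one such snapshot. The following Python script, added here as an example and not code from Sophos or from anyone in the thread, does that comparison offline: it parses two snapshots and reports only the counters that grew. The first xfrm_stat excerpt is copied from Thomas's output; the second snapshot, the ping count of 10, and the `report` function are constructed assumptions for illustration, and the one-line counter meanings are paraphrased from the Linux kernel's Documentation/networking/xfrm_proc.rst.

```python
"""Compare two snapshots of the IPsec counters the thread asks for
(`cat /proc/net/xfrm_stat` and `ifconfig ipsec0 | grep drop`) and
report only the counters that grew between them.

Added example, not Sophos code. SNAPSHOT_BEFORE is an excerpt of the
xfrm_stat output posted in the thread; SNAPSHOT_AFTER and the ping
count are constructed to illustrate what growing counters look like.
"""
import re

XFRM_LINE = re.compile(r"^\s*(Xfrm\w+)\s+(\d+)\s*$", re.MULTILINE)
IFCONFIG_LINE = re.compile(r"(RX|TX) packets:(\d+) errors:(\d+) dropped:(\d+)")

# Excerpt of the /proc/net/xfrm_stat output from the thread (before a ping run).
SNAPSHOT_BEFORE = """
XfrmInNoStates                  211945
XfrmInStateSeqError             5351
XfrmInTmplMismatch              384
XfrmInNoPols                    8
XfrmOutNoStates                 45306
XfrmOutStateModeError           1730962
XfrmOutPolBlock                 33
XfrmAcquireError                22917
"""

# Constructed second snapshot, taken after sending 10 pings across the tunnel:
# XfrmOutStateModeError grew by exactly the number of pings, XfrmInNoStates by 3.
SNAPSHOT_AFTER = """
XfrmInNoStates                  211948
XfrmInStateSeqError             5351
XfrmInTmplMismatch              384
XfrmInNoPols                    8
XfrmOutNoStates                 45306
XfrmOutStateModeError           1730972
XfrmOutPolBlock                 33
XfrmAcquireError                22917
"""

# `ifconfig ipsec0 | grep drop` output as posted in the thread.
IFCONFIG_BEFORE = """
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:5321601 overruns:0 carrier:0
"""

# One-line meanings paraphrased from Documentation/networking/xfrm_proc.rst.
HINTS = {
    "XfrmInNoStates": "inbound packet matched no SA (wrong SPI, address or protocol)",
    "XfrmInStateSeqError": "sequence number outside the anti-replay window",
    "XfrmInTmplMismatch": "inbound SA is fine but no policy template matches it",
    "XfrmInNoPols": "inbound SA is fine but no policy was found",
    "XfrmOutNoStates": "outbound packet matched a policy but no SA exists for it",
    "XfrmOutStateModeError": "outbound transformation-mode error (tunnel/transport)",
    "XfrmOutPolBlock": "outbound packet discarded by a blocking policy",
    "XfrmAcquireError": "SA not fully negotiated before traffic tried to use it",
}


def parse_xfrm_stat(text):
    """Parse /proc/net/xfrm_stat text into {counter_name: int}."""
    return {name: int(value) for name, value in XFRM_LINE.findall(text)}


def parse_ifconfig_drops(text):
    """Parse `ifconfig ... | grep drop` lines into {'RX': dropped, 'TX': dropped}."""
    return {direction: int(dropped)
            for direction, _pkts, _errs, dropped in IFCONFIG_LINE.findall(text)}


def diff_counters(before, after):
    """Return {name: delta} for counters that grew between two snapshots.

    Static counters are left out on purpose: a large but unchanging value
    is history from an earlier failure, while a growing one shows that the
    traffic being tested right now is still being dropped.
    """
    return {name: after[name] - before[name]
            for name in after if name in before and after[name] > before[name]}


def report(before, after, probes_sent):
    """Human-readable lines for each growing counter, flagging the one whose
    growth matches the number of probes sent (the likeliest drop reason)."""
    lines = []
    for name, delta in sorted(diff_counters(before, after).items()):
        hint = HINTS.get(name, "see Documentation/networking/xfrm_proc.rst")
        match = "  <-- matches probe count" if delta == probes_sent else ""
        lines.append(f"{name} +{delta}: {hint}{match}")
    return lines


if __name__ == "__main__":
    before = parse_xfrm_stat(SNAPSHOT_BEFORE)
    after = parse_xfrm_stat(SNAPSHOT_AFTER)
    print("ipsec0 drops:", parse_ifconfig_drops(IFCONFIG_BEFORE))
    for line in report(before, after, probes_sent=10):
        print(line)
```

On the firewall itself you would paste the two command outputs taken before and after a fixed number of pings into the two snapshot strings (the `ifconfig` drop figures can be compared with the same `diff_counters` function). A counter that stays static between runs is old history; one that grows by the probe count is the path the current packets are taking to the floor.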

  • Which version do you run?
    There was a change within IKEv2 packets ... resulting in such problems.
    Compare NC-136352
    https://docs.sophos.com/support/kil/index.html

    In our environments this change resulted multiple times in an "established tunnel" but without traffic.
    One time, two current XGS ran into this problem because there was an ASA in front of one of the firewalls. It seems this ASA didn't understand the IKE any more and IPsec inspection failed.
    We needed an ANY rule between the two XGS hosts.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi Dirk, thanks for your answer. My environment contains an XG230 and a SonicWall TZ370 on the customer site.
    Best regards
    Thomas

  • Can you provide the SFOS version details running on the XG230? The tcpdump suggests child SA negotiation is happening continuously. Is the tunnel stable?