
VPN with Drayteks constant disconnects

Hi,

I have a bunch of XGS firewalls in main offices of my customers, which have branch/remote offices with Draytek routers, different models. I have not paid attention till now, when one of those reported intermittent issues with Site2Site IPSec VPN. I looked in IPSec logs on few XGS firewalls, and I can see all tunnels have frequent disconnects/reconnects, like can be seen below.

I have IKE key times slightly differently set on both sides, say 28800 on one side and 30000 on the other. Could this be an issue?

Weird fact: out of 8 branch offices, all VPN settings are the same, same Drayteks... but only 2 of 8 constantly terminate, the rest maybe once per day.

Any idea where to start resolving?

Time Log comp Status Message
16.09.2024 11:56 IPSec  Terminated VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 terminated. (Remote: 11.22.59.88)
16.09.2024 11:42 IPSec  Established VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 established. (Remote: 11.22.59.88)
16.09.2024 11:22 IPSec  Terminated VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 terminated. (Remote: 11.22.59.88)
16.09.2024 11:06 IPSec  Established VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 established. (Remote: 11.22.59.88)
16.09.2024 10:32 IPSec  Established VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 established. (Remote: 11.22.59.88)
16.09.2024 10:32 IPSec  Deny Received IKE message with invalid SPI (37D3016A) from the remote gateway.
16.09.2024 10:32 IPSec  Deny Received IKE message with invalid SPI (37D3016A) from the remote gateway.
16.09.2024 10:31 IPSec  Deny Received IKE message with invalid SPI (37D3016A) from the remote gateway.
16.09.2024 10:31 IPSec  Terminated VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 terminated. (Remote: 11.22.59.88)
16.09.2024 10:31 IPSec  Terminated VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 terminated. (Remote: 11.22.59.88)
16.09.2024 10:31 IPSec  Failed VPN_OFFICE-1 - IKE message (20003720) retransmission to 11.22.59.88 timed out. Check if the remote gateway is reachable. (Remote: 11.22.59.88)
16.09.2024 10:31 IPSec  Failed VPN_OFFICE-1 - IKE message (20003720) retransmission to 11.22.59.88 timed out. Check if the remote gateway is reachable. (Remote: 11.22.59.88)
16.09.2024 10:14 IPSec  Established VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 established. (Remote: 11.22.59.88)
16.09.2024 09:50 IPSec  Terminated VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 terminated. (Remote: 11.22.59.88)
16.09.2024 09:37 IPSec  Established VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 established. (Remote: 11.22.59.88)
16.09.2024 09:13 IPSec  Terminated VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 terminated. (Remote: 11.22.59.88)
16.09.2024 09:00 IPSec  Established VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 established. (Remote: 11.22.59.88)
16.09.2024 08:39 IPSec  Terminated VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 terminated. (Remote: 11.22.59.88)
16.09.2024 08:23 IPSec  Established VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 established. (Remote: 11.22.59.88)
16.09.2024 08:02 IPSec  Terminated VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 terminated. (Remote: 11.22.59.88)
16.09.2024 07:49 IPSec  Established VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 established. (Remote: 11.22.59.88)
16.09.2024 07:24 IPSec  Terminated VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 terminated. (Remote: 11.22.59.88)
16.09.2024 07:12 IPSec  Established VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 established. (Remote: 11.22.59.88)
16.09.2024 06:47 IPSec  Terminated VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 terminated. (Remote: 11.22.59.88)
16.09.2024 06:34 IPSec  Established VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 established. (Remote: 11.22.59.88)
16.09.2024 05:57 IPSec  Established VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 established. (Remote: 11.22.59.88)
16.09.2024 05:57 IPSec  Deny Received IKE message with invalid SPI (E759F7AD) from the remote gateway.
16.09.2024 05:57 IPSec  Deny Received IKE message with invalid SPI (E759F7AD) from the remote gateway.
16.09.2024 05:56 IPSec  Deny Received IKE message with invalid SPI (E759F7AD) from the remote gateway.
16.09.2024 05:56 IPSec  Terminated VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 terminated. (Remote: 11.22.59.88)
16.09.2024 05:56 IPSec  Terminated VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 terminated. (Remote: 11.22.59.88)
16.09.2024 05:56 IPSec  Failed VPN_OFFICE-1 - IKE message (2C50) retransmission to 11.22.59.88 timed out. Check if the remote gateway is reachable. (Remote: 11.22.59.88)
16.09.2024 05:56 IPSec  Failed VPN_OFFICE-1 - IKE message (2C50) retransmission to 11.22.59.88 timed out. Check if the remote gateway is reachable. (Remote: 11.22.59.88)


[edited by: Erick Jan at 10:43 AM (GMT -7) on 16 Sep 2024]
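The log above can be reduced to numbers instead of read by eye. The following is an added example in Python, not code from the poster or from Sophos: it parses lines in the exact "Time / Log comp / Status / Message" shape quoted above (newest first, as SFOS shows them), pairs every Established with its Terminated, and labels each teardown as a retransmission timeout (the peer stopped answering), a clean teardown, or a re-establishment that superseded an existing SA. The sample lines are constructed from the post's own entries; the two-minute correlation window is this example's own assumption.

```python
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}) IPSec\s+"
    r"(?P<status>Established|Terminated|Failed|Deny) (?P<msg>.*)$")
TUNNEL_RE = re.compile(r"^(?P<name>\S+) - ")          # "VPN_OFFICE-1 - ..." prefix
SPI_RE = re.compile(r"invalid SPI \((?P<spi>[0-9A-F]+)\)")

# Constructed sample shaped like the post's log: tunnel name, addresses and
# times copied from it, newest line first as SFOS displays them.
_EST = ("VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and "
        "33.44.33.44 for Child VPN_OFFICE-1 established. (Remote: 11.22.59.88)")
_TERM = _EST.replace("established", "terminated")
_FAIL = ("VPN_OFFICE-1 - IKE message (20003720) retransmission to 11.22.59.88 "
         "timed out. Check if the remote gateway is reachable. (Remote: 11.22.59.88)")
_DENY = "Received IKE message with invalid SPI (37D3016A) from the remote gateway."
SAMPLE_LOG = "\n".join([
    "Time Log comp Status Message",                 # header, skipped by the parser
    "16.09.2024 11:56 IPSec  Terminated " + _TERM,
    "16.09.2024 11:42 IPSec  Established " + _EST,
    "16.09.2024 11:22 IPSec  Terminated " + _TERM,
    "16.09.2024 11:06 IPSec  Established " + _EST,
    "16.09.2024 10:32 IPSec  Established " + _EST,
    "16.09.2024 10:32 IPSec  Deny " + _DENY,
    "16.09.2024 10:31 IPSec  Deny " + _DENY,
    "16.09.2024 10:31 IPSec  Terminated " + _TERM,
    "16.09.2024 10:31 IPSec  Terminated " + _TERM,
    "16.09.2024 10:31 IPSec  Failed " + _FAIL,
    "16.09.2024 10:31 IPSec  Failed " + _FAIL,
    "16.09.2024 10:14 IPSec  Established " + _EST,
])


def parse(text):
    """Turn the newest-first log into a chronological list of event dicts."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        tunnel = TUNNEL_RE.match(m["msg"])
        spi = SPI_RE.search(m["msg"])
        events.append({"ts": datetime.strptime(m["ts"], "%d.%m.%Y %H:%M"),
                       "status": m["status"],
                       "tunnel": tunnel["name"] if tunnel else None,
                       "spi": spi["spi"] if spi else None})
    events.reverse()                      # oldest first ...
    events.sort(key=lambda e: e["ts"])    # ... stable sort keeps same-minute order
    return events


def analyse(text, window=timedelta(minutes=2)):
    """Pair Established/Terminated per tunnel and classify each teardown.

    A Terminated within `window` of a retransmission timeout for the same
    tunnel is a dead-peer style failure; otherwise it is a clean teardown
    (peer Delete or lifetime expiry). An Established while the tunnel is
    already up closes the previous session as "superseded".
    """
    open_since, last_fail, last_term = {}, {}, {}
    sessions, spi_events = [], []
    for e in parse(text):
        name, ts = e["tunnel"], e["ts"]
        if e["status"] == "Failed":
            last_fail[name] = ts
        elif e["status"] == "Established":
            if name in open_since:
                sessions.append(_session(name, open_since[name], ts, "superseded"))
            open_since[name] = ts
        elif e["status"] == "Terminated":
            if name in open_since:        # the duplicate Terminated line has no open session
                fail = last_fail.get(name)
                cause = "retransmit-timeout" if fail and ts - fail <= window else "clean"
                sessions.append(_session(name, open_since.pop(name), ts, cause))
            last_term[name] = ts
        elif e["status"] == "Deny" and e["spi"]:
            # Invalid-SPI denies right after a teardown usually come from the
            # peer still sending on the SA this side has already deleted.
            stale = any(ts - t <= window for t in last_term.values())
            spi_events.append({"ts": ts, "spi": e["spi"], "after_terminate": stale})
    return {"sessions": sessions, "spi_events": spi_events}


def _session(name, start, end, cause):
    return {"tunnel": name, "start": start, "end": end, "cause": cause,
            "minutes": int((end - start).total_seconds() // 60)}


def summarise(result):
    """Per-tunnel uptime and teardown causes: the numbers to compare across branches."""
    out = {}
    for s in result["sessions"]:
        t = out.setdefault(s["tunnel"], {"sessions": 0, "total_minutes": 0, "causes": {}})
        t["sessions"] += 1
        t["total_minutes"] += s["minutes"]
        t["causes"][s["cause"]] = t["causes"].get(s["cause"], 0) + 1
    for t in out.values():
        t["mean_minutes"] = t["total_minutes"] / t["sessions"]
    return out


if __name__ == "__main__":
    res = analyse(SAMPLE_LOG)
    for s in res["sessions"]:
        print(f'{s["start"]:%H:%M}-{s["end"]:%H:%M} {s["minutes"]:>3} min  {s["cause"]}')
    print(summarise(res))
```

Running it over the sample gives four sessions of 17, 34, 16 and 14 minutes; only the first ends in a retransmission timeout, and both invalid-SPI denies fall right after that teardown. Run the same script over the export of a stable branch and a flapping one: if the flapping branch's teardowns are mostly "clean" at near-constant intervals, look at lifetimes and rekeying; if they are retransmission timeouts, look at reachability and packet loss on the path.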
  • Hi Andrej,

    Thank you for reaching out to Sophos Community.

    Kindly check the following similar post 

    community.sophos.com/.../site-to-site-vpn-problem-invalid-spi

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hi again,

    two days later still weird problems on VPN.

    The packets dropping was an issue on XGS, it was port failure, and we replaced whole unit with new XGS.

    Now the issue with IPSec VPN tunnels remains:

    • Some of Site2Site IPSec VPN tunnels keep disconnecting and connecting every 1-2 minutes, while other tunnels are rock stable, not even one single disconnect. All are configured the same.
    • Another problem is one server within LAN, which dials out OpenVPN tunnel by itself. It also keeps dropping every now and then. And I can see a ton of these errors in IPSec Logs. I have no idea what VPN this relates to... is it one of VPN tunnels configured on Sophos, or is it the one, which only traverses it?
      messageid="18050" log_type="Event" log_component="IPSec" log_subtype="System" status="Deny" user="" con_name="" con_type="0" src_ip="" gw_ip="" local_network="" dst_ip="" remote_network="" additional_information="" message="Received IKE message with invalid SPI (CC85BCAE) from the remote gateway." 
      What could this be caused by?
  • Hi  ,

    Around this time of the log, could you get the /log/charon.log and see if there is any disconnect being initiated by either SFOS or Draytek and what is the possible reason for disconnect?

    16.09.2024 11:56 IPSec  Terminated

    VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 terminated. (Remote: 11.22.59.88)

    Take any one tunnel that is experiencing frequent disconnects, and correlate the logs on Draytek and SFOS around the disconnect time; 

    Regarding timers: if you set the IPsec tunnel on Draytek as Initiator (assuming each of the Drayteks are Initiators aka Branches), keep the tunnel as 'Responder' (Head office) on SFOS; on Draytek use lower Phase1 and Phase2 values in comparison with the Phase1 and Phase2 values of SFOS. This will ensure each IKE level rekey is always done by Draytek and a collision of IKE rekeys by Draytek and SFOS is avoided, which would cause tunnel instability/disconnects.

    OpenVPN and the log you mentioned "Received IKE message with invalid SPI" are two different things and unrelated. 

    You may ignore the "Received IKE message with invalid SPI" message: in case some unknown sender tries to initiate an IKE session to your SFOS and there is no relevant config present on your SFOS, such incoming packets are considered invalid and get dropped.
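The lifetime rule in the reply above (branch initiates, head office responds, initiator lifetimes shorter on both phases) can be checked before touching either box. The following is an added example in Python, not Sophos or Draytek code: `check_rekey_plan` compares an initiator's and a responder's Phase1/Phase2 lifetimes, and `simulate_rekeys` is a deliberately simplified model of one SA in which whichever side's timer expires first performs the rekey and both timers restart on the new SA. The 10% margin and the 60-second jitter window are this example's own assumptions; the lifetimes used in the usage section are the 28800/30000 values from the original question.

```python
def check_rekey_plan(initiator, responder, min_margin=0.10):
    """Compare lifetimes (seconds) of the initiator (branch Draytek) with the
    responder (head-office SFOS). Each dict has "phase1" and "phase2" keys.
    Returns (phase_or_side, level, note) tuples, level in ok/warn/fail."""
    findings = []
    for phase in ("phase1", "phase2"):
        i, r = initiator[phase], responder[phase]
        if i >= r:
            findings.append((phase, "fail",
                f"initiator {i}s is not shorter than responder {r}s; "
                "the responder may rekey first and the rekeys can collide"))
        elif (r - i) / r < min_margin:          # min_margin is an assumption of this example
            findings.append((phase, "warn",
                f"only {r - i}s margin; widen to at least {int(r * min_margin)}s"))
        else:
            findings.append((phase, "ok",
                f"initiator rekeys {r - i}s before the responder's timer would expire"))
    for side, cfg in (("initiator", initiator), ("responder", responder)):
        if cfg["phase2"] > cfg["phase1"]:       # unusual: phase2 is normally the shorter timer
            findings.append((side, "warn", "phase2 lifetime exceeds phase1"))
    return findings


def simulate_rekeys(initiator_life, responder_life, horizon=86400, jitter=60):
    """Simplified model of one SA over `horizon` seconds: the side whose timer
    expires first rekeys, and both timers restart on the new SA. Counts who
    rekeyed and how often both expiries fell within `jitter` seconds of each
    other (the collision case the reply warns about)."""
    counts = {"initiator": 0, "responder": 0, "collision_risk": 0}
    t = 0
    while True:
        t += min(initiator_life, responder_life)
        if t > horizon:
            return counts
        if abs(initiator_life - responder_life) <= jitter:
            counts["collision_risk"] += 1
        counts["initiator" if initiator_life <= responder_life else "responder"] += 1


if __name__ == "__main__":
    # The original question's values: 28800 s on one side, 30000 s on the other.
    draytek = {"phase1": 28800, "phase2": 3600}
    sfos = {"phase1": 30000, "phase2": 3600}
    for item in check_rekey_plan(draytek, sfos):
        print(*item)
    print("Draytek initiates :", simulate_rekeys(28800, 30000))
    print("SFOS would rekey  :", simulate_rekeys(30000, 28800))
    print("Equal lifetimes   :", simulate_rekeys(28800, 28800))
```

With the question's values the Phase1 split is in the right direction but the 1200-second margin is thin, and equal Phase2 lifetimes on both sides are the case the reply says to avoid; swapping which side holds 28800 makes the head office the one that rekeys every time, which is the opposite of the intended role split.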

