VPN IPsec tunnel routing issue

Hello everyone,

I have an issue with routing over a VPN IPsec tunnel. In my setup there are two Sophos XGS116 firewalls running SFOS 20.0.2 MR-2-Build378, located on the HQ site and the BO site. Each site has a stable ISP connection with a static IPv4 address. A VPN IPsec tunnel is configured between the HQ site (respond only) and the BO site (initiator). The VPN tunnels are configured to route by using VTI and static routes. After the initial setup the VPN IPsec tunnel established a connection successfully and everything looked good and worked fine; endpoint computers on the remote networks were able to communicate. It worked for some time, a week or two, and then routing stopped. The IPsec tunnel was connected and there were no IPsec errors in the VPN log. I checked the routing tables in the firewall's advanced shell and they were OK. I noticed in the firewall live log that traffic from the source site is going over the IPsec tunnel, and I noticed in the destination firewall's live log that the traffic is received and passed to the destination computer, but the ping response is not received on the source computer.

My workaround for the issue is to delete the VPN IPsec tunnel on one or both sides and then recreate it with exactly the same settings. Then the same behaviour happens again: it works for several days or weeks and eventually stops working.

HQ site IPsec profile:

BO site IPsec profile:

Any idea?

Best Regards

Haris
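Added example, not from Haris's post and not Sophos tooling: a small Python check for the symptom described above (forward traffic crosses the tunnel, the reply never comes back). It treats each firewall's routing table as the JSON that `ip -j route show` prints on a Linux host, performs the kernel's longest-prefix lookup for both directions of a ping, and reports when the return lookup on the far firewall does not exit via the VTI. The interface names (Port1, Port2, xfrm1), subnets and route tables are constructed assumptions, not output from the poster's devices.

```python
"""Detect an asymmetric return path across a VTI-routed IPsec tunnel.

Added example, not from the original forum post. Each routing table is the
JSON produced by `ip -j route show` on a Linux host (assumption: the VTI
shows up as a normal interface, here named xfrm1). For a ping from a BO host
to an HQ host the check confirms that the forward lookup on BO and the
return lookup on HQ both leave via the VTI.
"""
import ipaddress
import json


def parse_routes(ip_json: str):
    """Turn `ip -j route` output into (network, dev, gateway) tuples."""
    routes = []
    for entry in json.loads(ip_json):
        dst = entry["dst"]
        if dst == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # A bare host address in `dst` means a /32 route.
            net = ipaddress.ip_network(dst, strict=False)
        routes.append((net, entry["dev"], entry.get("gateway")))
    return routes


def lookup(routes, host: str):
    """Longest-prefix match, the way the kernel picks the egress interface."""
    addr = ipaddress.ip_address(host)
    best = None
    for net, dev, gw in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return best


def check_tunnel_path(src_table, dst_table, src_host, dst_host, vti):
    """Describe where each direction of a src_host -> dst_host flow exits.

    'symmetric' is True only when the forward lookup on the source firewall
    and the return lookup on the destination firewall both use the VTI.
    """
    fwd = lookup(src_table, dst_host)
    ret = lookup(dst_table, src_host)
    fwd_dev = fwd[1] if fwd else None
    ret_dev = ret[1] if ret else None
    return {
        "forward_dev": fwd_dev,
        "return_dev": ret_dev,
        "symmetric": fwd_dev == vti and ret_dev == vti,
    }


# Constructed sample tables (assumptions, not captured from real firewalls).
# BO LAN 192.168.20.0/24 on Port1, WAN on Port2, HQ LAN reachable via xfrm1.
BO_ROUTES = """[
  {"dst": "default", "gateway": "198.51.100.1", "dev": "Port2"},
  {"dst": "192.168.20.0/24", "dev": "Port1"},
  {"dst": "192.168.10.0/24", "dev": "xfrm1"}
]"""

# HQ with the static route for the BO LAN pointing at the VTI: healthy.
HQ_ROUTES_GOOD = """[
  {"dst": "default", "gateway": "203.0.113.1", "dev": "Port2"},
  {"dst": "192.168.10.0/24", "dev": "Port1"},
  {"dst": "192.168.20.0/24", "dev": "xfrm1"}
]"""

# HQ without that static route: the reply follows the default route out the
# WAN in clear text, so the BO host never sees an echo reply.
HQ_ROUTES_BAD = """[
  {"dst": "default", "gateway": "203.0.113.1", "dev": "Port2"},
  {"dst": "192.168.10.0/24", "dev": "Port1"}
]"""


def diagnose(hq_json: str, bo_json: str, vti: str = "xfrm1"):
    """Ping from BO host 192.168.20.50 to HQ host 192.168.10.10 (assumed)."""
    return check_tunnel_path(parse_routes(bo_json), parse_routes(hq_json),
                             "192.168.20.50", "192.168.10.10", vti)


if __name__ == "__main__":
    print("healthy:", diagnose(HQ_ROUTES_GOOD, BO_ROUTES))
    print("broken: ", diagnose(HQ_ROUTES_BAD, BO_ROUTES))
```

A route check alone does not prove the reply would be encrypted: a correct route into the VTI combined with a missing or expired SA for that direction produces the same one-way symptom, so pair this with the IPsec SA and policy state on both ends when the tunnel reports "connected" but traffic only flows one way.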
