Hello,
We recently upgraded our firewall appliances (4 units @ 2 HA stacks) from XG330 units to XGS3300 units. With the XGS units we were able to use a Ubiquiti EdgeSwitch to split the single handoffs (two total at each location - one for each service) from the ISP for both the WAN connection and the EPL connection (direct connection between the two locations). This worked perfectly fine with the XG330 units, was very reliable and stable, and is currently working for the WAN connection. However, after having upgraded to the XGS3300 units, the IPSec VPN (uses the EPL connection) will establish between the two locations, but the dropped packets are horrible and ultimately result in the firewalls "terminating" the connection, forcing a manual reconnect/reinitiate of the connection. I worked with Sophos Support for several hours on the issue and they stated it was a rekey overlap and had to do with the number of DH groups. So, we dropped that back down to four instead of six (tried one even). This did not change anything. We tried recreating profiles, using stock profiles, and everything Sophos Support could throw at it in regard to IPSec profile settings, to no avail. I ultimately had to remove the edge devices and go directly to the primary firewall at each location. This works for the interim, but we are now no longer automatically HA (have to manually move WAN/EPL cables from the primary to auxiliary and back again) and cannot perform any system updates until HA is re-established.
Sophos Support was unable to assist in any potential edge switch configurations since it was not a Sophos device. We have since acquired a CS1010-8FP unit to test at the edge. However, upon initial configuration and edge placement, I cannot get the firewalls to establish the IPSec VPN through the Sophos switch. Before I reach out to support and schedule an onsite day to further troubleshoot the issues, I thought I would give it a whirl on here to see what else can be done from my side as I am all out of ideas.
Ideally, I would like to get the current Ubiquiti EdgeSwitch to work, but I would settle for the Sophos just so that HA can be re-established. Considering that method, what settings do I need to change on the Sophos switch to dumb it down to treat blocks of ports basically as a hub to split the ISP handoffs to both firewalls in the HA stack? On the Ubiquiti all services (CDP, STP, Flow Control, Port Isolation, LACP, etc.) were disabled, and three ports were assigned an untagged VLAN (not used anywhere else) with other VLANs excluded/blocked, and this worked. It's always been pretty easy to split a handoff, but these XGS3300 units are not digging it for IPSec. Does anything potentially need to be changed on the firewall interface(s)? Any advice would be greatly appreciated.
IPSec Profiles: Head office (IKEv2) and Branch office (IKEv2) - both cloned and DH group dropped to four selections instead of the default six
XG330: SFOS v20 MR2
XGS3300: SFOS v21 GA
Thank you,
James