
Connection drops - independent of service

Hello community!
We have an ASG120 with software version 8.202 in high-availability operation (two ASG120s).

A colleague who frequently works from home has noticed that the connection drops again and again. However, the Cisco VPN client can reconnect immediately and everything continues as normal.

...by "again and again" I mean after a relatively long time (1 - 2 hours), but independent of the day of the week and the time of day or night. The same thing happens on my own private PC.

In addition, an external employee (the only one using a Jabber client from outside) has reported that his Spark and Psi (Jabber clients) lose the connection after a long time.


---> My suspicion is that the Astaro is the cause.
---> My question: Is there a setting/function in the Astaro that disconnects a persistent connection after a certain time?


  • In the meantime I found the following in the KIL:
    ID14692 8.000 Terminating Cisco Remote access connections after end of phase 2 lifetime
    ------------------------------------------------------------------------
    Description:
    Workaround:   Increase the lifetimes for IKE and IPsec on the ASG. Since
                  Cisco VPN uses a fixed policy you need to edit it on the
                  command line via confd-client. It's at
                  OBJS:ipsec->policy->REF_IPsecPolicyCisco. Values to be
                  increased are ike_sa_lifetime and ipsec_sa_lifetime.
                  Maximum value accepted by pluto is 86400.


    Kind regards -Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • What is a KIL? (issue tracker/docs?)

    I removed the two remaining check marks after seeing your screenshot. Here are the logs again:
    2011:10:31-11:31:38 721astaro-2 pluto[24756]: "D_REF_mzzgsRmeni_18"[5] 111.222.333.444.555:56990 #52: max number of retransmissions (2) reached STATE_QUICK_I1
    
    2011:10:31-11:31:44 721astaro-1 pluto[30033]: "D_REF_mzzgsRmeni_19"[4] 111.222.333.444.555:56990: deleting connection "D_REF_mzzgsRmeni_19"[4] instance with peer 111.222.333.444.555 {isakmp=#0/ipsec=#0}
    2011:10:31-11:31:44 721astaro-1 pluto[30033]: "D_REF_mzzgsRmeni_19"[4] 111.222.333.444.555:56990: deleting connection "D_REF_mzzgsRmeni_19"[4] instance with peer 111.222.333.444.555 {isakmp=#0/ipsec=#0}
    2011:10:31-11:31:44 721astaro-1 pluto[30033]: "D_REF_mzzgsRmeni_7"[4] 666.777.888.999:2232: deleting connection "D_REF_mzzgsRmeni_7"[4] instance with peer 666.777.888.999 {isakmp=#0/ipsec=#0}
    2011:10:31-11:31:45 721astaro-1 pluto[30033]: "D_REF_mzzgsRmeni_7"[4] 666.777.888.999:2232: deleting connection "D_REF_mzzgsRmeni_7"[4] instance with peer 666.777.888.999 {isakmp=#0/ipsec=#0}
    2011:10:31-11:31:59 721astaro-1 pluto[30033]: "D_REF_mzzgsRmeni_19"[4] 111.222.333.444.555:56990: deleting connection "D_REF_mzzgsRmeni_19"[4] instance with peer 111.222.333.444.555 {isakmp=#0/ipsec=#0}
    2011:10:31-11:31:59 721astaro-1 pluto[30033]: "D_REF_mzzgsRmeni_19"[4] 111.222.333.444.555:56990: deleting connection "D_REF_mzzgsRmeni_19"[4] instance with peer 111.222.333.444.555 {isakmp=#0/ipsec=#0}
    2011:10:31-11:31:59 721astaro-1 pluto[30033]: "D_REF_mzzgsRmeni_7"[4] 666.777.888.999:2232: deleting connection "D_REF_mzzgsRmeni_7"[4] instance with peer 666.777.888.999 {isakmp=#0/ipsec=#0}
    2011:10:31-11:31:59 721astaro-1 pluto[30033]: "D_REF_mzzgsRmeni_7"[4] 666.777.888.999:2232: deleting connection "D_REF_mzzgsRmeni_7"[4] instance with peer 666.777.888.999 {isakmp=#0/ipsec=#0}
    2011:10:31-11:32:14 721astaro-1 pluto[30033]: "D_REF_mzzgsRmeni_19"[4] 111.222.333.444.555:56990: deleting connection "D_REF_mzzgsRmeni_19"[4] instance with peer 111.222.333.444.555 {isakmp=#0/ipsec=#0}
    2011:10:31-11:32:14 721astaro-1 pluto[30033]: "D_REF_mzzgsRmeni_19"[4] 111.222.333.444.555:56990: deleting connection "D_REF_mzzgsRmeni_19"[4] instance with peer 111.222.333.444.555 {isakmp=#0/ipsec=#0}
    2011:10:31-11:32:14 721astaro-1 pluto[30033]: "D_REF_mzzgsRmeni_7"[4] 666.777.888.999:2232: deleting connection "D_REF_mzzgsRmeni_7"[4] instance with peer 666.777.888.999 {isakmp=#0/ipsec=#0}
    2011:10:31-11:32:14 721astaro-1 pluto[30033]: "D_REF_mzzgsRmeni_7"[4] 666.777.888.999:2232: deleting connection "D_REF_mzzgsRmeni_7"[4] instance with peer 666.777.888.999 {isakmp=#0/ipsec=#0}
    2011:10:31-11:32:29 721astaro-1 pluto[30033]: "D_REF_mzzgsRmeni_19"[4] 111.222.333.444.555:56990: deleting connection "D_REF_mzzgsRmeni_19"[4] instance with peer 111.222.333.444.555 {isakmp=#0/ipsec=#0}
    2011:10:31-11:32:29 721astaro-1 pluto[30033]: "D_REF_mzzgsRmeni_19"[4] 111.222.333.444.555:56990: deleting connection "D_REF_mzzgsRmeni_19"[4] instance with peer 111.222.333.444.555 {isakmp=#0/ipsec=#0}
    2011:10:31-11:32:29 721astaro-1 pluto[30033]: "D_REF_mzzgsRmeni_7"[4] 666.777.888.999:2232: deleting connection "D_REF_mzzgsRmeni_7"[4] instance with peer 666.777.888.999 {isakmp=#0/ipsec=#0}
    2011:10:31-11:32:29 721astaro-1 pluto[30033]: "D_REF_mzzgsRmeni_7"[4] 666.777.888.999:2232: deleting connection "D_REF_mzzgsRmeni_7"[4] instance with peer 666.777.888.999 {isakmp=#0/ipsec=#0}
    2011:10:31-11:32:38 721astaro-1 pluto[30033]: "D_REF_mzzgsRmeni_18"[5] 111.222.333.444.555:56990 #47: IPsec SA expired (LATEST!)
    2011:10:31-11:32:38 721astaro-2 pluto[24756]: "D_REF_mzzgsRmeni_18"[5] 111.222.333.444.555:56990 #47: IPsec SA expired (LATEST!)
    2011:10:31-11:32:38 721astaro-1 pluto[30033]: id="2202" severity="info" sys="SecureNet" sub="vpn" event="Connection terminated" username="C=de, L=Stadt, O=Firma, CN=max Mustermann, E=max.Mustermann@domain.de" variant="ipsec" srcip="111.222.333.444.555" virtual_ip="10.242.5.2"
    2011:10:31-11:32:38 721astaro-2 pluto[24756]: id="2202" severity="info" sys="SecureNet" sub="vpn" event="Connection terminated" username="max.Mustermann" variant="ipsec" srcip="111.222.333.444.555" virtual_ip="10.242.5.2"


    Otherwise, to be honest, I don't quite know what I should do...
    I did google for a confd client, but it doesn't seem to be a tool that would run on my Windows machine... !?!?
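
The KIL entry quoted above ties the drops to the end of the phase 2 lifetime, and the posted log shows `IPsec SA expired` right before `Connection terminated`. The following added example (not from the thread or from Sophos; the sample lines, host names and the `classify_drops` helper are constructed for illustration) labels each termination in a pluto log by whether an SA expiry for the same peer preceded it on the same node:

```python
import re
from datetime import datetime

# Constructed sample in the format of the pluto log lines posted above
# (host names, connection names, users and addresses are made up).
SAMPLE = '''\
2011:10:31-11:31:38 fw-2 pluto[24756]: "D_REF_example_18"[5] 198.51.100.7:56990 #52: max number of retransmissions (2) reached STATE_QUICK_I1
2011:10:31-11:32:38 fw-1 pluto[30033]: "D_REF_example_18"[5] 198.51.100.7:56990 #47: IPsec SA expired (LATEST!)
2011:10:31-11:32:38 fw-1 pluto[30033]: id="2202" severity="info" sys="SecureNet" sub="vpn" event="Connection terminated" username="jdoe" variant="ipsec" srcip="198.51.100.7" virtual_ip="10.242.5.2"
2011:10:31-12:10:02 fw-1 pluto[30033]: id="2202" severity="info" sys="SecureNet" sub="vpn" event="Connection terminated" username="asmith" variant="ipsec" srcip="203.0.113.9" virtual_ip="10.242.5.3"
'''

LINE = re.compile(r'^(\d{4}:\d\d:\d\d-\d\d:\d\d:\d\d) (\S+) pluto\[\d+\]: (.*)$')
PEER = re.compile(r'^"[^"]+"\[\d+\] ([^\s:]+):\d+ #\d+: (.*)$')
KV = re.compile(r'(\w+)="([^"]*)"')

def classify_drops(text, window=5):
    """Label each 'Connection terminated' event by what preceded it for the same peer."""
    expired, rekey_failed, drops = {}, set(), []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), '%Y:%m:%d-%H:%M:%S')
        node, msg = m.group(2), m.group(3)
        p = PEER.match(msg)
        if p and 'IPsec SA expired' in p.group(2):
            expired[(node, p.group(1))] = ts      # last expiry seen per node and peer
        elif p and 'max number of retransmissions' in p.group(2) and 'STATE_QUICK' in p.group(2):
            rekey_failed.add(p.group(1))          # quick mode (phase 2) exchange got no answer
        else:
            f = dict(KV.findall(msg))
            if f.get('event') == 'Connection terminated':
                t0 = expired.get((node, f.get('srcip')))
                by_lifetime = t0 is not None and 0 <= (ts - t0).total_seconds() <= window
                drops.append({'time': m.group(1), 'node': node, 'user': f.get('username'),
                              'srcip': f.get('srcip'),
                              'cause': 'sa_lifetime_expired' if by_lifetime else 'other',
                              'rekey_failed': f.get('srcip') in rekey_failed})
    return drops
```

Terminations labelled `sa_lifetime_expired` match the behaviour the KIL entry describes; ones labelled `other` have a different cause and would not be affected by raising `ike_sa_lifetime` and `ipsec_sa_lifetime`.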