Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ipsec sophos utm sophos xgs

Wir haben/hatten folgendes Problem:

2023:07:03-09:56:28 login-sp pluto[7264]: "S_Speyer-SPBZ-Koblenz"[4] xxx.xxx.xxx.xxx:4500 #203026: ignoring informational payload, type PAYLOAD_MALFORMED

bei IPSEC zwischen Sophos UTM und XGS. Diese Meldungen kamen xfach. Auf den XGSen  und den UTMS habe ich auf der Firewall pmtu ein-ausgehend erlaubt. Kein Erfolg. Erst als ich die MTU Option bein den IPSEC Gateways (UTM) angehackt habe, ist das erheblich besser geworden. Bei der XGS habe ich keine korrespndierende Einstellung gefunden. Zwei Geräte zicken nach wie vor rum mit endlosen Versuchen. Hat noch jemand eine Idee?

with IPSEC between Sophos UTM and XGS. These messages came x-fold. On the XGS and the UTMS I have allowed pmtu inbound and outbound
on the firewall. No success. Only when I ticked the MTU option for the IPSEC gateways (UTM) did it get significantly better.
I couldn't find a corresponding setting on the XGS. Two devices are still bitching around with endless attempts. Does anyone else
have an idea?

Greetings Pidae


This thread was automatically locked due to age.
Parents
  • is your log flooded with PAYLOAD_MALFORMED log?

    I had it years ago between XG and UTM IPSEC with PSK.


    there came millions of log lines

    when I changed the tunnel config for the IPSEC to the XG106 when the issue began the first time, the log is totally flooded with this:


    2020:10:15-18:01:59 fw-320-1 pluto[8732]: packet from 217.xxx.xxx.126:4500: sending notification PAYLOAD_MALFORMED to 217.xxx.xxx.126:4500
    2020:10:15-18:01:59 fw-320-1 pluto[8732]: packet from 217.xxx.xxx.126:4500: length of ISAKMP Message is smaller than minimum
    2020:10:15-18:01:59 fw-320-1 pluto[8732]: packet from 217.xxx.xxx.126:4500: sending notification PAYLOAD_MALFORMED to 217.xxx.xxx.126:4500

  • Yes so it is. The more sorrowing is that the number of rekeying attempts grew and grew. Now after turning on mtu option at UTM it looks much better. " But 2 Aplliances still have the problem. Strange.

  • can you please show who is initiator and who is responder and also share screenshots of your policies.

    Also: as you're in Germany: what's the ISP?

    I want to compare with our settings. the issue is no longer happening here.

    the only  thing that happens rarely is the connection established but "down".

  • found my old thread:  IPSec Tunnel: length of ISAKMP Message is smaller than minimum

    no solution though, but you mach check if youre in the same situation

Reply Children