We have 5 Sophos UTM devices deployed and 1 of several tunnels seems to connect but not pass any traffic. We have disabled all IPS and temporarily added firewall rules to allow traffic, including checking ICMP settings on the affected firewalls. The settings on the remote gateways, tunnels, etc, are all identical to fully functioning tunnels.
We recently noticed this problem after the second-to-last firmware update (9.703-2), but we are unsure if it occurred prior to that, as one of the problem firewalls was offline for several months prior to our seeing this issue. Other IPsec tunnels from the same firewalls do not show the same issues. We have checked the IPsec logs and see no useful information.
Has anyone else seen this behavior or have suggestions?
Thank you for contacting the Sophos Community.
We would need to find out whether traffic is getting to and passing through the IPsec tunnel.
Please check this KB so you can identify the tunnel object and then do an espdump.
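The espdump step above answers one question: is ESP leaving this gateway, and is ESP coming back from the peer? The script below is an added example, not part of the Sophos reply or of the UTM itself. It takes tcpdump-style ESP summary lines (the capture here is constructed; the line format assumed is tcpdump's `ESP(spi=...,seq=...)` summary, which espdump's packet output resembles but is not guaranteed to match exactly), counts packets per SPI and direction, and gives a verdict that tells you which side to look at next. The IP addresses are documentation ranges, not real hosts.

```python
"""Classify ESP traffic direction for one IPsec peer from tcpdump-style output."""
import re
from collections import Counter

# tcpdump's one-line ESP summary ("tcpdump -n -i any esp"); assumption: the
# capture you feed in uses this shape, e.g.
# "12:00:01.000001 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0xc1a2b3c4,seq=0x1), length 116"
ESP_LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\)"
)

# Constructed sample capture: local UTM 203.0.113.1, peer 198.51.100.1. Only
# outbound ESP appears, the pattern of a tunnel that is "up" but returns nothing.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0xc1a2b3c4,seq=0x1), length 116
12:00:02.000002 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0xc1a2b3c4,seq=0x2), length 116
12:00:03.000003 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0xc1a2b3c4,seq=0x3), length 116
12:00:03.500000 IP 203.0.113.1 > 198.51.100.1: ISAKMP: ...
""".splitlines()


def parse_esp(lines):
    """Count ESP packets per (src, dst, spi); non-ESP lines (IKE, ICMP) are ignored."""
    flows = Counter()
    for line in lines:
        m = ESP_LINE.match(line)
        if m:
            flows[(m["src"], m["dst"], m["spi"].lower())] += 1
    return flows


def classify(flows, local_ip, peer_ip):
    """Return per-direction ESP counts and a verdict for the tunnel local_ip <-> peer_ip."""
    outbound = sum(n for (s, d, _), n in flows.items() if s == local_ip and d == peer_ip)
    inbound = sum(n for (s, d, _), n in flows.items() if s == peer_ip and d == local_ip)
    if outbound and inbound:
        verdict = "both"           # ESP flows both ways: the problem is above the tunnel (policy/routing)
    elif outbound:
        verdict = "outbound-only"  # we send, the peer never answers: check the remote side and return path
    elif inbound:
        verdict = "inbound-only"   # the peer sends, we never answer: check local firewall rules and routing
    else:
        verdict = "none"           # SA is up but nothing is routed into it: check local selectors/routes
    return {"outbound": outbound, "inbound": inbound, "verdict": verdict}


if __name__ == "__main__":
    print(classify(parse_esp(SAMPLE_CAPTURE), "203.0.113.1", "198.51.100.1"))
```

Run the capture on both gateways and compare the verdicts: "outbound-only" on one side paired with "none" on the other points at the path between them (or a dead peer), while "both" on both sides means the encrypted packets are arriving and the fault is in routing or firewall rules after decryption.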
Every once in a while, an Up2Date will damage something in a configuration. I would replace the IPsec Connections and Remote Gateways for the "broken" tunnel. Any luck with that?
Cheers - Bob
Thanks for the answers. We initially "rebuilt" both of the connections/gateways as one of our earlier troubleshooting steps, to no avail.
The next day (when we posted this) - we applied updates to the remaining firewalls so all of them were on the same version. This initially didn't appear to work, but sometime overnight began working and hasn't stopped working since. We are still unsure as to the exact root cause, but it sure seems like the update was the driving force, though we can't "prove" it.
Again, thank you for your suggestions.
So unfortunately this issue resurfaced. We are unable to troubleshoot this week as we are sorting out an issue with an ISP uplink, but as soon as that is rectified (soon, hopefully) we will resume testing on this. Our first step will probably be to get the latest update package (9.704). Next we will likely run the troubleshooting mentioned in the above posts. Hopefully we will have more info in less than a week.
Have you tried changing the security ciphers in phase 1 or 2? Is the tunnel running in strict mode? Often, in case of trouble, Phase 2 can cause problems in the key exchange. Is DPD running?
We have not modified the security ciphers in either phase as we use the identical (old) settings on other tunnels on the same OS and comparable hardware. DPD is not something I'm familiar with. Strict mode is not enabled.
DPD recognizes a peer that's not working and tries to rebuild it. What does the log file say? Is there something like "invalidkey esp@XYZ(number of the critical connection)"? This needs to be looked at on both sides.
Where is the DPD setting located? Nothing useful/pertinent in the logs, still.
DPD can be set in Site-to-site VPN under "Advanced". Do you use "NAT-Traversal" on both sides, and what about compression?
DPD must be set on both sides.