We have 5 Sophos UTM devices deployed and 1 of several tunnels seems to connect but not pass any traffic. We have disabled all IPS and temporarily added firewall rules to allow traffic, including checking ICMP settings on the affected firewalls. The settings on the remote gateways, tunnels, etc, are all identical to fully functioning tunnels.
We recently noticed this problem after the second to last firmware update (9.703-2), but we are unsure if it occurred prior to that as one of the problem firewalls was offline for several months prior to seeing this issue. Other ipsec tunnels from the same firewalls do not show the same issues. We have checked the ipsec logs and see no useful information.
Has anyone else seen this behavior or have suggestions?
So unfortunately this issue resurfaced. We are unable to troubleshoot this week as we are sorting out an issue with an ISP uplink, but as soon as that is rectified (soon hopefully) we will resume testing on this. Our first step will probably be to get the latest update package (9.704). Next we will likely run the trouble shooting mentioned in above posts. Hopefully will have more info in less than a week.
Have you tried to change the security ciphers in phase 1 or 2? Is the tunnel running in strict mode? Often in case of trouble Phase 2 could cause problems in key exchange. Is DPD running?
We have not modified the security ciphers in either phase as we use the identical (old) settings on other tunnels on the same OS and comparable hardware. DPD is not something I'm familiar with. Strict mode is not enabled.
DPD recognizes a PEER thats not working and tries to rebuild it. What says the log file ? Is there something to see like "invalidkey esp@XYZ(number of the critical connection)" ? On both sides to be looked at.
Where is the DPD setting located? Nothing useful/pertinent in the logs, still.
DPD must be set on both sides.
Again, other tunnels with identical settings work. It's specific to one of these firewalls that's throwing us the issue of not passing traffic despite having an established tunnel. We understand and know how to get a basic IPSec tunnel up.