This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSec tunnel connects but fails to pass traffic

We have 5 Sophos UTM devices deployed and 1 of several tunnels seems to connect but not pass any traffic. We have disabled all IPS and temporarily added firewall rules to allow traffic, including checking ICMP settings on the affected firewalls. The settings on the remote gateways, tunnels, etc, are all identical to fully functioning tunnels. 

We recently noticed this problem after the second to last firmware update (9.703-2), but we are unsure if it occurred prior to that as one of the problem firewalls was offline for several months prior to seeing this issue. Other ipsec tunnels from the same firewalls do not show the same issues. We have checked the ipsec logs and see no useful information. 

Has anyone else seen this behavior or have suggestions? 

This thread was automatically locked due to age.
  • So unfortunately this issue resurfaced. We are unable to troubleshoot this week as we are sorting out an issue with an ISP uplink, but as soon as that is rectified (soon hopefully) we will resume testing on this. Our first step will probably be to get the latest update package (9.704). Next we will likely run the trouble shooting mentioned in above posts. Hopefully will have more info in less than a week.

  • DPD can be set in site-to-site "Advanced".  Do you use "Nat-Traversal" on both sides and what about compression?

  • DPD is enabled on both sides. NAT-travs is not enabled on either side, and we've never had it enabled and have other tunnels up. Compression is not being used. 

    I will have to break out wireshark/packet captures tomorrow and dig a little deeper, it seems to be just this one tunnel that is having the issues. 

  • Are your utms behind a modem or router? Otherwise nat-traversal is bad. Wireshark will not help you. You must activate Log everything on both tunnel sides and analyze the logfile. Site-to-side vpn debug. Let it run for 6 or eight hours. Get the logfile. Look for asynchronos network or invalid key entries on both sides. Or ssh on the utms tcpdump -vv (ipsec interface).

    UTM will never be able to do IKEV2 thats very bad.


    Good Luck


    Greetings Peter


  • I wanted to help and did not want to critizies anything. 



    Godd Bye.

Reply Children
No Data