This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSec Site-to-site VPN breaks every day at around 11AM

We have an IPSec Site-to-site VPN that is supposed to connect our site with a couple servers hosted on Microsoft Azure.

This worked fine for around 2 years, but since May, every day between 10:30 and 11AM the connection breaks and does not seem to re-establish on its own. (At least not within 3 hours). Turning it off and then immediately on again fixes the issue and brings back the connection.

What we've tried:

  • Installed all Sophos updates
  • Increased DPD timeout in Azure portal to match the Sophos default of 180 seconds

Any idea what could be the issue here? How do I troubleshoot this?

Logs:

2024:05:22-10:12:58 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #32: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #29 {using isakmp#1}
2024:05:22-10:12:58 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #32: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
2024:05:22-10:12:58 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #32: sent QI2, IPsec SA established {ESP=>0x2a75a17f <0xef594347 DPD}
2024:05:22-10:12:58 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xa0ac2bcb) not found (our SPI - bogus implementation)
2024:05:22-10:12:58 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #1: received Delete SA(0x066c35f1) payload: deleting IPSEC State #29
2024:05:22-10:28:48 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #33: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #31 {using isakmp#2}
2024:05:22-10:28:48 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #33: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2024:05:22-10:28:48 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #33: sent QI2, IPsec SA established {ESP=>0xd2fd6308 <0xe0353ba3 DPD}
2024:05:22-10:28:48 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #33: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2024:05:22-10:28:48 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #33: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
2024:05:22-10:28:48 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #33: sending encrypted notification INVALID_PAYLOAD_TYPE to 20.73.154.78:500
2024:05:22-10:33:20 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_0" #34: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #30 {using isakmp#2}
2024:05:22-10:33:20 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_0" #34: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2024:05:22-10:33:20 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_0" #34: sent QI2, IPsec SA established {ESP=>0xc0fc7e68 <0x11632f2c DPD}
2024:05:22-10:33:20 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_0" #34: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2024:05:22-10:33:20 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_0" #34: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
2024:05:22-10:33:20 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_0" #34: sending encrypted notification INVALID_PAYLOAD_TYPE to 20.73.154.78:500
2024:05:22-10:36:24 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_0" #2: received Delete SA payload: deleting ISAKMP State #2
2024:05:22-10:36:24 fw01 pluto[11729]: packet from 20.73.154.78:500: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
2024:05:22-10:36:24 fw01 pluto[11729]: packet from 20.73.154.78:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
2024:05:22-10:36:24 fw01 pluto[11729]: packet from 20.73.154.78:500: received Vendor ID payload [RFC 3947]
2024:05:22-10:36:24 fw01 pluto[11729]: packet from 20.73.154.78:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2024:05:22-10:36:24 fw01 pluto[11729]: packet from 20.73.154.78:500: ignoring Vendor ID payload [FRAGMENTATION]
2024:05:22-10:36:24 fw01 pluto[11729]: packet from 20.73.154.78:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
2024:05:22-10:36:24 fw01 pluto[11729]: packet from 20.73.154.78:500: ignoring Vendor ID payload [Vid-Initial-Contact]
2024:05:22-10:36:24 fw01 pluto[11729]: packet from 20.73.154.78:500: ignoring Vendor ID payload [IKE CGA version 1]
2024:05:22-10:36:24 fw01 pluto[11729]: packet from 20.73.154.78:500: received Vendor ID payload [Dead Peer Detection]
2024:05:22-10:36:24 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #35: responding to Main Mode
2024:05:22-10:36:24 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #35: NAT-Traversal: Result using RFC 3947: no NAT detected
2024:05:22-10:36:24 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #35: Peer ID is ID_IPV4_ADDR: '20.73.154.78'
2024:05:22-10:36:24 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #35: Dead Peer Detection (RFC 3706) enabled
2024:05:22-10:36:24 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #35: sent MR3, ISAKMP SA established
2024:05:22-10:36:24 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #36: responding to Quick Mode
2024:05:22-10:36:24 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #36: IPsec SA established {ESP=>0xaa15ef98 <0x45716193 DPD}
2024:05:22-10:36:24 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_0" #37: responding to Quick Mode
2024:05:22-10:36:24 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_0" #37: IPsec SA established {ESP=>0x7eb7ae4a <0x4fd65e6a DPD}
2024:05:22-10:39:55 fw01 pluto[11729]: packet from 20.73.154.78:500: Informational Exchange is for an unknown (expired?) SA
2024:05:22-10:43:32 fw01 pluto[11729]: packet from 20.73.154.78:500: Informational Exchange is for an unknown (expired?) SA
2024:05:22-10:44:30 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #38: initiating Main Mode to replace #1
2024:05:22-10:44:30 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #38: received Vendor ID payload [XAUTH]
2024:05:22-10:44:30 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #38: received Vendor ID payload [Dead Peer Detection]
2024:05:22-10:44:30 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #38: ignoring Vendor ID payload [bfc22e9856ba993611c11e48a6d20807a95bedb393026a49e60fac327bb9601b...]
2024:05:22-10:44:30 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #38: Peer ID is ID_IPV4_ADDR: '83.246.110.130'
2024:05:22-10:44:30 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #38: Dead Peer Detection (RFC 3706) enabled
2024:05:22-10:44:30 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #38: ISAKMP SA established
2024:05:22-10:44:34 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #38: discarding duplicate packet; already STATE_MAIN_I4
2024:05:22-10:44:37 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #38: discarding duplicate packet; already STATE_MAIN_I4
2024:05:22-10:44:42 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #38: discarding duplicate packet; already STATE_MAIN_I4
2024:05:22-10:56:19 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #39: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #32 {using isakmp#38}
2024:05:22-10:56:19 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #39: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
2024:05:22-10:56:19 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #39: sent QI2, IPsec SA established {ESP=>0x49da6cf1 <0x377a133c DPD}
2024:05:22-10:56:19 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #38: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xef594347) not found (our SPI - bogus implementation)
2024:05:22-10:56:19 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #38: received Delete SA(0x2a75a17f) payload: deleting IPSEC State #32



This thread was automatically locked due to age.