We have an IPSec Site-to-site VPN that is supposed to connect our site with a couple servers hosted on Microsoft Azure.
This worked fine for around 2 years, but since May, every day between 10:30 and 11 AM the connection breaks and does not seem to re-establish on its own (at least not within 3 hours). Turning it off and then immediately on again fixes the issue and brings back the connection.
What we've tried:
- Installed all Sophos updates
- Increased DPD timeout in Azure portal to match the Sophos default of 180 seconds
Any idea what could be the issue here? How do I troubleshoot this?
Logs:
2024:05:22-10:12:58 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #32: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #29 {using isakmp#1}
2024:05:22-10:12:58 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #32: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
2024:05:22-10:12:58 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #32: sent QI2, IPsec SA established {ESP=>0x2a75a17f <0xef594347 DPD}
2024:05:22-10:12:58 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xa0ac2bcb) not found (our SPI - bogus implementation)
2024:05:22-10:12:58 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #1: received Delete SA(0x066c35f1) payload: deleting IPSEC State #29
2024:05:22-10:28:48 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #33: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #31 {using isakmp#2}
2024:05:22-10:28:48 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #33: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2024:05:22-10:28:48 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #33: sent QI2, IPsec SA established {ESP=>0xd2fd6308 <0xe0353ba3 DPD}
2024:05:22-10:28:48 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #33: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2024:05:22-10:28:48 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #33: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
2024:05:22-10:28:48 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #33: sending encrypted notification INVALID_PAYLOAD_TYPE to 20.73.154.78:500
2024:05:22-10:33:20 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_0" #34: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #30 {using isakmp#2}
2024:05:22-10:33:20 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_0" #34: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2024:05:22-10:33:20 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_0" #34: sent QI2, IPsec SA established {ESP=>0xc0fc7e68 <0x11632f2c DPD}
2024:05:22-10:33:20 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_0" #34: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2024:05:22-10:33:20 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_0" #34: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
2024:05:22-10:33:20 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_0" #34: sending encrypted notification INVALID_PAYLOAD_TYPE to 20.73.154.78:500
2024:05:22-10:36:24 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_0" #2: received Delete SA payload: deleting ISAKMP State #2
2024:05:22-10:36:24 fw01 pluto[11729]: packet from 20.73.154.78:500: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
2024:05:22-10:36:24 fw01 pluto[11729]: packet from 20.73.154.78:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
2024:05:22-10:36:24 fw01 pluto[11729]: packet from 20.73.154.78:500: received Vendor ID payload [RFC 3947]
2024:05:22-10:36:24 fw01 pluto[11729]: packet from 20.73.154.78:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2024:05:22-10:36:24 fw01 pluto[11729]: packet from 20.73.154.78:500: ignoring Vendor ID payload [FRAGMENTATION]
2024:05:22-10:36:24 fw01 pluto[11729]: packet from 20.73.154.78:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
2024:05:22-10:36:24 fw01 pluto[11729]: packet from 20.73.154.78:500: ignoring Vendor ID payload [Vid-Initial-Contact]
2024:05:22-10:36:24 fw01 pluto[11729]: packet from 20.73.154.78:500: ignoring Vendor ID payload [IKE CGA version 1]
2024:05:22-10:36:24 fw01 pluto[11729]: packet from 20.73.154.78:500: received Vendor ID payload [Dead Peer Detection]
2024:05:22-10:36:24 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #35: responding to Main Mode
2024:05:22-10:36:24 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #35: NAT-Traversal: Result using RFC 3947: no NAT detected
2024:05:22-10:36:24 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #35: Peer ID is ID_IPV4_ADDR: '20.73.154.78'
2024:05:22-10:36:24 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #35: Dead Peer Detection (RFC 3706) enabled
2024:05:22-10:36:24 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #35: sent MR3, ISAKMP SA established
2024:05:22-10:36:24 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #36: responding to Quick Mode
2024:05:22-10:36:24 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #36: IPsec SA established {ESP=>0xaa15ef98 <0x45716193 DPD}
2024:05:22-10:36:24 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_0" #37: responding to Quick Mode
2024:05:22-10:36:24 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_0" #37: IPsec SA established {ESP=>0x7eb7ae4a <0x4fd65e6a DPD}
2024:05:22-10:39:55 fw01 pluto[11729]: packet from 20.73.154.78:500: Informational Exchange is for an unknown (expired?) SA
2024:05:22-10:43:32 fw01 pluto[11729]: packet from 20.73.154.78:500: Informational Exchange is for an unknown (expired?) SA
2024:05:22-10:44:30 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #38: initiating Main Mode to replace #1
2024:05:22-10:44:30 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #38: received Vendor ID payload [XAUTH]
2024:05:22-10:44:30 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #38: received Vendor ID payload [Dead Peer Detection]
2024:05:22-10:44:30 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #38: ignoring Vendor ID payload [bfc22e9856ba993611c11e48a6d20807a95bedb393026a49e60fac327bb9601b...]
2024:05:22-10:44:30 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #38: Peer ID is ID_IPV4_ADDR: '83.246.110.130'
2024:05:22-10:44:30 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #38: Dead Peer Detection (RFC 3706) enabled
2024:05:22-10:44:30 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #38: ISAKMP SA established
2024:05:22-10:44:34 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #38: discarding duplicate packet; already STATE_MAIN_I4
2024:05:22-10:44:37 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #38: discarding duplicate packet; already STATE_MAIN_I4
2024:05:22-10:44:42 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #38: discarding duplicate packet; already STATE_MAIN_I4
2024:05:22-10:56:19 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #39: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #32 {using isakmp#38}
2024:05:22-10:56:19 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #39: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
2024:05:22-10:56:19 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #39: sent QI2, IPsec SA established {ESP=>0x49da6cf1 <0x377a133c DPD}
2024:05:22-10:56:19 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #38: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xef594347) not found (our SPI - bogus implementation)
2024:05:22-10:56:19 fw01 pluto[11729]: "S_REF_IpsSitTk_0" #38: received Delete SA(0x2a75a17f) payload: deleting IPSEC State #32
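An added example, not part of the original post: a small Python parser for the pluto log format shown above that reduces the log to a timeline of SA establishment, Delete SA, sent-notification and unknown-SA events per connection or peer, which makes the sequence around the daily drop easier to read. The event labels and function names are this example's own, and the sample lines are an excerpt of the log in the post.

```python
import re
from collections import Counter

# Excerpt of the pluto log quoted in the post (one entry per line).
SAMPLE = """\
2024:05:22-10:28:48 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #33: sent QI2, IPsec SA established {ESP=>0xd2fd6308 <0xe0353ba3 DPD}
2024:05:22-10:28:48 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #33: sending encrypted notification INVALID_PAYLOAD_TYPE to 20.73.154.78:500
2024:05:22-10:36:24 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_0" #2: received Delete SA payload: deleting ISAKMP State #2
2024:05:22-10:36:24 fw01 pluto[11729]: "S_REF_IpsSitAzure10300_1" #35: sent MR3, ISAKMP SA established
2024:05:22-10:39:55 fw01 pluto[11729]: packet from 20.73.154.78:500: Informational Exchange is for an unknown (expired?) SA
"""

# Timestamp, host, then either '"conn" #state' or 'packet from ip:port'.
LINE = re.compile(
    r'^(?P<ts>\d{4}:\d\d:\d\d-\d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)" #\d+|packet from (?P<peer>[\d.]+):\d+): (?P<msg>.*)$')

# Event labels are this example's own names, not Sophos or pluto terms.
EVENTS = [
    ("ike_sa_up", re.compile(r"ISAKMP SA established")),
    ("ipsec_sa_up", re.compile(r"IPsec SA established")),
    ("delete_ike_sa", re.compile(r"received Delete SA payload: deleting ISAKMP State")),
    ("delete_ipsec_sa", re.compile(r"received Delete SA\(0x[0-9a-f]+\) payload")),
    ("notify_sent", re.compile(r"sending encrypted notification (\S+)")),
    ("unknown_sa", re.compile(r"for an unknown \(expired\?\) SA")),
]

def timeline(text):
    """Return (time, connection-or-peer, label, detail) for each SA event."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a pluto line in the expected format
        for label, pat in EVENTS:
            hit = pat.search(m["msg"])
            if hit:
                detail = hit.group(1) if pat.groups else ""
                out.append((m["ts"][11:], m["conn"] or m["peer"], label, detail))
                break
    return out

def counts(events):
    """Count events per (connection-or-peer, label)."""
    return Counter((key, label) for _, key, label, _ in events)

if __name__ == "__main__":
    for ev in timeline(SAMPLE):
        print(*ev)
```
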