Problem with UTM 9 connection to Azure

Hi All,

We have UTM 9 and the firmware version is 9.603-1. We have established a VPN connection to Azure. We already have one other connection to our branch. We could not find the reason, but it starts to give duplicate message problems and then the connection to Azure drops. It happens every 2-4 days.

2019:07:10-15:18:45 utm pluto[6401]: "S_REF_IpsSitAzure_0" #397: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)

2019:07:10-15:18:45 utm pluto[6401]: "S_REF_IpsSitAzure_0" #397: sending encrypted notification INVALID_MESSAGE_ID to 168.63.44.99:500

2019:07:10-15:18:45 utm pluto[6401]: "S_REF_IpsSitAzure_0" #397: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x02000000 (perhaps this is a duplicated packet)

2019:07:10-15:18:45 utm pluto[6401]: "S_REF_IpsSitAzure_0" #397: sending encrypted notification INVALID_MESSAGE_ID to *:500

If the VPN is working, there is no error message and everything is working fine.

We are using policy-based routing, and we have tried to connect to Azure with a route-based policy, but we could not connect to Azure. Microsoft says that route-based policies are much more stable compared to policy-based routing.

Can somebody suggest a resolution for this? Thanks in advance.

Sedat EU 
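An added example, not part of the original post and not Sophos code: a small Python helper that parses pluto log lines in the format quoted above, extracts the connection name, SA number, reused Message ID and the peer the INVALID_MESSAGE_ID notification was sent to, and flags a "burst" when several reuse events for one connection fall inside a short window, which is the pattern that preceded the tunnel drop in this thread. The sample log lines are constructed from the format in the post (peer, connection name and timestamps copied from it); the window and threshold values are assumptions, not Sophos defaults.

```python
"""Flag IKEv1 Quick Mode Message ID reuse in Sophos UTM pluto log lines.

Hypothetical helper written for this thread, not Sophos code. The log
format is assumed from the lines quoted in the original post.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common prefix: 'YYYY:MM:DD-HH:MM:SS host pluto[pid]: "conn" #sa: message'
PLUTO_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'pluto\[(?P<pid>\d+)\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$'
)
REUSE_RE = re.compile(r'previously used Message ID (?P<mid>0x[0-9a-fA-F]+)')
NOTIFY_RE = re.compile(r'sending encrypted notification (?P<notify>[A-Z_]+) to (?P<peer>\S+)')

# Constructed sample log, modelled on the lines quoted in the post.
SAMPLE_LOG = """\
2019:07:10-15:18:45 utm pluto[6401]: "S_REF_IpsSitAzure_0" #397: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
2019:07:10-15:18:45 utm pluto[6401]: "S_REF_IpsSitAzure_0" #397: sending encrypted notification INVALID_MESSAGE_ID to 168.63.44.99:500
2019:07:10-15:18:45 utm pluto[6401]: "S_REF_IpsSitAzure_0" #397: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x02000000 (perhaps this is a duplicated packet)
2019:07:10-15:18:45 utm pluto[6401]: "S_REF_IpsSitAzure_0" #397: sending encrypted notification INVALID_MESSAGE_ID to 168.63.44.99:500
2019:07:10-15:20:01 utm pluto[6401]: "S_REF_IpsSitBranch_0" #212: STATE_QUICK_R2: IPsec SA established
"""


def parse_pluto_line(line):
    """Return a dict for one pluto log line, or None if it does not match."""
    m = PLUTO_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y:%m:%d-%H:%M:%S")
    rec["sa"] = int(rec["sa"])
    reuse = REUSE_RE.search(rec["msg"])
    rec["reused_mid"] = reuse.group("mid") if reuse else None
    notify = NOTIFY_RE.search(rec["msg"])
    rec["notify"] = notify.group("notify") if notify else None
    rec["peer"] = notify.group("peer") if notify else None
    return rec


def find_message_id_reuse(lines, window=timedelta(minutes=5), threshold=2):
    """Group Message ID reuse events per connection and flag bursts.

    Returns {conn: {"reused_ids": [...], "sas": [...], "peers": [...], "burst": bool}}.
    'burst' is True when at least `threshold` reuse events for the same
    connection fall within `window` (both values are assumptions).
    """
    events = defaultdict(list)
    peers = defaultdict(set)
    for line in lines:
        rec = parse_pluto_line(line)
        if rec is None:
            continue
        if rec["reused_mid"]:
            events[rec["conn"]].append((rec["ts"], rec["sa"], rec["reused_mid"]))
        if rec["notify"] == "INVALID_MESSAGE_ID" and rec["peer"]:
            peers[rec["conn"]].add(rec["peer"])

    report = {}
    for conn, evs in events.items():
        evs.sort()
        burst = False
        for i in range(len(evs)):
            j = i
            # Extend the window from event i and count how many events it covers.
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            if j - i >= threshold:
                burst = True
                break
        report[conn] = {
            "reused_ids": [mid for _, _, mid in evs],
            "sas": sorted({sa for _, sa, _ in evs}),
            "peers": sorted(peers[conn]),
            "burst": burst,
        }
    return report


if __name__ == "__main__":
    for conn, info in find_message_id_reuse(SAMPLE_LOG.splitlines()).items():
        print(conn, info)
```

Feed it the UTM IPsec log instead of SAMPLE_LOG to see which connection and which peer the notifications go to; a burst on one connection while the other tunnel stays clean narrows the problem to that peer rather than to the UTM as a whole.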



  • Hi Sedat and welcome to the UTM Community!

    Is the UTM behind a NAT?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Nope, the Sophos is connecting directly to the internet, and the other side is an Azure virtual network gateway with a policy-based connection.

    Thanks

  • This could work.

    Just to be sure, I talked about this in the context of XG in this thread:

    https://community.sophos.com/products/xg-firewall/f/vpn/113212/anyone-has-experience-on-vpn-ipsec-site-to-site-beetwen-xg-17-x-and-azure/405616

    Maybe this KBA needs an update: https://community.sophos.com/kb/en-us/126995

    Could you take a look?

    __________________________________________________________________________________________________________________

  • Hi All,

    Thanks for all your support. I want to say some important things, as I see them.

    1. The connection establishes and works for at least 2 days without problems, minimum 3 days up to now. So key exchanges are working properly, maximum 27000 seconds as you can see in the configuration screenshot.

    2. Route-based VPN is not supported by UTM as far as I know. It is not written in any official document; actually I could not find the reverse either, but we tried and there was no log about an error. UTM says it is going to connect; after some trials, about 20 I guess, it leaves the connection, but there is no real explanation of which stage the problem is in.

    3. UTM is not listed in Microsoft's supported VPN device list.

    Sophos is very responsive; they are also taking care of the case. Meanwhile any support is welcome, and thanks again.

    Regards

    Sedat

  • Let's take a step back.

    UTM does not support route-based VPN "on the UTM side".

    Route-based VPN and policy-based VPN are techniques to route your VPN on your device. It has literally no impact on the other side of the VPN tunnel.

    So basically you could connect a route-based VPN gateway to a UTM (policy-based) and it works perfectly.

    It is important to understand that the IPsec SAs have to be built up, and then the traffic will be routed.

    Azure now has some kind of limitation.

    So basically, if you want to use route-based VPN in Azure, you have to use IKEv2, which is not supported by UTM. So you have to use the policy-based VPN method on the Azure side to build up a tunnel, because policy-based supports IKEv1.

    Route-based VPN does not have only advantages. You would create an interface for each tunnel.

    Take a look at the bigger deployments of route-based VPNs with X.000 tunnels.

    __________________________________________________________________________________________________________________

  • Lucar, you were a very good help again. I see you are very active everywhere.

    I did not want to say UTM does not support route-based VPN. I was talking about a limitation in my case, where I am trying to connect Sophos and Azure with basic VPN functionality.

    I will search for X.000 tunnels; I haven't used them for many years.
