Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 3 subscribers
  • Views 5290 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSEC tunnel issue

Cernitu Andrei

Hello Sophos Community,

 

I have one IPsec tunnel established with one of our client, the tunnel is up, ACL is up(have configured multiple hosts that can be access on client side). The issues is that when we initiate connection from our side internal VM ip to one host from client network the connection is working 30 min, 1hour (no specific interval of time) and then the connection suddenly stops. I capture tcp dump on our sophos sg450 (UTM 9 )firewall and in that tcpdump i see only "in" packets but no "out packets" (attached printscreen). i tried to do a SNAT from our side, the same issue(only with one host from customer side i have this issue). So sometimes the connection is working again by itself and sometimes i need to manually reset the tunnel.

Also need to mention behind this firewall, i have another firewall configured and also on that i can see only in packets but no out packets(the policy on this firewall is allowed with any port and on sophos the firewall is set on Auto for traffic through IPsec tunnel).

 

Do you have any sugestion for this issue?Also i can mention that on that USG i have over 40 tunnels up and this is the only tunnel with this kind of issue.

 



This thread was automatically locked due to age.
Parents
  • 0

    Hallo Andrei and welcome to the UT Community!

    Is this a question about Sophos UTM?  If so, please show pictures of the Edits of the IPsec Policy on each side of the Tunnel.

    Cheers - Bob

    PS Moving this thread to the VPN forum.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hello,

    I can only share the configuration from my side, because the other side is on the customer network i do not have access there.

    Phase 1 and Phase 2

    Gateway to customer network. I cannot share the IP's 

    Our Internal IP is NAT to one public ip. Also tried without Nat and same issue.

    Thank you!

  • 0 in reply to Cernitu Andrei

    first check that the IKE and IPSec lifetimes are exactly the same on both sides of the connection. And when you are busy checking both sides, also check for the other IKE and IPSec settings (they should also match on both sides)

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • 0 in reply to apijnappels

    Hello,

     

    Already checked this with customer and both sides have the same phase 1 and phase 2 config. Also as i mentioned i only have this issue with one ip from client network, the rest are working fine(there are about 23 hosts that we access from our VM to customer private network).

  • 0 in reply to Cernitu Andrei

    We don't work very well with hearsay, Andrei.  We need pictures of the Policy on the other side.  Do both sides have DPD and NAT-T selected?  What setting does the other side have for Anti-Replay?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hello all and sorry for the late response. I manage to fix the problem and was a source nat issue on our side after i checked deeply all configuration of the IPsec tunnel.

     

    Thank you for the support!

Reply Children
No Data
Unfiltered HTML