
Working IPsec site to site VPN won't restart after reboot

I'm running Sophos UTM ver. 9.705-3 and have an IPsec site-to-site VPN with a Sonicwall TZ300 (which is set to "initiate connection") that works well until I reboot the Sophos.

After rebooting the Sophos, I've watched the Sonicwall keep retrying to reconnect for well over 5 minutes with no answer back. At the Sophos end, the VPN live log only shows the following entries and won't budge until I do something to the VPN (e.g. toggle it on/off, change a setting, etc.); then it reconnects with no problem:

2021:02:20-11:58:48 lyneutm pluto[5866]: adding interface br0/br0 192.168.2.2:500
2021:02:20-11:58:48 lyneutm pluto[5866]: adding interface br0/br0 192.168.2.2:4500
2021:02:20-11:58:48 lyneutm pluto[5866]: adding interface lo/lo 127.0.0.1:500
2021:02:20-11:58:48 lyneutm pluto[5866]: adding interface lo/lo 127.0.0.1:4500
2021:02:20-11:58:48 lyneutm pluto[5866]: adding interface lo/lo ::1:500
2021:02:20-11:58:48 lyneutm pluto[5866]: loading secrets from "/etc/ipsec.secrets"
2021:02:20-11:58:48 lyneutm pluto[5866]: loaded PSK secret for <local FQDN> <remote FQDN>
2021:02:20-11:58:48 lyneutm pluto[5866]: listening for IKE messages
2021:02:20-11:58:48 lyneutm pluto[5866]: added connection description "S_JT VPN"
2021:02:20-11:58:48 lyneutm pluto[5866]: "S_JT VPN": we have no ipsecN interface for either end of this connection

(I've inserted the <local FQDN> and <remote FQDN> to replace the actual values.)

I've tried with Dead Peer Connection both on and off with same result.

Is there a known issue with IPSec VPN restarts at reboot? Is there something I may have configured wrong?

Any info would be appreciated.
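The stall described above can be picked out of the IPsec live log mechanically: pluto binds its sockets, loads the secret, adds the connection, and then logs only the "we have no ipsecN interface" line for it, with nothing further while the peer keeps retrying. The following parser is an added example written for this page, not code from the thread or from Sophos; it reads the log lines quoted in the post (embedded as sample input) and flags any connection that logged that line and never progressed. The "healthy" contrast log is constructed and not from the thread, and the prefixes used to recognise a connection that did progress ("initiating", "responding", "STATE_") are assumed from pluto's usual messages.

```python
import re
from dataclasses import dataclass, field

# Sophos UTM IPsec live-log line shape, as posted in the thread:
#   YYYY:MM:DD-HH:MM:SS host pluto[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+pluto\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
INTERFACE_RE = re.compile(r"^adding interface (?P<iface>\S+) (?P<addr>\S+):(?P<port>\d+)$")
ADDED_RE = re.compile(r'^added connection description "(?P<conn>[^"]+)"$')
# Per-connection messages look like '"name": detail' or '"name" #N: detail'
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)"(?: #\d+)?:\s*(?P<detail>.*)$')

NO_IPSEC_IFACE = "we have no ipsecN interface for either end of this connection"
# Assumption: message prefixes showing a connection got past loading and
# actually started or answered IKE (pluto's "initiating ...", "responding ...",
# "STATE_..." lines). Not taken from the thread.
PROGRESS_PREFIXES = ("initiating", "responding", "STATE_")


@dataclass
class PlutoStartup:
    listen_addrs: set = field(default_factory=set)    # {(iface, addr, port)}
    connections: dict = field(default_factory=dict)   # {name: [detail, ...]}
    listening: bool = False


def parse_pluto_log(text: str) -> PlutoStartup:
    """Walk the live-log text and collect what pluto bound and loaded."""
    state = PlutoStartup()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # not a pluto line; ignore
        msg = m.group("msg")
        im = INTERFACE_RE.match(msg)
        if im:
            state.listen_addrs.add((im.group("iface"), im.group("addr"), int(im.group("port"))))
            continue
        if msg == "listening for IKE messages":
            state.listening = True
            continue
        am = ADDED_RE.match(msg)
        if am:
            state.connections.setdefault(am.group("conn"), [])
            continue
        cm = CONN_RE.match(msg)
        if cm:
            state.connections.setdefault(cm.group("conn"), []).append(cm.group("detail"))
    return state


def listens_on(state: PlutoStartup, addr: str) -> bool:
    """True if pluto bound both IKE (500) and NAT-T (4500) on this address."""
    ports = {p for _, a, p in state.listen_addrs if a == addr}
    return {500, 4500} <= ports


def stalled_connections(state: PlutoStartup) -> list:
    """Connections that logged the 'no ipsecN interface' line and then nothing
    further: the symptom from the thread, where the peer keeps retrying and the
    UTM never answers until the connection is toggled."""
    return sorted(
        name for name, details in state.connections.items()
        if any(d.startswith(NO_IPSEC_IFACE) for d in details)
        and not any(d.startswith(PROGRESS_PREFIXES) for d in details)
    )


# Sample input: the lines from the original post (placeholders kept as posted).
SAMPLE_LOG = """\
2021:02:20-11:58:48 lyneutm pluto[5866]: adding interface br0/br0 192.168.2.2:500
2021:02:20-11:58:48 lyneutm pluto[5866]: adding interface br0/br0 192.168.2.2:4500
2021:02:20-11:58:48 lyneutm pluto[5866]: adding interface lo/lo 127.0.0.1:500
2021:02:20-11:58:48 lyneutm pluto[5866]: adding interface lo/lo 127.0.0.1:4500
2021:02:20-11:58:48 lyneutm pluto[5866]: adding interface lo/lo ::1:500
2021:02:20-11:58:48 lyneutm pluto[5866]: loading secrets from "/etc/ipsec.secrets"
2021:02:20-11:58:48 lyneutm pluto[5866]: loaded PSK secret for <local FQDN> <remote FQDN>
2021:02:20-11:58:48 lyneutm pluto[5866]: listening for IKE messages
2021:02:20-11:58:48 lyneutm pluto[5866]: added connection description "S_JT VPN"
2021:02:20-11:58:48 lyneutm pluto[5866]: "S_JT VPN": we have no ipsecN interface for either end of this connection
"""

# Constructed contrast case (not from the thread): same start-up, but the
# connection goes on to answer the peer's IKE proposal instead of stalling.
HEALTHY_LOG = "\n".join(SAMPLE_LOG.splitlines()[:-1]) + (
    '\n2021:02:20-11:58:52 lyneutm pluto[5866]: "S_JT VPN" #1: '
    "responding to Main Mode from unknown peer 203.0.113.5\n"
)

if __name__ == "__main__":
    st = parse_pluto_log(SAMPLE_LOG)
    print("listening:", st.listening, "| br0 bound 500+4500:", listens_on(st, "192.168.2.2"))
    print("stalled after reload:", stalled_connections(st))
    print("stalled (healthy case):", stalled_connections(parse_pluto_log(HEALTHY_LOG)))
```

Run against a saved copy of the live log after a reboot; a connection name in the "stalled" list is the one to toggle or recreate. Note that `listens_on` confirms both UDP 500 and 4500 were bound on the outside address, so a missing 4500 would point at NAT-T rather than at this stall.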

  • I should add there's no problem going the other way, i.e. when the Sonicwall end goes down and restarts, the tunnel gets re-established with no problem.

  • Salut Jean,

    I assume that the Sophos side is set to respond only?

    BAlfson, didn't you say that both ends could be set to "initiate connection"?

    I would try that first.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner




  • Hi Philipp, thanks for the reply. I don't see a way to set the Sophos end to "respond only", or, for that matter, to initiate. I only see the option to set initiate/respond for the remote site, in my case a Sonicwall that is set to initiate.

    Here's a screenshot of the Sophos connection config tab, and two below is the Sophos Remote Gateway tab, where I could have chosen "Respond Only" but chose "Initiate Connection".

  • Salut Jean,

    Once defined, you cannot change the behaviour of the remote GW object from "initiate connection" to "respond only". You have to recreate it, or define another object and then associate this with your connection.

    Best regards,

    Philipp Rusch

  • I haven't changed anything with respect to who initiates and who responds, because everything works fine until I reboot the Sophos. Then the VPN will not restart. Upon restart the Sophos should just respond to the other end's request, which I can see happens repeatedly, but it doesn't.

    It stops at: lyneutm pluto[5866]: "S_JT VPN": we have no ipsecN interface for either end of this connection

    It seems like a bug to me, but first I'm seeing if anyone else has encountered this, and/or if there's another setting I'm not seeing that I have to turn on or off.

  • Something is definitely broken here. Try to create a new connection object with a different name AND a new gateway object with a new name, too. Then delete the old entries after that. Is it working now?

    Best regards,

    Philipp Rusch

  • Hi Jean and welcome to the UTM Community!

    Are DPD and NAT-T enabled on both devices? If that doesn't fix this, please show us more of the log.

    1. Confirm that Debug is not enabled.
    2. Disable the IPsec Connection.
    3. Start the IPsec Live Log and wait for it to begin to populate.
    4. Enable the IPsec Connection.
    5. Copy here about 60 lines from enabling through the error.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks. Just to be clear, the problem is ONLY at reboot of the Sophos. Otherwise everything works fine, including any loss of connectivity at either end (or a Sonicwall reboot). The tunnel always comes back up EXCEPT when I restart the Sophos. I've not had a chance to restart building it from scratch to see if that fixes it, but I may have a chance to reboot tomorrow. I don't think there are many more log entries to see. I'll provide what both the "view log" and "live log" show. I'll even force a restart at the Sonicwall end while I'm running the live log. Someone from the Spiceworks community said this problem was reported 5 years ago in 9.4.

    In the meantime, I'll confirm that, yes, Dead Peer Detection and NAT Traversal are on, and no, debug is not.

  • So this morning everything worked fine after reboot. The VPN tunnel came back up by itself. I must have done something to it over the past several days. I did spend quite a bit of time setting up IPsec in the "Remote Access" tab, thinking I could maybe get in that way if there was a Sophos reboot and the "Site to Site" VPN was down. I wasn't able to get that going, but I noticed some stuff was common to both ways of setting up IPsec VPN (which gave me grief on the Sonicwall side), so maybe something I did setting that up fixed things.

    Thanks for your replies and offers of help.

    I will ask something else. I tried to get support on this, so I set up a Sophos ID at support.sophos.com, but it refuses to let me log in. Phone support sent me to Sophos Home, which is for the Windows/Mac software version, not the ASG appliance version I have.

    I realize I have the free home edition, so I'm not expecting miracles, but I thought I read somewhere that there is support for it. Is support only through self-help and this community, or is there an option to report something to the technical support folks and there's just a problem with the account I created?

    Any info would be appreciated.

    Thanks again

  • Correctomundo, Jean - just here in the Community. There are Sophos folks that participate here, too.

    If you click on 'Management' in WebAdmin, you can see when you were logged in and what changes you made.  It would be interesting to see your related changes.

    Cheers - Bob

  • Thanks. I made sooo many changes for many things that I don't really want to go through them to figure out which one tipped the scale. Thanks for your replies.
