
Working IPsec site to site VPN won't restart after reboot

Am running Sophos UTM ver 9.705-3 and have an IPsec site to site VPN with Sonicwall TZ300 (which is set to "initiate connection") that works well until I reboot the Sophos.

After rebooting the Sophos, I've watched the sonicwall keep retrying to reconnect for well over 5 mins with no answer back. At the sophos end, the VPN live log only shows the following entries and won't budge until I do something to the VPN, e.g. toggle on/off, change a setting, etc. then it reconnects no problem:

2021:02:20-11:58:48 lyneutm pluto[5866]: adding interface br0/br0 192.168.2.2:500
2021:02:20-11:58:48 lyneutm pluto[5866]: adding interface br0/br0 192.168.2.2:4500
2021:02:20-11:58:48 lyneutm pluto[5866]: adding interface lo/lo 127.0.0.1:500
2021:02:20-11:58:48 lyneutm pluto[5866]: adding interface lo/lo 127.0.0.1:4500
2021:02:20-11:58:48 lyneutm pluto[5866]: adding interface lo/lo ::1:500
2021:02:20-11:58:48 lyneutm pluto[5866]: loading secrets from "/etc/ipsec.secrets"
2021:02:20-11:58:48 lyneutm pluto[5866]: loaded PSK secret for <local FQDN> <remote FQDN>
2021:02:20-11:58:48 lyneutm pluto[5866]: listening for IKE messages
2021:02:20-11:58:48 lyneutm pluto[5866]: added connection description "S_JT VPN"
2021:02:20-11:58:48 lyneutm pluto[5866]: "S_JT VPN": we have no ipsecN interface for either end of this connection

(I've inserted the <local FQDN> and <remote FQDN> to replace the actual values.)

I've tried with Dead Peer Connection both on and off with same result.

Is there a known issue with IPSec VPN restarts at reboot? Is there something I may have configured wrong?

Any info would be appreciated.

  • thanks. I made sooo many changes for many things I don't really want to go through them to figure out which one tipped the scale. thanks for your replies.

  • I spoke too soon. About 4 days into remote deployment of the unit, there was a power outage and the site to site VPN didn't restart when power returned. This is frustrating because 1) clearly it's intermittent and 2) I wasn't able to set up an alternate method for remote access so now I'm going to have to go on site to try to fix things - and by that I mean set up an alternate connection method since I obviously can't rely on site to site IPSec VPN functionality. This seems like a bug. Can someone with access to Sophos technical support team help find out if there's a known issue?

  • I should add that site to site VPN is important because the syslog server and other services for the remote site are actually running at "HQ" site so even if I'm able to find an alternative using Remote Access to get in to restart the site to site VPN, it's only a hack/workaround that's far from ideal. And I don't see an alternative such as SSL for site-to-site VPN with sonicwall so I think I'm stuck with IPSec.

  • Wasn't power outage after all - it was either just an IPSec VPN outage or something else that caused the VPN to drop and not respond to incoming request to restart.


    Below is when things suddenly went south with VPN plus kernel errors that happened during this time. (Kernel errors happened at other times too so not sure what to make of that - bugs? bad memory? bad config?) Have since rebooted and see some occasional kernel "segfaults" but VPN has been working fine for a couple of days now.


    2021:03:02-16:12:12 lyneutm pluto[12564]: shutting down
    2021:03:02-16:12:12 lyneutm pluto[12564]: forgetting secrets
    2021:03:02-16:12:12 lyneutm pluto[12564]: "S_REF_IpsSitJtVpn_0": deleting connection
    2021:03:02-16:12:12 lyneutm pluto[12564]: "S_REF_IpsSitJtVpn_0" #201: deleting state (STATE_QUICK_I2)
    2021:03:02-16:12:12 lyneutm pluto[12564]: ERROR: "S_REF_IpsSitJtVpn_0" #201: sendto on eth3 to <SonicwallIPaddr>:4500 failed in delete notify. Errno 22: Invalid argument
    2021:03:02-16:12:12 lyneutm pluto[12564]: id="2204" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN down" variant="ipsec" connection="REF_IpsSitJtVpn" address="192.168.1.2" local_net="192.168.2.0/24" remote_net="192.168.0.0/24"
    2021:03:02-16:12:12 lyneutm pluto[12564]: "S_REF_IpsSitJtVpn_0" #200: deleting state (STATE_MAIN_I4)
    2021:03:02-16:12:12 lyneutm pluto[12564]: ERROR: "S_REF_IpsSitJtVpn_0" #200: sendto on eth3 to <SonicwallIPaddr>:4500 failed in delete notify. Errno 22: Invalid argument
    2021:03:02-16:12:12 lyneutm pluto[12564]: updown: /sbin/ip -4 route del 192.168.0.0/24 dev eth3 table main src 192.168.2.2 proto ipsec metric 0 failed with status 2:
    2021:03:02-16:12:12 lyneutm pluto[12564]: updown: RTNETLINK answers: No such process
    2021:03:02-16:12:12 lyneutm pluto[12564]: shutting down interface lo/lo ::1
    2021:03:02-16:12:12 lyneutm pluto[12564]: shutting down interface lo/lo 127.0.0.1
    2021:03:02-16:12:12 lyneutm pluto[12564]: shutting down interface lo/lo 127.0.0.1
    2021:03:02-16:12:12 lyneutm pluto[12564]: shutting down interface eth3/eth3 192.168.1.2
    2021:03:02-16:12:12 lyneutm pluto[12564]: shutting down interface eth3/eth3 192.168.1.2
    2021:03:02-16:12:12 lyneutm pluto[12564]: shutting down interface br0/br0 192.168.2.2
    2021:03:02-16:12:12 lyneutm pluto[12564]: shutting down interface br0/br0 192.168.2.2
    2021:03:02-16:12:12 lyneutm ipsec_starter[12557]: pluto stopped after 40 ms
    2021:03:02-16:12:12 lyneutm ipsec_starter[12557]: ipsec starter stopped
    2021:03:02-16:12:12 lyneutm ipsec_starter[16161]: Starting strongSwan 4.4.1git20100610 IPsec [starter]...
    2021:03:02-16:12:12 lyneutm ipsec_starter[16161]: could not read interface data, ignoring route
    2021:03:02-16:12:12 lyneutm ipsec_starter[16161]: no default route - cannot cope with %defaultroute!!!
    2021:03:02-16:12:12 lyneutm pluto[16174]: Starting IKEv1 pluto daemon (strongSwan 4.4.1git20100610) THREADS VENDORID CISCO_QUIRKS
    2021:03:02-16:12:12 lyneutm ipsec_starter[16167]: pluto (16174) started after 20 ms
    2021:03:02-16:12:12 lyneutm pluto[16174]: loaded plugins: curl ldap aes des blowfish serpent twofish sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite hmac gmp xauth attr attr-sql resolve
    2021:03:02-16:12:12 lyneutm pluto[16174]: including NAT-Traversal patch (Version 0.6c)
    2021:03:02-16:12:12 lyneutm pluto[16174]: Using Linux 2.6 IPsec interface code
    2021:03:02-16:12:13 lyneutm pluto[16174]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2021:03:02-16:12:13 lyneutm pluto[16174]: loaded ca certificate from '/etc/ipsec.d/cacerts/REF_CaSigVpnSigniCa.pem'
    2021:03:02-16:12:13 lyneutm pluto[16174]: loaded ca certificate from '/etc/ipsec.d/cacerts/REF_CaVerVpnceVerifCa.pem'
    2021:03:02-16:12:13 lyneutm pluto[16174]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2021:03:02-16:12:13 lyneutm pluto[16174]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2021:03:02-16:12:13 lyneutm pluto[16174]: Changing to directory '/etc/ipsec.d/crls'
    2021:03:02-16:12:13 lyneutm pluto[16174]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2021:03:02-16:12:13 lyneutm pluto[16174]: adding interface br0/br0 192.168.2.2:500
    2021:03:02-16:12:13 lyneutm pluto[16174]: adding interface br0/br0 192.168.2.2:4500
    2021:03:02-16:12:13 lyneutm pluto[16174]: adding interface lo/lo 127.0.0.1:500
    2021:03:02-16:12:13 lyneutm pluto[16174]: adding interface lo/lo 127.0.0.1:4500
    2021:03:02-16:12:13 lyneutm pluto[16174]: adding interface lo/lo ::1:500
    2021:03:02-16:12:13 lyneutm pluto[16174]: loading secrets from "/etc/ipsec.secrets"
    2021:03:02-16:12:13 lyneutm pluto[16174]: loaded PSK secret for <sophosDNSentry> <RemoteSonicwallDNSentry>
    2021:03:02-16:12:13 lyneutm pluto[16174]: listening for IKE messages
    2021:03:02-16:12:13 lyneutm pluto[16174]: added connection description "S_REF_IpsSitJtVpn_0"
    2021:03:02-16:12:13 lyneutm pluto[16174]: "S_REF_IpsSitJtVpn_0": we have no ipsecN interface for either end of this connection

    ********* Not long after this, the following kernel errors were logged. May not be related but mention in case it is


    2021:03:02-16:12:21 lyneutm kernel: [278196.105114] confd.plx[16544]: segfault at 16c45d00 ip 00000000f75351f0 sp 00000000ff81b0e0 error 4 in libc-2.11.3.so[f74c3000+16c000]
    2021:03:02-16:12:26 lyneutm kernel: [278198.569054] confd.plx[16712]: segfault at fffffffd ip 00000000f7539961 sp 00000000ff81b298 error 5 in libc-2.11.3.so[f74c3000+16c000]
    2021:03:02-16:12:26 lyneutm kernel: [278199.119575] confd-client.pl[16716]: segfault at f7533f ip 00000000f7471bf7 sp 00000000ff949320 error 4 in libperl.so[f73e2000+14d000]
    2021:03:02-16:24:01 lyneutm kernel: [278896.550919] create_rrd_grap[20006]: segfault at 13a4cfb8 ip 00000000f753a1f0 sp 00000000ff9eab4c error 4 in libc-2.11.3.so[f74c8000+16c000]
    2021:03:02-16:24:31 lyneutm kernel: [278926.672036] confd.plx[20084]: segfault at e40b02b1 ip 00000000f71fb944 sp 00000000ff81b280 error 4 in libperl.so[f7162000+14d000]


    ********** Returning to IPsec log:


    2021:03:02-16:12:33 lyneutm pluto[16174]: adding interface eth3/eth3 192.168.1.2:500
    2021:03:02-16:12:33 lyneutm pluto[16174]: adding interface eth3/eth3 192.168.1.2:4500
    2021:03:02-16:12:33 lyneutm pluto[16174]: forgetting secrets
    2021:03:02-16:12:33 lyneutm pluto[16174]: loading secrets from "/etc/ipsec.secrets"
    2021:03:02-16:12:33 lyneutm pluto[16174]: loaded PSK secret for <sophosDNSentry> <RemoteSonicwallDNSentry>
    2021:03:02-16:12:33 lyneutm pluto[16174]: listening for IKE messages
    2021:03:02-16:12:33 lyneutm pluto[16174]: forgetting secrets
    2021:03:02-16:12:33 lyneutm pluto[16174]: loading secrets from "/etc/ipsec.secrets"
    2021:03:02-16:12:33 lyneutm pluto[16174]: loaded PSK secret for <sophosDNSentry> <RemoteSonicwallDNSentry>
    2021:03:02-16:12:33 lyneutm pluto[16174]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2021:03:02-16:12:33 lyneutm pluto[16174]: loaded ca certificate from '/etc/ipsec.d/cacerts/REF_CaSigVpnSigniCa.pem'
    2021:03:02-16:12:33 lyneutm pluto[16174]: loaded ca certificate from '/etc/ipsec.d/cacerts/REF_CaVerVpnceVerifCa.pem'
    2021:03:02-16:12:33 lyneutm pluto[16174]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2021:03:02-16:12:33 lyneutm pluto[16174]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2021:03:02-16:12:33 lyneutm pluto[16174]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2021:03:02-16:12:33 lyneutm pluto[16174]: Changing to directory '/etc/ipsec.d/crls'
    2021:03:02-16:12:33 lyneutm pluto[16174]: forgetting secrets
    2021:03:02-16:12:33 lyneutm pluto[16174]: loading secrets from "/etc/ipsec.secrets"
    2021:03:02-16:12:33 lyneutm pluto[16174]: loaded PSK secret for <sophosDNSentry> <RemoteSonicwallDNSentry>
    2021:03:02-16:12:33 lyneutm pluto[16174]: listening for IKE messages


    ********* kernel log

    2021:03:02-16:24:43 lyneutm kernel: [278938.619056] confd.plx[20104]: segfault at ffffffff ip 00000000f727a7e9 sp 00000000ff81b230 error 5 in libperl.so[f7162000+14d000]
    2021:03:02-16:25:01 lyneutm kernel: [278956.732789] confd.plx[20162]: segfault at b ip 00000000f7217ddf sp 00000000ff81b4c0 error 4 in libperl.so[f7162000+14d000]


    ********* final IPsec log entries until VPN toggled OFF/ON (a day later at 2021:03:03-18:53), which I can provide if it would help


    2021:03:02-16:12:53 lyneutm pluto[16174]: packet from <SonicwallIPaddr>:4500: Informational Exchange is for an unknown (expired?) SA
    2021:03:02-16:13:54 lyneutm pluto[16174]: packet from <SonicwallIPaddr>:4500: Informational Exchange is for an unknown (expired?) SA
    2021:03:02-16:14:55 lyneutm pluto[16174]: packet from <SonicwallIPaddr>:4500: Informational Exchange is for an unknown (expired?) SA
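
As an added illustration (not code from this thread or from Sophos), a small Python check that reads a constructed log sample modelled on the entries above and reports the three symptoms visible in them: the starter ran with no default route, the WAN listener (eth3) was added only after the connection had been loaded without an interface, and the peer kept sending informational exchanges for SAs this side no longer has. The host name `utm` and peer address `203.0.113.10` are placeholders.

```python
import re
from collections import defaultdict

# Sophos UTM IPsec live-log shape: "YYYY:MM:DD-HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ "
                     r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Constructed sample modelled on the thread's entries (placeholder host and peer).
SAMPLE_LOG = """\
2021:03:02-16:12:12 utm ipsec_starter[16161]: no default route - cannot cope with %defaultroute!!!
2021:03:02-16:12:13 utm pluto[16174]: adding interface br0/br0 192.168.2.2:500
2021:03:02-16:12:13 utm pluto[16174]: added connection description "S_REF_IpsSitJtVpn_0"
2021:03:02-16:12:13 utm pluto[16174]: "S_REF_IpsSitJtVpn_0": we have no ipsecN interface for either end of this connection
2021:03:02-16:12:33 utm pluto[16174]: adding interface eth3/eth3 192.168.1.2:500
2021:03:02-16:12:53 utm pluto[16174]: packet from 203.0.113.10:4500: Informational Exchange is for an unknown (expired?) SA
2021:03:02-16:13:54 utm pluto[16174]: packet from 203.0.113.10:4500: Informational Exchange is for an unknown (expired?) SA
2021:03:02-16:14:55 utm pluto[16174]: packet from 203.0.113.10:4500: Informational Exchange is for an unknown (expired?) SA
"""

def _secs(ts):  # seconds since midnight; a single-day log is assumed
    h, m, s = map(int, ts.split("-")[1].split(":"))
    return h * 3600 + m * 60 + s

def analyse_pluto_log(text):
    """Summarise the signs of a tunnel not coming back after a pluto restart."""
    no_iface_at = {}          # connection -> time "no ipsecN interface" was logged
    iface_at = {}             # address -> time a non-loopback IKE listener was added
    stale = defaultdict(int)  # peer -> informational exchanges for SAs we do not hold
    out = {"no_default_route": False, "late_wan": {}, "stale_peer_sa": {}}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t, msg = _secs(m["ts"]), m["msg"]
        if "cannot cope with %defaultroute" in msg:
            out["no_default_route"] = True  # starter ran before the WAN had a route
        elif (a := re.match(r'"(.+)": we have no ipsecN interface', msg)):
            no_iface_at[a.group(1)] = t
        elif (a := re.match(r"adding interface (\S+)/\S+ (\S+):500$", msg)) and a.group(1) != "lo":
            iface_at.setdefault(a.group(2), t)
        elif (a := re.match(r"packet from (\S+):\d+: Informational Exchange is for an unknown", msg)):
            stale[a.group(1)] += 1
    # Listeners that appeared only after the connection was loaded, with the gap in seconds.
    for conn, t0 in no_iface_at.items():
        late = {ip: t1 - t0 for ip, t1 in iface_at.items() if t1 > t0}
        if late:
            out["late_wan"][conn] = late
    out["stale_peer_sa"] = {p: n for p, n in stale.items() if n >= 3}
    return out
```

Pointing the function at the real live log (rather than `SAMPLE_LOG`) shows in one glance whether pluto came up before the WAN interface on a given boot and whether the remote end is still retrying against SAs this side has forgotten.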

  • so this issue might be related to what ended up being memory problems. I had a number of weird, intermittent issues on top of this one so I decided to memtest things and several errors were reported. I've replaced the RAM (memtested it - all good) and haven't seen the problem since. If it isn't/wasn't related to my memory problems I'll post an update.

    So no news will be good news.