
Site-to-Site IPSEC from SG230 to Lancom 1793-4G CPU Problem

Hello,

I have a strange problem with a site-to-site tunnel from LANCOM 1793 to SG230.

Let me explain first: I have 10 site-to-site IPsec tunnels from various LANCOM routers to the same Sophos UTM SG230. All are working with the same IPsec policy in the LANCOM routers, and I also have the same configuration in the LANCOM routers.

Now there is one connection, made by an external party, that has something special: this tunnel connects one VPN tunnel to 2 VPN tunnels in Sophos.

All is working well. But if I update the firmware of the LANCOM router from 10.32 to 10.42 or higher, I get a strange problem.

The tunnel sometimes connects and sometimes does not, with different error messages. For example:

Zeitüberschreitung während IKE- oder IPSec-Verhandlung (Aktiver Verbindungsaufbau) [0x1106]

So yesterday evening, I did the firmware upgrade of the LANCOM again. I first upgraded to 10.42 and suddenly the tunnel was connected. It never did before with that firmware. I didn't change any configuration in LANCOM or Sophos. Afterwards I upgraded the LANCOM to the latest firmware 10.50 and the tunnel was also connected. This also never happened before.

That struck me as odd. So I did a reboot of the Sophos master node (we have a fail-over cluster).

After the reboot there was a long sync time, and I rebooted the second node too.

After both nodes were up and running, I looked at the tunnel and it wouldn't connect anymore.

I saw that the CPU of the Sophos was constantly running at more than 30%. So I ran top over SSH, and the postgres daemon was running at 15 - 20% at least.

So my questions are:

Do you think the initiation of the VPN connection can fail because of the CPU of the Sophos?

Is it normal that postgres needs so much CPU on the SG230? It is still like that; I checked just before.

What can you suggest to solve the problem?

Thanks in advance.

Best regards.



  • ... what I forgot: I went back to the old firmware 10.32 on LANCOM and the tunnel was connected immediately.

    But on LANCOM I see an error message:

    Kein übereinstimmendes Proposal gefunden (Passiver Verbindungsaufbau, IKE) [0x2203]

    But the tunnel is up and running.

    regards.

  • You may want to do a couple of things:

    Post the logs from UTM of the tunnel disconnecting.

    Contact Lancom to see if they can see any errors of their own device(s) with the tunnel.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)