Thread Info
  • State Suggested Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 7 replies
  • Answers 1 answer
  • Subscribers 2 subscribers
  • Views 28997 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Azure Site to site unstable

MarkMurphy
I have gotten the firewall to connect to Azure and can connect to vm's just fine. however the connection resets ever few min and reconnects. the following is the logs when this reconnect occurs. I have setup policy according to what Microsoft has documented. any ideas from this log as to what may be going on? Using latest ver. of UTM


2014:06:02-19:52:48 edge pluto[25476]: "S_Azure" #12: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet) 
2014:06:02-19:52:48 edge pluto[25476]: "S_Azure" #12: sending encrypted notification INVALID_MESSAGE_ID to 23.96.51.217:500 
2014:06:02-19:53:03 edge pluto[25476]: "S_Azure" #12: received Delete SA payload: replace IPSEC State #13 in 10 seconds 
2014:06:02-19:53:03 edge pluto[25476]: "S_Azure" #12: received Delete SA payload: deleting ISAKMP State #12 
2014:06:02-19:53:03 edge pluto[25476]: packet from 23.96.51.217:500: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001] 
2014:06:02-19:53:03 edge pluto[25476]: packet from 23.96.51.217:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009] 
2014:06:02-19:53:03 edge pluto[25476]: packet from 23.96.51.217:500: ignoring Vendor ID payload [RFC 3947] 
2014:06:02-19:53:03 edge pluto[25476]: packet from 23.96.51.217:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] 
2014:06:02-19:53:03 edge pluto[25476]: packet from 23.96.51.217:500: ignoring Vendor ID payload [FRAGMENTATION] 
2014:06:02-19:53:03 edge pluto[25476]: packet from 23.96.51.217:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable] 
2014:06:02-19:53:03 edge pluto[25476]: packet from 23.96.51.217:500: ignoring Vendor ID payload [Vid-Initial-Contact] 
2014:06:02-19:53:03 edge pluto[25476]: packet from 23.96.51.217:500: ignoring Vendor ID payload [IKE CGA version 1] 
2014:06:02-19:53:03 edge pluto[25476]: "S_Azure" #14: responding to Main Mode 
2014:06:02-19:53:03 edge pluto[25476]: "S_Azure" #14: Peer ID is ID_IPV4_ADDR: '23.96.51.217' 
2014:06:02-19:53:03 edge pluto[25476]: "S_Azure" #14: sent MR3, ISAKMP SA established 
2014:06:02-19:53:03 edge pluto[25476]: "S_Azure" #14: cannot respond to IPsec SA request because no connection is known for 192.168.21.0/24===69.14.191.53[69.14.191.53]...23.96.51.217[23.96.51.217]===192.168.50.0/24 
2014:06:02-19:53:03 edge pluto[25476]: "S_Azure" #14: sending encrypted notification INVALID_ID_INFORMATION to 23.96.51.217:500 
2014:06:02-19:53:04 edge pluto[25476]: "S_Azure" #14: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet) 
2014:06:02-19:53:04 edge pluto[25476]: "S_Azure" #14: sending encrypted notification INVALID_MESSAGE_ID to 23.96.51.217:500 
2014:06:02-19:53:05 edge pluto[25476]: "S_Azure" #14: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet) 
2014:06:02-19:53:05 edge pluto[25476]: "S_Azure" #14: sending encrypted notification INVALID_MESSAGE_ID to 23.96.51.217:500 
2014:06:02-19:53:08 edge pluto[25476]: "S_Azure" #14: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet) 
2014:06:02-19:53:08 edge pluto[25476]: "S_Azure" #14: sending encrypted notification INVALID_MESSAGE_ID to 23.96.51.217:500 
2014:06:02-19:53:13 edge pluto[25476]: "S_Azure" #15: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #13 {using isakmp#14} 
2014:06:02-19:53:13 edge pluto[25476]: "S_Azure" #15: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag 
2014:06:02-19:53:13 edge pluto[25476]: "S_Azure" #15: sent QI2, IPsec SA established {ESP=>0x98ba8372 


This thread was automatically locked due to age.
Parents
  • 0
    At first, I thought it might be a timeout issue or DPD since you said the problem occurred after an hour (3600 seconds).

    Now, I don't think this is an IPsec issue, rather a hardware or layer-2 problem.  Do you have 'Support Path MTU discovery' selected in the Remote Gateway?  If that didn't fix this, then also try lowering the MTU on the Ethernet interface.  If that doesn't work, run ifconfig eth1 at the command line and consult #7 in Rulz.  Any luck?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0
    At first, I thought it might be a timeout issue or DPD since you said the problem occurred after an hour (3600 seconds).

    Now, I don't think this is an IPsec issue, rather a hardware or layer-2 problem.  Do you have 'Support Path MTU discovery' selected in the Remote Gateway?  If that didn't fix this, then also try lowering the MTU on the Ethernet interface.  If that doesn't work, run ifconfig eth1 at the command line and consult #7 in Rulz.  Any luck?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data
Unfiltered HTML