IPsec VPN stays down after DSL lines reconnect...

I have run several IPsec tunnels for years without any problems... everything ran fine with 9.355-1.

Since the update to 9.402-7 all IPsec tunnels are down every morning.

I checked the IPsec logs and found out that after my DSL lines reconnect, the tunnels will not come up again.

I have to turn them off and on, and then everything works....

Can anyone help?



  • Hi,

    Please post IPsec logs. 

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi Sachin,

    We have posted some logs, and more and more users report the same problem.

    Seems to be a firmware bug, isn't it? Will it be fixed, and when?

    Can we get a hotfix from support for this, or will it be in the next GA update?

    greets

    zaphod
    ___________________________________________

    Home: Zotac CI321 (8GB RAM / 120GB SSD)  with latest Sophos UTM
    Work: 2 SG430 Cluster / many other models like SG105/SG115/SG135/SG135w/...

  • From Sophos I got this number for the problem: NUTM-4173

  • Hi All,

    This is bug NUTM-4173. A fix will be provided in next firmware release.

    Thanks

    Sachin Gurung

  • When will Sophos release a fix? We are waiting!

    Restarting VPN every night is way beyond annoying. [:@]

  • Agree!!

    greets

    zaphod

  • Hello,

    "FORUM THREAD QUESTION: SOLVED" ?

    Nothing is solved!  You post that Sophos will fix this in the next firmware release....... when is next? .... date? .....

    In my case, I fix this with a cron job every night after the reconnect of the DSL lines. The UTM reboots 3 minutes after the reconnect, which is only possible because at night we have no critical connections.

  • Agree.. changed that back to unsolved.. it's not solved for me at all....

    greets

    zaphod

  • Hi, Dirk, and welcome to the UTM Community!

    None of my clients have, to my knowledge, these problems.  Just because a new version was released doesn't mean you should adopt it.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    thanks for your reply, but it's not really helpful.

    Just because you do not have the problem, that does not mean it does not exist!

    I thought the firmware is tested before release. But that's not so, and we are the end testers!

    Cheers - Dirk :-)

  • Hi Bob,

    your answer is really not very helpful.

    1st:  I surely want (and must, for compliance reasons) update to the latest firmware, since otherwise the latest security fixes will not be applied.

    Wasn't Sophos UTM something about security .... 

    2nd:  Even if you don't know me, I do have the same problems with multiple PPPoE (VDSL) links on one firewall for years now, as I already stated before, and these problems have been ignored since 9.2 with similarly helpful comments like yours.

    3rd:  I don't know how many customers you have in Oklahoma that use multiple VDSL connections from the Deutsche Telekom that are disconnected every day for one second, with site-to-site IPsec VPNs. Let me guess, but I think the number should be near zero.

    So let's please try to get the Sophos people to accept that there is a problem, because there is, and it's their job to fix their product!!!!

    I still must reboot the firewalls every night after the Telekom disconnect to get the VPNs up again.

    Probably a workover of the PPPoE start/stop script mechanism, especially the firewall settings for the interfaces, would help; as far as I see, IPsec is blocked on some interfaces by rule after the reconnect ....

    BTW: Me and my bosses are really not very amused if whole locations cannot work!

    Best

    Helmut 

  • Something that may be helpful for you:

    - A reboot isn't needed at all, but it is the easiest way (can put it in cron..).
    You can set a debug option (Site-to-site VPN / IPsec / Debug / Control flow), apply it, unset it and apply again, and all IPsec VPNs are up again.

    I have 3 DSL lines I use on my cluster (Deutsche Telekom); one is VDSL and 2 are DSL 16K... On my VDSL line I disabled "Daily reconnect" under Interfaces / Advanced.. that helps for that line (no more reconnects), but the other two will disconnect every 24h per definition from the provider..

    Hope the fix will come soon... it's definitely a firmware bug... worked without problems until 9.355.. since 9.4x it's broken...

    greets

    zaphod

  • Hi zaphod,

    thanks for the hint :)

    I have 3 systems with 2 VDSL links each.

    I reboot it via cron because I don't want to be awake every night at 5am, since over the night most of the site replication happens.

    What makes it even more strange is that for me it worked on a new SG125 with 9.355... up to 9.4, then it was broken.

    On the other 2 "older" systems it did not work since 9.2.

    I first restarted the complete PPPoE and IPsec stack... did not work at all.

    Before Astaro/Sophos I used my own Unix/Linux firewalls since 1993!!! with, at last, iptables/strongswan/snort, but I switched because of the "better" professional service and the nice web interface for configuration. I never had problem fix times like that before. And I'm really very upset about the behavior of Sophos Support.

    We all paid for a working system as defined and they have to deliver, full stop!

    cheers

    Helmut

  • Hi Helmut,

    I noticed the bug since 9.4x.. before that it all worked without problems (on ASG at work since 5.x)..

    So yes, we all know it's a firmware bug and Sophos has to fix it.

    greets

    zaphod

  • I set PPPoE Disconnect to 22:00 and put "01 22 * * * root /var/mdw/scripts/ipsec-starter restart" in /etc/crontab-static. Seems it works.

  • Yes, this seems to work, for now. Thank you
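
The fixed-time cron line above only helps when the PPPoE disconnect happens at the scheduled time, and the earlier suggestion of rebooting or toggling the debug option from cron restarts the whole stack whether or not anything is down. The script below is an added example, not from this thread or from Sophos: a small POSIX sh watchdog meant to be run from cron every few minutes. It probes an address on the far side of each tunnel and only runs the restart command quoted in the thread when every probe has failed for several checks in a row, so a single lost packet right after a reconnect does not cause a restart. The peer addresses, the script path, the state file and the use of ping as the probe are assumptions; RESTART_CMD, PROBE_CMD and STATE_FILE can be overridden from the environment.

```shell
#!/bin/sh
# Added example (hypothetical): cron-driven IPsec tunnel watchdog.
# Restarts the IPsec stack only when tunnel peers stay unreachable.

# Private addresses behind each site-to-site tunnel (constructed sample values).
TUNNEL_PEERS="10.10.1.1 10.10.2.1"

# Restart command as quoted in the thread; override for testing or other setups.
RESTART_CMD="${RESTART_CMD:-/var/mdw/scripts/ipsec-starter restart}"

# Consecutive failed checks required before a restart (cron runs every 5 min,
# so 3 means the tunnels have been down for roughly 15 minutes).
THRESHOLD=3

# Where the consecutive-failure counter is persisted between cron runs.
STATE_FILE="${STATE_FILE:-/tmp/ipsec-watchdog.failcount}"

# probe PEER: exit 0 if PEER answers. PROBE_CMD lets a test replace ping.
probe() {
    ${PROBE_CMD:-ping -c 1 -W 2} "$1" >/dev/null 2>&1
}

# count_down_peers: print how many peers did not answer the probe.
count_down_peers() {
    down=0
    for p in $TUNNEL_PEERS; do
        probe "$p" || down=$((down + 1))
    done
    echo "$down"
}

# read_failcount / write_failcount: persist the consecutive-failure counter.
read_failcount() {
    c=$(cat "$STATE_FILE" 2>/dev/null)
    echo "${c:-0}"
}
write_failcount() {
    echo "$1" > "$STATE_FILE"
}

# watchdog_step: one cron invocation. Prints the decision taken:
#   ok      - all peers reachable, counter reset
#   wait    - some peers down, but below THRESHOLD
#   restart - THRESHOLD reached, RESTART_CMD executed and counter reset
watchdog_step() {
    down=$(count_down_peers)
    if [ "$down" -eq 0 ]; then
        write_failcount 0
        echo ok
        return 0
    fi
    fails=$(( $(read_failcount) + 1 ))
    if [ "$fails" -ge "$THRESHOLD" ]; then
        write_failcount 0
        logger -t ipsec-watchdog "$down peer(s) down for $fails checks, restarting IPsec" 2>/dev/null || true
        $RESTART_CMD
        echo restart
    else
        write_failcount "$fails"
        echo wait
    fi
}

# Run one step only when executed as the installed script (assumed path), e.g.
# from /etc/crontab-static:  */5 * * * * root /usr/local/bin/ipsec-watchdog.sh
case "$0" in
    */ipsec-watchdog.sh) watchdog_step ;;
esac
```

Because the counter lives in a file, the decision survives across cron runs, and the restart fires as soon as the tunnels have been down for THRESHOLD checks regardless of what time the provider dropped the line. Logging the decision with logger gives a syslog trail of how often the restart was actually needed, which is useful evidence when reporting the behaviour back to support.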

  • I really don't believe that Sophos still ignores us; they must love their paying customers.

    The problem is not solved!

    The firmware is not updated and it will not work out of the box.

    It is still faulty software and nothing will change; it did not change for a long time.

    What happens if the connection drops at a different time, let's say 22:10? Do you really want to wait almost 24 hrs in that case,

    or is Sophos willing to fix the bug?

    Cheers

    Helmut