IPsec Site-to-Site VPN passes no traffic after updating to 9.406-3

Greetings, folks.

"Successfully" updated 1 x SG230 and 2 x SG115 to 9.406-3 this morning only to get reports that the site-to-site VPN was not working. Sure enough, no traffic is being passed across the IPsec VPN tunnels. The log files were showing errors suggestive of configuration mismatches, e.g., "max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal". I tore down and re-created the remote gateways and IPsec connections.

After redoing the VPN configurations, the tunnels show connected and Live Log shows no errors whatsoever. The connections get their usual 'refreshes', everything is green and active. Alas, absolutely 0 bytes of data go back and forth. Accessing server shares, DNS, AD, etc., is not happening.


The client is being very good about things so far, but I need to fix this and I simply have no idea of where to start. The configuration is correct, the firewall rules are in place to allow traffic on all services and yet 0 traffic. All from one reboot to the next.

Ideas?



  • From which version did you upgrade? Version before 9.405? If so, you may suffer from the MTU DHCP bug where your provider sends a way too low MTU for your WAN connection (usually 1500).


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.

  • This might seem obvious, but you're not running into a firewall issue now are you? 

  • rsenio said:

    This might seem obvious, but you're not running into a firewall issue now are you? 

    One would sincerely hope not. The automatic firewall rules that were in place prior to the upgrade were working fine. After tearing down and rebuilding all the gateways and IPsec connections, and checking that the rules were in place, same scenario. The firewall Live Log shows no packets being dropped for the s2s-vpns.

    I got nothin'.

  • apijnappels said:

    From which version did you upgrade? Version before 9.405? If so, you may suffer from the MTU DHCP bug where your provider sends a way too low MTU for your WAN connection (usually 1500).

    We upgraded from 9.504. As well, the units are on fixed IPs with MTU @ 1454 (the usual for Japan PPPoE connections). The WAN interfaces themselves work just fine. Only the VPN side of the connections is borked.

  • This just goes from bad to worse.

    One of the s2s-vpns has been working sporadically for no known reason. It suddenly just quit completely and now the 'hq' firewall is showing this in the live log:

    sendto on ppp0 to xxx.xxx.xxx.xxx:500 failed in main_outI1. Errno 1: Operation not permitted

    That tells me that the firewall is now blocking VPN traffic, yet the bloody HQ firewall has not seen a configuration change or a reboot.

    I love Sophos firewalls, but this firmware release seems to have been half-baked at best. I don't even have any hair to pull out in the frustration I'm experiencing here.

  • Thanks for the suggestion. Alas, they aren't really related issues. The "sendto on ppp0 to xxx.xxx.xxx.xxx:500 failed in main_outI1. Errno 1: Operation not permitted" was cleared by rebooting the main SG230. It should not be necessary to reboot production firewalls several times a day.

    Current status: One VPN sporadically works; the other still does not pass any traffic whatsoever through the tunnel.

    I will not be updating my other clients to this firmware revision.

  • Hi Trane, 

    Your problem sounds very similar to mine (https://community.sophos.com/products/unified-threat-management/f/58/t/79896), down to the fact that it does sporadically decide to start working. I do have an active case with Sophos which has been going for a few weeks now. Last I heard it has apparently been 'escalated'.

    In my case we were able to determine that it is actually only one side that has decided to not send anything down the tunnel (which makes it look like nothing at all is happening in the tunnel). I used espdump (guide here: https://community.sophos.com/kb/en-US/115702) to monitor the traffic and can clearly see activity on and from the remote side, but nothing on the HQ side.

    Is the same thing happening on yours?

    I know this doesn't offer a solution to your problem, but I'm thinking if it does turn out to be very similar issues it kind of does point to being a bug in the firmware. And maybe someone at Sophos will take note and speed things along a bit.
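Pulling the two diagnostics from this thread together (the pluto log signatures quoted by the original poster and the per-direction ESP check described above) as an added example, not code from the thread or from Sophos: a small Python triage script that classifies constructed UTM log lines per connection and reports whether a tunnel is carrying ESP in only one direction. The log lines, connection names, and IP addresses are constructed placeholders, and the ESP summary is a generic (src, dst) list rather than real espdump output.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Sophos UTM IPsec live-log lines, modelled on the two
# messages quoted in this thread. Connection names and peer IPs are placeholders.
SAMPLE_LOG = """\
pluto[1234]: "S_hq_to_branch" #12: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
pluto[1234]: "S_hq_to_branch" #13: sendto on ppp0 to 203.0.113.10:500 failed in main_outI1. Errno 1: Operation not permitted
pluto[1234]: "S_hq_to_branch" #13: sendto on ppp0 to 203.0.113.10:500 failed in main_outI1. Errno 1: Operation not permitted
pluto[1234]: "S_hq_to_other" #20: STATE_QUICK_I2: sent QI2, IPsec SA established
"""

# Known failure signatures: pattern -> (finding, where the fault most likely lies).
# STATE_QUICK_I1 is IKE phase 2 (Quick Mode), so a retransmit timeout there means the
# peer never accepted our IPsec proposal; an EPERM from sendto() on the IKE socket is
# raised by the local host itself, before anything reaches the peer.
RULES = [
    (re.compile(r"retransmissions \(\d+\) reached STATE_QUICK_I1"),
     ("phase2_no_proposal", "peer/config: Quick Mode proposal not accepted")),
    (re.compile(r"sendto on \S+ to \S+:500 failed in main_outI1\. Errno 1"),
     ("ike_send_eperm", "local: IKE packet refused by this host (EPERM)")),
]

def classify_log(text):
    """Return {connection_name: Counter(finding)} for lines matching a known signature."""
    findings = defaultdict(Counter)
    for line in text.splitlines():
        m = re.search(r'"([^"]+)"', line)          # pluto quotes the connection name
        conn = m.group(1) if m else "<unknown>"
        for pattern, (finding, _hint) in RULES:
            if pattern.search(line):
                findings[conn][finding] += 1
    return findings

# Constructed per-packet ESP summary as (src, dst); only the branch side is sending.
SAMPLE_ESP = [("203.0.113.10", "198.51.100.5")] * 3

def esp_direction_balance(packets, local_ip):
    """Count ESP packets sent by and received at local_ip and name the pattern.
    Inbound-only traffic means this side is not encapsulating anything, which is
    exactly the one-sided tunnel described in the thread."""
    outbound = sum(1 for src, _dst in packets if src == local_ip)
    inbound = sum(1 for _src, dst in packets if dst == local_ip)
    if outbound == 0 and inbound > 0:
        verdict = "one-sided: local side sends nothing"
    elif inbound == 0 and outbound > 0:
        verdict = "one-sided: peer sends nothing"
    else:
        verdict = "bidirectional" if packets else "no ESP seen"
    return outbound, inbound, verdict
```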

  • Hi, Patrick.

    Well, well, well. That certainly seems to be a similar, if not identical, problem. Unfortunately, I don't have any easy means of running espdump as I administer this network from half-way across Japan. I've now got a support ticket open with the Japanese reseller and will escalate it to Sophos proper should it remain unresolved for any length of time. For the one branch office, I resorted to implementing network logon PPTP VPN on each of the desktops. It's a small office, so not really a bother.

    I do hope it gets sorted quickly, though. Thanks for your input!

  • Guys, have you tried restoring the backup done automatically before you applied these latest Up2Dates? If that didn't straighten things out, does a reboot?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA