
IPsec Site-to-Site VPN passes no traffic after updating to 9.406-3

Greetings, folks.

"Successfully" updated 1 x SG230 and 2 x SG115 to 9.406-3 this morning only to get reports that the site-to-site VPN was not working. Sure enough, no traffic is being passed across the IPsec VPN tunnels. The log files were showing errors suggestive of configuration mismatches, e.g., "max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal". I tore down and re-created the remote gateways and IPsec connections.

After redoing the VPN configurations, the tunnels show connected and Live Log shows no errors whatsoever. The connections get their usual 'refreshes', everything is green and active. Alas, absolutely 0 bytes of data go back and forth. Accessing server shares, DNS, AD, etc., is not happening.


The client is being very good about things so far, but I need to fix this and I simply have no idea of where to start. The configuration is correct, the firewall rules are in place to allow traffic on all services and yet 0 traffic. All from one reboot to the next.

Ideas?



  • This just goes from bad to worse.

    One of the s2s-vpns has been working sporadically for no known reason. It suddenly just quit completely and now the 'hq' firewall is showing this in the live log:

    sendto on ppp0 to xxx.xxx.xxx.xxx:500 failed in main_outI1. Errno 1: Operation not permitted

    That tells me that the firewall is now blocking VPN traffic, yet the bloody HQ firewall has not seen a configuration change or a reboot.

    I love Sophos firewalls, but this firmware release seems to have been half-baked at best. I don't even have any hair to pull out in the frustration I'm experiencing here.
