Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 13 replies
  • Subscribers 2 subscribers
  • Views 24229 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Site to Site ipsec vpn in dual wan environment, fails to start on 2nd wan interface

chrisloup

I have HQ in Singapore with dual wan over two isps. so eth4 (backupWAN) and eth1 (primaryWAN)

 

during the initial setup, it was working (ie: i was able to have two ipsec connections, with 1 being active at any time and manually toggled)

now, the site to site vpn connection over the backup wan eth4 cannot be established.

 

the remote site is in china. I'm wondering is it possible the great firewall of china is listen on one route and screwing it up but not in the other route.

 

I have asked the isp and they say nothing wrong at their end.

 

i have tried deleting all the site to site vpn information and re-setup from scratch but it doesn't work. (ie: eth1 is the only functional tunnel).

 

I noticed this behaviour occured after a firmware update several weeks ago. (probably a 9.4 version )


 

I'll post the redacted logs in the following post.

things I notice

2017:11:17-10:42:09 mail ipsec_starter[7515]: no default route - cannot cope with %defaultroute!!! (this happens with both eth4 and eth1 connections but it still allows the eth1 to form so i think its a non issue)

 

---this is eth4 failing---

2017:11:17-10:42:09 mail pluto[7528]: ERROR: "S_1HWbackupWAN" #1: sendto on eth4 to 180.111.222.333:500 failed in main_outI1. Errno 1: Operation not permitted

2017:11:17-10:42:09 mail pluto[7528]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1

--eth1 towards the end of the log will success after i reenabled the ipsec option at the remote site (ie: i turn off all ipsec connections and turn them on again when i switch from eth4 to eth1--

 

 

 

 



This thread was automatically locked due to age.
  • 0 in reply to chrisloup

    https://community.sophos.com/products/unified-threat-management/f/vpn-site-to-site-and-remote-access/80314/ipsec-site-to-site-vpn-passes-no-traffic-after-updating-to-9-406-3

    It seems that the issue i'm encountering is very similar to the above thread.

    I contacted my isp on 25th sept 2017 regarding this issue, 

     

    I think the closest update was

    2017:09:22-23:16:44 mail auisys[19496]: id="371Z" severity="info" sys="system" sub="up2date" name="Successfully installed Up2Date package" status="success" action="install" package_version="9.25312" package="aptp"

    in anycase, i got my isp to change the upstream routing on 20/11/2017 but i still cannot get things working.


  • 0 in reply to chrisloup

    cannot cope with %defaultroute!!!

    That makes me think there's an issue with the PSK and the VPN ID.  What if you redo those?

    I don't understand why you included the 2singtel Remote Gateway picture.  What happens if you use a full FQDN for Hostname in "RemoteGateway" or you choose 'VPN ID type: IP Address' and leave 'VPN ID' blank?

    With debug activated, the log is too long to read further.  I've not seen an issue here in ten year that was resolved through using debug.  If you still haven't resolved this problem:

    1. Confirm that Debug is not enabled.
    2. Disable the IPsec Connection.
    3. Start the IPsec Live Log and wait for it to begin to populate.
    4. Enable the IPsec Connection.
    5. Show us about 60 lines from enabling through the error.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    I've already tried rebuilding both links. here's the current setup using vpn id = ip address

     

    initially the myrepublic connection was on eth5, but as a process of elimination i changed it to eth4 and rebuilt the interface. (also, its not dynamic, so its not the dhcp mtu bug i think)

     

    you can see the 2singtel connection is up. 

     

     

    remote gateway is common for both

    the 1myrepublic ipsec connection. (note auto firewall rules are off but there are firewall rules to allow both wan and lan connections in both directions)

    the 2singtel connection. the only difference between this one and the myrepublic connection is the local interface

     

    here is the live log with all debug off. it never proceeds past that

     

     

    if debugging is on.

     

     

     

     

     

     

     

    there is no issue pinging or traceroute via eth4

  • 0 in reply to chrisloup


    --after remote session with sophos support--


    This is a quick mail regarding what we have troubleshot during the remote session.

    > We have already checked the ipsec configuration, it seems fine.

    > You are not able to generate the ipsec tunnel from the Republic ip.

    > We took the ssh of both the side and tried to initiate connection from the Singapore side to the china side.

    Singapore IP: 103.224.165.xx
    China ip: 180.168.60.xxx

    > We grep the ipsec logs, but not able to get any thing.



    > We have also grep the tcpdump with the source ip on port 500 and 4500, but not able to get any packet.



    > We grep the tcpdump on singapore side.


    > We are able to see the traffic is going out from the UTM but not reaching towards the remote side.

    > We suggest you to please check with the ISP.

    > You are able to telnet from the internal machine on port 500 and 4500.

    > We informed you that when traffic is going out from the UTM it`s not reaching to the destination network so we can investigate further from our end.

    Please check with your ISP by initiating the traffic of port 500 and 4500.

  • 0 in reply to chrisloup

    so basically initiating the ipsec connection on the router for myrepublic doesn't detect any packets at the remote router. yet i can initiate tcp packets on a pc behind the router 

     

     

  • 0 in reply to chrisloup

    just in case, because i don't know what those error -101 mean

  • 0 in reply to chrisloup

    Try looking at the traffic going through the tunnel, Chris.  First, you need the REF_ of the IPsec Connection:

    cc get_object_by_name 'ipsec_connection' 'site_to_site' '1MyRepublic'|grep 'ref'

    Assuming that that gives you REF_IpsSit1myrepublic, you can watch inside the tunnel with:

    espdump -n --conn REF_IpsSit1myrepublic -vv

    Do you learn anything from that?

    Cheers - Bob

    PS I wouldn't worry about those -101 errors.  I see them everywhere, so I just assumed it was a debugging switch that the developer forgot to turn off when they compiled the production module.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML