
IPSec VPN with Meraki MX "disconnects"

Our IPSec VPN connection between a Sophos UTM (server) and Cisco Meraki MX (client) used to work just fine, but we didn't use it for a few weeks while testing a security appliance. Now that we have switched it back on, it keeps "disconnecting" every 12 hours or so. Well, I am not sure if I should actually say "disconnecting" because both appliances claim that the connection is up. However, it is not possible to ping any devices.

Here is a copy of the UTM log:

2017:12:17-17:58:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #30: initiating Main Mode to replace #23
2017:12:17-17:58:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #30: received Vendor ID payload [XAUTH]
2017:12:17-17:58:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #30: ignoring Vendor ID payload [Cisco-Unity]
2017:12:17-17:58:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #30: received Vendor ID payload [RFC 3947]
2017:12:17-17:58:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #30: received Vendor ID payload [Dead Peer Detection]
2017:12:17-17:58:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #30: enabling possible NAT-traversal with method 3
2017:12:17-17:58:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #30: NAT-Traversal: Result using RFC 3947: no NAT detected
2017:12:17-17:58:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #30: received Vendor ID payload [Dead Peer Detection]
2017:12:17-17:58:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #30: Peer ID is ID_IPV4_ADDR: '108.xxx.xxx.xxx'
2017:12:17-17:58:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #30: Dead Peer Detection (RFC 3706) enabled
2017:12:17-17:58:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #30: ISAKMP SA established
2017:12:17-22:51:17 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #31: responding to Quick Mode
2017:12:17-22:51:17 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #31: IPsec SA established {ESP=>0x054606b6 <0x1aeff575 DPD}
2017:12:17-22:51:33 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #32: responding to Quick Mode
2017:12:17-22:51:33 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #32: IPsec SA established {ESP=>0x0a623787 <0x6836e0ac DPD}
2017:12:18-00:22:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #33: initiating Main Mode to replace #27
2017:12:18-00:22:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #33: received Vendor ID payload [XAUTH]
2017:12:18-00:22:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #33: ignoring Vendor ID payload [Cisco-Unity]
2017:12:18-00:22:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #33: received Vendor ID payload [RFC 3947]
2017:12:18-00:22:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #33: received Vendor ID payload [Dead Peer Detection]
2017:12:18-00:22:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #33: enabling possible NAT-traversal with method 3
2017:12:18-00:22:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #33: NAT-Traversal: Result using RFC 3947: no NAT detected
2017:12:18-00:22:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #33: received Vendor ID payload [Dead Peer Detection]
2017:12:18-00:22:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #33: Peer ID is ID_IPV4_ADDR: '108.xxx.xxx.xxx'
2017:12:18-00:22:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #33: Dead Peer Detection (RFC 3706) enabled
2017:12:18-00:22:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #33: ISAKMP SA established
2017:12:18-01:48:30 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #34: initiating Main Mode to replace #30
2017:12:18-01:48:30 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #34: received Vendor ID payload [XAUTH]
2017:12:18-01:48:30 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #34: ignoring Vendor ID payload [Cisco-Unity]
2017:12:18-01:48:30 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #34: received Vendor ID payload [RFC 3947]
2017:12:18-01:48:30 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #34: received Vendor ID payload [Dead Peer Detection]
2017:12:18-01:48:30 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #34: enabling possible NAT-traversal with method 3
2017:12:18-01:48:30 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #34: NAT-Traversal: Result using RFC 3947: no NAT detected
2017:12:18-01:48:30 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #34: received Vendor ID payload [Dead Peer Detection]
2017:12:18-01:48:30 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #34: Peer ID is ID_IPV4_ADDR: '108.xxx.xxx.xxx'
2017:12:18-01:48:30 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #34: Dead Peer Detection (RFC 3706) enabled
2017:12:18-01:48:30 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #34: ISAKMP SA established
2017:12:18-05:15:17 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #35: responding to Quick Mode
2017:12:18-05:15:17 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #35: IPsec SA established {ESP=>0x008ba779 <0x8549f156 DPD}
2017:12:18-05:15:33 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #36: responding to Quick Mode
2017:12:18-05:15:33 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #36: IPsec SA established {ESP=>0x00aef0e8 <0xfc15c757 DPD}
2017:12:18-08:12:32 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #37: initiating Main Mode to replace #33
2017:12:18-08:12:32 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #37: received Vendor ID payload [XAUTH]
2017:12:18-08:12:32 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #37: ignoring Vendor ID payload [Cisco-Unity]
2017:12:18-08:12:32 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #37: received Vendor ID payload [RFC 3947]
2017:12:18-08:12:32 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #37: received Vendor ID payload [Dead Peer Detection]
2017:12:18-08:12:32 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #37: enabling possible NAT-traversal with method 3
2017:12:18-08:12:32 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #37: NAT-Traversal: Result using RFC 3947: no NAT detected
2017:12:18-08:12:32 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #37: received Vendor ID payload [Dead Peer Detection]
2017:12:18-08:12:32 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #37: Peer ID is ID_IPV4_ADDR: '108.xxx.xxx.xxx'
2017:12:18-08:12:32 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #37: Dead Peer Detection (RFC 3706) enabled
2017:12:18-08:12:32 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #37: ISAKMP SA established

I reset the connection at 8:12:32 in the morning.


And, here is a copy of the Cisco Meraki log (newest first):

12/18/2017 8:46        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=3954588980(0xebb63d34)"
12/18/2017 8:46        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=158523040(0x972dea0)"
12/18/2017 8:46        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 8:46        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=2089720425(0x7c8e9a69)"
12/18/2017 8:46        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=230688225(0xdc005e1)"
12/18/2017 8:46        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 8:46        Non-Meraki / Client VPN negotiation    "msg: ISAKMP-SA established 108.xxx.xxx.xxx[4500]-192.198.xxx.xxx[4500] spi:b9b1494c9a66dc21:b9e76dfea26a140f"
12/18/2017 8:46        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 1 negotiation: 108.xxx.xxx.xxx[500]<=>192.198.xxx.xxx[500]"
12/18/2017 8:46        Non-Meraki / Client VPN negotiation    "msg: phase1 negotiation failed due to time up. 3336d6acd6937d2d:ad0171cbc22a8d42"
12/18/2017 8:46        Non-Meraki / Client VPN negotiation    "msg: ignore information because ISAKMP-SA has not been established yet."
12/18/2017 8:46        Non-Meraki / Client VPN negotiation    "msg: phase2 negotiation failed due to time up waiting for phase1. ESP 192.198.xxx.xxx[0]->108.xxx.xxx.xxx[0]"
12/18/2017 8:46        Non-Meraki / Client VPN negotiation    "msg: phase2 negotiation failed due to time up waiting for phase1. ESP 192.198.xxx.xxx[0]->108.xxx.xxx.xxx[0]"
12/18/2017 8:46        Non-Meraki / Client VPN negotiation    "msg: ignore information because ISAKMP-SA has not been established yet."
12/18/2017 8:45        Non-Meraki / Client VPN negotiation    "msg: ignore information because ISAKMP-SA has not been established yet."
12/18/2017 8:45        Non-Meraki / Client VPN negotiation    "msg: ignore information because ISAKMP-SA has not been established yet."
12/18/2017 8:45        Non-Meraki / Client VPN negotiation    "msg: ignore information because ISAKMP-SA has not been established yet."
12/18/2017 8:45        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 1 negotiation: 108.xxx.xxx.xxx[500]<=>192.198.xxx.xxx[500]"
12/18/2017 8:12        Non-Meraki / Client VPN negotiation    "msg: ISAKMP-SA established 108.xxx.xxx.xxx[4500]-192.198.xxx.xxx[4500] spi:cd6c36d9a4ec966d:ff844b42146d879d"
12/18/2017 8:12        Non-Meraki / Client VPN negotiation    "msg: renegotiating phase1 to 192.198.xxx.xxx due to active phase2"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: notification INVALID-MESSAGE-ID received in informational exchange."
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: notification INVALID-ID-INFORMATION received in informational exchange."
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: notification INVALID-MESSAGE-ID received in informational exchange."
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: notification INVALID-ID-INFORMATION received in informational exchange."
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: notification INVALID-ID-INFORMATION received in informational exchange."
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: notification INVALID-MESSAGE-ID received in informational exchange."
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: notification INVALID-ID-INFORMATION received in informational exchange."
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=1886330414(0x706f1e2e)"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=196593425(0xbb7c711)"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: ISAKMP-SA established 108.xxx.xxx.xxx[4500]-192.198.xxx.xxx[4500] spi:11289a46c91f56ad:68c1afbe3f149b5d"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 1 negotiation: 108.xxx.xxx.xxx[500]<=>192.198.xxx.xxx[500]"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: unknown Informational exchange received."
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=1591540275(0x5edcfa33)"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=64989369(0x3dfa8b9)"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: ISAKMP-SA established 108.xxx.xxx.xxx[4500]-192.198.xxx.xxx[4500] spi:2f8a3f6d7df722ba:9e6d4db19d5d7a93"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 1 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=1953692317(0x7472fa9d)"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=244177405(0xe8dd9fd)"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=2887914446(0xac2213ce)"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=165247522(0x9d97a22)"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: ISAKMP-SA established 108.xxx.xxx.xxx[4500]-192.198.xxx.xxx[4500] spi:ba6541d4081a4f69:88e40ba2a7b47420"
12/18/2017 6:52        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 1 negotiation: 108.xxx.xxx.xxx[500]<=>192.198.xxx.xxx[500]"
12/18/2017 5:15        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=4229285719(0xfc15c757)"
12/18/2017 5:15        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=11464936(0xaef0e8)"
12/18/2017 5:15        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 5:15        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=2236215638(0x8549f156)"
12/18/2017 5:15        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=9152377(0x8ba779)"
12/18/2017 5:15        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 5:15        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/18/2017 1:58        Non-Meraki / Client VPN negotiation    "msg: unknown Informational exchange received."
12/18/2017 1:48        Non-Meraki / Client VPN negotiation    "msg: ISAKMP-SA established 108.xxx.xxx.xxx[4500]-192.198.xxx.xxx[4500] spi:ba0ebeb3c0c3ae8a:ac8ee5db5decf03d"
12/18/2017 0:22        Non-Meraki / Client VPN negotiation    "msg: ISAKMP-SA established 108.xxx.xxx.xxx[4500]-192.198.xxx.xxx[4500] spi:9b462bd8c9c55256:91e498e64f896fcf"
12/17/2017 22:51        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=1748426924(0x6836e0ac)"
12/17/2017 22:51        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=174208903(0xa623787)"
12/17/2017 22:51        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/17/2017 22:51        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=451933557(0x1aeff575)"
12/17/2017 22:51        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=88475318(0x54606b6)"
12/17/2017 22:51        Non-Meraki / Client VPN negotiation    "msg: initiate new phase 2 negotiation: 108.xxx.xxx.xxx[4500]<=>192.198.xxx.xxx[4500]"
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 21:19        Non-Meraki / Client VPN negotiation    "msg: Invalid exchange type 243 from 197.158.83.166[500]."
12/17/2017 17:58        Non-Meraki / Client VPN negotiation    "msg: ISAKMP-SA established 108.xxx.xxx.xxx[4500]-192.198.xxx.xxx[4500] spi:38f2d760483fb829:098f10d365f71d2e"
12/17/2017 17:58        Non-Meraki / Client VPN negotiation    "msg: ISAKMP-SA established 108.xxx.xxx.xxx[4500]-192.198.xxx.xxx[4500] spi:38f2d760483fb829:098f10d365f71d2e"


Based on a log entry in our PBX system, the local phones got "disconnected" starting 10:52 pm on 12/17, but I don't see any unusual messages in the log except the ones with IPs that don't belong to me.

Any help is appreciated!
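The two logs quoted in this post have to be lined up by hand, which is error-prone because the UTM prints ESP SPIs zero-padded (0x054606b6) while the Meraki prints them without padding (0x54606b6). As an added example (not from the original post, nor from Sophos or Meraki), the hypothetical script below parses both formats, pairs each UTM child SA with the Meraki lines carrying the same SPIs, computes the rekey interval per connection, and lists the negotiation events around an outage time such as the PBX's 22:52 entry. The sample log lines are constructed from the lines quoted above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the two logs quoted in the post above
# (peer addresses masked as in the post; SPI values copied from the quoted lines).
UTM_LOG = """\
2017:12:17-17:58:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #30: initiating Main Mode to replace #23
2017:12:17-17:58:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #30: ISAKMP SA established
2017:12:17-22:51:17 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #31: IPsec SA established {ESP=>0x054606b6 <0x1aeff575 DPD}
2017:12:17-22:51:33 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #32: IPsec SA established {ESP=>0x0a623787 <0x6836e0ac DPD}
2017:12:18-00:22:46 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #33: ISAKMP SA established
2017:12:18-01:48:30 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_1"[2] 108.xxx.xxx.xxx:4500 #34: ISAKMP SA established
2017:12:18-05:15:17 vpn pluto[5639]: "S_REF_IpsSitHomeOffice_0"[2] 108.xxx.xxx.xxx:4500 #35: IPsec SA established {ESP=>0x008ba779 <0x8549f156 DPD}
"""
# The Meraki export is newest first and prints SPIs without zero padding. The
# #32 pair is deliberately left out so that one UTM child SA shows as unmatched.
MERAKI_LOG = """\
12/18/2017 5:15        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=2236215638(0x8549f156)"
12/18/2017 5:15        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=9152377(0x8ba779)"
12/18/2017 0:22        Non-Meraki / Client VPN negotiation    "msg: ISAKMP-SA established 108.xxx.xxx.xxx[4500]-192.198.xxx.xxx[4500] spi:9b462bd8c9c55256:91e498e64f896fcf"
12/17/2017 22:51        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=451933557(0x1aeff575)"
12/17/2017 22:51        Non-Meraki / Client VPN negotiation    "msg: IPsec-SA established: ESP/Tunnel 108.xxx.xxx.xxx[4500]->192.198.xxx.xxx[4500] spi=88475318(0x54606b6)"
"""

UTM_RE = re.compile(r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) vpn pluto\[\d+\]: '
                    r'"(?P<conn>[^"]+)"\[\d+\] \S+ #(?P<state>\d+): (?P<msg>.*)$')
ESP_RE = re.compile(r'\{ESP=>0x(?P<out>[0-9a-f]+) <0x(?P<inn>[0-9a-f]+)')
MERAKI_RE = re.compile(r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2})\s+'
                       r'Non-Meraki / Client VPN negotiation\s+"?msg: (?P<msg>.*?)"?$')
MERAKI_SPI_RE = re.compile(r'spi=\d+\(0x(?P<spi>[0-9a-f]+)\)')

def parse_utm(text):
    """Phase 1 / phase 2 establishment events from the UTM's pluto log, in file order."""
    events = []
    for line in text.splitlines():
        m = UTM_RE.match(line)
        if not m:
            continue  # "packet from", "initiating", vendor ID lines etc. are not SA events
        ts = datetime.strptime(m['ts'], '%Y:%m:%d-%H:%M:%S')
        if m['msg'].startswith('ISAKMP SA established'):
            events.append({'time': ts, 'conn': m['conn'], 'phase': 1, 'spis': ()})
        elif m['msg'].startswith('IPsec SA established'):
            e = ESP_RE.search(m['msg'])
            spis = (int(e['out'], 16), int(e['inn'], 16)) if e else ()
            events.append({'time': ts, 'conn': m['conn'], 'phase': 2, 'spis': spis})
    return events

def parse_meraki(text):
    """Phase 1 / phase 2 establishment events from the Meraki event log, oldest first."""
    events = []
    for line in text.splitlines():
        m = MERAKI_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%m/%d/%Y %H:%M')
        if m['msg'].startswith('ISAKMP-SA established'):
            events.append({'time': ts, 'phase': 1, 'spi': None})
        elif m['msg'].startswith('IPsec-SA established'):
            s = MERAKI_SPI_RE.search(m['msg'])
            events.append({'time': ts, 'phase': 2, 'spi': int(s['spi'], 16) if s else None})
    return sorted(events, key=lambda e: e['time'])

def match_child_sas(utm_events, meraki_events):
    """Pair each UTM child SA with the Meraki lines carrying the same ESP SPIs.
    Comparing as integers makes the UTM's zero-padded hex equal to the Meraki's."""
    meraki_spis = {e['spi']: e['time'] for e in meraki_events if e['spi'] is not None}
    result = []
    for e in utm_events:
        if e['phase'] != 2:
            continue
        matched = {spi: meraki_spis[spi] for spi in e['spis'] if spi in meraki_spis}
        result.append({'utm_time': e['time'], 'conn': e['conn'],
                       'spis': e['spis'], 'matched': matched})
    return result

def rekey_intervals(utm_events, phase):
    """Minutes between consecutive establishments of one phase, per UTM connection."""
    per_conn = {}
    for e in sorted(utm_events, key=lambda e: e['time']):
        if e['phase'] == phase:
            per_conn.setdefault(e['conn'], []).append(e['time'])
    return {c: [int((b - a).total_seconds() // 60) for a, b in zip(t, t[1:])]
            for c, t in per_conn.items()}

def events_near(utm_events, incident, window_minutes=15):
    """Negotiation events within +/- window of an outage time ('YYYY-MM-DD HH:MM' or datetime)."""
    if isinstance(incident, str):
        incident = datetime.strptime(incident, '%Y-%m-%d %H:%M')
    w = timedelta(minutes=window_minutes)
    return [e for e in utm_events if abs(e['time'] - incident) <= w]

if __name__ == '__main__':
    utm, meraki = parse_utm(UTM_LOG), parse_meraki(MERAKI_LOG)
    for m in match_child_sas(utm, meraki):
        print(m['utm_time'], m['conn'], [hex(s) for s in m['spis']], 'on Meraki:', sorted(m['matched']))
    print('phase 1 rekeys (min):', rekey_intervals(utm, 1), 'phase 2:', rekey_intervals(utm, 2))
    print('around 22:52:', [(e['time'], e['phase']) for e in events_near(utm, '2017-12-17 22:52')])
```

A child SA whose SPIs never appear in the other side's export marks a window the two logs do not cover together, which is the first thing to check before reading anything into a "disconnect".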



  • Hi Jens,

    Does doing #1 in Rulz give any insights?

    If you want to pursue this here, please insert pictures of the Edits of the IPsec Connection, Remote Gateway and IPsec Policy. Likewise for the same information from the Meraki.  Also, some log lines from the IPsec log around 10:52 (adjusted for any time difference between the PBX and UTM).

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Yes, I have checked the Intrusion log and there is nothing in it.

    Today, the problem actually got worse. I encountered a power outage in my home office (Cisco Meraki) and I haven't been able to reestablish an IPSec VPN to the Sophos at all now.

    Here are the requested configuration pictures:


    Log on Sophos UTM:

    2017:12:19-20:18:21 vpn pluto[5482]: packet from 108.xxx.xxx.xxx:500: received Vendor ID payload [RFC 3947]
    2017:12:19-20:18:21 vpn pluto[5482]: packet from 108.xxx.xxx.xxx:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
    2017:12:19-20:18:21 vpn pluto[5482]: packet from 108.xxx.xxx.xxx:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2017:12:19-20:18:21 vpn pluto[5482]: packet from 108.xxx.xxx.xxx:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    2017:12:19-20:18:21 vpn pluto[5482]: packet from 108.xxx.xxx.xxx:500: received Vendor ID payload [Dead Peer Detection]
    2017:12:19-20:18:21 vpn pluto[5482]: "S_vpn.office"[1] 108.xxx.xxx.xxx #310: responding to Main Mode from unknown peer 108.xxx.xxx.xxx
    2017:12:19-20:18:24 vpn pluto[5482]: "S_vpn.office"[1] 108.xxx.xxx.xxx #310: ERROR: asynchronous network error report on eth1 for message to 108.xxx.xxx.xxx port 500, complainant 108.221.23.56: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
    2017:12:19-20:18:24 vpn pluto[5482]: "S_vpn.office"[1] 108.xxx.xxx.xxx #309: ERROR: asynchronous network error report on eth1 for message to 108.xxx.xxx.xxx port 500, complainant 108.221.23.56: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
    2017:12:19-20:18:26 vpn pluto[5482]: "S_vpn.office"[1] 108.xxx.xxx.xxx #305: max number of retransmissions (2) reached STATE_MAIN_R1

    And the log from the Meraki:

    Dec 19 20:18:43        Non-Meraki / Client VPN negotiation    msg: phase2 negotiation failed due to time up waiting for phase1. ESP 192.xxx.xxx.xxx[0]->108.xxx.xxx.xxx[0]
    Dec 19 20:18:12        Non-Meraki / Client VPN negotiation    msg: initiate new phase 1 negotiation: 108.xxx.xxx.xxx[500]<=>192.xxx.xxx.xxx[500]
    Dec 19 20:18:10        Non-Meraki / Client VPN negotiation    msg: phase2 negotiation failed due to time up waiting for phase1. ESP 192.xxx.xxx.xxx[0]->108.xxx.xxx.xxx[0]
    Dec 19 20:18:05        Non-Meraki / Client VPN negotiation    msg: phase2 negotiation failed due to time up waiting for phase1. ESP 192.xxx.xxx.xxx[0]->108.xxx.xxx.xxx[0]


    I have compared the configuration between both devices over and over. Also deleted all VPN related configuration on both appliances and re-created them from scratch. Assigned new pre-shared keys.

    Also talked to Meraki support. They were helpful, but couldn't find anything wrong with configuration. Called the ISP. No, nothing is blocked, modem didn't get updated and the configuration didn't change.

    I have been using Sophos and VPN connections to various third party systems for years now, but I am stunned by this behavior.

    Any ideas?

  • Thanks for the pics, Jens - that looks good.  Do you need Strict Routing?

    Are there any hints in the firewall log at 10:52 on the 17th?

    The logs you showed for the UTM and the Meraki don't cover the same time frame.

    Cheers - Bob 

  • No, I don't need strict routing and can turn it off.

    I tried to find the closest entries possible from a time point of view. I can get some new ones if that helps, but it is always the same pattern.

    Here is a copy of the firewall log for the time indicated in your post:

    2017:12:17-10:52:01 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="85.93.20.22" dstip="192.xxx.xxx.xx2" proto="6" length="52" tos="0x0a" prec="0x20" ttl="105" srcport="9" dstport="4444" tcpflags="SYN" 
    2017:12:17-10:52:03 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x3441" app="1089" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="81.240.111.95" dstip="192.xxx.xxx.xx8" proto="17" length="78" tos="0x08" prec="0x40" ttl="107" srcport="61990" dstport="137" 
    2017:12:17-10:52:03 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x3441" app="1089" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="81.240.111.95" dstip="192.xxx.xxx.xx9" proto="17" length="78" tos="0x08" prec="0x40" ttl="107" srcport="61990" dstport="137" 
    2017:12:17-10:52:03 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x3441" app="1089" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="81.240.111.95" dstip="192.xxx.xxx.xx0" proto="17" length="78" tos="0x08" prec="0x40" ttl="107" srcport="61990" dstport="137" 
    2017:12:17-10:52:03 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x3441" app="1089" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="81.240.111.95" dstip="192.xxx.xxx.xx1" proto="17" length="78" tos="0x08" prec="0x40" ttl="107" srcport="61990" dstport="137" 
    2017:12:17-10:52:03 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x3441" app="1089" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="81.240.111.95" dstip="192.xxx.xxx.xx2" proto="17" length="78" tos="0x08" prec="0x40" ttl="107" srcport="61990" dstport="137" 
    2017:12:17-10:52:07 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="85.93.20.22" dstip="192.xxx.xxx.xx2" proto="6" length="48" tos="0x08" prec="0x20" ttl="105" srcport="9" dstport="4444" tcpflags="SYN" 
    2017:12:17-10:52:18 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="183.62.57.217" dstip="192.xxx.xxx.xx8" proto="6" length="52" tos="0x08" prec="0x20" ttl="46" srcport="7401" dstport="445" tcpflags="SYN" 
    2017:12:17-10:52:19 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="183.62.57.217" dstip="192.xxx.xxx.xx9" proto="6" length="52" tos="0x08" prec="0x20" ttl="47" srcport="44478" dstport="445" tcpflags="SYN" 
    2017:12:17-10:52:20 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="183.62.57.217" dstip="192.xxx.xxx.xx0" proto="6" length="52" tos="0x08" prec="0x20" ttl="46" srcport="23618" dstport="445" tcpflags="SYN" 
    2017:12:17-10:52:21 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="183.62.57.217" dstip="192.xxx.xxx.xx1" proto="6" length="52" tos="0x08" prec="0x20" ttl="46" srcport="16723" dstport="445" tcpflags="SYN" 
    2017:12:17-10:52:22 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="183.62.57.217" dstip="192.xxx.xxx.xx2" proto="6" length="52" tos="0x08" prec="0x20" ttl="46" srcport="23630" dstport="445" tcpflags="SYN" 
    2017:12:17-10:52:26 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="139.60.160.251" dstip="192.xxx.xxx.xx2" proto="6" length="40" tos="0x08" prec="0x40" ttl="235" srcport="43364" dstport="50590" tcpflags="SYN" 
    2017:12:17-10:52:53 vpn ulogd[4768]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60004" initf="eth1" srcmac="00:25:84:2e:24:ff" dstmac="00:1a:8c:41:02:89" srcip="61.138.232.34" dstip="192.xxx.xxx.xx8" proto="6" length="44" tos="0x08" prec="0x20" ttl="47" srcport="49054" dstport="22" tcpflags="SYN"

    Sadly, I don't see anything unusual in the firewall.

    Can a Windows machine connect to the IPSec VPN? This would indicate that the problem is with the Cisco Meraki.

  • Is either the Meraki or the UTM behind a NATting router?

    Cheers - Bob

  • The UTM sits in a data center and has no router. Basically, the UTM is directly using a block of IPs.

    That said, the Cisco Meraki sits in a home office using ATT Business Internet. ATT says the modem is in "bridge mode", but that doesn't seem to be an equivalent of the bridge mode I have used with Comcast before. Essentially, the Meraki is acting as a DHCP client getting the external IP from the ATT modem.

  • I have an update on this. After doing a lot of testing involving a second Sophos appliance, it was determined that there is some kind of problem with the Cisco Meraki. I will run a few more tests with Cisco next week, but this seems to be turning into some kind of hardware issue and I am expecting to get an RMA # next week.

    I will post another update if there is any news or there are additional findings.

    Thank you for your help, Bob!

  • Hi Jens,

    Is the issue cleared? I had a similar problem.

    Best regards,

    Tomoaki

  • Hi Tomoaki and welcome to the UTM Community!

    Another issue could be that the Meraki is not configured for Anti-Replay.  That is on by default in the UTM and cannot be disabled.  A mismatch can cause the tunnel to appear to be established, but fail to pass traffic.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
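To show what the anti-replay check Bob mentions actually does on the receiving side, here is an added example (not code from the post or from either vendor) of the RFC 4303 style sliding window: a peer whose ESP sequence numbers go backwards or repeat is silently dropped even though the SA itself stays established.

```python
class AntiReplayWindow:
    """Receiver-side ESP anti-replay window (RFC 4303, Appendix A style).
    Tracks the highest sequence number seen and a bitmap of the last `size`
    sequence numbers; check_and_update() returns True if the packet is accepted."""

    def __init__(self, size: int = 64):
        self.size = size
        self.mask = (1 << size) - 1
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) already received

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                    # ESP sequence numbers start at 1
        if seq > self.highest:              # new right edge: slide the window
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1             # everything older fell out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                    # too old: left of the window
        if self.bitmap & (1 << offset):
            return False                    # already seen: replay
        self.bitmap |= 1 << offset          # late but in-window packet
        return True


def simulate(sequence):
    """Feed ESP sequence numbers from a constructed sender; return (accepted, dropped)."""
    window = AntiReplayWindow()
    accepted = dropped = 0
    for seq in sequence:
        if window.check_and_update(seq):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


if __name__ == "__main__":
    print("in order:", simulate([1, 2, 3, 4, 5]))                     # (5, 0)
    print("reordered + duplicate:", simulate([1, 3, 2, 2]))           # (3, 1)
    print("sender restarts its counter:", simulate(list(range(1, 101)) + [1, 2, 3]))  # (100, 3)
```

The last case is the one that matches the symptom in this thread: once the sender's counter restarts, every packet is discarded by the receiver's window until it climbs past the previously seen maximum, with the tunnel still reported as up.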
  • Hi Bob,

    Thank you for your support. Yes, my problem is that traffic fails to pass while the SA appears to be established, and it happens in a 3 to 4 hour cycle.
    I changed the phase 2 lifetime from 28800s (Meraki default) to 3600s, and traffic can pass now without causing problems.
    But if Anti-Replay causes the issue, my workaround cannot fix it.


    Best regards,

    Tomoaki

  • My apologies. I normally remember to update my threads if I come across a solution, but I somehow forgot about this one.

    You probably won't like the answer, but after extensive testing I found that the issue is caused by the firmware used in ATT's modems (I have tested two different modems offered in my area with the same result). Depending on the modem, this mode might be called something slightly different in your configuration (e.g. DMZ mode).

    Basically, if you are setting the modem to pass through mode (that's ATT's recommendation if you are using an appliance like Sophos behind their modem), the modem might temporarily work, but it will eventually disconnect. Finally, someone from ATT confirmed that their DMZ mode is not working properly with IPSec (apparently it blocks IPSec ESP). So, it seems to be a known problem to senior in-house technicians, but apparently there is no ETA for a firmware fix and it has been broken for months now (for me it broke sometime late last year when my modem opted for a firmware upgrade).

    So, the only solution I could find is to switch the modem to the custom mode that allows you to specify allowed applications. Once that is switched, you will have to add IPSec ESP, IPSec IKE and ICMP Echo (not sure if the last one is required).

    That's currently the only way this works for me. Please note that this configuration will prevent you from using IPv6 from what I can see. Furthermore, I found that I have to reset my modem every 6-8 weeks or it might simply refuse to allow IPSec altogether.

    Sorry, I really wish I had better news. It beats me why something so widely used by business users is not getting fixed by ATT Business. I also found it frustrating to communicate with ATT support, who frequently just ask you to reboot the modem. Very disappointing!

    Please let me know if you find a better solution. Maybe using a different modem model? My technician suggested that they do have a newer modem available, but he didn't have any in stock. I guess I can try to follow up with them to see if it is available now. Considering that the same firmware issue can be found in all the modems I have tested, it is more than likely that this is more like a firmware policy issue than an actual issue.

    Anyhow, I am happy to do some more testing if anyone has any new suggestions.

  • Hi Jens,

    Thank you for your comments. Sorry, my situation is a little bit different: my Meraki MX and Sophos UTM are directly connected to the Internet. They are not using ATT.
    But I sympathize with your frustration.

    My idea is that the issue is caused by the MX and UTM having different IPsec specifications.
    I submitted a "Make a wish" for the Meraki MX because I hope they change the IPsec feature.

    Best regards,

    Tomoaki

    Thanks for letting us know, Jens. We threw out AT&T two years ago because their techs couldn't get the pass-through to work consistently and it broke every time the modem lost power and at other mysterious times. They offered to let me talk to their senior people for $150/hr. I have several, larger clients using AT&T with no problems, but none that are small. It's good to know that you found a workaround.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hmmm, I am using the same hardware, but I am not encountering the same problem.

    Would it help if I share my settings? I can take some screenshots as needed.

  • Thank you Bob!

    Yep. It's either way paying $150 per hour or you bugging them on a daily basis until they give in and connect you to someone who knows more. Sadly, it seems that ATT doesn't even listen to its own people reporting issues...

    Anyhow, thank you for the free advice you have given people here since the early days when Sophos was still Astaro. I always appreciate your input and feedback! You are one of the most knowledgeable people on here. People like you make this community great.

    Cheers,

    Jens

  • FYI

    I contacted Meraki Support and I got an update. Now, Meraki MX supports Anti-Replay.

  • Glad to hear that your problem has been resolved!