automatic IPSec reconnect to Azure is not working

Hello,

We are using an XG310 (SFOS 18.0.3 MR-3) with an IPsec tunnel to Azure so that we can use Azure AD on the XG310. That works well.

But when the IPsec connection is lost, the XG does not reconnect to the Azure VPN Gateway. I have no error information in the Log Viewer.

When I reconnect the IPsec connection manually, it works again until the EOL.

I read a lot about issues in older firmware versions, but I thought the problem should be fixed.

Our IPSec policy:

Is there a mistake in my configuration or are there known bugs?
Thanks and best regards!


This thread was automatically locked due to age.
  • Hello Emmanuel,

    I found the following information in /log/strongswan.log:

    2020-12-02 17:53:41 08[NET] <IPSec_to_Azure-1|120> received packet: from AZURE_PUBLIC_IP[500] to SOPHOS_EXTERNAL_IP[500] (80 bytes)
    2020-12-02 17:53:41 08[ENC] <IPSec_to_Azure-1|120> parsed INFORMATIONAL request 1220 [ D ]
    2020-12-02 17:53:41 08[IKE] <IPSec_to_Azure-1|120> received DELETE for ESP CHILD_SA with SPI 894f1cf6
    2020-12-02 17:53:41 08[IKE] <IPSec_to_Azure-1|120> closing CHILD_SA IPSec_to_Azure-1{50} with SPIs c223fde2_i (2752 bytes) 894f1cf6_o (954 bytes) and TS 192.168.100.0/22 === 10.0.0.0/24
    2020-12-02 17:53:41 08[IKE] <IPSec_to_Azure-1|120> sending DELETE for ESP CHILD_SA with SPI c223fde2
    2020-12-02 17:53:41 08[IKE] <IPSec_to_Azure-1|120> CHILD_SA closed
    2020-12-02 17:53:41 08[APP] <IPSec_to_Azure-1|120> [SSO] (sso_invoke_once) SSO is disabled.
    2020-12-02 17:53:41 08[APP] <IPSec_to_Azure-1|120> [COP-UPDOWN] (ref_counting) ref_count: 1 to 0 -- down -- (192.168.100.0/22#10.0.0.0/24)
    2020-12-02 17:53:41 08[APP] <IPSec_to_Azure-1|120> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 1 to 0 -- down -- (SOPHOS_EXTERNAL_IP#AZURE_PUBLIC_IP)
    2020-12-02 17:53:41 08[APP] <IPSec_to_Azure-1|120> [COP-UPDOWN] (cop_updown_invoke_once) UID: 120 Net: Local SOPHOS_EXTERNAL_IP Remote AZURE_PUBLIC_IP Connection: IPSec_to_Azure Fullname: IPSec_to_Azure-1
    2020-12-02 17:53:41 08[APP] <IPSec_to_Azure-1|120> [COP-UPDOWN] (cop_updown_invoke_once) Tunnel: User '' Peer-IP '' my-IP '' down-client
    2020-12-02 17:53:41 08[ENC] <IPSec_to_Azure-1|120> generating INFORMATIONAL response 1220 [ D ]
    2020-12-02 17:53:41 08[NET] <IPSec_to_Azure-1|120> sending packet: from SOPHOS_EXTERNAL_IP[500] to 52.143.56.201[500] (80 bytes)
    2020-12-02 17:53:41 30[APP] [COP-UPDOWN][DB] (db_conn_info) hostname: 'IPSec_to_Azure' result --> id: '1', mode: 'ntn', tunnel_type: '0', subnet_family:'0'
    2020-12-02 17:53:41 30[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) ---- exec remote updown -- down --
    2020-12-02 17:53:42 30[APP] [COP-UPDOWN][SHELL] (run_shell) '/bin/service fwm:vpn_gateway_chains -t json -s nosync -b '{"local_server":"SOPHOS_EXTERNAL_IP","remote_server":"AZURE_PUBLIC_IP","action":"disable","family":"0","conntype":"ntn","compress":"0"}'': success 0
    2020-12-02 17:53:42 30[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) ---- exec subnet updown -- down --
    2020-12-02 17:53:42 30[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) [NTN] NTN get actual...
    2020-12-02 17:53:42 30[APP] [COP-UPDOWN][DB] (db_query) No data retrieved from query: 'SELECT ( nath.netid || '/' || nath.netmask ) AS natedlan FROM tblvpnconnhostrel AS rel JOIN tblhost AS h ON h.hostid = rel.hostid JOIN tblhost AS nath ON rel.natedhost = nath.hostid WHERE rel.connectionid = $1 AND rel.hostlocation = 'L' AND h.netid = $2 AND h.netmask = $3 LIMIT 1;' status: 2 rows: 0
    2020-12-02 17:53:42 30[APP]
    2020-12-02 17:53:42 30[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) [IPSEC0] using ipsec dummy interface 'ipsec0'
    2020-12-02 17:53:42 30[APP] [COP-UPDOWN][NET] (get_src_ip) source address for 192.168.100.0 is IP: 192.168.100.202
    2020-12-02 17:53:42 30[APP]
    2020-12-02 17:53:42 30[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route del 10.0.0.0/24 dev ipsec0 src 192.168.100.202 table 220': success 0
    2020-12-02 17:53:42 30[APP] [COP-UPDOWN] (add_routes) no routes to del for IPSec_to_Azure on interface ipsec0
    2020-12-02 17:53:42 30[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route flush cache': success 0
    2020-12-02 17:53:42 30[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route flush cache': success 0
    2020-12-02 17:53:42 30[APP] [COP-UPDOWN][SHELL] (run_shell) '/bin/service fwm:vpn_connection_chains -t json -s nosync -b '{"me":"SOPHOS_EXTERNAL_IP","peer":"AZURE_PUBLIC_IP","mynet":"192.168.100.0/22","peernet":"10.0.0.0/24","connop":"0","iface":"unknown","myproto":"0","myport":"0","peerproto":"0","peerport":"0","conntype":"ntn","actnet":"","compress":"0","conn_id":"1"}'': success 0
    2020-12-02 17:53:42 30[APP] [COP-UPDOWN][SHELL] (run_shell) 'conntrack -D --not-protonum=6 --inzone-outzone=2': error returned 1
    2020-12-02 17:53:42 30[APP] [COP-UPDOWN][SHELL] (run_shell) 'conntrack -D --not-protonum=6 --inzone-outzone=5': error returned 1
    2020-12-02 17:53:42 30[APP] [COP-UPDOWN][SHELL] (run_shell) 'conntrack -D --protonum=50': error returned 1
    2020-12-02 17:53:55 27[NET] <IPSec_to_Azure-1|120> received packet: from AZURE_PUBLIC_IP[500] to SOPHOS_EXTERNAL_IP[500] (80 bytes)

    Thanks and best regards

  • Hello Rene,

    Thank you for the output!

    This part of the log is from when the tunnel goes down; in it we can see that it is Azure that tells the XG to delete the tunnel:

    received DELETE for ESP CHILD_SA with SPI 894f1cf6

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
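The reading above (who sent the DELETE, and whether anything followed it) is something you usually have to do over many teardowns, not one. The script below is an added example, not code from this thread or from Sophos: it parses charon log lines in the layout shown in /log/strongswan.log above, records for each teardown whether the peer or the local side initiated it, and checks whether a new CHILD_SA was established within a reconnect window. The sample log embedded in it is constructed for the example (the first block mirrors the peer-initiated DELETE from the thread; the second block, a local DELETE followed by a re-establishment, is invented so both outcomes are shown); the IPs, SPIs and the 60-second window are placeholders.

```python
"""Who tore the IPsec tunnel down, and did it come back?

Added example; not code from the thread or from Sophos. It parses
strongSwan (charon) log lines and reports, per teardown, whether the
peer or the local side sent the DELETE and whether a new SA was
established within a reconnect window. The sample log at the bottom is
constructed; IPs and SPIs are placeholders.
"""
import re
from datetime import datetime, timedelta

# Layout of a charon line: "<timestamp> <thread>[<facility>] <conn|ike_sa_id> <message>".
# The "<conn|id>" part is absent on lines logged outside an IKE_SA context.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<thread>\d+)\[(?P<fac>\w+)\] "
    r"(?:<(?P<conn>[^|>]+)\|(?P<ike_id>\d+)> )?"
    r"(?P<msg>.*)$"
)

# strongSwan's own message texts for the events we care about.
PEER_DELETE = re.compile(r"received DELETE for (ESP CHILD_SA|IKE_SA)")
LOCAL_DELETE = re.compile(r"sending DELETE for (ESP CHILD_SA|IKE_SA)")
CLOSED = re.compile(r"CHILD_SA closed|IKE_SA deleted")
ESTABLISHED = re.compile(r"CHILD_SA .* established with SPIs|IKE_SA .* established between")


def parse_line(line):
    """Split one log line into its fields; return None for non-charon lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def analyze(lines, reconnect_window=timedelta(seconds=60)):
    """Return one record per teardown: connection, IKE_SA id, initiator
    ('peer' if we received the DELETE first, 'local' if we sent one without
    having received one), time, and whether a new SA followed in time."""
    events = []
    pending = {}  # ike_id -> teardown seen but not yet "closed"
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg, ike_id, ts = rec["msg"], rec["ike_id"], rec["ts"]
        if PEER_DELETE.search(msg):
            pending[ike_id] = {"conn": rec["conn"], "ike_id": ike_id,
                               "initiator": "peer", "down_at": ts,
                               "reconnected": False}
        elif LOCAL_DELETE.search(msg) and ike_id not in pending:
            # A DELETE sent in reply to a received one is not a new teardown;
            # one sent on our own (DPD timeout, rekey failure, admin
            # disconnect) is.
            pending[ike_id] = {"conn": rec["conn"], "ike_id": ike_id,
                               "initiator": "local", "down_at": ts,
                               "reconnected": False}
        elif CLOSED.search(msg) and ike_id in pending:
            events.append(pending.pop(ike_id))
        elif ESTABLISHED.search(msg):
            # Credit the newest unrecovered teardown of this connection
            # that lies within the window.
            for ev in reversed(events):
                if (ev["conn"] == rec["conn"] and not ev["reconnected"]
                        and ts - ev["down_at"] <= reconnect_window):
                    ev["reconnected"] = True
                    break
    events.extend(pending.values())  # teardowns with no "closed" line yet
    return events


def unrecovered(events):
    """Teardowns never followed by a re-establishment: the situation the
    original poster describes, where only a manual reconnect helps."""
    return [ev for ev in events if not ev["reconnected"]]


# Constructed sample: a peer-initiated teardown like the one in the thread,
# then an invented locally initiated one that charon re-establishes.
SAMPLE_LOG = """\
2020-12-02 17:53:41 08[NET] <IPSec_to_Azure-1|120> received packet: from AZURE_PUBLIC_IP[500] to SOPHOS_EXTERNAL_IP[500] (80 bytes)
2020-12-02 17:53:41 08[ENC] <IPSec_to_Azure-1|120> parsed INFORMATIONAL request 1220 [ D ]
2020-12-02 17:53:41 08[IKE] <IPSec_to_Azure-1|120> received DELETE for ESP CHILD_SA with SPI 894f1cf6
2020-12-02 17:53:41 08[IKE] <IPSec_to_Azure-1|120> closing CHILD_SA IPSec_to_Azure-1{50} with SPIs c223fde2_i (2752 bytes) 894f1cf6_o (954 bytes) and TS 192.168.100.0/22 === 10.0.0.0/24
2020-12-02 17:53:41 08[IKE] <IPSec_to_Azure-1|120> sending DELETE for ESP CHILD_SA with SPI c223fde2
2020-12-02 17:53:41 08[IKE] <IPSec_to_Azure-1|120> CHILD_SA closed
2020-12-02 17:53:42 30[APP] [COP-UPDOWN][SHELL] (run_shell) 'ip route flush cache': success 0
2020-12-02 18:10:03 12[IKE] <IPSec_to_Azure-1|120> sending DELETE for ESP CHILD_SA with SPI 0a1b2c3d
2020-12-02 18:10:03 12[IKE] <IPSec_to_Azure-1|120> CHILD_SA closed
2020-12-02 18:10:04 14[IKE] <IPSec_to_Azure-1|120> establishing CHILD_SA IPSec_to_Azure-1{51}
2020-12-02 18:10:05 14[IKE] <IPSec_to_Azure-1|120> CHILD_SA IPSec_to_Azure-1{51} established with SPIs 11223344_i 55667788_o and TS 192.168.100.0/22 === 10.0.0.0/24
"""

if __name__ == "__main__":
    for ev in analyze(SAMPLE_LOG.splitlines()):
        print(f'{ev["down_at"]} {ev["conn"]} torn down by {ev["initiator"]}, '
              f'reconnected={ev["reconnected"]}')
```

Run it against a copy of /log/strongswan.log; every record returned by unrecovered() is a teardown that was not followed by an established CHILD_SA, which is the pattern to look for when comparing timestamps with the manual reconnects. In stock strongSwan the reaction to a CHILD_SA the peer closes is the connection's closeaction setting; whether and how SFOS sets that is not shown in this thread.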