
IPSEC VPN alerts every hour

Hi

I am running a number of XGs on v18 latest revision, and they are all reporting VPN down every hour around the time the IKEv2 re-key occurs. The VPNs are all working as expected.

This alert is then pushed into Central and also sent out to all email recipients.

I can see some previous posts that this was suppressed in V17 and has now re-appeared in V18.

Is there any way to resolve this? There doesn't seem to be a way to switch this alert off anywhere, and it's creating a lot of white noise, so we potentially miss actual alerts that need investigating.

Any ideas much appreciated, as support just said "can't be disabled", which isn't great.

Thanks

Dan



  • FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    The peer firewall might be deleting the Child SA and then sending the delete SA to the XG and triggering the email notifications. 

    You could try to have a lower rekey timer value for both phase 1 and phase 2 than the peer firewall. This will ensure XG always does the rekey first, and that won't trigger the email notification.

    Thanks,

  • Hi

    I have two Sophos XGs that run this VPN setup, and they both throw out the alerts every hour. The VPN is IKEv2 using the built-in template policies. I could change the re-key times, but would one end not still alert? Ideally we just need to be able to disable this alert somewhere on the device and in Central.

    thx

    Dan

  • FormerMember in reply to Dan Williams

    Hi,

    Unfortunately, there's no option to turn off the notification generated during SA re-key. This setting is global, and if you turn it off, there won't be any notification in a real tunnel down situation. 

    Try to clone the policy and configure a lower re-key time for both Phase 1 and Phase 2 on the firewall that is initiating the connection, and let us know if that helps.

    Thanks,
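The replies above describe the mechanism (the peer deletes the Child SA during re-key, the XG raises a "VPN down" notification, the tunnel is immediately re-established) and confirm that the notification cannot be switched off on the device because the setting is global. When the alert cannot be suppressed at the source, the practical option is to triage it where it lands (a mailbox rule, a SIEM, or a small script in front of the on-call page). The following is an added example for this thread, not Sophos XG or Central code and not anything the posters wrote; the event records, the `TunnelEvent` type and the function names are constructed for the example and do not reflect a real XG log format. It labels each "down" event as a re-key flap (recovers within seconds, on the hourly cadence), an unexplained flap, or a genuine outage, and also encodes the reply's workaround of choosing initiator lifetimes strictly lower than the peer's (the 0.8 factor is an assumption, not a vendor value).

```python
"""Triage "VPN down" notifications so that rekey-induced flaps can be told
apart from real outages once the alert stream reaches a SIEM or mailbox.
Added example for this thread; it is not Sophos XG / Central code and the
event records below are constructed, not a real XG log format."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class TunnelEvent:
    when: datetime
    tunnel: str
    state: str          # "up" or "down"


def ts(s):
    """Parse 'YYYY-MM-DD HH:MM:SS' into a naive datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _is_periodic(gap_s, period_s, tol_s):
    """True if gap_s is within tol_s of a whole number (>= 1) of periods."""
    if gap_s < period_s - tol_s:
        return False
    k = round(gap_s / period_s)
    return abs(gap_s - k * period_s) <= tol_s


def classify_downs(events, rekey_interval_s=3600, recovery_window_s=60,
                   tolerance_s=120):
    """Label every 'down' event as one of:
      rekey-flap : an 'up' follows within recovery_window_s AND the time
                   since the previous down (or since the tunnel first came
                   up) is a multiple of rekey_interval_s, i.e. the peer's
                   SA delete during re-key described in the thread;
      flap       : recovered quickly but not on the rekey cadence;
      outage     : no 'up' within recovery_window_s.
    Returns a time-ordered list of (tunnel, iso_timestamp, label)."""
    by_tunnel = {}
    for ev in sorted(events, key=lambda e: e.when):
        by_tunnel.setdefault(ev.tunnel, []).append(ev)

    out = []
    for tunnel, evs in by_tunnel.items():
        first_up = next((e for e in evs if e.state == "up"), None)
        last_down = None
        for i, ev in enumerate(evs):
            if ev.state != "down":
                continue
            recovery = next((e for e in evs[i + 1:] if e.state == "up"), None)
            recovered = (recovery is not None and
                         (recovery.when - ev.when).total_seconds()
                         <= recovery_window_s)
            ref = last_down or first_up          # anchor for the cadence check
            if not recovered:
                label = "outage"
            elif ref is not None and _is_periodic(
                    (ev.when - ref.when).total_seconds(),
                    rekey_interval_s, tolerance_s):
                label = "rekey-flap"
            else:
                label = "flap"
            out.append((tunnel, ev.when.isoformat(), label))
            last_down = ev
    return sorted(out, key=lambda r: r[1])


def summarize(events, **kw):
    """Count labels so the noisy class can be routed away from on-call."""
    counts = {"rekey-flap": 0, "flap": 0, "outage": 0}
    for _, _, label in classify_downs(events, **kw):
        counts[label] += 1
    return counts


def initiator_rekey_timers(peer_ike_s, peer_child_s, fraction=0.8):
    """Phase 1 / Phase 2 lifetimes for the initiating firewall that are
    strictly lower than the peer's, so it always rekeys first (the reply's
    workaround). The 0.8 factor is an assumption, not a vendor value."""
    return int(peer_ike_s * fraction), int(peer_child_s * fraction)


# Constructed sample: hourly rekey flaps and one real outage on one tunnel,
# plus a single non-periodic flap on a second tunnel.
SAMPLE_EVENTS = [
    TunnelEvent(ts("2021-03-10 00:00:00"), "HQ-to-DC", "up"),
    TunnelEvent(ts("2021-03-10 01:00:05"), "HQ-to-DC", "down"),
    TunnelEvent(ts("2021-03-10 01:00:12"), "HQ-to-DC", "up"),
    TunnelEvent(ts("2021-03-10 02:00:03"), "HQ-to-DC", "down"),
    TunnelEvent(ts("2021-03-10 02:00:09"), "HQ-to-DC", "up"),
    TunnelEvent(ts("2021-03-10 03:00:07"), "HQ-to-DC", "down"),
    TunnelEvent(ts("2021-03-10 03:00:15"), "HQ-to-DC", "up"),
    TunnelEvent(ts("2021-03-10 03:25:00"), "HQ-to-DC", "down"),
    TunnelEvent(ts("2021-03-10 03:48:00"), "HQ-to-DC", "up"),
    TunnelEvent(ts("2021-03-10 00:00:00"), "HQ-to-Branch", "up"),
    TunnelEvent(ts("2021-03-10 01:37:00"), "HQ-to-Branch", "down"),
    TunnelEvent(ts("2021-03-10 01:37:20"), "HQ-to-Branch", "up"),
]

if __name__ == "__main__":
    for row in classify_downs(SAMPLE_EVENTS):
        print(*row)
    print(summarize(SAMPLE_EVENTS))
    print(initiator_rekey_timers(28800, 3600))
```

The cadence check is what keeps this from becoming a blanket "ignore anything that recovers quickly" rule: a tunnel that flaps off-schedule still surfaces as `flap`, and anything that does not come back within the recovery window is an `outage` regardless of timing. Tune `rekey_interval_s` to the Phase 2 lifetime actually configured in the policy, and keep the tolerance small so a second failure that happens to land near the top of the hour is not swallowed.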