
IPsec (ESP) packet dropped

MichaelUHG Newbie ✭
edited December 2022 in Entry Level Firewalls

Hello

I have a part time IT role in a health company that my partner works at. They have a site to site VPN tunnel to the company that hosts their EMR (medical record) database. Everything seemed to work fine up until about two weeks ago (at least there were no complaints until then).

In an effort to figure out the problem they have reached out to the database hosting company and they checked the client logs on the workstations and I was told it looks like the software is losing connection to the database. They are saying it's LAN side.

The VPN tunnel is connected (I have not set this up, it was already set up by the previous IT person) as it has the green circle and the traffic does seem to flow, until the software complains about losing connection to its server.

In an attempt to try to troubleshoot I looked at the logs and one that happens constantly is:

21:27:44 Dec 27 533 VPN Notice IPsec (ESP) packet dropped xxx.xxx.xxx.xxx, X3 xxx.xxx.xxx.xxx, X3 esp err1: policy not found for packet on Zones(WAN -> WAN)

The first xxx.xxx.xxx.xxx is the Remote database IP, the second is one of our internet connections (we have two configured in a failover). Both the remote IP and both our WAN connections are static IPs.

I am not sure if this is part of the cause of the issue we are having and I figured maybe I should start here, but whatever I try I cannot resolve this error.

The SonicWall is a hub to two other site to site VPNs for two other locations. Previously they were using NetExtender on each workstation at each location for the connection (3-5 workstations at each location) until I set up a site to site with additional SonicWalls. One location seems to have no issues as I haven't had any complaints, the other has constant issues that I am trying to resolve as well, which may or may not be part of the above issue. I did remove remnants of McAfee firewall so I'm hoping that helps; they are only open one day a week so I will have to wait for that one to see if anything has improved. Everything seems to work ok when I do some tests.

I am at the end of my ideas as to what the issue is.


I forgot to add the main SonicWall is a "TZ 600" with firmware "SonicOS Enhanced 6.5.4.9-93n"


Answers

  • TKWITS Community Legend ✭✭✭✭✭

    These types of practices are annoying... One day a week, must be nice...

    What have you tried so we don't duplicate ideas? Clearly you're not running the latest firmware.

  • MichaelUHG Newbie ✭
    edited December 2022

    I have two issues, one at the main clinic and the remote clinic I will refer to as the pain clinic.

    I am trying to resolve the issue at the main clinic which has the direct site to site VPN connection to the database (telushealth). The pain issue is secondary to this.

    I figure maybe I should see if this "IPsec (ESP) packet dropped" could be a contributing factor to the connection issue the software is having.

    The only thing that I have really tried is to create a rule from WAN>WAN with the following settings (because that's what the error mentioned: policy not found for packet on Zones(WAN -> WAN)):

    Action: Allow

    From : WAN

    To: WAN

    Source Port: ESP (IPSec)

    Service: ESP (IPSec)

    Source: Any

    Destination: WAN Interface IP


    and one reversed


    Action: Allow

    From : WAN

    To: WAN

    Source Port: ESP (IPSec)

    Service: ESP (IPSec)

    Source: WAN Interface IP

    Destination: Any


    But I also have an existing rule of

    Action: Allow

    From : WAN

    To: WAN

    Source Port: Any

    Service: Any

    Source: Any

    Destination: Any


    so shouldn't that cover the issue?

  • Arkwright All-Knowing Sage ✭✭✭✭

    "Policy not found" is not referring to ACL, it's referring to an IPsec policy, ie, a configured VPN tunnel.

    Have you got both of the public IPs configured on the tunnel at the other end? From your description, I wonder if perhaps sometimes the IPsec traffic is coming from the backup WAN interface, for whatever reason.

  • TKWITS Community Legend ✭✭✭✭✭

    The other thing to check is if the VPN tunnel is assigned to a specific WAN interface, or the WAN zone. VPN Settings \ Advanced tab.

  • I had it set to Zone WAN because I thought that's how failover is supposed to be configured.

    I did set it to the primary interface (X1) and so far the above error seems to have stopped. I also don't get an INVALID_COOKIE message anymore either.

    It's been this way for some time and only within the last few months has there been problems.

    I'm on location now trying to monitor it.

  • TKWITS Community Legend ✭✭✭✭✭

    Zone WAN is the default and is appropriate when using more than one ISP. @Arkwright 's question is still valid: "Have you got both of the public IPs configured on the tunnel at the other end?"

    E.g. on the VPN Settings \ General tab you can enter a secondary gateway address (which would be the second ISP address of the SonicWall the tunnel is attempting to connect to).

  • I believe so, unfortunately the other side isn't managed by us. But the tunnel does connect when I specify the backup ISP's interface.

    From what it looks like, when I have Zone WAN set and both ISPs are connected this is when I'm getting the ESP error. I haven't noticed the error all day since specifying the specific interface and I was told there haven't been any issues today.

    Maybe the failover isn't correctly configured, although I did follow the SonicWall guide.

    I will continue to monitor it and let you guys know how I make out.


    Thank you for your help, I greatly appreciate it :)

  • TKWITS Community Legend ✭✭✭✭✭

    It doesn't sound like a configuration issue on your side, but on the side you don't manage. Getting on a call with the other IT team to review all VPN settings might reveal the problem.

    Have a form for VPN tunnel configurations. If someone says 'it's configured correctly' and you point them to the form to review, you'll both know the correct configuration (and have it documented).

  • Just wanted to leave an update. Ever since I've forced the VPN tunnel through a specific interface (instead of Zone WAN) everything has been fine. I do see what I can assume are connection attempts for the other Internet connection.

    "IKE Responder: Received Main Mode Request (Phase 1)" followed by "IKE Responder drop: VPN tunnel end point does not match configured VPN Policy Bound to scope"

    So I'm thinking the other side is trying to initiate a connection on both ISPs and our SonicWall is either confused or dropping the one connection for the other.

    Unfortunately trying to contact their IT team is almost next to impossible, since we don't lease their router all they really send us is the tunnel configuration values.

    It's just weird there wasn't any issues until recently. They must've changed something on their end.


    I want to thank everyone for their help :)
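
The log lines quoted in this thread can be checked mechanically. The following is an added example, not code from the thread or from SonicWall: it parses lines shaped like the "IPsec (ESP) packet dropped ... policy not found" and "IKE Responder drop ... Bound to scope" messages, tallies drops per local WAN interface, and reports whether the peer is hitting an interface the policy is not bound to. The IP addresses are constructed placeholders, and the "ip, port, interface" trailer assumed for the IKE lines mirrors the ESP line's layout.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the SonicOS log shape quoted in the thread (placeholder IPs).
SAMPLE_LOG = """\
21:27:44 Dec 27 533 VPN Notice IPsec (ESP) packet dropped 203.0.113.10, X3 198.51.100.2, X3 esp err1: policy not found for packet on Zones(WAN -> WAN)
21:27:45 Dec 27 533 VPN Notice IPsec (ESP) packet dropped 203.0.113.10, X3 198.51.100.2, X3 esp err1: policy not found for packet on Zones(WAN -> WAN)
21:28:01 Dec 27 29 VPN Info IKE Responder: Received Main Mode Request (Phase 1) 203.0.113.10, 500, X3 198.51.100.2, 500, X3
21:28:01 Dec 27 30 VPN Notice IKE Responder drop: VPN tunnel end point does not match configured VPN Policy Bound to scope 203.0.113.10, 500, X3 198.51.100.2, 500, X3
21:30:12 Dec 27 533 VPN Notice IPsec (ESP) packet dropped 203.0.113.10, X1 192.0.2.2, X1 esp err1: policy not found for packet on Zones(WAN -> WAN)
"""

# Message fragments the thread identifies as symptoms (substring match keeps the parser tolerant).
SIGNATURES = {
    "esp_no_policy": "esp err1: policy not found",
    "ike_scope_drop": "VPN Policy Bound to scope",
}
# "<ip>, [port,] <iface>" appears twice per line: remote source first, then local destination.
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}), (?:\d+, )?(X\d+)")

def parse_vpn_events(log_text):
    """Return one dict per symptomatic line: kind, remote src, local dst and local interface."""
    events = []
    for line in log_text.splitlines():
        kind = next((k for k, sig in SIGNATURES.items() if sig in line), None)
        endpoints = ENDPOINT_RE.findall(line)
        if kind is None or len(endpoints) < 2:
            continue  # informational line, or no address pair to attribute
        (src, _), (dst, dst_if) = endpoints[0], endpoints[1]
        events.append({"kind": kind, "src": src, "dst": dst, "dst_if": dst_if})
    return events

def assess(events, bound_iface):
    """Tally drops per local interface and explain them against the interface the VPN policy is bound to.
    bound_iface=None models the 'Zone WAN' setting (policy not pinned to one interface)."""
    per_iface = defaultdict(Counter)
    for ev in events:
        per_iface[ev["dst_if"]][ev["kind"]] += 1
    findings = []
    for iface, counts in sorted(per_iface.items()):
        n = sum(counts.values())
        if bound_iface is None:
            findings.append(f"{iface}: {n} drops while the policy is on Zone WAN; confirm the peer lists this WAN address as a gateway, or bind the policy to one interface")
        elif iface != bound_iface:
            findings.append(f"{iface}: {n} drops on an interface the policy is not bound to; the peer is still sending to this WAN address")
        else:
            findings.append(f"{iface}: {n} drops on the bound interface; compare gateway addresses and IDs with the peer's settings")
    return {"per_interface": {i: dict(c) for i, c in per_iface.items()}, "findings": findings}
```

Run `assess(parse_vpn_events(SAMPLE_LOG), "X1")` to see the drops on X3 attributed to the peer still using the secondary ISP address, which is the situation the thread ends on.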

  • compunext_rogerio Newbie ✭
    edited January 2023

    Do you have a detailed description of how these VPN tunnels are configured?

    To help you more effectively, I'll need to know:

    1. VPN Tunnel Type (Site to Site or Tunnel Interface)
    2. If you are using one or more ISPs
    3. How did you deploy your routing infrastructure