After establishing the connection to XG Firewall version 17.5.1 MR1 through Sophos Connect, communication from the server installed behind the router to port udp/161 on the remote computer is impossible. Changing the VPN client to another one, for example to the Cyberoam SSL VPN or SecurePoint SSL VPN, causes the immediate return of communication via UDP. For all three tests this remote computer received an IP from the same subnet, and snmpwalk from the same server was used. Could this be a Sophos Connect error?
I have created the very first rule "allow all to 10.0.101.0/24 subnet":
Summary: scAllowRule. Accept any service going to "VPN" zone, when in any zone, and coming from any network, then apply log connections
Source & schedule: Any. Source networks and devices: Any. During scheduled time: All the time
Destination & services: VPN. Destination networks: VLAN 101 ssl vpn. Services: Any
Advanced, Synchronized security: Source: Minimum heartbeat is No restriction, Clients with no heartbeat allowed. Destination: Minimum heartbeat is No restriction, Request to destination with no heartbeat allowed
Masquerading is OFF
1. This is a packet capture screen with ICMP test from machine 10.77.77.8 behind the router to remote host 10.0.101.200:
First packet:
Second packet:
2. Another test - ping address 10.0.101.200 directly from the router:
Maybe a more interesting test will be the other way around, from the remote host 10.0.101.200 to devices in the LAN behind the router.
Hello Michal,
I set up a VPN tunnel from my Sophos Connect client to XG. I start a PING from my Sophos Connect client (virtual IP: 10.0.3.77) to a LAN host 10.1.1.11. I set up a packet capture with host 10.0.3.77.
You should see 4 packets, as seen in my capture: an incoming IPsec packet from 10.0.3.77 to 10.1.1.11. This packet is then forwarded on Port A to destination host 10.1.1.11. The host response is received on Port A, which is then forwarded to 10.0.3.77 on the VPN tunnel.
In your capture I only see the received packet from the IPsec tunnel that is forwarded out. There is nothing coming back. So please check the default route on the host to make sure the packet is correctly forwarded back to the XG firewall.
Please let me know.
Ramesh
Hi Ramesh,
I do not know what else to show; all the information is already in the screenshots that are available. It is clear to me that in my case the packets sent to the remote host have the status "Unreplied", while your packets are sent and correctly returned. This is probably because your Sophos Connect client sets the correct gateway - and my client does not.
The firewall on our router does not block any packets sent to / received from the remote host. I apologize to you very much, but this discussion leads nowhere.
Do you have any suggestion why my Sophos Connect client gives the gateway an APIPA address for packets returning from the host? Do you know how I can check the settings (or logs) of the Sophos Connect server in the files saved on the router? Thank you.
Hey MichalKawecki
Thanks for your continued patience and participation during your troubleshooting with rmk_2018.
I'd like to continue this investigation and troubleshooting with you. I'll reach out to you further via PM.
Regards,
This problem is now resolved. The problem was because the DHCP Range assigned to Sophos Connect and SSL VPN was in the same segment. Once that was separated out Sophos Connect worked as expected.
The problem has been solved, for which I thank you very much. Nevertheless, I have a suggestion: add a visual warning, or even block setting the same network for Sophos Connect as for SSL VPN, in the router settings.
Thank you again and have a nice day.
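As an added example (not code from the thread or from Sophos), here is a small check that flags two VPN address pools that overlap, or that are disjoint but still sit in the same /24 segment, which is the configuration the thread identified as the cause. The pool values are constructed samples and the /24 segment size is an assumption.

```python
import ipaddress
from itertools import combinations

# Constructed sample pools (assumed values, not the configuration from the thread).
# Each pool is a DHCP-style (first address, last address) range, as entered in the
# Sophos Connect and SSL VPN settings.
SAMPLE_POOLS = {
    "sophos_connect": ("10.0.101.10", "10.0.101.100"),
    "ssl_vpn": ("10.0.101.50", "10.0.101.200"),
    "lan_dhcp": ("10.77.77.1", "10.77.77.254"),
}

def pool_networks(start, end):
    """CIDR blocks that exactly cover the start-end range (ValueError if reversed)."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if last < first:
        raise ValueError(f"range end {end} precedes start {start}")
    return list(ipaddress.summarize_address_range(first, last))

def pools_overlap(pool_a, pool_b):
    """True when at least one address could be handed out by both pools."""
    return any(na.overlaps(nb)
               for na in pool_networks(*pool_a)
               for nb in pool_networks(*pool_b))

def segments(pool, prefixlen=24):
    """Set of /prefixlen segments the pool touches (segment size /24 is an assumption)."""
    result = set()
    for net in pool_networks(*pool):
        if net.prefixlen >= prefixlen:
            result.add(net.supernet(new_prefix=prefixlen))   # block fits in one segment
        else:
            result.update(net.subnets(new_prefix=prefixlen))  # block spans several
    return result

def check_vpn_pools(pools, prefixlen=24):
    """Return (name_a, name_b, reason) for each pair of pools that conflict.

    'overlap': the ranges share addresses. 'same segment': the ranges are
    disjoint but lie in one /prefixlen, which the thread reports breaks
    Sophos Connect when it is shared with the SSL VPN pool.
    """
    findings = []
    for (name_a, pool_a), (name_b, pool_b) in combinations(sorted(pools.items()), 2):
        if pools_overlap(pool_a, pool_b):
            findings.append((name_a, name_b, "overlap"))
        elif segments(pool_a, prefixlen) & segments(pool_b, prefixlen):
            findings.append((name_a, name_b, "same segment"))
    return findings
```

Running `check_vpn_pools(SAMPLE_POOLS)` reports the Sophos Connect and SSL VPN pools as overlapping and leaves the LAN pool alone.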
I have one more question. The router continues to allocate a non-routable gateway 169.254.128.128 to the remote host. Is this correct behavior of the Sophos Connect server?
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway          Interface        Metric
0.0.0.0                    0.0.0.0          192.168.178.1    192.168.178.100  281
10.0.0.0                   255.0.0.0        169.254.128.128  10.0.102.200     45
10.0.102.200               255.255.255.255  On-link          10.0.102.200     291
52.5.76.173                255.255.255.255  169.254.128.128  10.0.102.200     45
Yes that is correct.
Thanks.