

Azure Sophos appliance site-to-site issue

Hi All,

I have a Sophos XG deployed in Azure and an on-prem Sophos XG firewall. I have built an IPsec tunnel which is established between the two devices; however, I can only get traffic to pass one way: Azure >>> on-prem. I cannot get any traffic passing from on-prem to Azure.

When running a packet capture I can see traffic from on-prem being accepted by the on-prem firewall and directed over the VPN tunnel, but I cannot see the traffic on the Azure Sophos via a packet capture. Unsure if it is a NAT issue at that point or a routing issue in Azure.

Any advice welcome :)



  • Hi

    As per my understanding of the given information, you have deployed a Sophos XG firewall instance on the Azure platform and created an IPsec tunnel between the Azure Sophos XG and the on-prem XG firewall appliance.

    Could you please check tcpdump from the SSH console for proto 50? Log in to the SSH console of the on-prem XG, access the device console and execute tcpdump 'proto 50', then check, when you initiate the traffic from the on-prem XG side, what the status of the outgoing ESP packets is and whether there is any response from the Azure side or not.

    Please verify that the VPN-to-LAN and LAN-to-VPN firewall rules on both firewalls are set to allow the required traffic.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
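As an added example (not from Keyur's reply or from Sophos), the proto 50 check above can be turned into a small shell summary that counts ESP packets per direction, so the outcome of "ESP leaves but nothing returns" versus "ESP never leaves" is read off directly; the peer addresses and the capture lines are constructed samples.

```shell
#!/bin/sh
# Added example: summarise ESP (IP protocol 50) packets per direction from
# tcpdump text output. The peer addresses below are constructed assumptions.
LOCAL_PEER="203.0.113.10"    # assumed on-prem XG WAN IP (constructed)
REMOTE_PEER="198.51.100.20"  # assumed Azure XG public IP (constructed)

# Constructed sample of what `tcpdump -n 'proto 50'` prints on the on-prem XG:
# four ESP packets leaving towards Azure and no ESP packets coming back.
SAMPLE_CAPTURE='10:01:02.000001 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0xc0a8000a,seq=0x1), length 132
10:01:02.000002 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0xc0a8000a,seq=0x2), length 132
10:01:03.000003 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0xc0a8000a,seq=0x3), length 132
10:01:04.000004 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0xc0a8000a,seq=0x4), length 132'

# esp_summary <local_peer> <remote_peer>: reads tcpdump lines on stdin and
# prints "out=<n> in=<m> verdict=<text>".
esp_summary() {
  awk -v l="$1" -v r="$2" '
    # tcpdump line shape: <ts> IP <src> > <dst>: ESP(spi=...,seq=...), length N
    $2 == "IP" && $4 == ">" && $6 ~ /^ESP\(/ {
      src = $3; dst = $5; sub(/:$/, "", dst)
      if (src == l && dst == r) out++
      else if (src == r && dst == l) in_++
    }
    END {
      if (out == 0)
        v = "no ESP leaving the local peer: check the LAN-to-VPN rule and the IPsec policy"
      else if (in_ == 0)
        v = "ESP leaves but no ESP returns: check routing on the Azure side and the Azure XG firewall rules"
      else
        v = "ESP flows both ways: check the VPN-to-LAN rules and routing behind the tunnel"
      printf "out=%d in=%d verdict=%s\n", out, in_, v
    }'
}

# Live use on the on-prem XG device console:
#   tcpdump -n 'proto 50' | esp_summary "$LOCAL_PEER" "$REMOTE_PEER"
# Offline use on the constructed sample (prints "out=4 in=0 verdict=ESP leaves ..."):
printf '%s\n' "$SAMPLE_CAPTURE" | esp_summary "$LOCAL_PEER" "$REMOTE_PEER"
```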
