

Azure VPN traffic denied after migrating to v18

Prior to migrating to v18, I had a fully functioning IPSEC S2S VPN to Azure. After migrating, whilst some traffic works, most traffic inbound from Azure is dropped by the firewall, causing some services to fail. The message in the log is "invalid TCP state". Outbound traffic to Azure is flowing. In the image below, the src IP is an Azure server and the dst IP is the Sophos IP.

Any advice, please?



  • Hi  

    Could you please share a drop packet capture? Please use this article to capture dropped packets and share the logs - https://community.sophos.com/kb/en-us/127111

    Please also verify the firewall rule and NAT rule for VPN to LAN and LAN to VPN communication.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Hi  

    Thanks for the reply. I am getting a different error now; however, here is an example of the dropped packet capture:

    2020-02-25 15:12:41 010202130 IP 10.100.0.4.49679 > 192.168.9.251.25610 : proto TCP: R 1453707849:1453707849(0) checksum : 41137
    0x0000: 4500 0028 7ae6 4000 8006 aade 0a64 0004 E..(z.@......d..
    0x0010: c0a8 09fb c20f 640a 56a5 d249 e718 03f2 ......d.V..I....
    0x0020: 5014 0000 a0b1 0000 P.......
    Date=2020-02-25 Time=15:12:41 log_id=010202130 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev= inzone_id=0 outzone_id=0 source_mac= dest_mac= bridge_name= l3_protocol=IPv4 source_ip=10.100.0.4 dest_ip=192.168.9.251 l4_protocol=TCP source_port=49679 dest_port=25610 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=0 masterid=0 status=0 state=0, flag0=0 flags1=0 pbdid_dir0=0 pbrid_dir1=0

    The firewall rule was migrated automatically (it was working previously). But I have since tried making a linked NAT rule also, to no avail. What is odd is that some traffic does work, like UNC, ping and printing, and other traffic does not.

  • Hi  

    The provided dropped packet is a TCP RESET packet, but the firewall rule ID shows N/A. I would recommend opening a support case to investigate the issue further; it requires verifying the configuration and packet captures to resolve the issue. Please PM us the service request number.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
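The capture posted above and Keyur's reading of it (a TCP RESET with no firewall rule ID) can be checked mechanically. The following Python is an added example, not Sophos code and not from anyone in this thread: it rebuilds the raw bytes from the tcpdump-style hex dump, decodes the IPv4/TCP headers to confirm the addresses, ports, sequence number and flag bits, parses the key=value log line, and reports why the record says the packet was dropped. The hex dump is copied from the post; the log line is an abbreviated copy keeping only the fields the check uses. Reading connid=0 together with log_component=Invalid_Traffic and fw_rule_id=N/A as "no tracked connection, dropped before rule evaluation" is my interpretation of those fields.

```python
"""Decode a Sophos XG drop-packet capture entry: the tcpdump-style hex dump
plus the key=value log line that follows it (added example, not Sophos code)."""
import re
from typing import Dict

# Hex dump exactly as posted in the thread (offset, 16-bit groups, ASCII column).
HEX_DUMP = """\
0x0000: 4500 0028 7ae6 4000 8006 aade 0a64 0004 E..(z.@......d..
0x0010: c0a8 09fb c20f 640a 56a5 d249 e718 03f2 ......d.V..I....
0x0020: 5014 0000 a0b1 0000 P......."""

# Abbreviated copy of the posted log line: only fields used below are kept.
LOG_LINE = ("Date=2020-02-25 Time=15:12:41 log_id=010202130 log_type=Firewall "
            "log_component=Invalid_Traffic log_subtype=Denied log_priority=Alert "
            "l3_protocol=IPv4 source_ip=10.100.0.4 dest_ip=192.168.9.251 "
            "l4_protocol=TCP source_port=49679 dest_port=25610 fw_rule_id=N/A "
            "connid=0 state=0, flag0=0")

TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw packet bytes from 'tcpdump -x' style lines, skipping the ASCII column."""
    out = bytearray()
    for line in dump.strip().splitlines():
        groups = line.split(":", 1)[1].split()[:8]        # at most eight 16-bit groups per line
        for tok in groups:
            if not re.fullmatch(r"[0-9a-fA-F]{4}", tok):
                break                                      # ASCII column reached
            out += bytes.fromhex(tok)
    return bytes(out)


def parse_ipv4_tcp(pkt: bytes) -> Dict[str, object]:
    """Parse the IPv4 and TCP headers; IHL is honoured so IP options would not break it."""
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = pkt[ihl:]
    flag_byte = tcp[13]                                    # low 6 bits are the classic flags
    return {
        "total_len": int.from_bytes(pkt[2:4], "big"),
        "ttl": pkt[8],
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "sport": int.from_bytes(tcp[0:2], "big"),
        "dport": int.from_bytes(tcp[2:4], "big"),
        "seq": int.from_bytes(tcp[4:8], "big"),
        "flags": [name for bit, name in TCP_FLAG_BITS if flag_byte & bit],
        "tcp_checksum": int.from_bytes(tcp[16:18], "big"),
    }


def parse_sfos_log(line: str) -> Dict[str, str]:
    """Split an SFOS key=value log line into a dict (a trailing comma on a value is dropped)."""
    return {k: v.rstrip(",") for k, v in re.findall(r"(\w+)=(\S*)", line)}


def explain_drop(dump: str, log_line: str) -> Dict[str, object]:
    """Cross-check the decoded packet against the log line and state why it was dropped."""
    pkt = parse_ipv4_tcp(hexdump_to_bytes(dump))
    log = parse_sfos_log(log_line)
    consistent = (pkt["src"] == log.get("source_ip") and pkt["dst"] == log.get("dest_ip")
                  and str(pkt["sport"]) == log.get("source_port")
                  and str(pkt["dport"]) == log.get("dest_port"))
    flags = "/".join(pkt["flags"])
    if log.get("log_component") == "Invalid_Traffic" and log.get("fw_rule_id") == "N/A":
        # Assumption: connid=0 means the packet matched no tracked connection, so the
        # stateful check rejected it before any firewall rule was evaluated.
        reason = (f"{flags} dropped as Invalid_Traffic before any firewall rule was "
                  f"evaluated (fw_rule_id=N/A, connid={log.get('connid')})")
    elif log.get("log_subtype") == "Denied":
        reason = f"{flags} denied by firewall rule {log.get('fw_rule_id')}"
    else:
        reason = "not a drop record"
    return {"packet": pkt, "log_matches_packet": consistent, "reason": reason}


if __name__ == "__main__":
    result = explain_drop(HEX_DUMP, LOG_LINE)
    print(result["packet"])
    print("log matches packet:", result["log_matches_packet"])
    print(result["reason"])
```

Run as-is and the decoder shows the flag byte is 0x14, so the packet carries both RST and ACK, and that the five-tuple in the log line matches the bytes in the dump. The useful part of the output is the reason string: an Invalid_Traffic record with fw_rule_id=N/A tells you the packet never reached rule or NAT evaluation, which is why changing the firewall or NAT rule, as the thread found, does not help.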

  • I would recommend changing to VTI for Azure.


  • Thanks for the tip. I have switched and it is definitely way better! It solved all the problems.
