
DHCP Relay over Routing-Based IPsec in SFOS 18.0.1 not working

On an XG 135 with SFOS 18.0.1 the DHCP relay over a Routing-Based IPsec tunnel is not working.

System traffic over the IPsec is working. Firewall authentication on the Active Directory servers behind the same IPsec tunnel is working.
Those same Active Directory servers are also the DHCP servers.

DHCP packets are received by the LAN port (can be seen both on the packet capture and the TCPDUMP) but the traffic is not routed through the IPsec tunnel.
Packet capture reports "ACL 

Firewall rule allowing any/any to DHCP servers is in place.

DHCP service of the firewall is working and firewall is providing DHCP addresses.



  • DHCP Relay should not need a Firewall rule. 

    I remember that DHCP Relay is not supported for VTI, but I am not 100% sure. Read something about this. 

    Do you have multiple DHCP Relays configured on this Appliance? If you delete all except one, is it working? 

    Did you tick the option "relay on IPsec"? Please disable this option and try again. 



  • I have only one DHCP relay and I have tried both with activated "relay over IPsec" and without.

    If DHCP relay is not supported over routing-based IPsec that would be a major deficiency.

    Alexander Poettinger

    Sophos Certified Architect - XG
    Sophos Certified Technician - XG
    Sophos Certified Engineer - UTM

    xame gmbh
    Sophos Gold Partner

  • Depends on the setup. 

    You could easily switch to RED Site to Site and use this setup for DHCP Relay until this is supported. 

    Another question would be, which routing do you use, PBR or static? 


  • Static. Works much more reliably than SD-WAN.
    Especially if there is only one line and one IPsec and only a handful of networks.
    RED works with SSL VPN not IPsec.
    The routing-based VPN is far more efficient in that any change in routing does not need a restart of the VPN, while both policy-based IPsec and RED need a restart after any change.

    Alexander Poettinger


  • RED should interact like VTI from this perspective, as you do not have any routing information at all. You have a VTI (RED) and that's it. Routing will take place in the routing stack, so no restart should be needed to propagate new networks etc. 

    Policy based is correct, that's the old-fashioned way (Remote / Local network). 

    It depends on the performance and the bandwidth of both appliances. Most likely you cannot hit the hardware limitation with a RED tunnel. 

    To get back to this issue. XG has a flood prevention for DHCP Relay to avoid problems with "too many relays". It will try to reach the DHCP server several times; if no reply comes back, it stops and drops the DHCP requests for this DHCP server. 

    So the question is: do you see any DHCP relay requests outbound on the VTI if you use tcpdump on the xfrm interface? 

    Do you see any traffic on the other End? 

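As an added example (not from this thread or from Sophos), the check suggested above turned into a small script: it reads tcpdump-style lines from the LAN port and the xfrm interface and reports whether client DHCP requests arriving on the LAN side are actually relayed out through the VTI, and whether replies come back. The interface names Port1/xfrm1, the line format and the sample captures are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample output in the style of the SFOS console tcpdump (interface, direction,
# then a standard tcpdump line). Not captured from the appliance discussed in the thread.
BROKEN_RELAY = """\
12:00:01.000001 Port1, IN: IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300
12:00:01.000002 Port1, IN: IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:66, length 300
""".splitlines()

WORKING_RELAY = """\
12:00:02.000001 Port1, IN: IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300
12:00:02.000005 xfrm1, OUT: IP 192.0.2.1.67 > 198.51.100.10.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300
12:00:02.010000 xfrm1, IN: IP 198.51.100.10.67 > 192.0.2.1.67: BOOTP/DHCP, Reply, length 300
""".splitlines()

LINE_RE = re.compile(
    r"^\S+\s+(?P<iface>[^,]+),\s+(?P<dir>IN|OUT):\s+IP\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+BOOTP/DHCP"
)


def relay_status(lines, lan_iface="Port1", tunnel_iface="xfrm1"):
    """Return (counts, verdict) for DHCP traffic seen on the LAN port and the VTI."""
    # Clients broadcast 68 -> 67 on the LAN; a working relay forwards unicast 67 -> 67 out of the VTI.
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # non-DHCP or unparseable line
        f = m.groupdict()
        if f["iface"] == lan_iface and f["dir"] == "IN" and f["sport"] == "68" and f["dport"] == "67":
            counts["client_requests_in"] += 1
        elif f["iface"] == tunnel_iface and f["dir"] == "OUT" and f["dport"] == "67":
            counts["relayed_out"] += 1
        elif f["iface"] == tunnel_iface and f["dir"] == "IN" and f["sport"] == "67":
            counts["server_replies_in"] += 1
    if counts["client_requests_in"] and not counts["relayed_out"]:
        verdict = "relay_not_forwarding"  # the symptom in this thread: requests never leave the VTI
    elif counts["relayed_out"] and not counts["server_replies_in"]:
        verdict = "no_server_reply"  # after repeated attempts the relay's flood prevention gives up
    elif counts["relayed_out"]:
        verdict = "relay_working"
    else:
        verdict = "no_dhcp_seen"
    return dict(counts), verdict


if __name__ == "__main__":
    for name, capture in (("broken", BROKEN_RELAY), ("working", WORKING_RELAY)):
        print(name, relay_status(capture))
```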

  • Both with TCPDUMP and Packet Capture I can see only the incoming packets on port 68 UDP on the LAN port. No outgoing traffic. The packets are blocked by the firewall with an "ACL exception".

    Alexander Poettinger


  • Does your setup work with a RED Interface or not? Same configuration only switching the XFRM with a RED Interface? 


  • Cannot test so easily as the device is now in production. For the moment I have used a local DHCP server.

    Alexander Poettinger
