I have a site-to-site VPN (the XG is the server), and before the upgrade everything worked for a year.
After the upgrade, randomly (I think this happens at night, maybe due to some service restart?), the firewall does not use the tunnel to route the traffic.
The VPN works from the other site to this one; only from this site to the other does it stop working.
On the log page you can see this (192.168.1.x is the remote network):
After editing the config and saving (I think this reconnects the VPN), everything starts working again.
What can I do? Only wait for a fix? It is rather annoying that I have to fix this almost every day.
Thanks
What's the exact version of SFOS you are using? Can you send a screenshot?
What is at the other end of the tunnel?
With kind regards, best regards from Germany,
Philipp Rusch
New Vision GmbH, Germany, Sophos Silver Partner
If a post solves your question please use the 'Verify Answer' button.
Latest release: SFOS 19.0.1 MR-1-Build365
The other end is an ASUS router: RT-AC51U
On this firewall we have an IPsec site-to-site and various client SSL VPNs; all of this works without problems.
Already fixed the range for the new setting of the SSL VPN on v19.
Another note: the VPN works from the other site to this one; only from this site to the other does it stop working.
Could you share the IPsec config screenshot and the SD-WAN routing config screenshot? We will take a look at this issue and update on this soon.
As the subject says, it is the SSL VPN that is not working... IPsec works normally. No config was changed after the upgrade. The problem started immediately after the update. Editing and saving the SSL site-to-site config re-enabled the normal behaviour for some time.
On SD-WAN routing I have only a config for the Wi-Fi to use one gateway instead of the other.
But here:
I don't share an SSL VPN config screenshot because there is no particular setting in the GUI, only LAN names.
Here is the obfuscated config file for the SSL VPN:
{
  "server_address": ["88.x.x.x", "192.168.178.250", "192.3.3.250"],
  "authentication_algorithm": "SHA256",
  "password": "***",
  "key": "-----BEGIN RSA PRIVATE KEY-----\n***\n-----END RSA PRIVATE KEY-----",
  "server_dn": "C=IT, ST=NA, L=Capriolo, O=***, OU=OU, CN=***, emailAddress=***",
  "server_port": "8443",
  "username": "***",
  "encryption_algorithm": "AES-128-CBC",
  "protocol": "udp",
  "compression": "1",
  "ca_cert": "-----BEGIN CERTIFICATE-----\n***\n-----END CERTIFICATE-----",
  "certificate": "-----BEGIN CERTIFICATE-----\n***\n-----END CERTIFICATE-----"
}
In the non-working case, can you check whether the route for the remote network is installed on the XGS (through the route command on the shell)?
Hello Lorena,
Thank you for contacting the Sophos Community.
So after editing and saving the config, the issue got resolved; however, the issue reappears after a while. Is this what you mean?
If so, I would recommend you have a specific working computer with a static IP that can access the same destination IP, and when the issue starts happening again, test using the same computer and the same destination IP (as in the working scenario).
Once the issue is happening again, do a GUI packet capture to confirm which firewall rule the computer is using.
Regards,
emmosophos said: So after editing and saving the config, the issue got resolved; however, the issue reappears after a while. Is this what you mean?
Yes, exactly. Today it is not happening, so it is not on a daily basis... But after the update it has already happened 3 times.
You can already see in my screenshot which rules. And it is changing before and after the problem...
Did you mean a PCAP capture?
This is the working one:
Here we are when it doesn't work:
Disconnecting from the other end works for a little time (15/30 minutes).
Editing and saving the config seems to work for a long time.
Thank you for the update.
I would recommend you get a case created with Support for tracking the issue.
Next time this happens, can you do a drop-packet-capture on the CLI of the Sophos Firewall?
https://support.sophos.com/support/s/article/KB-000036858?language=en_US
drop-packet-capture: no packet dropped. Tried drop-packet-capture 'dst host 192.168.1.1', drop-packet-capture 'src host 192.3.3.150' and drop-packet-capture 'net 19.168.1'... With drop-packet-capture 'net 192.3.3' I can see logs for other traffic.
I can confirm the problem is the route.
When it works:
XG86_AM01_SFOS 19.0.1 MR-1-Build365# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.50.0       *               255.255.255.0   U     0      0        0 Port1.20
10.81.234.0     *               255.255.255.0   U     0      0        0 tun0
10.255.0.0      *               255.255.255.0   U     0      0        0 GuestAP
81.174.0.21     *               255.255.255.255 UH    0      0        0 Port2_ppp
192.3.3.0       *               255.255.255.0   U     0      0        0 Port1
192.168.1.0     10.81.234.1     255.255.255.0   UG    0      0        0 tun0
192.168.33.0    *               255.255.255.0   U     0      0        0 Port1.10
192.168.120.0   *               255.255.255.0   U     0      0        0 Port1.40
192.168.150.0   *               255.255.255.0   U     0      0        0 Port1.30
192.168.178.0   *               255.255.255.0   U     0      0        0 Port3
When it does not work:
XG86_AM01_SFOS 19.0.1 MR-1-Build365# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.50.0       *               255.255.255.0   U     0      0        0 Port1.20
10.81.234.0     *               255.255.255.0   U     0      0        0 tun0
10.255.0.0      *               255.255.255.0   U     0      0        0 GuestAP
81.174.0.21     *               255.255.255.255 UH    0      0        0 Port2_ppp
192.3.3.0       *               255.255.255.0   U     0      0        0 Port1
192.168.33.0    *               255.255.255.0   U     0      0        0 Port1.10
192.168.120.0   *               255.255.255.0   U     0      0        0 Port1.40
192.168.150.0   *               255.255.255.0   U     0      0        0 Port1.30
192.168.178.0   *               255.255.255.0   U     0      0        0 Port3
As I said, traffic from the other side works just fine... so the tunnel is connected.
Disconnecting from the other side... works for a little time (less than 10 min).
Only editing and saving the configuration works for a long time (sometimes even 3/4 days). Maybe it is due to less or no traffic from the other side that triggers the fault. I can't understand why reconnecting from the other side works for a little time, though.
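The two route snapshots above differ only in the missing 192.168.1.0/24 entry via 10.81.234.1 on tun0, which is exactly what the "check whether the route is installed" advice earlier in the thread is looking for. The script below is an added example, not from the thread or from Sophos: it parses Linux-style `route` output as pasted here, checks that the remote network is reachable over the tunnel interface, and diffs two snapshots so a missing tunnel route is reported rather than eyeballed. The embedded route tables are copied from the two snapshots in the post above; the remote network (192.168.1.0/24) and tunnel interface (tun0) are taken from the thread, everything else (function names, how you would feed it live output) is an assumption.

```python
"""Check a Sophos Firewall (SFOS) `route` dump for a site-to-site tunnel route.

Added example, not code from the thread. Sample tables are copied from the
working and non-working snapshots posted in the thread; note the pasted
output has no default route line, so an address matching no entry is
reported as "no specific route" rather than resolved to a default gateway.
"""

import ipaddress
from typing import Dict, Optional, Tuple

Net = ipaddress.IPv4Network
RouteTable = Dict[Net, Tuple[Optional[str], str]]  # network -> (gateway or None, iface)

# Constructed sample: the route table while the tunnel routes traffic.
ROUTE_WORKING = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.50.0       *               255.255.255.0   U     0      0        0 Port1.20
10.81.234.0     *               255.255.255.0   U     0      0        0 tun0
10.255.0.0      *               255.255.255.0   U     0      0        0 GuestAP
81.174.0.21     *               255.255.255.255 UH    0      0        0 Port2_ppp
192.3.3.0       *               255.255.255.0   U     0      0        0 Port1
192.168.1.0     10.81.234.1     255.255.255.0   UG    0      0        0 tun0
192.168.33.0    *               255.255.255.0   U     0      0        0 Port1.10
192.168.120.0   *               255.255.255.0   U     0      0        0 Port1.40
192.168.150.0   *               255.255.255.0   U     0      0        0 Port1.30
192.168.178.0   *               255.255.255.0   U     0      0        0 Port3
"""

# Constructed sample: the failing snapshot is identical except that the
# 192.168.1.0/24 entry over tun0 is gone, so derive it from the working one.
ROUTE_BROKEN = "\n".join(
    line for line in ROUTE_WORKING.splitlines() if not line.startswith("192.168.1.0 ")
) + "\n"


def parse_route_table(text: str) -> RouteTable:
    """Parse `route` (net-tools) output into {network: (gateway, iface)}."""
    routes: RouteTable = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip the "Kernel IP routing table" banner and the column header.
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue
        dest, gateway, genmask, iface = parts[0], parts[1], parts[2], parts[-1]
        net = ipaddress.IPv4Network(f"{dest}/{genmask}", strict=False)
        routes[net] = (None if gateway == "*" else gateway, iface)
    return routes


def lookup(routes: RouteTable, ip: str) -> Optional[Tuple[Net, Optional[str], str]]:
    """Longest-prefix match for a single destination address, or None."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for net, (gateway, iface) in routes.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return best


def tunnel_route_ok(routes: RouteTable, remote_net: str, tunnel_if: str) -> bool:
    """True when remote_net is routed out of the tunnel interface."""
    entry = routes.get(ipaddress.IPv4Network(remote_net))
    return entry is not None and entry[1] == tunnel_if


def diff_routes(before: RouteTable, after: RouteTable) -> Tuple[RouteTable, RouteTable]:
    """Return (routes missing from `after`, routes newly present in `after`)."""
    missing = {net: before[net] for net in before if net not in after}
    added = {net: after[net] for net in after if net not in before}
    return missing, added


if __name__ == "__main__":
    good, bad = parse_route_table(ROUTE_WORKING), parse_route_table(ROUTE_BROKEN)
    for label, table in (("working", good), ("broken", bad)):
        print(label, "tun0 route for 192.168.1.0/24:", tunnel_route_ok(table, "192.168.1.0/24", "tun0"))
        print(label, "lookup 192.168.1.1:", lookup(table, "192.168.1.1"))
    missing, added = diff_routes(good, bad)
    print("missing in broken snapshot:", {str(k): v for k, v in missing.items()})
    print("added in broken snapshot:", {str(k): v for k, v in added.items()})
```

To use it against a live box you would capture `route` output from the advanced shell into a file at a known-good time and again when the symptom appears, then feed the two captures to `parse_route_table` and `diff_routes`; a 192.168.1.0/24 entry that is present in the first and absent in the second confirms the route, not the firewall rule or the tunnel itself, is what disappears, matching the two snapshots in the post.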