
XG86 Random Issue on SSL Site to Site VPN after upgrade to 19

I have a Site to Site VPN (the XG is the server) and before the upgrade everything worked for a year.

After the upgrade, randomly (I think this happens at night, maybe due to some service restart?) the firewall does not use the tunnel to route the traffic.

The VPN works from the other site to this one; only this one to the other stops working.

On the log page you can see this (192.168.1.x is the remote network):

After editing the config and saving (I think this reconnects the VPN) everything starts working again.

What can I do? Only wait for a fix? It is rather annoying that almost every day I have to fix this.

Thanks



  • Hello Lorena,

    Thank you for contacting the Sophos Community.

    So after editing and saving the config, the issue got resolved; however, the issue re-appears after a while. Is this what you mean?

    If so, I would recommend you have a specific working computer with a static IP, that can access the same destination IP, and when the issue starts happening again, test using the same computer and same destination IP (as in the working scenario).

    Once the issue is happening again, do a GUI Packet Capture to confirm which Firewall Rule the computer is using.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • So after editing and saving the config, the issue got resolved; however, the issue re-appears after a while. Is this what you mean?

    Yes, exactly. Today it is not happening, so it is not on a daily basis... But after the update it has happened already 3 times.

    You can already see on my screen which rules... And it is changing before and after the problem...

    Did you mean a PCAP capture?

    This is the working one:

  • Here we are when it doesn't work:

    Disconnecting from the other end works for a little time (15/30 minutes).

    Editing and saving the config seems to work for a long time.

  • Hello Lorena,

    Thank you for the update.

    I would recommend you get a case created with Support for tracking the issue.

    Next time this happens, can you do a drop-packet-capture on the CLI of the Sophos Firewall?

    https://support.sophos.com/support/s/article/KB-000036858?language=en_US

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • drop-packet-capture shows no packets dropped. I tried drop-packet-capture 'dst host 192.168.1.1', drop-packet-capture 'src host 192.3.3.150' and drop-packet-capture 'net 19.168.1'... With drop-packet-capture 'net 192.3.3' I can see logs for other traffic.


    I can confirm the problem is the route.
    When it works:

    XG86_AM01_SFOS 19.0.1 MR-1-Build365# route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.0.50.0       *               255.255.255.0   U     0      0        0 Port1.20
    10.81.234.0     *               255.255.255.0   U     0      0        0 tun0
    10.255.0.0      *               255.255.255.0   U     0      0        0 GuestAP
    81.174.0.21     *               255.255.255.255 UH    0      0        0 Port2_ppp
    192.3.3.0       *               255.255.255.0   U     0      0        0 Port1
    192.168.1.0     10.81.234.1     255.255.255.0   UG    0      0        0 tun0
    192.168.33.0    *               255.255.255.0   U     0      0        0 Port1.10
    192.168.120.0   *               255.255.255.0   U     0      0        0 Port1.40
    192.168.150.0   *               255.255.255.0   U     0      0        0 Port1.30
    192.168.178.0   *               255.255.255.0   U     0      0        0 Port3


    When it does not work:
    XG86_AM01_SFOS 19.0.1 MR-1-Build365# route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.0.50.0       *               255.255.255.0   U     0      0        0 Port1.20
    10.81.234.0     *               255.255.255.0   U     0      0        0 tun0
    10.255.0.0      *               255.255.255.0   U     0      0        0 GuestAP
    81.174.0.21     *               255.255.255.255 UH    0      0        0 Port2_ppp
    192.3.3.0       *               255.255.255.0   U     0      0        0 Port1
    192.168.33.0    *               255.255.255.0   U     0      0        0 Port1.10
    192.168.120.0   *               255.255.255.0   U     0      0        0 Port1.40
    192.168.150.0   *               255.255.255.0   U     0      0        0 Port1.30
    192.168.178.0   *               255.255.255.0   U     0      0        0 Port3


    The 192.168.1.1 route is missing.

    As I said, traffic from the other side works just fine... so the tunnel is connected.
    Disconnecting from the other side... works for a little time (less than 10 min).
    Only editing and saving the configuration works for a long time (sometimes even 3/4 days... Maybe it is due to less or no traffic from the other side that triggers the fault. I can't understand why reconnecting from the other side works for a little time, though).
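An added example, written for this thread and not code from the poster or from Sophos: it parses the plain-text `route` output in the format pasted above and checks whether the remote network is still routed over the tunnel interface, so the missing-route condition can be alerted on instead of being discovered when traffic fails. The two sample snapshots are abridged copies of the working and broken tables from the post; the remote network (192.168.1.0/24) and the tunnel interface name (tun0) are taken from the same output and passed in as parameters, so the same check works for any other site-to-site route.

```python
"""Detect a missing site-to-site VPN route in net-tools `route` output.

Added example (not from the thread or from Sophos). Assumptions: the classic
`route` column layout shown in the thread, remote network 192.168.1.0/24 and
tunnel interface tun0 as in the poster's output.
"""
import ipaddress
from typing import Dict, List, Optional

# Column names of classic net-tools `route` output (the layout in the thread).
HEADER = ("Destination", "Gateway", "Genmask", "Flags", "Metric", "Ref", "Use", "Iface")

# Constructed sample input: abridged copies of the two snapshots from the thread.
WORKING = """\
XG86_AM01_SFOS 19.0.1 MR-1-Build365# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.50.0       *               255.255.255.0   U     0      0        0 Port1.20
10.81.234.0     *               255.255.255.0   U     0      0        0 tun0
81.174.0.21     *               255.255.255.255 UH    0      0        0 Port2_ppp
192.3.3.0       *               255.255.255.0   U     0      0        0 Port1
192.168.1.0     10.81.234.1     255.255.255.0   UG    0      0        0 tun0
192.168.33.0    *               255.255.255.0   U     0      0        0 Port1.10
"""
BROKEN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.50.0       *               255.255.255.0   U     0      0        0 Port1.20
10.81.234.0     *               255.255.255.0   U     0      0        0 tun0
81.174.0.21     *               255.255.255.255 UH    0      0        0 Port2_ppp
192.3.3.0       *               255.255.255.0   U     0      0        0 Port1
192.168.33.0    *               255.255.255.0   U     0      0        0 Port1.10
"""


def parse_route_table(text: str) -> List[Dict[str, str]]:
    """Parse `route` output into one dict per routing entry, keyed by HEADER."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the shell prompt, the banner, blank lines and the header row.
        if len(fields) != len(HEADER) or fields[0] == "Destination":
            continue
        routes.append(dict(zip(HEADER, fields)))
    return routes


def _as_network(entry: Dict[str, str]) -> Optional[ipaddress.IPv4Network]:
    """Combine Destination and Genmask into a network; None for 'default' etc."""
    try:
        return ipaddress.ip_network(f"{entry['Destination']}/{entry['Genmask']}")
    except ValueError:
        return None


def find_route(routes: List[Dict[str, str]], network: str) -> Optional[Dict[str, str]]:
    """Return the entry whose Destination/Genmask equals `network` (CIDR), or None."""
    wanted = ipaddress.ip_network(network)
    for entry in routes:
        if _as_network(entry) == wanted:
            return entry
    return None


def vpn_route_ok(text: str, remote_network: str, tunnel_iface: str) -> bool:
    """True if remote_network is routed via tunnel_iface through a gateway (G flag)."""
    entry = find_route(parse_route_table(text), remote_network)
    return entry is not None and entry["Iface"] == tunnel_iface and "G" in entry["Flags"]


def missing_routes(working: str, broken: str) -> List[str]:
    """Networks (CIDR) present in the working snapshot but absent from the broken one."""
    def nets(text: str) -> set:
        return {str(n) for n in map(_as_network, parse_route_table(text)) if n is not None}
    return sorted(nets(working) - nets(broken))


if __name__ == "__main__":
    import sys
    # Feed live `route` output on stdin; falls back to the broken sample otherwise.
    text = sys.stdin.read() if not sys.stdin.isatty() else BROKEN
    ok = vpn_route_ok(text, "192.168.1.0/24", "tun0")
    print("VPN route OK" if ok else "ALERT: route to 192.168.1.0/24 via tun0 is missing")
    print("missing compared with the working snapshot:", missing_routes(WORKING, text))
    sys.exit(0 if ok else 1)
```

Run it from a monitoring host against `route` output collected over SSH; a non-zero exit status is the signal to raise an alert (or to trigger the config save the poster uses as a workaround) rather than waiting for users to report the outage.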

  • This looks similar to an issue which has been fixed in later versions.

  • You have other info on this fixed issue?

  • It was fixed as part of Jira id NC-98574. The fix will be available in 19.5 EAP1 release onwards and upcoming 19.0 MR2 release.

  • This means the fix is already included in the v19.5 GA release which is available now.