
VPN Site to site no ping on one way


I've deployed a site-to-site SSL VPN between two XGS (HO Server and BO Client)

HO network is and BO network is
I'm able to ping from BO to HO but not the opposite.

The packet capture says IP_Spoof - Violation and the routes are the following.

I'm missing something and I would appreciate it if someone could give me some advice.


  • Hello there,

    Thank you for contacting the Sophos Community.

    Can you share a screenshot of your DoS & Spoof protection (Protect > Intrusion Prevention > DoS & Spoof Protection)?

    And is there any reason you are using an SSL tunnel instead of IPsec?


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi,

    I'm using SSL VPN to be ready for the future implementation of ACLs for every single user.

  • Hi: Based on the "route -n" output on XGS87w I can see is reflected twice, via tun0 and tun21. This means XGS87w, which is acting as the SSL VPN client (for SSL site-to-site), has reachability to the same network via 2 tunnel interfaces. Because of that, inbound and outbound traffic is probably being marked via different tunnel interfaces, and the traffic is getting flagged as "IP_Spoof".

    This can only happen if both of the XGS units that are part of the SSL site-to-site tunnel have the same "Assign IPv4 addresses" network settings inside the SSL VPN settings.

    i.e. XGS87w has assigned an IP pool from network via tun0.

    And when you make this XGS87w an SSL VPN client by adding an SSL VPN Server file (the file of XGS107w), it has added the same network route via tun21, as XGS107w has the same network in its SSL VPN Assigned IP pool settings.

    So changing the network on either XGS end (preferably the one where no users, or fewer users, are using Sophos SSL VPN remote access) will avoid the duplication in the tun network settings and will fix the issue.


    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
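As an added illustration of the diagnosis above (example code, not from the thread or from Sophos), this Python script parses a constructed `route -n` listing from the client-side XGS, flags any network learned via more than one tun interface, and checks whether the two peers' "Assign IPv4 addresses" pools overlap. The interface names, the sample addresses and the 10.81.234.0/24 pool are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `route -n` output on the SSL VPN client firewall
# (not captured from the thread): the same network is reachable via tun0
# (its own remote-access pool) and tun21 (the site-to-site client tunnel),
# which is the condition that produces the IP_Spoof drops.
SAMPLE_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 Port2
10.81.234.0     0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.81.234.0     0.0.0.0         255.255.255.0   U     0      0        0 tun21
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 Port1
192.168.20.0    10.81.234.5     255.255.255.0   UG    0      0        0 tun21
"""


def parse_route_n(text):
    """Return a list of (network, iface) tuples from `route -n` output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the title and header lines; data lines start with a dotted quad.
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue
        dest, mask, iface = parts[0], parts[2], parts[7]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, iface))
    return routes


def find_duplicate_tunnel_routes(routes):
    """Map each network that is reachable via more than one tun interface
    to the sorted list of those interfaces (empty dict means no conflict)."""
    by_net = defaultdict(set)
    for net, iface in routes:
        if iface.startswith("tun"):
            by_net[net].add(iface)
    return {str(n): sorted(i) for n, i in by_net.items() if len(i) > 1}


def pools_overlap(server_pool, client_pool):
    """True if the server's and client's SSL VPN address pools overlap,
    which is the root cause described in the thread."""
    return ipaddress.ip_network(server_pool).overlaps(ipaddress.ip_network(client_pool))


if __name__ == "__main__":
    routes = parse_route_n(SAMPLE_ROUTE_N)
    print("duplicate tunnel routes:", find_duplicate_tunnel_routes(routes))
    print("pools overlap:", pools_overlap("10.81.234.0/24", "10.81.234.0/24"))
```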