
Veeam B&R 12 issue

Hi all,

Upgraded customers' Veeam Backup and Replication to version 12, and started seeing these on the backup copy jobs for the remote repositories:

03-04-2023 14:29:31 :: Processing  Error: An unknown error occurred while processing the certificate

Solved it with this

1) Created FW rule for just the backup server - duplicate to the normal LAN --> WAN rule.

(1) SSL/TLS Inspection is blocking Veeam Backup Agent - Discussions - Sophos Firewall - Sophos Community

Ran the command:

set ips ac_atp exception fwrules 31

And this command made everything work.

With Veeam B&R 11 there were no issues.

Is this a bug?



  • Is that a copy job to a cloud archive? I'd say you don't need the ac_atp exception.
    Can you post the web filtering and IPS settings of your FW rule, and also the logs showing the packets in logviewer in detailed view?

    I suspect there is something still blocked by IPS or scanned by TLS/DPI inspection; you need to add the destination domain to the local TLS exclusion group.

    Did you follow those guides and build FW rules for all of those targets and ports, with FW rules that allow the traffic without TLS inspection?

    https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120#wan-accelerator

  • There are no alerts - it's always been working.

    I already have SSL exclusions in place, and also made an IP Exception for ALL functions for the source IP.

    All that fixed it was disabling SSL/DPI completely, which is not a fix. Then I ran the command above and it worked. Think there is something with Veeam 12 and the new traffic. Got another Sophos customer upgraded to Veeam 12 today, the same issue occurred.

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

  • It's probably not blocked; you don't need to search for blocks. Traffic is most likely just being scanned and decrypted by the TLS DPI engine, and the program does not trust your firewall's decrypting CA.

    https://www.veeam.com/kb4328
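
Added example, not part of the thread or of any Sophos or Veeam tooling: one way to test the diagnosis in the last reply is to compare the leaf certificate the backup server actually receives with a SHA-256 fingerprint recorded on a path that does not pass through the firewall's TLS inspection. Host, port and reference fingerprint are supplied by the reader, and the function names are hypothetical.

```python
import hashlib
import socket
import ssl
import sys


def fetch_leaf_der(host, port, timeout=5.0):
    """Return the leaf certificate the peer presents, as DER bytes.

    Validation is switched off on purpose: the goal is to see what is
    presented even when the chain ends in a CA this machine does not
    trust. Diagnostic use only, never for real traffic.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def normalize_fp(text):
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; return lowercase hex."""
    fp = text.strip().replace(":", "").replace(" ", "").lower()
    if len(fp) != 64 or any(c not in "0123456789abcdef" for c in fp):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return fp


def check_interception(observed_der, reference_fp):
    """Compare the observed leaf certificate with the reference fingerprint."""
    observed = hashlib.sha256(observed_der).hexdigest()
    if observed == normalize_fp(reference_fp):
        return "match", observed
    return "differs", observed


if __name__ == "__main__":
    # usage: script.py <host> <port> <reference-sha256>
    host, port, ref = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    verdict, seen = check_interception(fetch_leaf_der(host, port), ref)
    print(f"{host}:{port} presented {seen}: {verdict}")
    if verdict == "differs":
        print("Leaf differs from reference: the connection is probably "
              "being decrypted and re-signed on the way.")
```

A "differs" result can also mean the server rotated its certificate or serves different certificates per node, so take the reference fingerprint again before concluding that the firewall is re-signing the traffic.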
