
Trying to connect an OpenVPN connection to a third-party server

Hi Guys, 

We have a network with multiple sites. All the sites are connected via IKEv2 tunnel to our Sophos XG330 (via Lancom routers).

At each site we have a device running which is trying to connect (via OpenVPN tunnel, UDP port 1194) to a third-party server (external IP address).

But for some reason the connection won't work. If only one device is connected, the tunnel runs fine. As soon as I connect a second device, traffic stops working. It sometimes seems to be connected for a few minutes, but then it's gone again.

I have checked all my rules on the XG. If I run the policy tester, everything is fine.

I already checked with Sophos Support, but that did not help a lot.

Their conclusion from the logs was:

Our XG is receiving answer packets from the third-party server that our XG never sent out (packets with unknown ports) -> so the packets get dropped.



  • Example: 

    WAN IP XG: 22.33.44.55

    Third party Server IP: 199.199.199.199

    Internal network device: 10.5.5.100



    15:15:44.149254 xfrm88, IN: In ethertype IPv4 (0x0800), length 186: 10.5.5.100.1194 > 199.199.199.199.1194: UDP, length 142

    15:15:44.149256 Port2, OUT: Out c8:4f:86:fc:00:05 ethertype IPv4 (0x0800), length 186: 22.33.44.55.22010 > 199.199.199.199.1194: UDP, length 142

    15:15:44.153991 Port2, IN: In 2c:23:3a:8a:c2:20 ethertype IPv4 (0x0800), length 94: 199.199.199.199.1194 > 22.33.44.55.22010: UDP, length 50

    15:15:44.154005 xfrm88, OUT: Out ethertype IPv4 (0x0800), length 94: 199.199.199.199.1194 > 10.5.5.100.1194: UDP, length 50

    Port2, IN: In 2c:2xxxxxx:20 ethertype IPv4 (0x0800), length 97: 199.199.199.199.1194 > 22.33.44.55.24834: UDP, length 53

    Port2, IN: In 2c:xxxxxxx:20 ethertype IPv4 (0x0800), length 97: 199.199.199.199.1194 > 22.33.44.55.24834: UDP, length 53

    So that means: the XG receives answers with random ports and drops them.

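The capture in the reply above can be checked mechanically rather than by eye: rebuild the source-NAT table from the tunnel-side/WAN-side packet pairs, then test every inbound WAN packet against it. The script below is an added example written for this page, not code from the thread or from Sophos. The sample capture is constructed from the reply's own lines (placeholder addresses, two lines without timestamps and with redacted MACs, as posted), and pairing an xfrm IN packet with the next WAN OUT packet by destination and payload length is an assumption of the example, not how SFOS records connection state internally.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample capture, copied in shape from the tcpdump lines in the reply
# above (placeholder addresses; two lines there have no timestamp and a redacted MAC).
SAMPLE_CAPTURE = """\
15:15:44.149254 xfrm88, IN: In ethertype IPv4 (0x0800), length 186: 10.5.5.100.1194 > 199.199.199.199.1194: UDP, length 142
15:15:44.149256 Port2, OUT: Out c8:4f:86:fc:00:05 ethertype IPv4 (0x0800), length 186: 22.33.44.55.22010 > 199.199.199.199.1194: UDP, length 142
15:15:44.153991 Port2, IN: In 2c:23:3a:8a:c2:20 ethertype IPv4 (0x0800), length 94: 199.199.199.199.1194 > 22.33.44.55.22010: UDP, length 50
15:15:44.154005 xfrm88, OUT: Out ethertype IPv4 (0x0800), length 94: 199.199.199.199.1194 > 10.5.5.100.1194: UDP, length 50
Port2, IN: In 2c:2xxxxxx:20 ethertype IPv4 (0x0800), length 97: 199.199.199.199.1194 > 22.33.44.55.24834: UDP, length 53
Port2, IN: In 2c:xxxxxxx:20 ethertype IPv4 (0x0800), length 97: 199.199.199.199.1194 > 22.33.44.55.24834: UDP, length 53
"""

# One UDP line of the XG's "tcpdump -e"-style output; timestamp and MAC are optional.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+)?"
    r"(?P<iface>[^,\s]+),\s+(?P<dir>IN|OUT):.*?length\s+\d+:\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+UDP,\s+length\s+(?P<plen>\d+)"
)


@dataclass(frozen=True)
class Packet:
    ts: Optional[str]
    iface: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    payload_len: int


def parse_line(line: str) -> Optional[Packet]:
    """Return a Packet for a UDP capture line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Packet(m["ts"], m["iface"], m["dir"], m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), int(m["plen"]))


def analyze(capture: str, wan_ip: str):
    """Rebuild the SNAT mappings the firewall created and classify inbound WAN packets.

    Heuristic (an assumption of this example): a packet entering from an xfrm (IPsec)
    interface and the next OUT packet on the WAN with the same destination and payload
    length are the same datagram before and after source NAT.
    """
    nat = {}        # translated WAN source port -> (internal ip, internal port)
    pending = None  # last tunnel-side packet waiting for its NATed twin on the WAN
    verdicts = []   # (verdict, WAN dst port, internal endpoint or None)
    for pkt in filter(None, map(parse_line, capture.splitlines())):
        if pkt.iface.startswith("xfrm") and pkt.direction == "IN":
            pending = pkt
        elif pkt.direction == "OUT" and pkt.src == wan_ip:
            if (pending and pending.dst == pkt.dst and pending.dport == pkt.dport
                    and pending.payload_len == pkt.payload_len):
                nat[pkt.sport] = (pending.src, pending.sport)
            pending = None
        elif pkt.direction == "IN" and pkt.dst == wan_ip:
            inner = nat.get(pkt.dport)
            # A stateful firewall only admits a reply whose 5-tuple matches state it
            # created on the way out; anything else is unsolicited and is dropped.
            verdicts.append(("FORWARD" if inner else "DROP_NO_STATE", pkt.dport, inner))
    return nat, verdicts


def unsolicited_ports(capture: str, wan_ip: str):
    """WAN destination ports that received packets with no matching NAT mapping."""
    _, verdicts = analyze(capture, wan_ip)
    return sorted({port for verdict, port, _ in verdicts if verdict == "DROP_NO_STATE"})


if __name__ == "__main__":
    mappings, verdicts = analyze(SAMPLE_CAPTURE, "22.33.44.55")
    for port, (ip, iport) in mappings.items():
        print(f"SNAT  {ip}:{iport} -> 22.33.44.55:{port}")
    for verdict, port, inner in verdicts:
        print(f"{verdict:14} dst port {port}  internal={inner}")
```

On the sample, the reply to port 22010 maps back to 10.5.5.100:1194 and is forwarded into the tunnel, while the two packets to 24834 match no mapping, which is the drop Sophos support described. When reproducing this on the XG, capture on the xfrm interface of the second site's tunnel and on the WAN at the same time, so that the port the second device was translated to shows up in the rebuilt table instead of only as an unexplained inbound port.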