Sophos Site to Site IPSEC Conection with Selectet Clients

Hi Roger Domig

Please verify the traffic is forwarding over ipsec vpn with Packet capture with destination IP 

host <desintaiton IP > and proto ICMP under  MONITOR & ANALYZE | Diagnostics | Packet Capture 

Create test firewall rule from VPN to LAN and LAN to VPN and keep the rules on TOP for troubleshoot

From CLI run 

console>dr 'host <destination IP> 

console>tcpdump 'host <destination IP> 

Regards

Hello Bharat,

After creating a firewall rule on both sides that allowed all VPN to LAN and vice versa, it worked.

I then applied it to the automatically created firewall rule from the Site-to-Site VPN so only the clients had access through this rule.

But could you explain why it didn't work when I had the firewall rule set from Any to Any Zone?

Just have few queries

May I know the current firmware version for the firewall, which firmware have you gone through till now?

How many firewall rules and NAT rules shows 0 counters ? Are those needed?

Turn off(for troubleshoot) the firewall rule you have created and check what you see on packet capture and dr command share what you gets ?

Regards

We are currently on version 19.5.1.

On my firewall, there are 10 firewall rules and 26 NAT rules. Of those, 6 of them have a count of 0.

The remote firewall is on version 19.5.2.

There are 20 firewall rules and 26 NAT rules. Of those, 11 of them have a count of 0.

Output from "tcpdump 'host <destination IP>"

no output from "dr 'host <destination IP>"

Packet capture output whe executing a ping:

Its funny the VPN dos not work

Roger Domig said:

After creating a firewall rule on both sides that allowed all VPN to LAN and vice versa, it worked.

It only works when i have The Packetcapture or tcpdump on otherwise the ping wont go threw.

Still verry confused on why it behaves like this.

We are currently on version 19.5.1.

On my firewall, there are 10 firewall rules and 26 NAT rules. Of those, 6 of them have a count of 0.

The remote firewall is on version 19.5.2.

There are 20 firewall rules and 26 NAT rules. Of those, 11 of them have a count of 0.

Output from "tcpdump 'host <destination IP>"

no output from "dr 'host <destination IP>"

Packet capture output whe executing a ping:

Its funny the VPN dos not work

Roger Domig said:

After creating a firewall rule on both sides that allowed all VPN to LAN and vice versa, it worked.

It only works when i have The Packetcapture or tcpdump on otherwise the ping wont go threw.

Still verry confused on why it behaves like this.

Based on last update it seems Fast path / DPI creating some problem. To be more sure can you confirm are you getting consistent PING result without drop all the time with below test scenario:

1) PING result when you disable  firewall-acceleration, 

2) PING result when firewall-acceleration is on but tcpdump command running during PING  on XG CLI or UI.

3) PING result with firewall-acceleration is on and IPS service off

If all above 3 giving proper result for PING for multiple test then there is some issue with fast path and DPI and this may required further investigation with support case

1) Ping gos Threw succsefully

2) Ping gos Threw succsefully

3)Just One??

I would suggest you check with the latest firmware 19.5 MR4 version available 

Refer Link :  Sophos Firewall: MSS Clamping and IPsec Acceleration

 Sophos Firewall OS v19.5 MR4 is Now Available  

Regards

We will attempt to update the firewall to SFOS 20.0.0 GA-Build222. Hopefully, this will resolve the issue. Otherwise, hardware acceleration will be disabled because the load on the firewall is not very high.

First update with 19.5MR4 check everything is working back as expected monitor for some time then update with v20 

Please share the XGS model number