
Sophos Site-to-Site IPsec Connection with Selected Clients

Hello dear Sophos Forum,

I have set up a Site-to-Site VPN connection between a NAS and 2 ESXi servers with a Sophos XGS.

Setting up the connection was no problem, but I still can't reach the ESXi servers from the NAS, even though every port is allowed.

For testing purposes, I added my PC to the mix.

As you can see, the connections are fine. (Sorry for the excessive blurring.)

But when I ping an ESXi host from my PC, I only sometimes get an answer.

Am I missing something in the settings?

Help is welcome.

Roger Domig



This thread was automatically locked due to age.
  • Hi Roger Domig

    Please verify that the traffic is being forwarded over the IPsec VPN with a packet capture filtered on the destination IP:

    host <destination IP> and proto ICMP under MONITOR & ANALYZE | Diagnostics | Packet Capture

    Create test firewall rules from VPN to LAN and from LAN to VPN and keep the rules at the top for troubleshooting.

    From the CLI run:

    console> dr 'host <destination IP>'

    console> tcpdump 'host <destination IP>'

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hello Bharat,

    After creating a firewall rule on both sides that allowed all VPN to LAN and vice versa, it worked.

    I then applied it to the automatically created firewall rule from the Site-to-Site VPN so only the clients had access through this rule.

    But could you explain why it didn't work when I had the firewall rule set from Any to Any Zone?

  • Just have a few queries.

    May I know the current firmware version of the firewall, and which firmware versions have you gone through till now?

    How many firewall rules and NAT rules show 0 counters? Are those needed?

    Turn off (for troubleshooting) the firewall rule you have created, check what you see in the packet capture and the dr command, and share what you get.

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • We are currently on version 19.5.1.

    On my firewall, there are 10 firewall rules and 26 NAT rules. Of those, 6 of them have a count of 0.

    The remote firewall is on version 19.5.2.

    There are 20 firewall rules and 26 NAT rules. Of those, 11 of them have a count of 0.

    Output from "tcpdump 'host <destination IP>'":

    No output from "dr 'host <destination IP>'".

    Packet capture output when executing a ping:

    It's funny, the VPN does not work.

    After creating a firewall rule on both sides that allowed all VPN to LAN and vice versa, it worked.

    It only works when I have the packet capture or tcpdump on; otherwise the ping won't go through.

    Still very confused about why it behaves like this.

  • Based on the last update it seems fast path / DPI is creating some problem. To be more sure, can you confirm whether you are getting a consistent PING result without drops all the time in the test scenarios below:

    1) PING result when you disable firewall-acceleration,

    2) PING result when firewall-acceleration is on but the tcpdump command is running during the PING on the XG CLI or UI,

    3) PING result with firewall-acceleration on and the IPS service off.

    If all 3 of the above give a proper PING result over multiple tests, then there is some issue with fast path and DPI, and this may require further investigation with a support case.

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.
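The three scenarios above are a manual A/B test: the same ping burst repeated with firewall acceleration on or off, with or without a running tcpdump, and with IPS on or off, looking for a run that drops packets only some of the time. The script below, added here as an example and not part of the thread or any Sophos tooling, automates the measuring half of that test: it sends a fixed ping burst per scenario, parses the loss percentage from the ping summary line, and classifies each run as "ok", "partial" (the intermittent behaviour the original poster describes) or "dead". The operator still toggles acceleration and IPS on the Sophos CLI between runs; the CLI commands in the prompts are assumptions to be checked against your SFOS version's CLI help, and the target address and the embedded ping output are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original thread). Measures ping loss for each of
# the three troubleshooting scenarios so the results can be compared side by side.

# Constructed sample of iputils ping output, used for the offline demo only.
SAMPLE_PING_OUTPUT="PING 10.0.0.5 (10.0.0.5) 56(84) bytes of data.
64 bytes from 10.0.0.5: icmp_seq=1 ttl=64 time=0.812 ms
64 bytes from 10.0.0.5: icmp_seq=3 ttl=64 time=0.790 ms

--- 10.0.0.5 ping statistics ---
20 packets transmitted, 17 received, 15% packet loss, time 19034ms
rtt min/avg/max/mdev = 0.611/0.812/1.204/0.176 ms"

# loss_pct OUTPUT: print the integer packet-loss percentage from a ping summary.
# Works for Linux iputils ("15% packet loss") and BSD/macOS ("15.0% packet loss").
loss_pct() {
    printf '%s\n' "$1" | awk '/packet loss/ {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /%/) { sub(/%.*/, "", $i); printf "%d\n", $i + 0; exit }
        }
    }'
}

# classify LOSS: "ok" = no loss, "partial" = intermittent replies, "dead" = no replies.
classify() {
    if [ "$1" -eq 0 ]; then echo ok
    elif [ "$1" -lt 100 ]; then echo partial
    else echo dead
    fi
}

# ping_burst TARGET [COUNT]: send one burst and print its loss percentage.
ping_burst() {
    out=$(ping -c "${2:-20}" "$1" 2>&1)
    loss_pct "$out"
}

# run_scenarios TARGET: walk the three scenarios, pausing so the operator can
# change the firewall state between bursts. The Sophos CLI commands shown in the
# prompts are assumptions; verify them with `?` on your console.
run_scenarios() {
    target=$1
    i=1
    for step in \
        "Sophos console: system firewall-acceleration disable" \
        "Sophos console: system firewall-acceleration enable, then start: tcpdump 'host $target'" \
        "Sophos console: system firewall-acceleration enable, stop tcpdump, disable IPS for the test rule"
    do
        printf '\nScenario %d: %s\nPress Enter when ready... ' "$i" "$step"
        read -r _
        loss=$(ping_burst "$target")
        printf 'Scenario %d: %s%% loss -> %s\n' "$i" "$loss" "$(classify "$loss")"
        i=$((i + 1))
    done
}

# demo: offline run over the constructed sample; returns the classification.
demo() {
    loss=$(loss_pct "$SAMPLE_PING_OUTPUT")
    classify "$loss"
}

if [ $# -gt 0 ]; then
    run_scenarios "$1"
else
    echo "Offline demo (constructed sample): $(demo)"
fi
```

Run it as `sh ping-scenarios.sh <ESXi host IP>` from the NAS side or the test PC; with no argument it only evaluates the constructed sample. A "partial" result in scenario 2 or 3 but "ok" in scenario 1 points at the fast-path / DPI interaction the reply describes and is the data a support case will ask for.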

  • 1) Ping goes through successfully

    2) Ping goes through successfully

    3) Just one??

  • I would suggest you check with the latest firmware version available, 19.5 MR4.

    Refer to: Sophos Firewall: MSS Clamping and IPsec Acceleration

    Sophos Firewall OS v19.5 MR4 is Now Available

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • We will attempt to update the firewall to SFOS 20.0.0 GA-Build222. Hopefully, this will resolve the issue. Otherwise, hardware acceleration will be disabled because the load on the firewall is not very high.

  • First update to 19.5 MR4, check that everything is working as expected, monitor for some time, and then update to v20.

    Please share the XGS model number.

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.
