
Can’t route self-generated packets

Hello, I work on 2 Sophos XG on 2 different sites. They communicate with each other using a Site-to-Site IPSec VPN.

  • Site A: Sophos XGS 33100 (SFOS 19.5.3)
  • Site B: Sophos XG 330 (SFOS 19.5.3)

3 subnets of Sophos A are configured to be able to communicate through the VPN.

  • Network A: Management
  • Network B: Backup
  • Network C

Each subnet has a dedicated VLAN and a virtual interface used as a gateway.

The packets auto-generated by the Sophos of site A and destined for site B are automatically sent through the gateway of Network B (Backup). I am trying to find out how to select the interface on which the packets auto-generated by the Sophos of site A will be sent to site B.

Original need

I wanted to connect the Sophos firewall on site A to an LDAP server located on site B. So I added the connection information to my LDAP server in "Authentication > Servers". When I did a connection test, the “Packet capture” diagnostics tool displayed the IP of the gateway of network B “Backup” as the source IP of the dedicated auto-generated packets.

However, I wanted the IP to be the one of the management network (or another one dedicated to it). I couldn't find any setting for this in the "AD server" part.

Temporary solution

I realized that the choice of gateway used for sending auto-generated packets is not random. It is actually the gateway of the first subnet allowed in my site-to-site VPN configuration. By changing the name of my network A “Management”, alphabetical ordering moves it to the first position.

After applying the changes, the source IP of my packets was indeed the one of my management network.

It works well but I don't find it very clean and intuitive. In addition, my networks and their names may change in the future.

Desired solution

I want to be able to clearly define which gateway to use. I studied a few options such as configuring an IPsec route, but I'm not sure that it’s what I need...

Would anyone be able to answer my needs or give me a lead please?


Added V19.5 MR3 TAG
[edited by: Erick Jan at 7:59 AM (GMT -8) on 26 Feb 2024]
Hi. Assuming it may be possible due to the existing connection not being flushed, which was present on the appliance: traffic used the same connection and SNAT IP as the management interface network IP that you want in your use case. Probably after a while, when the existing connection is flushed due to no traffic and new traffic comes again, XG will do a route lookup or connection establishment, and at that time you may encounter the issue again. So, as guided in the above KBA and Help section, it is better to keep the SNAT and IPsec route for the destination host in a policy-based VPN scenario for appliance (device) generated traffic, as per your current requirements.


    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

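The reply above recommends pinning the firewall's own traffic to the LDAP server with an IPsec route plus an SNAT rule, rather than relying on the alphabetical order of the VPN subnets. As an added illustration that is not part of the thread and not taken from Sophos documentation verbatim, the following shows the shape of the SFOS device-console commands I understand to exist for the IPsec-route half; the LDAP server address (192.0.2.10) and the tunnel name (SiteA-SiteB) are placeholders you would replace with your own values:

```console
# SFOS device console (serial/SSH menu, "Device Console"). Placeholders:
#   192.0.2.10   = LDAP server at site B
#   SiteA-SiteB  = name of the site-to-site IPsec connection

# Send the firewall's own packets for the LDAP server into the tunnel
system ipsec_route add host 192.0.2.10 tunnelname SiteA-SiteB

# Confirm the route is listed
system ipsec_route show

# Remove it if the design changes later
system ipsec_route del host 192.0.2.10 tunnelname SiteA-SiteB
```

The SNAT half (translating the source to the management interface address for traffic to 192.0.2.10) is configured in the web admin under the NAT rules rather than on the console. After applying both, repeat the LDAP connection test and re-check with the Packet capture tool that the source IP is now the management address, and that it stays that way after the old connection has aged out, which is the case the reply warns about.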