SNAT over ipsec not working XGS2100

Akshay Hegde 3 months ago

I am referring this post with similar issue

DNS request to DNS over Site2Site VPN

I have below setup

XG310 -- branch office

XG430 -HA -- Head office

Now I got

XGS2100 - 2nd branch office ( Gateway local ip: 172.16.1.100 )

XGS2100 - 3rd branch office

with XG310 I can reach Head office Active Directory with SNAT, but with XGS2100 I can't reach strange issue, but from Head office I can reach XGS2100

( was implemented based on article : https://support.sophos.com/support/s/article/KB-000035830?language=en_US ) 2 years before on XG310, same in XGS2100 not working )

console> show advanced-firewall
Strict Policy : on
FtpBounce Prevention : control
Tcp Conn. Establishment Idle Timeout : 10800
UDP Timeout : 30
UDP Timeout Stream : 60
Fragmented Traffic Policy : allow
Midstream Connection Pickup : off
TCP Seq Checking : on
TCP Window Scaling : on
TCP Appropriate Byte Count : off
TCP Selective Acknowledgements : on
TCP Forward RTO-Recovery[F-RTO] : off
TCP TIMESTAMPS : off
Strict ICMP Tracking : off
ICMP Error Message : allow
Caching for route lookups : on
IPv6 Unknown Extension Header : deny
IPv6 Ready Logo Compliance : off
WAN access control for web admin console : on


Bypass Stateful Firewall
------------------------
Source Genmask Destination Genmask


NAT policy for system originated traffic
---------------------
Destination Network Destination Netmask Interface SNAT IP
192.168.1.33 255.255.255.255 172.16.1.100
192.168.1.66 255.255.255.255 172.16.1.100
192.168.1.77 255.255.255.255 172.16.1.100


### from branch office 2nd

Sophos Firmware Version: SFOS 20.0.0 GA-Build222
Model: XGS2100
Hostname: removed

console> ping 192.168.1.33
PING 192.168.1.33 (192.168.1.33): 56 data bytes
ping: sendto: Operation not permitted
console>

console> system ipsec_route show
tunnelname host/network netmask
HO 192.168.1.0 255.255.255.0
HO_Backup 192.168.1.0 255.255.255.0

console> system route_precedence show
Routing Precedence:
1. SD-WAN policy routes
2. VPN routes
3. Static routes

Added V20 TAG
[edited by: Erick Jan at 2:17 PM (GMT -7) on 25 Mar 2024]

Top Replies

Akshay Hegde 3 months ago in reply to LuCar Toni +3 verified

Sophos team resolved this licensing issue my branch office link is up now.

Parents

0 Akshay Hegde 3 months ago

More updates on license. Its already visible in licensing portal here on device even after synchronise base Firewall showing "Not Subscribed"

Base Firewall Stateful Firewall, VPN, Wireless	Not subscribed	Dec 31, 2999
Network Protection IPS, Sophos X-Ops, SD-RED Device Management	Evaluating	Mar 13, 2029
Web Protection Web Security and Control, Application Control, Web Malware Protection	Evaluating	Mar 13, 2029
Zero-Day Protection Machine Learning, Sandboxing File Analysis, Threat Intelligence	Evaluating	Mar 13, 2029
Central Orchestration SD-WAN VPN Orchestration, CFR Advanced	Evaluating	Mar 13, 2029
Enhanced Support Enhanced Support	Evaluating	Mar 13, 2029

+1 Bharat J 3 months ago in reply to Akshay Hegde

Hi Akshay Hegde

Please contact Sophos Customer Care with Sophos Support to fix the issue with the license.

Check Sophos Firewall: Impact of expired license

Thanks and Regards

"Sophos Partner: Networkkings Pvt Ltd".

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +2 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel
0 Akshay Hegde 3 months ago in reply to Bharat J

Yes raised case already. Its not expired we just bought new device recently and its already showing in Sophos cloud with description perpetual

Case

07264485
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 LuCar Toni 3 months ago in reply to Akshay Hegde

When is your start date of the new Appliance? Currently the appliances (Base License) can have a future start date, which is shown in the license Schedule.

Only Customer care can address this right now.

__________________________________________________________________________________________________________________
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Akshay Hegde 3 months ago in reply to LuCar Toni

Scheduled date is 14/03/2024, but this is very strange I spent nearly 24 hours to know this root cause... There is no alert or notification on admin interface regarding license requirements for site to site vpn. I requested for early activation so for nothing positive.

Which is recommended interms of best performance.

Policy based site to site vpn ? Or Route based ?

Any benchmarks?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 LuCar Toni 3 months ago in reply to Akshay Hegde

Generally speaking this situation will be resolved in the future. Base licensing will be applied on delivery and not on subscription start date, which do not open this kind of problem.

About the second question, both perform on a high level the same but Route based VPN generally speaking is better to setup and maintaine on the long run.

__________________________________________________________________________________________________________________
Cancel
Vote Up +2 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 LuCar Toni 3 months ago in reply to Akshay Hegde

Generally speaking this situation will be resolved in the future. Base licensing will be applied on delivery and not on subscription start date, which do not open this kind of problem.

About the second question, both perform on a high level the same but Route based VPN generally speaking is better to setup and maintaine on the long run.

__________________________________________________________________________________________________________________
Cancel
Vote Up +2 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

+1 Akshay Hegde 3 months ago in reply to LuCar Toni

Sophos team resolved this licensing issue my branch office link is up now.
Cancel
Vote Up +3 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel
0 LHerzog 3 months ago in reply to Akshay Hegde

so, now you're still working on the SNAT issue?

who cannot access AD servers? the firewall or network devices on the remote side?

when it's your firewall:

set advanced-firewall sys-traffic-nat add destination 172.16.1.1 netmask 255.255.255.255 snatip 192.168.1.1

assuming your AD server is 172.16.1.1 and the firewall IP is 192.168.1.1

https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/HowToArticles/AuthenticationADIPsecRouteSysGenTraffic/index.html
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Akshay Hegde 3 months ago in reply to LHerzog

After license synchronisation it resolved issue was with licence... It's hidden
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 LHerzog 1 month ago in reply to Akshay Hegde

having the same issue right now after replacing XG with XGS.

XGS license will be active only in 5 days in the future, the day where the XG expires.

struggling with wireless and SNAT not working. Thinking of a technical issue.

No information about license issue anywhere. That should be improved with a fat banner on the dashboard.

Found this thread here again.

what's the use of base license expired and only the subscriptions in evaluation mode?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 LuCar Toni 1 month ago in reply to LHerzog

This issue will be resolved in the future (we are working on a fix for that).
Base license is currently tied to the subscription start date - we will change that to order processing, meaning the base license will be activate on delivery.

You can contact Sophos customer care to get this manually fixed.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 LHerzog 1 month ago in reply to LuCar Toni

Yes, thanks. Case is open and I have the feeling it is going well. They want to enable a new evaluation for the base subscription.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Akshay Hegde 1 month ago in reply to LHerzog

Yes without license it will not work... It's hidden features of sophos no notification nothing. Log case and request early activation of license.

Base license is useless. At least they should provide notification saying what will not work.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 LuCar Toni 1 month ago in reply to Akshay Hegde

Some information is here: Sophos Firewall: Impact of expired license
Earlier it was a rare case to have an expired base license. And Sophos wants to get back to this state but it needs some changes in the licensing and order processing workflow.

__________________________________________________________________________________________________________________
Cancel
Vote Up +2 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel
0 LHerzog 1 month ago in reply to LuCar Toni

my case has been resolved in ~1h. that was a good experience.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Vivek Jagad 1 month ago in reply to LHerzog

Thank you for the feedback LHerzog !

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel