Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 3 replies
  • Answers 1 answer
  • Subscribers 40 subscribers
  • Views 1917 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Device on BO side of IPSec Site-to-site unable to ping HO side

Werner van Niekerk

I have a scenario and trying to set something up for the interim.

In essence, the requirement is to get an APP server at location A to connect to DB server in location B.

The main issue with this is that both locations have the same subnet (E.g 172.16.0.0/29)
We already advised that the only reliable solution is to change one of the sites' subnets, but not for the time being.

What we're trying as temporary:

Both the Hyper-V hosts have additional NICs that we've got directly connected to Port5 on their sites' respective Sophos XG230s, and the VMs have been assigned these NIC's adapters on VSwitches.

A quick diagram:

Assigned site A's Sophos Port5 an IP of "192.168.10.2" and site B's Sophos Port5 "192.168.11.2"
Assigned site A's APP server an IP of "192.168.10.15" and site B's DB server an IP of "192.168.11.13"
Set up the remote and local subnet on each side of the site-to-site ("192.168.10.0/24" and "192.168.11.0/24")
Added persistent routes on each server (E.g.: Dest. 192.168.10.0, Mask. 255.255.255.0, GW. 192.168.11.2, Int. 192.168.11.13, Metric. 26)
Added static unicast IPv4 routes on each Sophos pointing its local network to the interface (E.g.: IP/Mask. 192.168.10.0/255.255.255.0, GW. None, Int. Port5)
Also disabled both servers' Windows firewalls.

The current results are as follows:

Ping from Site A Sophos:
  • To Site A APP server (192.168.10.15) - Response with 1ms latency
  • To Site A Port5 (192.168.10.2) - Response with 1ms latency
  • To Site B DB server (192.168.11.13) - Response with ~20ms latency
  • To Site B Port5 (192.168.11.2) - Response with ~20ms latency
Ping from Site A APP Server:
  • To Site A APP server (192.168.10.15) - Response with 1ms latency
  • To Site A Port5 (192.168.10.2) - Response with 1ms latency
  • To Site B DB server (192.168.11.13) - Response with ~20ms latency
  • To Site B Port5 (192.168.11.2) - Response with ~20ms latency
Ping from Site B Sophos:
  • To Site A APP server (192.168.10.15) - Response with ~20ms latency
  • To Site A Port5 (192.168.10.2) - Response with ~20ms latency
  • To Site B DB server (192.168.11.13) - Response with 1ms latency
  • To Site B Port5 (192.168.11.2) - Response with 1ms latency
Ping from Site B DB Server:
  • To Site A APP server (192.168.10.15) - No response
  • To Site A Port5 (192.168.10.2) - No response
  • To Site B DB server (192.168.11.13) - Response with ~20ms latency
  • To Site B Port5 (192.168.11.2) - Response with ~20ms latency


Here are some packet capture screenshots:

When pinging 192.168.10.2 (Site A Port5) from 192.168.11.13 (Site B DB Server):

Site B Sophos packet capture: (Using BPF string: host 192.168.0.2 and icmp)

Site A Sophos packet capture: (Nothing)

When pinging 192.168.11.2 (Site B Port5) from 192.168.10.15 (Site A APP Server):

Site A Sophos packet capture:

Site B Sophos packet capture:

Thank you in advance, and know, I'm not happy about this either...



This thread was automatically locked due to age.
Unfiltered HTML