
Endpoint not able to browse over site to site VPN to backup target

Hello,

Newbie here with Sophos.  I am looking at a (new) client I have inherited whose servers are backed up locally and then across a site-to-site VPN to a secondary location.  There is one server on a different subnet that has never been able to back up to the secondary location, and the backup agent on this server can't see the secondary backup location.  If I try to browse to the SMB share on the backup target from this server, it fails to find it.  I have checked the firewall rules and log viewer on the source Sophos, and it is all good, but I am not seeing any trace of traffic at the secondary (remote) site Sophos at the other end of the site-to-site VPN.  The servers that can back up OK are using port 1 physical, whilst this other server is using a VLAN with a virtual gateway number 1.7.  Both the LAN the bulk of the servers are on and the IP of the single server are advertised on the site-to-site VPN.

Any suggestions as to where the problem could be?  I am guessing the server doesn't know the route to the backup target.  I'm not very good yet at using the Sophos traffic capture feature, so please bear with me.

  • Hello Mark, 

    Thanks for reaching out to Sophos Community. What are the results of ping and traceroute from the backup server to the destination? 

    Could you also share your FW rules for this? Do you have the zone and network or host address from the 'Source' going to the destination? And on the remote site, the zone, network address or host address of the backup server should be in the 'Destination' of the firewall rule of the remote firewall.

    Further, you may also refer to this KBA - Sophos Firewall: Traffic is not passing through the VPN tunnel: https://support.sophos.com/support/s/article/KB-000035835?language=en_US

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Ping and traceroute don't go any further than the gateway from both the server and the VLAN interface, hence I think it doesn't know where to go. (The gateway for this subnet is a virtual one on a VLAN interface.)  The virtual gateway is 192.168.198.254, whilst the VLAN interface is 192.168.151.254, Port1.6 VLAN ID 6.  I don't know what this VLAN (192.168.151.x) is for.  The other servers are using the 192.168.0.x subnet, which is the subnet interface 1 is using.  I am guessing the server in question on the 192.168.198.x subnet needs a route to the remote location.  The VLAN interface is in the LAN zone, as are the servers on 192.168.0.x, and there is a firewall rule allowing LAN/VPN to LAN/VPN for the backups.

  • Further update to this - I found the 192.168.198.x server can ping servers on the 192.168.0.x subnet, and a tracert shows only one hop, being the 192.168.151.254 gateway.  I don't know how this is routing - I am a newbie.

  • Should I be able to do a traffic capture to see what is happening to this traffic?  I'm not seeing anything in the logs, except at the source Sophos firewall it reports the traffic is allowed.
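A worked version of the two checks the support reply asks for (the tunnel's local/remote networks on both firewalls, and a matching allow rule on each side), as an added example that is not from the thread or from Sophos. It models the phase-2 selectors of a site-to-site IPsec tunnel and zone-based firewall rules, then walks a backup flow through the source site and its reply through the remote site. The 172.16.50.0/24 backup-target subnet, the host 192.168.198.10, the zone tables and the rule definitions are constructed assumptions; only the 192.168.0.0/24 and 192.168.198.0/24 subnets come from the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Tunnel:
    """Phase-2 selectors of one side of a site-to-site IPsec tunnel."""
    local_nets: list   # networks this side encrypts as sources
    remote_nets: list  # networks it expects behind the peer


@dataclass
class Rule:
    """A zone-based firewall rule; "any" in a network list matches everything."""
    name: str
    src_zones: set
    src_nets: list
    dst_zones: set
    dst_nets: list
    action: str  # "allow" or "drop"


def in_any(addr, nets):
    """True if addr falls inside any network in nets ("any" always matches)."""
    ip = ipaddress.ip_address(addr)
    return any(n == "any" or ip in ipaddress.ip_network(n, strict=False) for n in nets)


def zone_of(addr, zone_map):
    """zone_map is a list of (network, zone); first match wins, None if unknown."""
    for net, zone in zone_map:
        if in_any(addr, [net]):
            return zone
    return None


def tunnel_selects(tunnel, src, dst):
    """True if the tunnel would carry a packet src -> dst (src local, dst remote)."""
    return in_any(src, tunnel.local_nets) and in_any(dst, tunnel.remote_nets)


def first_match(rules, src, dst, zone_map):
    """First rule whose zones and networks match the flow, else None."""
    src_zone, dst_zone = zone_of(src, zone_map), zone_of(dst, zone_map)
    for rule in rules:
        if (src_zone in rule.src_zones and dst_zone in rule.dst_zones
                and in_any(src, rule.src_nets) and in_any(dst, rule.dst_nets)):
            return rule
    return None


def diagnose(src, dst, a_tunnel, a_rules, a_zones, b_tunnel, b_rules, b_zones):
    """Return a list of findings for src (site A) -> dst (site B); empty means OK.

    Checks: A's tunnel selects the outbound flow, B's tunnel selects the reply,
    and each site has an allow rule for the flow in its own zone terms."""
    findings = []
    if not tunnel_selects(a_tunnel, src, dst):
        findings.append(f"site A tunnel selectors do not cover {src} -> {dst}")
    if not tunnel_selects(b_tunnel, dst, src):
        findings.append(f"site B tunnel selectors do not cover the reply {dst} -> {src}")
    for site, rules, zones in (("A", a_rules, a_zones), ("B", b_rules, b_zones)):
        rule = first_match(rules, src, dst, zones)
        if rule is None or rule.action != "allow":
            findings.append(f"site {site}: no allow rule for {src} ({zone_of(src, zones)}) "
                            f"-> {dst} ({zone_of(dst, zones)})")
    return findings


# Constructed data (assumptions, not the poster's configuration).
# Site A advertises the server LAN and a single /32; site B lists only the LAN.
SITE_A_TUNNEL = Tunnel(local_nets=["192.168.0.0/24", "192.168.198.10/32"],
                       remote_nets=["172.16.50.0/24"])
SITE_B_TUNNEL = Tunnel(local_nets=["172.16.50.0/24"],
                       remote_nets=["192.168.0.0/24"])  # the /32 is missing here
SITE_A_ZONES = [("192.168.0.0/24", "LAN"), ("192.168.198.0/24", "LAN"),
                ("192.168.151.0/24", "LAN"), ("172.16.50.0/24", "VPN")]
SITE_B_ZONES = [("172.16.50.0/24", "LAN"), ("192.168.0.0/24", "VPN"),
                ("192.168.198.0/24", "VPN")]
BACKUP_RULE = Rule("Backups", {"LAN", "VPN"}, ["any"], {"LAN", "VPN"}, ["any"], "allow")
SITE_A_RULES = [BACKUP_RULE]
SITE_B_RULES = [BACKUP_RULE]
BACKUP_TARGET = "172.16.50.20"  # assumed SMB backup target at site B


def check_host(src):
    """Diagnose a flow from src to the assumed backup target."""
    return diagnose(src, BACKUP_TARGET, SITE_A_TUNNEL, SITE_A_RULES, SITE_A_ZONES,
                    SITE_B_TUNNEL, SITE_B_RULES, SITE_B_ZONES)


if __name__ == "__main__":
    for host in ("192.168.0.5", "192.168.198.10", "192.168.198.20"):
        print(host, "->", BACKUP_TARGET, check_host(host) or ["ok"])
```

In the constructed data the host whose /32 is advertised only on the source side fails on the reply direction at site B, and a second host on the same VLAN fails on both sides. That is the pattern worth looking for when the source firewall's log viewer shows the traffic as allowed but the remote firewall shows nothing: the source side will happily pass the packet to the tunnel, but the far side never selects that pair of networks. On the real firewalls the equivalent check is the local and remote network lists of the IPsec connection on both ends, plus the source and destination zones of the rule at each site.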
