Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Endpoint not able to browse over site to site VPN to backup target

Hello,

newbie here with Sophos.  I am looking at a (new) client I have inherited who have their servers being backed up locally and then across a site to site VPN to a secondary location.  There is one server on a different subnet that has never been able to backup to the secondary location, and the backup agent on this server can't see the secondary backup location.  If I try and browse to the SMB share on the backup target from this server it fails to find it.  I have checked the firewall rules and log viewer on the source Sophos, and it is all good, but I am not seeing any trace of traffic at the secondary (remote) site Sophos at the other end of the site to site VPN.  The servers that can backup ok are using port 1 physical, whilst this other server is using a VLAN with a virtual gateway number 1.7.  Both the LAN the bulk of the servers are on and the IP of the single server are advertised on the site to site VPN. 

Any suggestions as to where the problem could be?  I am guessing the server doesn't know the route to the backup target.  I'm not very good as yet with using the Sophos traffic capture feature, so please bear with me.



This thread was automatically locked due to age.
Parents Reply Children
  • At the remote branch the set up looks pretty simple - there is a firewall rule allowing CIFS to the NAS from the IP of the site to site VPN.  Also there is another rule allowing traffic from the VPN zone to the LAN zone, and the server in question plus the others are included.  The site to site is configured to allow the servers plus the server in question (being in a different subnet) across it at both ends.  A tracert from the server starts and stops at VLAN gateway 192.168.151.254, it doesn't go to its own subnet gateway of 192.168.198.254.

    I have followed that link, but couldn't see any problems.  I just need to work out how to use traffic capture I think.

  • I did some testing and used the log viewer at both ends, and then the Packet Capture tool at the source end (finally figured it out, although the Display Filter doesn't seem to work that well).  The Log Viewer at the source end said the traffic between the server and the remote NAS is allowed, ports 139 and 445, via a reflexive NAT rule.  I tried a continuous ping from the server to the NAS, but it only shows in the source end Log Viewer, not the remote end.  If I use Packet Capture on the source end to capture traffic to the remote NAS, nothing for the ping is displayed, like it doesn't exist.  If I try a ping to the NAS from the servers on the different subnet, Packet Capture sees them ok, so it isn't seeing where the 'problem' server's ping is being dropped.  Like I said, a trace from the server gets to the VLAN gateway and goes no further.  I tested pings from the server to the 2 gateway IPs for the site to site VPN and it can ping both ok.

    Note again the servers that work are on the same subnet as Port 1, 192.168.0.x.  There is a VLAN on port 1.7 (VLAN ID 7, using subnet 192.168.151.x), and this server uses a virtual gateway that is configured on the VLAN, using subnet 192.168.198.x.

  • Hi  

    Could you please provide the exact entries made in "Local subnet" of the site-to-site VPN?

    Does both the working servers and the non-working server part of the same site-to-site tunnel ?

    Ping the remote backup-target from the non-working server (192.168.198.x) . Capture the packets at Port1.6 interface using tcpdump (tcpdump -n host <backuptarget>) and post it here.

    On firewall execute 'ip route get <backuptarget>' and post the output.

  • Hi  , if your issue is related to how to place traffic from "unconnected" LAN subnet into IPsec VPN tunnel, you can follow below 2 approaches:

    I am putting a topology for reference as below:

    client1------subnet1----<routing device>-----subnet2----SFOS1---------IPsec tunnel-----SFOS2-----subnet3----client2

    and you want connectivity between client1 (this is not a direct LAN subnet of SFOS1) and client2 (this is LAN subnet of SFOS2) via IPsec tunnel, follow below steps:

    Approach1 (Policy based)

    * IPsec tunnel on SFOS1 with 'local subnet=subnet1 and subnet2' and 'remote subnet=subnet3' 

    * IPsec tunnel on SFOS2 with 'local subnet=subnet3' and 'remote subnet=subnet1 and subnet2'

    * On SFOS1, add static route to reach 'subnet1' via ip address of subnet2 configured on <routing device> 

    Once the tunnel is Up, client1 should be able to reach client2 and vice-versa

    Approach2 (Route based)

    IPsec tunnel on SFOS1 and SFOS2 with local and remote subnet as 'ANY'

    * Add static route on SFOS1 to reach subnet3 via xfrm interface and add static route on SFOS2 to reach 'subnet1' via xfrm interface

    * Also, add static route on SFOS1 to reach 'subnet1' via ip address of subnet2 configured on <routing device> 

    Once the tunnel is Up, client1 should be able to reach client2 and vice-versa

    Let us know if this helps.