
Endpoint not able to browse over site to site VPN to backup target

Hello,

newbie here with Sophos.  I am looking at a (new) client I have inherited who have their servers being backed up locally and then across a site to site VPN to a secondary location.  There is one server on a different subnet that has never been able to backup to the secondary location, and the backup agent on this server can't see the secondary backup location.  If I try and browse to the SMB share on the backup target from this server it fails to find it.  I have checked the firewall rules and log viewer on the source Sophos, and it is all good, but I am not seeing any trace of traffic at the secondary (remote) site Sophos at the other end of the site to site VPN.  The servers that can backup ok are using port 1 physical, whilst this other server is using a VLAN with a virtual gateway number 1.7.  Both the LAN the bulk of the servers are on and the IP of the single server are advertised on the site to site VPN. 

Any suggestions as to where the problem could be?  I am guessing the server doesn't know the route to the backup target.  I'm not very good as yet with using the Sophos traffic capture feature, so please bear with me.



  • Hello Mark, 

    Thanks for reaching out to Sophos Community. What are the results of ping and traceroute from the backup server to the destination? 

    Could you also share your FW rules for this? Do you have the zone and network or host address from the 'Source' going to the destination? And on the remote site, the zone, network address or host address of the backup server should be on the 'Destination' of the firewall rule of the remote firewall. 

    Further, you may also refer to this KBA - Sophos Firewall: Traffic is not passing through the VPN tunnel: https://support.sophos.com/support/s/article/KB-000035835?language=en_US

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Ping and Traceroute don't go any further than the gateway from both the server and the VLAN interface, hence why I think it doesn't know where to go. (The gateway for this subnet is a virtual one on a VLAN interface).  The virtual gateway is 192.168.198.254, whilst the VLAN interface is 192.168.151.254, Port1.6 VLAN ID6.  I don't know what this VLAN (192.168.151.x) is for.  The other servers are using the 192.168.0.x subnet which is the subnet interface 1 is using.  I am guessing the server in question on the 192.168.198.x subnet needs a route to the remote location.  The VLAN interface is in the LAN zone as are the servers on 192.168.0.x, and there is a firewall rule allowing LAN/VPN to LAN/VPN for the backups.

  • Further update to this - I found the 192.168.198.x server can ping servers on the 192.168.0.x subnet, and a tracert shows only one hop, being the 192.168.151.254 gateway.  I don't know how this is routing - I am a newbie.

  • Should I be able to do a traffic capture to see what is happening to this traffic?  I'm not seeing anything in the logs, except at the source Sophos firewall it reports the traffic is allowed.

  • Hello Mark, 

    Thanks for the update. What is the network addressing on the remote branch? Could you also share the FW rule for this, and the VPN settings for the main and secondary location? Also, could you confirm that you have followed the steps as outlined here: https://support.sophos.com/support/s/article/KB-000035835?language=en_US and it is still not working? 

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • At the remote branch the set up looks pretty simple - there is a firewall rule allowing CIFS to the NAS from the IP of the site to site VPN.  Also there is another rule allowing traffic from the VPN zone to the LAN zone, and the server in question plus the others are included.  The site to site is configured to allow the servers plus the server in question (being in a different subnet) across it at both ends.  A tracert from the server starts and stops at VLAN gateway 192.168.151.254, it doesn't go to its own subnet gateway of 192.168.198.254.

    I have followed that link, but couldn't see any problems.  I just need to work out how to use traffic capture I think.

  • I did some testing and used the log viewer at both ends, and then the Packet Capture tool at the source end (finally figured it out, although the Display Filter doesn't seem to work that well).  The Log Viewer at the source end said the traffic between the server and the remote NAS is allowed, ports 139 and 445, via a reflexive NAT rule.  I tried a continuous ping from the server to the NAS, but it only shows in the source end Log Viewer, not the remote end.  If I use Packet Capture on the source end to capture traffic to the remote NAS, nothing for the ping is displayed, like it doesn't exist.  If I try a ping to the NAS from the servers on the different subnet, Packet Capture sees them ok, so it isn't seeing where the 'problem' server's ping is being dropped.  Like I said, a trace from the server gets to the VLAN gateway and goes no further.  I tested pings from the server to the 2 gateway IPs for the site to site VPN and it can ping both ok.

    Note again the servers that work are on the same subnet as Port 1, 192.168.0.x.  There is a VLAN on port 1.7 (VLAN ID 7, using subnet 192.168.151.x), and this server uses a virtual gateway that is configured on the VLAN, using subnet 192.168.198.x.

  • Hi,

    Could you please provide the exact entries made in "Local subnet" of the site-to-site VPN?

    Are both the working servers and the non-working server part of the same site-to-site tunnel?

    Ping the remote backup target from the non-working server (192.168.198.x). Capture the packets at the Port1.6 interface using tcpdump (tcpdump -n host <backuptarget>) and post it here.

    On the firewall, execute 'ip route get <backuptarget>' and post the output.

  • Hi, if your issue is related to how to place traffic from an "unconnected" LAN subnet into the IPsec VPN tunnel, you can follow either of the 2 approaches below:

    I am putting a topology for reference as below:

    client1------subnet1----<routing device>-----subnet2----SFOS1---------IPsec tunnel-----SFOS2-----subnet3----client2

    and you want connectivity between client1 (this is not a direct LAN subnet of SFOS1) and client2 (this is LAN subnet of SFOS2) via IPsec tunnel, follow below steps:

    Approach1 (Policy based)

    * IPsec tunnel on SFOS1 with 'local subnet=subnet1 and subnet2' and 'remote subnet=subnet3' 

    * IPsec tunnel on SFOS2 with 'local subnet=subnet3' and 'remote subnet=subnet1 and subnet2'

    * On SFOS1, add static route to reach 'subnet1' via ip address of subnet2 configured on <routing device> 

    Once the tunnel is Up, client1 should be able to reach client2 and vice-versa

    Approach2 (Route based)

    * IPsec tunnel on SFOS1 and SFOS2 with local and remote subnet as 'ANY'

    * Add static route on SFOS1 to reach subnet3 via xfrm interface and add static route on SFOS2 to reach 'subnet1' via xfrm interface

    * Also, add static route on SFOS1 to reach 'subnet1' via ip address of subnet2 configured on <routing device> 

    Once the tunnel is Up, client1 should be able to reach client2 and vice-versa

    Let us know if this helps.
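    The two approaches above, and the 'ip route get' check suggested earlier in the thread, can be reasoned through offline with a small model of SFOS1's routing table and the tunnel's traffic selectors. The following Python script is an added example written for this thread; it is not Sophos code and does not talk to a firewall. It uses the addresses mentioned in the thread (192.168.0.0/24 on Port1, 192.168.151.0/24 on Port1.6, the 192.168.198.0/24 subnet behind the 192.168.151.254 routing device) and assumes constructed values for the remote subnet (10.20.30.0/24), the WAN next hop (203.0.113.1 on Port2) and the route-based interface name (xfrm1). It shows why, without the extra local subnet and the static route, traffic from the "unconnected" subnet leaves via the WAN (so the source firewall logs it as allowed but the remote end never sees it), and why return traffic needs the static route back to the routing device.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of one SFOS routing table entry.
@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[str]   # next-hop IP, or None for a directly connected subnet
    dev: str             # egress interface name


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over the table, as 'ip route get <dst>' would do."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in table if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def route_get(table: List[Route], dst: str) -> str:
    """Render the lookup result in the style of 'ip route get' output."""
    r = lookup(table, dst)
    if r is None:
        return f"{dst} unreachable"
    return f"{dst} via {r.via} dev {r.dev}" if r.via else f"{dst} dev {r.dev}"


def selectors_cover(local: List[str], remote: List[str], src: str, dst: str) -> bool:
    """Policy-based IPsec: a packet is encrypted only if src falls inside a
    'local subnet' selector AND dst falls inside a 'remote subnet' selector."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (any(s in ipaddress.ip_network(n) for n in local)
            and any(d in ipaddress.ip_network(n) for n in remote))


def trace_forward(table: List[Route], local: List[str], remote: List[str],
                  src: str, dst: str) -> str:
    """Simplified forwarding decision on SFOS1: 'ipsec' if the policy-based
    selectors match, otherwise the interface the routing table picks
    (which for a route-based tunnel is the xfrm interface itself)."""
    if selectors_cover(local, remote, src, dst):
        return "ipsec"
    r = lookup(table, dst)
    return r.dev if r else "unreachable"


def sfos1_table(with_static_route: bool, route_based: bool = False) -> List[Route]:
    """SFOS1's table: connected subnets from the thread plus a constructed default
    route out of Port2 (WAN). Optionally add the static route to subnet1 via the
    routing device, and the route-based route to the remote subnet via xfrm1."""
    table = [
        Route(ipaddress.ip_network("192.168.0.0/24"), None, "Port1"),
        Route(ipaddress.ip_network("192.168.151.0/24"), None, "Port1.6"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1", "Port2"),  # constructed WAN
    ]
    if with_static_route:
        table.append(Route(ipaddress.ip_network("192.168.198.0/24"),
                           "192.168.151.254", "Port1.6"))
    if route_based:
        table.append(Route(ipaddress.ip_network("10.20.30.0/24"), None, "xfrm1"))
    return table


REMOTE = ["10.20.30.0/24"]          # constructed subnet3 behind SFOS2
CLIENT1, CLIENT2 = "192.168.198.10", "10.20.30.5"   # constructed hosts

if __name__ == "__main__":
    # Approach 1, before the fix: subnet1 missing from 'local subnet', no static route.
    print("policy, missing subnet1:",
          trace_forward(sfos1_table(False), ["192.168.151.0/24"], REMOTE, CLIENT1, CLIENT2))
    print("return path, no static route:", route_get(sfos1_table(False), CLIENT1))
    # Approach 1, after the fix.
    print("policy, subnet1 added:",
          trace_forward(sfos1_table(True), ["192.168.151.0/24", "192.168.198.0/24"],
                        REMOTE, CLIENT1, CLIENT2))
    print("return path, static route:", route_get(sfos1_table(True), CLIENT1))
    # Approach 2: selectors ANY/ANY, decision made purely by the routing table.
    print("route-based:",
          trace_forward(sfos1_table(True, route_based=True), [], [], CLIENT1, CLIENT2))
```

    Running the script with and without the static route reproduces the symptom from the thread: the outbound packet is "allowed" by the source firewall but goes out of Port2 instead of the tunnel, and the reply to 192.168.198.x would also be sent to the WAN unless SFOS1 has a route to that subnet via 192.168.151.254. The real check on the box is the 'ip route get' and tcpdump commands suggested above; this model only explains what their output should look like.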
