Problems with Veeam B+R 12.1 and SFOS 20.0.2 MR-2-Build378 - failed to create NFC download stream

Hey Folks,

We rolled out an XGS126 in our branch yesterday (previously an SG125), and we cannot get Veeam to back up our branch VMs.
The branch is connected via an IPsec VPN tunnel to our datacenter (Sophos SG310). I already found the older thread Veeam B&R 12 issue - Discussions - Sophos Firewall - Sophos Community, but nothing works, and the Veeam backup still fails -> it always gets stuck at "Getting VM info from vSphere" -> NFC storage connection is unavailable ..... Failed to create NFC download stream ....

Things done so far:

Checked the logs -> IPS, ATP, ZDP: no entries

Disabled IPS, MDR threat feeds, and X-Ops threat feeds (ATP) - no luck

set ips ac_atp exception fwrules 5 -> no luck (firewall rule from the backup server to the ESX server)

Created an SSL/TLS inspection rule to exclude -> source VPN backup server to LAN ESX server, with "Don't decrypt" and maximum compatibility - no luck

Added local.domain and the FQDNs of the backup server and ESX server to the local TLS exclusion list - no luck

At the moment I am out of ideas, so any other help would be very much appreciated.

Thanks.

Peter



This thread was automatically locked due to age.
  • No, it doesn't fail immediately; it takes 1-2 minutes and then it fails.

    It worked in the previous setup with the SG125 to the SG310, hence the vCenter firewall shouldn't be an issue.

    OK, trying to make a tcpdump and checking that again.

  • It would be interesting to see in Wireshark whether the machines see, and fail due to, a firewall certificate at some point, or do not find the target at all due to missing IPsec routing.

    To me it sounds more like a timeout failure; I would expect that no data is passing the tunnel.

  • The IPsec tunnel setup and firewall rules are the same as on the SG125, and traffic from the backup server and vCenter server network to the branch ESX server network is not restricted.

    Disabled network traffic encryption in Veeam completely, but that doesn't help either.

    Sometimes in the firewall log I get some "could not associate packet to any connection" entries,

    but this is strange, because the entries before and after it are the same and match correctly.

  • Finally I fixed it (facepalm).

    The Veeam backup proxy in the branch is in a different network than the ESXi server. It seems I forgot to create a rule for the backup proxy to access the ESXi host.

    But I am really wondering why this is not recorded in the firewall log. Does the XGS only log when you enable logging on the rule? On the SG, dropped traffic was always logged, if I remember right.

  • Yes, you may need to create a custom log-and-drop rule at the bottom. Otherwise you're flying blind.

    Good that you fixed it.

  • I already created a drop_all rule, but I disabled logging this morning for better investigation :-D

    I didn't know the XGS does not log if you don't have the log option enabled. But now I know better; thanks for your help.

    Finally, after 15 years of SG, I am getting more and more used to the XGS series, but this one is one of the first more complex branch offices.
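The root cause above (a missing firewall rule from the backup proxy to the ESXi host, which the firewall dropped silently because no logging drop rule existed) shows up on the wire as a connection that simply times out rather than being refused. The following added example, which is not from the thread or from Veeam/Sophos, is a small probe you would run from the backup proxy before touching TLS inspection or threat feeds: it tries the two TCP ports a Veeam proxy needs on an ESXi host (443 for the vSphere API, 902 for the NFC data stream) and classifies the result as open, refused (host answered with RST, so the path is fine), timeout (the silent-drop signature of a missing rule) or unreachable (no route, e.g. IPsec selectors). The host name `esxi-branch.local.domain` and the 5-second timeout are assumptions; the loopback listener is only there so the script demonstrates itself offline.

```python
import socket
from typing import Dict, Iterable, Tuple

# Ports a Veeam backup proxy needs toward an ESXi host (assumption based on
# Veeam's documented NBD/NFC transport): 443 = vSphere API, 902 = NFC stream.
ESXI_PORTS = {443: "vsphere-api", 902: "nfc"}

# Hypothetical branch ESXi host; replace with the real FQDN or IP.
ESXI_HOST = "esxi-branch.local.domain"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Classify one TCP connect attempt.

    'open'        - handshake completed, the firewall rule and the service are fine
    'refused'     - packet arrived, peer sent RST: path OK, service not listening
    'timeout'     - nothing came back: the classic silent firewall drop
    'unreachable' - no route / network unreachable: routing or IPsec selectors
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:          # must come before OSError (it is a subclass)
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def probe_all(host: str, ports: Iterable[int] = ESXI_PORTS,
              timeout: float = 5.0) -> Dict[int, str]:
    """Probe every port and return {port: classification}."""
    return {p: probe(host, p, timeout) for p in ports}


def diagnose(results: Dict[int, str]) -> str:
    """Turn the per-port results into the next thing to check."""
    states = set(results.values())
    if states == {"open"}:
        return "all ports open: look at TLS inspection/certificates, not the firewall rule"
    if "timeout" in states:
        return ("silent drop: add a firewall rule proxy -> ESXi and a logging "
                "drop-all rule at the bottom so drops are visible in the log")
    if "refused" in states:
        return "reachable but refused: service not listening on the ESXi host"
    return "no route: check IPsec selectors and routing between the networks"


def demo_listener() -> Tuple[socket.socket, int]:
    """Constructed local listener so the probe can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Offline self-demo: an open loopback port, then the same port once closed.
    srv, port = demo_listener()
    print(port, probe("127.0.0.1", port))      # open
    srv.close()
    print(port, probe("127.0.0.1", port))      # refused
    # Real use from the backup proxy:
    # results = probe_all(ESXI_HOST); print(results, diagnose(results))
```

Note that a result of `timeout` on port 902 while 443 is `open` is exactly the pattern behind the "Failed to create NFC download stream" message in the first post: Veeam can talk to vSphere but the proxy cannot reach the host's NFC port. A `refused` result, by contrast, proves the packet crossed the firewall and the tunnel, so the rule is not the problem.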