Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

FIREWALL RULE OVER VPN (WAN-VPN)

Does anyone here encounter no access on yahoo even on whitelist? All site is accessible expect for yahoo sites. Anyways I'm doing VPN-WAN rule from XGS107 (SFOS 18.5.2 MR-2-Build380) to XG230 (SFOS 18.5.2 MR-2-Build380).



This thread was automatically locked due to age.
Parents Reply
  • Hello,

    Found there is IPsec site to site VPN and BO traffic Internet traffic routed via HO. Upon reviewing the logs for the mail.yahoo.com. We could see that it was asking to fragment the packet.

    12:51:04.168887 ifb0, OUT: Out 7c:5a:1c:8e:20:51 ethertype IPv4 (0x0800), length 592: 161.x.x.x > 180.222.106.11: ICMP 161.x.x.x unreachable - need to frag (mtu 1406), length 556

    12:51:04.168893 Port2, OUT: Out 7c:5a:1c:8e:20:51 ethertype IPv4 (0x0800), length 592: 161.x.x.x > 180.222.106.11: ICMP 161.x.x.x unreachable - need to frag (mtu 1406), length 556

    12:51:04.168896 mv-pcimux0, OUT: Out c4:c5:c6:c7:c8:c9 ethertype IPv4 (0x0800), length 592: 161.x.x.x > 180.222.106.11: ICMP 161.x.x.x unreachable - need to frag (mtu 1406), length 556

     With the help of iptables command, we tweak the MTU size for the source/destination to made it work.

     Reference KBA:

     Sophos Firewall: MSS Clamping and IPsec Acceleration 

    Mayur Makvana
    Technical Account Manager | Global Customer Experience

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.

Children
No Data