FIREWALL RULE OVER VPN (WAN-VPN)

Does anyone here encounter no access on yahoo even on whitelist? All site is accessible expect for yahoo sites. Anyways I'm doing VPN-WAN rule from XGS107 (SFOS 18.5.2 MR-2-Build380) to XG230 (SFOS 18.5.2 MR-2-Build380).

Added TAGs
[edited by: Raphael Alganes at 6:37 AM (GMT -7) on 15 Aug 2024]

Top Replies

Mayur Makvana 26 days ago in reply to Mayur Makvana +1 verified

Hello, Found there is IPsec site to site VPN and BO traffic Internet traffic routed via HO. Upon reviewing the logs for the mail.yahoo.com. We could see that it was asking to fragment the packet. 12…

Parents

0 Mayur Makvana 27 days ago

Hello,

Do you see any denied message? I believe you have allowed it under VPN to WAN and has linked NAT rule.

Mayur Makvana
Technical Account Manager | Sophos Technical Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Johnder Dacquil 27 days ago in reply to Mayur Makvana

I didn't see any denied or error message. Does it require another NAT rule for this? i created an NAT rule as a general rule for my firewall rule.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Mayur Makvana 27 days ago in reply to Johnder Dacquil

Hello,

It does not require dedicated rule as far as it got general NAT rule available. Also, attached error snapshot.

Kindly collect the packet capture under Monitor & Analyze -> Diagnostics -> Packet Capture. Add string as host yahoo.com.

Browse the yahoo.com and review packet capture. Also your devices are running on too old version. This must be upgraded to supported version.

Mayur Makvana
Technical Account Manager | Sophos Technical Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Johnder Dacquil 27 days ago in reply to Mayur Makvana

This is what i've got when browsing yahoo.com.

Also, please see packet capture

Is there anything I need to configure?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Mayur Makvana 27 days ago in reply to Johnder Dacquil

Hello,

I have sent request. Kindly accept and DM me.

Mayur Makvana
Technical Account Manager | Sophos Technical Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
+1 Mayur Makvana 26 days ago in reply to Mayur Makvana

Hello,

Found there is IPsec site to site VPN and BO traffic Internet traffic routed via HO. Upon reviewing the logs for the mail.yahoo.com. We could see that it was asking to fragment the packet.

12:51:04.168887 ifb0, OUT: Out 7c:5a:1c:8e:20:51 ethertype IPv4 (0x0800), length 592: 161.x.x.x > 180.222.106.11: ICMP 161.x.x.x unreachable - need to frag (mtu 1406), length 556

12:51:04.168893 Port2, OUT: Out 7c:5a:1c:8e:20:51 ethertype IPv4 (0x0800), length 592: 161.x.x.x > 180.222.106.11: ICMP 161.x.x.x unreachable - need to frag (mtu 1406), length 556

12:51:04.168896 mv-pcimux0, OUT: Out c4:c5:c6:c7:c8:c9 ethertype IPv4 (0x0800), length 592: 161.x.x.x > 180.222.106.11: ICMP 161.x.x.x unreachable - need to frag (mtu 1406), length 556

With the help of iptables command, we tweak the MTU size for the source/destination to made it work.

Reference KBA:

Sophos Firewall: MSS Clamping and IPsec Acceleration

Mayur Makvana
Technical Account Manager | Sophos Technical Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel

Reply

+1 Mayur Makvana 26 days ago in reply to Mayur Makvana

Hello,

Found there is IPsec site to site VPN and BO traffic Internet traffic routed via HO. Upon reviewing the logs for the mail.yahoo.com. We could see that it was asking to fragment the packet.

12:51:04.168887 ifb0, OUT: Out 7c:5a:1c:8e:20:51 ethertype IPv4 (0x0800), length 592: 161.x.x.x > 180.222.106.11: ICMP 161.x.x.x unreachable - need to frag (mtu 1406), length 556

12:51:04.168893 Port2, OUT: Out 7c:5a:1c:8e:20:51 ethertype IPv4 (0x0800), length 592: 161.x.x.x > 180.222.106.11: ICMP 161.x.x.x unreachable - need to frag (mtu 1406), length 556

12:51:04.168896 mv-pcimux0, OUT: Out c4:c5:c6:c7:c8:c9 ethertype IPv4 (0x0800), length 592: 161.x.x.x > 180.222.106.11: ICMP 161.x.x.x unreachable - need to frag (mtu 1406), length 556

With the help of iptables command, we tweak the MTU size for the source/destination to made it work.

Reference KBA:

Sophos Firewall: MSS Clamping and IPsec Acceleration

Mayur Makvana
Technical Account Manager | Sophos Technical Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel

Children

No Data