
Site to Site VPN Question

 

We have been unable to reach a new remote server that our CoLo set up, and I'm trying to understand what I'm seeing as I troubleshoot this. We have a Sophos UTM running 9.605. The other end is a Cisco ASA.

 

The VPN is up and allows me to reach our other servers at the CoLo. The IPsec gateway on the Sophos has the new IP in its remote networks and the connection is set for automatic firewall rules. When I run a tracert to the new IP, I start seeing internet routers:

Tracing route to 192.168.27.5 over a maximum of 30 hops

1 7 ms <1 ms <1 ms REDACTED [10.10.10.205]
2 <1 ms <1 ms <1 ms coop-router.wmiswireless.net [REDACTED]
3 2 ms 2 ms 2 ms dsl1-ip057-grr.wmisdsl.com [REDACTED]
4 2 ms 2 ms 2 ms 69-39-68-81.static.123.net [REDACTED]

instead of the expected:

Tracing route to 192.168.27.3 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms REDACTED [10.10.10.205]
2 <1 ms 27 ms 27 ms 192.168.27.3

So it doesn't look like the tunnel is getting triggered for the new IP.

 

If the ASA doesn't have the new IP in its allowed networks, will that prevent the Sophos from trying to use the VPN tunnel for that traffic?

If I turn on logging for the automatic firewall rule that the connection creates, I can see it getting hit when I ping one of our other servers, but nothing shows up when I try to ping the new server. If I create a new firewall rule to allow that traffic, I can see that rule getting hit when I try to ping the new server.

Even if the new server's IP wasn't added to the allowed local networks on the ASA, why isn't the Sophos seeing the target IP and trying to use the VPN tunnel? If I try to tracert to a non-existent VPN over another site-to-site we have, I get this:

Tracing route to 172.31.37.4 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms REDACTED [10.10.10.205]
2 <1 ms 3 ms 2 ms 172.31.37.4
3 172.31.37.4 reports: Destination host unreachable.

Trace complete.

Which tells me that even though the IP address isn't live, the Sophos knows to use the VPN to try and reach it.

 

I'm just trying to rule out a problem on my end before I open a ticket with the CoLo.  

 

Thank you,
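The comparison the poster is doing by eye (does a private destination go straight to the far end, or does it show up on public routers?) can be scripted. The following is an added example, not code from the original post or from Sophos: it parses Windows tracert output and reports whether a destination in a configured remote network was carried by the tunnel or leaked to the default route. The local network 10.10.10.0/24 is inferred from the gateway address in the post and is an assumption, and the public hop addresses (203.0.113.x, 198.51.100.x) are constructed placeholders for the ones redacted in the thread.

```python
import ipaddress
import re

# Constructed sample output, modelled on the three tracert runs in the post. The public hops
# are redacted there, so documentation addresses stand in for them (assumption).
LEAKED_TRACE = """\
Tracing route to 192.168.27.5 over a maximum of 30 hops

  1     7 ms    <1 ms    <1 ms  REDACTED [10.10.10.205]
  2    <1 ms    <1 ms    <1 ms  coop-router.wmiswireless.net [203.0.113.1]
  3     2 ms     2 ms     2 ms  dsl1-ip057-grr.wmisdsl.com [203.0.113.9]
  4     2 ms     2 ms     2 ms  69-39-68-81.static.123.net [198.51.100.81]
"""

TUNNELLED_TRACE = """\
Tracing route to 192.168.27.3 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  REDACTED [10.10.10.205]
  2    <1 ms    27 ms    27 ms  192.168.27.3
"""

UNREACHABLE_TRACE = """\
Tracing route to 172.31.37.4 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  REDACTED [10.10.10.205]
  2    <1 ms     3 ms     2 ms  172.31.37.4
  3  172.31.37.4  reports: Destination host unreachable.

Trace complete.
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
TARGET_RE = re.compile(r"^Tracing route to .*?" + IPV4)
HOP_RE = re.compile(r"^\s*\d+\s+(.*)$")
IP_RE = re.compile(IPV4)


def parse_tracert(text):
    """Return (target, hops); hops is a list of ip_address, or None for a timed-out hop."""
    target, hops = None, []
    for line in text.splitlines():
        m = TARGET_RE.match(line)
        if m:
            target = ipaddress.ip_address(m.group(1))
            continue
        h = HOP_RE.match(line)
        if not h:
            continue
        found = IP_RE.findall(h.group(1))
        # tracert prints "name [ip]" or a bare ip; the last dotted quad on the line is the hop.
        hops.append(ipaddress.ip_address(found[-1]) if found else None)
    return target, hops


def tunnel_verdict(text, local_networks, remote_networks):
    """Classify one trace against the UTM's configured local/remote networks.

    'tunnelled': every hop lies inside a local or remote network, so the tunnel carried the
                 packets (the far host may still be down, as in the 172.31.37.4 trace);
    'leaked':    a hop outside both sets appeared, i.e. no IPsec policy matched the destination
                 and the UTM sent the packets to its default route;
    'not-in-remote-networks': the destination is not in any configured remote network.
    """
    target, hops = parse_tracert(text)
    local = [ipaddress.ip_network(n) for n in local_networks]
    remote = [ipaddress.ip_network(n) for n in remote_networks]
    if target is None or not any(target in n for n in remote):
        return "not-in-remote-networks", []
    foreign = [str(h) for h in hops
               if h is not None and not any(h in n for n in local + remote)]
    return ("leaked" if foreign else "tunnelled"), foreign


if __name__ == "__main__":
    local, remote = ["10.10.10.0/24"], ["192.168.27.0/24", "172.31.37.0/24"]
    for name, trace in [("new host", LEAKED_TRACE), ("known host", TUNNELLED_TRACE),
                        ("dead host", UNREACHABLE_TRACE)]:
        print(name, tunnel_verdict(trace, local, remote))
```

A "leaked" verdict for a private destination is the symptom to chase on the UTM side: packets for that address never matched an IPsec policy, so the per-connection automatic firewall rule is not consulted and the traffic follows the default route instead.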



  • Hello KMD_Comp,

    Thank you for contacting the Sophos Community.

    When you say you added the new server IP to the remote networks, this would create a new SA within the tunnel for that host. Is the SA created between the UTM and this new IP?

    If the SA is green, then the UTM will send the traffic through the tunnel. Also, make sure this new IP doesn't overlap with any other IP in your network.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi and welcome to the UTM Community!

    "If the ASA doesn't have the new IP in it's allowed networks, will that prevent the sophos from trying to use the VPN tunnel for that traffic?" - Yes.

    The other possibility is that you and the CoLo aren't using the same IP.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
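Both replies come down to the same mechanism: the UTM negotiates one IPsec SA per local/remote network pair, and the ASA will only bring that SA up if its crypto ACL holds the mirror image of the pair. The following is an added example, not code from the thread, from Sophos or from Cisco: it models that policy check so a destination can be tested before opening a ticket, and it flags the overlap case Emmanuel mentions. It assumes the strict exact-mirror behaviour of the ASA (no wider or narrower match), the local network 10.10.10.0/24 (inferred from the gateway in the post), and that the two remote entries are /32 hosts, which is how the poster describes adding "the new IP"; the sample selectors are constructed.

```python
import ipaddress


def _net(n):
    return ipaddress.ip_network(n, strict=False)


def phase2_pairs(utm_local, utm_remote):
    """Sophos UTM proposes one Phase 2 SA (traffic selector) per local/remote network pair."""
    return [(_net(l), _net(r)) for l in utm_local for r in utm_remote]


def check_tunnel_policy(utm_local, utm_remote, asa_crypto_acl):
    """asa_crypto_acl holds (asa_local, asa_remote) entries as the ASA's crypto map ACL lists
    them. Assumption: the ASA accepts a proposed (utm_local, utm_remote) selector only if it
    holds the exact mirror (utm_remote, utm_local). Returns which pairs can come up, which
    have no mirror on the ASA, and which remote entries overlap a local network."""
    asa = {(_net(a), _net(b)) for a, b in asa_crypto_acl}
    result = {"up": [], "missing_on_asa": [], "overlaps": []}
    for l, r in phase2_pairs(utm_local, utm_remote):
        if l.overlaps(r):
            # A remote network inside (or containing) a local one makes routing ambiguous.
            result["overlaps"].append((str(l), str(r)))
        bucket = "up" if (r, l) in asa else "missing_on_asa"
        result[bucket].append((str(l), str(r)))
    return result


def via_tunnel(dest, utm_local, utm_remote, asa_crypto_acl):
    """True only if dest lies in a remote network whose SA both ends agree on; otherwise the
    UTM has no usable IPsec policy for it and the packet follows the default route."""
    ip = ipaddress.ip_address(dest)
    state = check_tunnel_policy(utm_local, utm_remote, asa_crypto_acl)
    return any(ip in _net(r) for _, r in state["up"])


# Constructed sample, modelled on the thread: the old host is on both ends, the new host
# was added on the UTM only.
UTM_LOCAL = ["10.10.10.0/24"]
UTM_REMOTE = ["192.168.27.3/32", "192.168.27.5/32"]
ASA_ACL = [("192.168.27.3/32", "10.10.10.0/24")]
ASA_ACL_FIXED = ASA_ACL + [("192.168.27.5/32", "10.10.10.0/24")]

if __name__ == "__main__":
    print(check_tunnel_policy(UTM_LOCAL, UTM_REMOTE, ASA_ACL))
    print("192.168.27.5 via tunnel before fix:", via_tunnel("192.168.27.5", UTM_LOCAL, UTM_REMOTE, ASA_ACL))
    print("192.168.27.5 via tunnel after fix: ", via_tunnel("192.168.27.5", UTM_LOCAL, UTM_REMOTE, ASA_ACL_FIXED))
```

The pairs listed under `missing_on_asa` are the ones to compare against the CoLo's crypto ACL (and against the UTM's IPsec log for a rejected Phase 2 proposal) before raising the ticket; an entry under `overlaps` is the address-clash case to rule out on your own side first.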