Site to Site VPN Question
We have been unable to reach a new remote server that our CoLo set up, and I'm trying to understand what I'm seeing as I troubleshoot this. We have a Sophos UTM running 9.605. The other end is a Cisco ASA.

The VPN is up and allows me to reach our other servers at the CoLo. The IPsec gateway on the Sophos has the new IP in its remote networks and the connection is set for automatic firewall rules. When I run a tracert to the new IP, I start seeing internet routers:

Tracing route to 192.168.27.5 over a maximum of 30 hops

1 7 ms <1 ms <1 ms REDACTED [10.10.10.205]
2 <1 ms <1 ms <1 ms coop-router.wmiswireless.net [REDACTED]
3 2 ms 2 ms 2 ms dsl1-ip057-grr.wmisdsl.com [REDACTED]
4 2 ms 2 ms 2 ms 69-39-68-81.static.123.net [REDACTED]

instead of the expected:

Tracing route to 192.168.27.3 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms REDACTED [10.10.10.205]
2 <1 ms 27 ms 27 ms 192.168.27.3

So it doesn't look like the tunnel is getting triggered for the new IP.

If the ASA doesn't have the new IP in its allowed networks, will that prevent the Sophos from trying to use the VPN tunnel for that traffic?

If I turn on logging for the automatic firewall rule that the connection creates, I can see it getting hit when I ping one of our other servers, but nothing shows up when I try to ping the new server. If I create a new firewall rule to allow that traffic, I can see that rule getting hit when I try to ping the new server.

Even if the new server's IP wasn't added to the allowed local networks on the ASA, why isn't the Sophos seeing the target IP and trying to use the VPN tunnel? If I try to tracert to a non-existent IP over another site-to-site VPN we have, I get this:

Tracing route to 172.31.37.4 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms REDACTED [10.10.10.205]
2 <1 ms 3 ms 2 ms 172.31.37.4
3 172.31.37.4 reports: Destination host unreachable.

Trace complete.

Which tells me that even though the IP address isn't live, the Sophos knows to use the VPN to try and reach it.

I'm just trying to rule out a problem on my end before I open a ticket with the CoLo.

Thank you,


This thread was automatically locked due to age.
  • Hi and welcome to the UTM Community!

    "If the ASA doesn't have the new IP in its allowed networks, will that prevent the Sophos from trying to use the VPN tunnel for that traffic?" - Yes.

    The other possibility is that you and the CoLo aren't using the same IP.

    Cheers - Bob
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
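A small model of why the UTM sends the new address out the default route instead of into the tunnel. This is an added illustration for the question in the post and for Bob's "Yes"; it is not code from Sophos, Cisco or anyone in this thread. The point it shows: with a policy-based VPN, the only selectors that get installed are the (local, remote) pairs both peers agreed on during negotiation, so a destination the ASA's crypto ACL never covered has no selector at all and is routed like any other internet address, while a dead host inside an agreed subnet is still pushed into the tunnel (the 172.31.37.4 case). The 10.10.10.0/24 and 172.31.37.0/24 networks, the 10.10.10.50 source host, the one-SA-per-pair negotiation and the ACL mirroring are assumptions; only the 192.168.27.x hosts and 172.31.37.4 come from the thread.

```python
"""Model of policy-based IPsec selector matching, added for this thread.

Added illustration, not Sophos or Cisco code.  Assumptions: the UTM proposes
one child SA for every (local network, remote network) pair it is configured
with; the ASA accepts a pair only if an entry in its crypto ACL covers it;
packets that no installed selector matches follow the normal routing table,
i.e. the default route to the ISP.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]  # (this side's local net, this side's remote net)


def net(cidr: str) -> Net:
    return ipaddress.ip_network(cidr, strict=False)


def asa_accepts(utm_pair: Pair, asa_acl: List[Pair]) -> bool:
    """The ASA's ACL is written from the ASA's point of view, so the UTM's
    local side must sit inside an entry's *remote* side and the UTM's remote
    side inside that entry's *local* side."""
    utm_local, utm_remote = utm_pair
    return any(utm_local.subnet_of(asa_remote) and utm_remote.subnet_of(asa_local)
               for asa_local, asa_remote in asa_acl)


def negotiate(utm_local: List[Net], utm_remote: List[Net],
              asa_acl: List[Pair]) -> List[Pair]:
    """Selector pairs both ends agree on: the policies actually installed."""
    return [(l, r) for l in utm_local for r in utm_remote
            if asa_accepts((l, r), asa_acl)]


def next_hop(src: str, dst: str, spd: List[Pair]) -> str:
    """'ipsec' if an installed selector covers src->dst, else 'default-route'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(s in l and d in r for l, r in spd):
        return "ipsec"
    return "default-route"


def demo() -> Dict[str, str]:
    # Constructed configuration; only the host addresses appear in the thread.
    utm_local = [net("10.10.10.0/24")]
    utm_remote = [net("192.168.27.3/32"), net("192.168.27.5/32")]
    # ASA crypto ACL still lists only the old server (assumed).
    asa_acl = [(net("192.168.27.3/32"), net("10.10.10.0/24"))]
    spd = negotiate(utm_local, utm_remote, asa_acl)

    # Second tunnel from the thread: a whole remote subnet is agreed, so a
    # host that does not exist is still sent into the tunnel.  The /24 is
    # an assumption; the thread only shows the 172.31.37.4 trace.
    other_acl = [(net("172.31.37.0/24"), net("10.10.10.0/24"))]
    other_spd = negotiate(utm_local, [net("172.31.37.0/24")], other_acl)

    # What happens once the CoLo adds the new host to the ASA side.
    fixed_acl = asa_acl + [(net("192.168.27.5/32"), net("10.10.10.0/24"))]
    fixed_spd = negotiate(utm_local, utm_remote, fixed_acl)

    return {
        "old server": next_hop("10.10.10.50", "192.168.27.3", spd),
        "new server": next_hop("10.10.10.50", "192.168.27.5", spd),
        "dead host": next_hop("10.10.10.50", "172.31.37.4", other_spd),
        "fixed": next_hop("10.10.10.50", "192.168.27.5", fixed_spd),
    }


if __name__ == "__main__":
    for name, hop in demo().items():
        print(f"{name:10s} -> {hop}")
```

The UTM's automatic firewall rule behaves the same way as the model: it only ever sees traffic that an installed selector matched, which is why logging on it showed the old server but not the new one, and why a hand-made rule does see the new server's pings (they are ordinary routed traffic). The authoritative check on the UTM itself, which is a Linux box, is `ip xfrm policy`: if no policy lists the new host, the ASA never agreed to it, and the fix belongs on the CoLo side.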