No Route to Host - Web filtering over S2S VPN

I have three sites each protected by a UTM:

Site A: SG430 / 9.500 - Multiple subnets / No local users

Site B: SG430 / 9.413 - Multiple subnets / 250 local users

Site C: SG210 / 9.413 - One subnet - the internal interface of the UTM / 20 local users

Sites A & B are connected by a fiber ring behind the UTMs.

Site C is connected to A and B via S2S IPsec tunnels. They have been up and running successfully for a couple of months.

I just discovered that Site A cannot reach Site C over HTTP/S on 80/443. It all results in a Sophos message "No route to host". Site B can access Site C websites and Site C can access both A and B without problems. Site A can access websites at Site C on non-standard ports, like the Sophos UTM interface, but that gets routed through the firewall instead of the proxy. Same thing with ping and tracert, the traffic flows between sites as expected.

The proxy was configured in transparent mode with no authentication, but I added a custom profile for the Remote Desktop servers in standard mode with SSO and it didn't make any difference. There is a firewall rule that allows all traffic between sites, but the proxy is definitely getting the 80/443 traffic.

I have been over the settings on all three servers and can't find a smoking gun. Any thoughts?

  • So I just came up with a work around. I added Site C's subnet to the Web Protection > Filtering Options > Misc > Skip Transparent Mode Destination Hosts/Networks list. This eliminated the proxy from the equation and allowed the firewall rule to handle the traffic.

    Still curious as to why it can't find a route through the proxy on one server but not the other. And why the custom profile didn't override transparent mode.
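
The symptom pattern described in this thread (80/443 fail with "No route to host", non-standard ports, ping and tracert work) is what distinguishes a proxy-path problem from a routing problem, and the workaround is a destination skip list. The following script is an added example and is not code from the thread or from Sophos; it separates the two paths with a small probe matrix, classifies the result, and models whether a given destination would still be intercepted after it is added to a skip list. The Site C subnet 10.30.0.0/24, the host 10.30.0.10, the explicit proxy on port 8080 and the sample probe outcomes are all constructed for illustration.

```python
# Added example (not from the thread or from Sophos): separate the routing
# path from the transparent-proxy path for HTTP/S across a site-to-site
# tunnel, and model the "skip transparent mode for destination" workaround.
# Subnets, hosts and the sample probe results are constructed, not real.
import http.client
import ipaddress
import socket

WEB_PORTS = {80, 443}  # ports a transparent web proxy intercepts


def proxy_would_intercept(dst_ip, dst_port, skip_networks):
    """True if a transparent proxy on 80/443 would take this flow.

    Destinations inside any network of `skip_networks` (the skip-transparent
    destination list) are left to the normal firewall rules instead.
    """
    if dst_port not in WEB_PORTS:
        return False
    ip = ipaddress.ip_address(dst_ip)
    return not any(ip in ipaddress.ip_network(n, strict=False) for n in skip_networks)


def tcp_probe(host, port, timeout=3.0):
    """Plain TCP connect from this client; returns 'ok' or 'fail:<reason>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "ok"
    except OSError as exc:
        return f"fail:{exc.strerror or type(exc).__name__}"


def proxy_probe(proxy_host, proxy_port, target_host, target_port=80, timeout=5.0):
    """GET through an explicit proxy using the absolute-URI request form.

    Returns 'ok' for a 2xx/3xx answer, 'status:<code>' for anything else the
    proxy answers with, or 'fail:<reason>' if the proxy itself is unreachable.
    """
    conn = http.client.HTTPConnection(proxy_host, proxy_port, timeout=timeout)
    try:
        conn.request("GET", f"http://{target_host}:{target_port}/")
        status = conn.getresponse().status
        return "ok" if 200 <= status < 400 else f"status:{status}"
    except OSError as exc:
        return f"fail:{exc.strerror or type(exc).__name__}"
    finally:
        conn.close()


def diagnose(results):
    """Classify a probe matrix {(path, port): outcome}.

    path is 'direct' (TCP connect from the client), 'proxy' (via the explicit
    proxy) or 'icmp' (ping, port None). Outcomes start with 'ok' or 'fail'.
    """
    def ok(key):
        return results.get(key, "").startswith("ok")

    web = [ok(("direct", p)) for p in sorted(WEB_PORTS) if ("direct", p) in results]
    other = [ok(k) for k in results if k[0] == "direct" and k[1] not in WEB_PORTS]
    via_proxy = [ok(k) for k in results if k[0] == "proxy"]
    icmp = ok(("icmp", None))

    if not web:
        return "inconclusive: no direct probe of 80/443 in the matrix"
    if all(web):
        return "web reachable: no proxy or routing fault"
    if any(web):
        return "inconclusive: 80 and 443 differ, check per-port handling"
    # From here every direct 80/443 probe failed.
    if (other and all(other)) or icmp:
        if via_proxy and not any(via_proxy):
            return "proxy fault: routing works, both transparent and explicit proxy fail to reach the host"
        return "proxy fault: routing works, transparent proxy cannot reach the host on 80/443"
    if other and not any(other) and not icmp:
        return "routing/tunnel fault: nothing reaches the remote site"
    return "inconclusive: mixed results, compare per-port outcomes"


# Constructed probe matrix mirroring the thread: 80/443 fail, a non-standard
# port and ping succeed, the explicit proxy on 8080 fails as well.
THREAD_LIKE = {
    ("direct", 80): "fail:No route to host",
    ("direct", 443): "fail:No route to host",
    ("direct", 4444): "ok",
    ("icmp", None): "ok",
    ("proxy", 80): "fail:No route to host",
}

if __name__ == "__main__":
    print(diagnose(THREAD_LIKE))
    for skip in ([], ["10.30.0.0/24"]):
        print("skip list", skip, "-> intercepted on 443:",
              proxy_would_intercept("10.30.0.10", 443, skip))
```

To use it against a live site, fill the matrix with `tcp_probe(host, port)` for 80, 443 and one non-standard port and with `proxy_probe("<utm-ip>", 8080, host)`, then call `diagnose`. A "proxy fault" result with routing intact is the case where a destination skip entry is the right fix; a "routing/tunnel fault" result means the skip list will not help.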

  • Your solution is the one I would have suggested, Tim.

    You indicate that the Standard mode Profile wasn't capturing the traffic.  Did you modify your browser settings to use the Proxy explicitly on port 8080?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • The browser was set for auto-configuration, but I did try setting it explicitly with 8080 and had the same result. Unfortunately since it is now working, I have had to move on to other things. I just have a slight concern that there might be a bug in 9.5. I hope to upgrade the rest when 9.503 is released, of course if others do not have any issues first.

  • I meant to imply that setting it explicitly would cause the problem you described, as does auto-configuration.

    Cheers - Bob

  • I'm not sure, but I once used SSL site-to-site tunnels and, if I'm remembering correctly, you may have to configure that the IP range of the VPN Pool (SSL) is allowed in the web filter (and/or firewall rules).


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.