
No Route to Host - Web filtering over S2S VPN

I have three sites each protected by a UTM:

Site A: SG430 / 9.500 - Multiple subnets / No local users

Site B: SG430 / 9.413 - Multiple subnets / 250 local users

Site C: SG210 / 9.413 - One subnet - the internal interface of the UTM / 20 local users

Sites A & B are connected by a fiber ring behind the UTMs.

Site C is connected to A and B via S2S IPsec tunnels. They have been up and running successfully for a couple of months.

I just discovered that Site A cannot reach Site C over HTTP/S on 80/443. It all results in a Sophos message "No route to host". Site B can access Site C websites and Site C can access both A and B without problems. Site A can access websites at Site C on non-standard ports, like the Sophos UTM interface, but that gets routed through the firewall instead of the proxy. Same thing with ping and tracert, the traffic flows between sites as expected.

The proxy was configured in transparent mode with no authentication, but I added a custom profile for the Remote Desktop servers in standard mode with SSO and it didn't make any difference. There is a firewall rule that allows all traffic between sites, but the proxy is definitely getting the 80/443 traffic.

I have been over the settings on all three servers and can't find a smoking gun. Any thoughts?

  • I'm not sure, but I have once used SSL site-to-site tunnels and, if I'm remembering correctly, you may have to configure the web filter (and/or the firewall rules) to allow the VPN Pool (SSL) IP range.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.
