What does the WAF log show when you go to the page? 

[Sat Feb 16 17:27:13.345689 2019] [proxy:error] [pid 18145:tid 140281707050752] (110)Connection timed out: AH00957: HTTP: attempt to connect to 192.168.17.33:80 (192.168.17.33) failed
[Sat Feb 16 17:27:13.345744 2019] [proxy:error] [pid 18145:tid 140281707050752] AH00959: ap_proxy_connect_backend disabling worker for (192.168.17.33) for 60s
[Sat Feb 16 17:27:13.345756 2019] [proxy_http:error] [pid 18145:tid 140281707050752] [client 192.168.10.50:58679] AH01114: HTTP: failed to make connection to backend: 192.168.17.33
[Sat Feb 16 17:27:13.345972 2019] [security2:error] [pid 18145:tid 140281707050752] [client 192.168.10.50:58679] [client 192.168.10.50] ModSecurity: Warning. Pattern match "^5\\\\d{2}$" at RESPONSE_STATUS. [file "/content/waf/2.7.3/modsecurity_crs_outbound.conf"] [line "53"] [id "970901"] [rev "2"] [msg "The application is not available"] [data "Matched Data: 503 found within RESPONSE_STATUS: 503"] [severity "ERROR"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "WASCTC/WASC-13"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.6"] [hostname "www.company.com"] [uri "/"] [unique_id "XGg50n8AAAEAAEbhzKsAAAAF"]
[Sat Feb 16 17:27:13.346167 2019] [security2:error] [pid 18145:tid 140281707050752] [client 192.168.10.50:58679] [client 192.168.10.50] ModSecurity: Access denied with code 403 (phase 4). Pattern match "(.*)" at TX:0. [file "/content/waf/2.7.3/modsecurity_crs_outbound_blocking.conf"] [line "24"] [id "981200"] [msg "Outbound Anomaly Score Exceeded (score 4): Last Matched Message: The application is not available"] [data "Last Matched Data: 503"] [hostname "www.company.com"] [uri "/"] [unique_id "XGg50n8AAAEAAEbhzKsAAAAF"]
[Sat Feb 16 17:27:13.346438 2019] [security2:error] [pid 18145:tid 140281707050752] [client 192.168.10.50:58679] [client 192.168.10.50] ModSecurity: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/content/waf/2.7.3/modsecurity_crs_correlation.conf"] [line "40"] [id "981205"] [msg "Outbound Anomaly Score Exceeded (score 4): The application is not available"] [hostname "www.company.com"] [uri "/"] [unique_id "XGg50n8AAAEAAEbhzKsAAAAF"]

The same scenario works successfully with SSL VPN, so there is a bug with IPSec VPNs and the WAF.

Unfortunately the NAT rule does not work in this constellation and therefore the routing does not work.

Who else has an idea to solve the problem?

I run into this issue weeks ago.

You should get in touch with Sophos Support to get a bug ID.

Resolved it with a RED Site to Site tunnel and forgot to work on it any further.

Hej,

then at least it's a mistake that doesn't just affect me. I will try to contact Sophos support. Apparently this installation is not the most common... :-)

Did anyone get a fix for this. It seems when this happens you reboot the XG and it comes good again for a few weeks then will stop working again. 

Hi Boz 

If the WAF domain is published and anyone tries to access it, the traffic will always hit through WAN zone as there is no such configuration in WAF business rule to toggle.

If the BO users try to access the webserver through IPsec VPN tunnel, DNS entry should be there and this traffic will be traverse through IPsec tunnel using VPN to LAN/DMZ firewall rule configuration.

If you facing trouble accessing the webserver, I would recommend to contact technical support and open a service request

Hi Keyur 

That isn't the problem at all. 

The out side user ----- Hit WAF on firewall -------WAF forward traffic through ipsec tunnel to Web server that is on the other end. 

This is fully working but then stops after few weeks then a reboot needs to happen. 

I have talked to support months ago around this but they weren't helpful in find a fix. 

Only thing that fixes this is a reboot.