Advisory: Support Portal Maintenance. Login is currently unavailable, more info available here.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 8 replies
  • Answers 1 answer
  • Subscribers 12 subscribers
  • Views 2066 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF - WebServer behind IPSec-VPN not working

Steppenwolf
over 1 year ago

Hej,

i have an problem with the WAF in combination with an IPsec-VPN-tunnel. Following error occours:

 

Forbidden

You don't have permission to access / on this server.

Additionally, a 503 Service Unavailable error was encountered while trying to use an ErrorDocument to handle the request.

 

About my network:

Local LAN: 192.168.15.0/24
Local IP of XG: 192.168.15.1
Remote LAN: 192.168.17.0/24
Remote IP of WebServer for WAF: 192.168.17.33
Firmware of XG: v17.5.3

 

Result of tcpdump:

16:46:16.797513 ipsec0, OUT: IP 169.254.234.5.47125 > 192.168.17.33.80: Flags [S], seq 3415650181, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0

 

I tried following:

  • sys-traffic-nat add destination 192.168.17.0 netmask 255.255.255.0 snatip 192.168.15.1
  • system ipsec_route add net 192.168.17.0/255.255.255.0 tunnelname HeadOffice
  • activated NAT via IPSec connection

Any ideas? Did i forget something or is this a bug?

 



This thread was automatically locked due to age.
Parents
  • 0 over 1 year ago

    Did anyone get a fix for this. It seems when this happens you reboot the XG and it comes good again for a few weeks then will stop working again. 

     

     

  • 0 over 1 year ago in reply to Boz

    Hi  

    If the WAF domain is published and anyone tries to access it, the traffic will always hit through WAN zone as there is no such configuration in WAF business rule to toggle.

    If the BO users try to access the webserver through IPsec VPN tunnel, DNS entry should be there and this traffic will be traverse through IPsec tunnel using VPN to LAN/DMZ firewall rule configuration.

    If you facing trouble accessing the webserver, I would recommend to contact technical support and open a service request

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • 0 over 1 year ago in reply to Keyur

    Hi Keyur 

     

     

    That isn't the problem at all. 

     

     

    The out side user ----- Hit WAF on firewall -------WAF forward traffic through ipsec tunnel to Web server that is on the other end. 

     

    This is fully working but then stops after few weeks then a reboot needs to happen. 

     

    I have talked to support months ago around this but they weren't helpful in find a fix. 

     

    Only thing that fixes this is a reboot. 

     

     

     

Reply
  • 0 over 1 year ago in reply to Keyur

    Hi Keyur 

     

     

    That isn't the problem at all. 

     

     

    The out side user ----- Hit WAF on firewall -------WAF forward traffic through ipsec tunnel to Web server that is on the other end. 

     

    This is fully working but then stops after few weeks then a reboot needs to happen. 

     

    I have talked to support months ago around this but they weren't helpful in find a fix. 

     

    Only thing that fixes this is a reboot. 

     

     

     

Children
No Data
Unfiltered HTML