
XG initiated traffic being sent to ipsec0

I'm having a few issues with an XG in place at the moment. Various things are failing such as checking for firmware/pattern updates, being able to use the web filtering feature and also using the inbuilt FTP backup feature.

I have discovered that the XG is unable to resolve any DNS queries; I have tried multiple external DNS servers but no luck. The issue appears to be the way the XG is handling its own traffic: it appears it's creating the request from the internal LAN IP and then sending this to ipsec0. Also, doing a packet capture of the FTP backup, it is doing the same, as though the XG-initiated traffic is somehow getting caught in an IPsec policy. I have checked all VPNs and nothing matches the src and dst, so it's unclear why this is behaving in this way.

If I point the XG to an internal DNS server this works, but the FTP backup, as it's external, fails as it's doing the same thing.

Got a call logged with Sophos support but after 3 weeks they aren't showing much interest and have caused more problems with their attempted fixes, which from what I can see have no relevance; I have had to intervene when the engineer started deleting and regenerating certificates, causing all sorts of SSLVPN issues.

I know there are commands to be able to send XG-initiated traffic down a VPN, however this has not been implemented; I want the opposite of that. Anyone ever seen this before? There are no tunnel interfaces and also no static routes, just a simple LAN and WAN setup with a few site-to-site VPNs, SSLVPN and some port forwarding.



  • Hello Rich5312,

    Thank you for contacting the Sophos Community!

    Could you please provide me with the Case ID, so I can follow-up!

    I know you said you already checked the IPsec tunnels, but also make sure you haven't set a tunnel as a remote destination with ANY.

    Are you running v17 or v18?

    If you run the following command from the console do you see any route?

    console> show advanced-firewall

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hello

    Case ID: 03263436

    I do have a VPN with the destination of Any and a source of a single IP (10.0.0.24/32), as this server is required to route all its traffic via another location. If it is this that's causing the issue, any tips on how to ensure this doesn't disrupt XG-initiated traffic?

  • Hello Rich,

    Thank you for the Case ID. I see you will have a session with the engineer.

    Can you make sure that in the output of

    console> system route_precedence show

    Policy routes is on top?

    Can you do an:

    ip route get 44.238.159.168 

    And see which interface it says it will go out of.

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi,

    I am getting the following:

    I am due a session with an engineer but he wants 2 hours downtime and won't advise what he will be doing, and after the last session and breaking the SSLVPN for all staff I am not very confident with him at the moment.

    Thanks,
    Rich

  • Hello Rich,

    Thank you for the output of the commands.

    Yes, for some reason the XG is sending all the traffic via the IPsec.

    Can you have some downtime on that specific tunnel with the destination set as ANY?

    If so can you bring it down and then run the same commands?

    Also can you try the following command:

    console> set advanced-firewall sys-traffic-nat add destination 0.0.0.0 netmask 0.0.0.0 interface Port2 snatip x.x.x.x

    It should force all the auto-generated traffic to go out Port2 (I am assuming Port2 is your WAN); substitute x.x.x.x with the public IP of the WAN interface.

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
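The thread's diagnosis turns on three things: the route precedence order (`system route_precedence show`), an IPsec tunnel whose remote selector is ANY, and the `sys-traffic-nat` entry that pins firewall-originated traffic to the WAN interface with a public SNAT address. The following is an added illustration, not Sophos code and not a description of XG internals: it is a simplified model of that lookup, with the precedence walk, the rule that `sys-traffic-nat` is consulted before routing and only for system-generated traffic, the XG LAN address `10.0.0.1`, the WAN address `203.0.113.10` and the widened `10.0.0.0/24` selector all being constructed assumptions. The only values taken from the thread are the `10.0.0.24/32` selector, the ANY destination, Port2 as WAN and `44.238.159.168` as the test host.

```python
"""Simplified model of how a firewall chooses the egress for traffic it
originates itself (DNS lookups, update checks, FTP backups).
Added example for illustration; the lookup order and sys-traffic-nat
semantics are assumptions, not Sophos XG's actual implementation."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class IpsecPolicy:
    """One IPsec tunnel selector: packets from `local` to `remote` are tunnelled."""
    name: str
    local: str   # e.g. "10.0.0.24/32"
    remote: str  # "0.0.0.0/0" models the GUI's 'ANY'

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.local)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.remote))


@dataclass(frozen=True)
class StaticRoute:
    prefix: str  # "0.0.0.0/0" is the default route
    dev: str


@dataclass(frozen=True)
class SysTrafficNat:
    """Models one `set advanced-firewall sys-traffic-nat add ...` entry."""
    destination: str  # CIDR; 'destination 0.0.0.0 netmask 0.0.0.0' is 0.0.0.0/0
    interface: str
    snatip: str


@dataclass
class Firewall:
    # Lookup order, as reported by `system route_precedence show` in the thread
    precedence: Tuple[str, ...] = ("policy", "vpn", "static")
    policy_routes: List[Tuple[str, str]] = field(default_factory=list)  # (src prefix, dev)
    tunnels: List[IpsecPolicy] = field(default_factory=list)
    statics: List[StaticRoute] = field(default_factory=list)
    sys_nat: List[SysTrafficNat] = field(default_factory=list)

    def egress(self, src: str, dst: str, system_generated: bool = False) -> Tuple[str, str]:
        """Return (egress device, source address) chosen for one packet."""
        d = ipaddress.ip_address(dst)
        # Assumption: a sys-traffic-nat entry is honoured before any routing lookup,
        # but only for traffic the firewall itself originates.
        if system_generated:
            for entry in self.sys_nat:
                if d in ipaddress.ip_network(entry.destination):
                    return entry.interface, entry.snatip
        for stage in self.precedence:
            if stage == "policy":
                for prefix, dev in self.policy_routes:
                    if ipaddress.ip_address(src) in ipaddress.ip_network(prefix):
                        return dev, src
            elif stage == "vpn":
                for tunnel in self.tunnels:
                    if tunnel.matches(src, dst):
                        return "ipsec0", src  # what the thread's packet capture showed
            elif stage == "static":
                best = None  # longest-prefix match over static routes
                for route in self.statics:
                    net = ipaddress.ip_network(route.prefix)
                    if d in net and (best is None or net.prefixlen > best[0].prefixlen):
                        best = (net, route.dev)
                if best:
                    return best[1], src
        raise LookupError(f"no route to {dst}")


def demo() -> Dict[str, Tuple[str, str]]:
    """Walk through the thread's situation with constructed addresses."""
    lan_ip = "10.0.0.1"          # constructed: the XG's own LAN address
    wan_ip = "203.0.113.10"      # constructed: public address on Port2
    ftp_host = "44.238.159.168"  # the host tested with `ip route get` in the thread
    fw = Firewall(
        tunnels=[IpsecPolicy("site-b", local="10.0.0.24/32", remote="0.0.0.0/0")],
        statics=[StaticRoute("0.0.0.0/0", "Port2")],
    )
    results = {}
    # The server that must send everything via the other site: tunnelled, as intended.
    results["server_to_ftp"] = fw.egress("10.0.0.24", ftp_host)
    # The firewall's own traffic from its LAN address: the /32 selector does not match.
    results["xg_to_ftp_narrow_selector"] = fw.egress(lan_ip, ftp_host, system_generated=True)
    # What-if (constructed): the selector is widened to the whole LAN, so the
    # ANY-destination tunnel now swallows the firewall's own DNS/update/backup traffic.
    fw.tunnels = [IpsecPolicy("site-b", local="10.0.0.0/24", remote="0.0.0.0/0")]
    results["xg_to_ftp_wide_selector"] = fw.egress(lan_ip, ftp_host, system_generated=True)
    # The fix suggested in the thread: pin system traffic to Port2 with the WAN IP.
    fw.sys_nat.append(SysTrafficNat("0.0.0.0/0", "Port2", wan_ip))
    results["xg_to_ftp_with_sys_nat"] = fw.egress(lan_ip, ftp_host, system_generated=True)
    # Host traffic is unaffected by sys-traffic-nat: the server still uses the tunnel.
    results["server_after_fix"] = fw.egress("10.0.0.24", ftp_host)
    return results


if __name__ == "__main__":
    for name, (dev, src) in demo().items():
        print(f"{name:28s} -> dev {dev:6s} src {src}")
```

Running `demo()` shows why the ANY-destination tunnel is the first suspect (any source covered by its local selector is captured regardless of destination) and why the `sys-traffic-nat` entry is a targeted fix: it changes only the firewall's own traffic, while the server's traffic keeps using the tunnel. On a real XG, the check remains `ip route get 44.238.159.168` before and after the change, confirming the reported device moves from `ipsec0` to the WAN port.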