I'm having a few issues with an XG in place at the moment. Various things are failing such as checking for firmware/pattern updates, being able to use the web filtering feature and also using the inbuilt FTP backup feature.
I have discovered that the XG is unable to resolve any DNS queries; I have tried multiple external DNS servers but no luck. The issue appears to be the way the XG is handling its own traffic: it appears it's creating the request from the internal LAN IP and then sending this to ipsec0. Also, doing a packet capture of the FTP backup, it is doing the same, as though the XG-initiated traffic is somehow getting caught in an IPsec policy. I have checked all VPNs and nothing matches the src and dst, so it is unclear why this is behaving in this way.
If I point the XG to an internal DNS server this works, but the FTP backup, as it's external, fails as it's doing the same thing.
Got a call logged with Sophos support, but after 3 weeks they aren't showing much interest and have caused more problems with their attempted fixes, which from what I can see have no relevance; I have had to intervene when the engineer started deleting and regenerating certificates, causing all sorts of SSLVPN issues.
I know there are commands to be able to send XG-initiated traffic down a VPN, however this has not been implemented; I want the opposite of that. Anyone ever seen this before? There are no tunnel interfaces and also no static routes, just a simple LAN and WAN setup with a few site-to-site VPNs, SSLVPN and some port forwarding.
Thank you for contacting the Sophos Community!
Could you please provide me with the Case ID, so I can follow-up!
I know you said you already check the IPsec tunnels, but also make sure you haven't set a tunnel as a remote destination with ANY.
Are you running v17 or v18?
If you run the following command from the console do you see any route?
console> show advanced-firewall
I do have a VPN with the destination of Any and a source of a single IP (10.0.0.24/32), as this server is required to route all its traffic via another location. If it is this that's causing the issue, any tips on how to ensure this doesn't disrupt XG-initiated traffic?
Thank you for the output of the commands.
Yes for some reason the XG is sending all the traffic via the IPsec.
Can you have some downtime on that specific tunnel with the destination set as ANY?
If so can you bring it down and then run the same commands?
Also can you try the following command:
console> set advanced-firewall sys-traffic-nat add destination 0.0.0.0 netmask 0.0.0.0 interface Port2 snatip x.x.x.x
It basically should force all the auto-generated traffic to go out Port2 (I am assuming Port2 is your WAN); substitute the x.x.x.x for the Public IP of the WAN interface.
Looks like disabling that VPN fixes the issue; however, even with the NAT command you mention, this still fails if that particular VPN that has an Any destination is up.
Thank you for the follow-up!
I will need to ask internally about this behavior!
I think you are scheduled for a session tomorrow with a new engineer, let me know if for some reason this doesn't happen!
Could you please provide me with the output of
console> system ipsec_route show
And also this one
# ip route show table 220
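The thread's finding is that a tunnel whose remote network is ANY captures the firewall's own DNS and FTP traffic. The following is an added example (not from the thread or from Sophos) that checks the output of `ip route show table 220`, the IPsec policy routing table queried above, for a catch-all (default / 0.0.0.0/0) entry and reports the source address such a route would stamp on firewall-initiated packets. The route lines and addresses are constructed samples, and the exact line format is an assumption; run it against the live table on the appliance with `check_ipsec_catchall "$(ip route show table 220)"`.

```shell
#!/bin/sh
# Added example: detect a catch-all IPsec policy route in routing table 220.
# A tunnel configured with a remote network of ANY leaves a default entry
# here, which is consistent with the thread's symptom of firewall-initiated
# traffic (DNS, FTP backup) being pushed onto ipsec0.

# Constructed sample of `ip route show table 220` with a catch-all entry.
# Addresses are from the thread / documentation ranges; format is assumed.
SAMPLE_TABLE_220='10.1.1.0/24 dev ipsec0 proto static src 10.0.0.1
default dev ipsec0 proto static src 10.0.0.24'

# Constructed sample after the ANY-destination tunnel has been brought down.
SAMPLE_TABLE_220_CLEAN='10.1.1.0/24 dev ipsec0 proto static src 10.0.0.1'

# check_ipsec_catchall ROUTE_TABLE_TEXT
# Prints every default / 0.0.0.0/0 entry; exit 0 if any found, 1 otherwise.
check_ipsec_catchall() {
    printf '%s\n' "$1" | grep -E '^(default|0\.0\.0\.0(/0)?)( |$)'
}

# catchall_source ROUTE_TABLE_TEXT
# Prints the "src" address of the catch-all route, i.e. the address the
# firewall's own packets would carry before entering the tunnel.
catchall_source() {
    check_ipsec_catchall "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "src") print $(i + 1) }'
}

# Stand-alone demonstration on the constructed sample.
if check_ipsec_catchall "$SAMPLE_TABLE_220" >/dev/null; then
    echo "catch-all IPsec route present; firewall traffic would use src $(catchall_source "$SAMPLE_TABLE_220")"
else
    echo "no catch-all IPsec route in table 220"
fi
```

If the live table shows a default entry via ipsec0, the tunnel with the ANY remote network is the one to narrow (or temporarily bring down, as the support engineer suggests) before testing DNS and the FTP backup again.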
Appreciate your continued assistance here. Output as follows:
Not what I expected from the very first command, but it is useful.
Would it be possible to enable Support Access in your XG and send the Access ID in the case?
That's now been sent over.
Thank you for the Access ID.
I tried to access but I was unable to do so. Do you have a router in front of the XG, or does the XG have a Public IP?
Please try again, I have pointed DNS internally to get around the lookup issue so hopefully should now be working.
Thank you, I tried again and I asked a couple of colleagues to do the same but it timed out.
Can you share a screenshot of your interfaces (if there is any public IP you can cross it out) also can you share a screenshot of your IPSec tunnel where this specific tunnel is configured. You can put this in the ticket if you want.
And also the output of
# ipsec statusall
Also, in the Firewall rule for LAN to VPN, you didn't configure the Source zone as ANY, right? If you did, can you change the source zone to the LAN zone?