XG initiated traffic being sent to ipsec0

I'm having a few issues with an XG in place at the moment. Various things are failing such as checking for firmware/pattern updates, being able to use the web filtering feature and also using the inbuilt FTP backup feature.

I have discovered that the XG is unable to resolve any DNS queries; I have tried multiple external DNS servers but no luck. The issue appears to be the way the XG is handling its own traffic: it appears it's creating the request from the internal LAN IP and then sending this to ipsec0. Also, doing a packet capture of the FTP backup, it is doing the same, as though the XG-initiated traffic is somehow getting caught in an IPsec policy. I have checked all VPNs and nothing matches the src and dst, so it's unclear why this is behaving in this way.

If I point the XG to an internal DNS server this works, but the FTP backup, as it's external, fails as it's doing the same thing.

Got a call logged with Sophos support, but after 3 weeks they aren't showing much interest and have caused more problems with their attempted fixes, which from what I can see have no relevance, and I have had to intervene when the engineer started deleting and regenerating certificates, causing all sorts of SSLVPN issues.

I know there are commands to be able to send XG-initiated traffic down a VPN; however, this has not been implemented, and I want the opposite of that. Anyone ever seen this before? There are no tunnel interfaces and also no static routes, just a simple LAN and WAN setup with a few site-to-site VPNs, SSLVPN and some port forwarding.

  • Hello Rich,

    Thank you, I tried again and I asked a couple of colleagues to do the same but it timed out.

    Can you share a screenshot of your interfaces (if there is any public IP you can cross it out) also can you share a screenshot of your IPSec tunnel where this specific tunnel is configured. You can put this in the ticket if you want.

    And also the output of

    # ipsec statusall

    Also, in the Firewall rule for LAN to VPN, you didn't configure the Source zone as ANY, right? If you did, can you change the source zone to the LAN zone?


    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
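The original poster says they checked every VPN and nothing matches the source and destination of the failing traffic, and the reply above asks for `ipsec statusall` output. On Sophos XG the IKE daemon is strongSwan, and `ipsec statusall` prints each installed child SA's traffic selectors on a line of the form `name{id}:   local_nets === remote_nets`. The script below is an added example, not code from the thread or from Sophos: it parses a constructed sample of that output (connection names and addresses are made up, and the format is reproduced from memory, so check it against your real output) and reports which tunnels' selectors would claim a given src/dst pair. The made-up `SiteC` tunnel has a remote network of `0.0.0.0/0`, which illustrates how a packet the firewall sources from its LAN IP can be swallowed by IPsec while the same packet sourced from the WAN IP is not; whether anything like that is present on the poster's firewall is unknown.

```python
import ipaddress
import re

# Constructed sample in the style of strongSwan's `ipsec statusall` output.
# Not captured from the poster's firewall: names and addresses are invented.
SAMPLE_STATUSALL = """\
Security Associations (2 up, 0 connecting):
     SiteB[3]: ESTABLISHED 2 hours ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
     SiteB{5}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c9a1b2c3_i d4e5f6a7_o
     SiteB{5}:   192.168.1.0/24 === 10.20.0.0/16
     SiteC[4]: ESTABLISHED 45 minutes ago, 203.0.113.10[203.0.113.10]...192.0.2.30[192.0.2.30]
     SiteC{6}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: 01234567_i 89abcdef_o
     SiteC{6}:   192.168.1.0/24 === 0.0.0.0/0
"""

# Child SA selector lines: "<conn>{<id>}:   <local nets> === <remote nets>"
_SELECTOR_LINE = re.compile(
    r"^\s*(?P<conn>[^\s{]+)\{(?P<id>\d+)\}:\s+(?P<local>.+?)\s+===\s+(?P<remote>.+?)\s*$"
)


def _nets(field):
    """Turn a selector field into ip_network objects, dropping any [proto/port] suffix."""
    nets = []
    for token in field.split():
        token = token.split("[", 1)[0]
        nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def parse_child_sas(statusall_text):
    """Return one dict per installed child SA: connection name, id, local and remote selectors."""
    sas = []
    for line in statusall_text.splitlines():
        m = _SELECTOR_LINE.match(line)
        if not m:
            continue  # IKE SA lines, SPI lines and headers carry no selectors
        sas.append({
            "conn": m["conn"],
            "id": int(m["id"]),
            "local": _nets(m["local"]),
            "remote": _nets(m["remote"]),
        })
    return sas


def matching_tunnels(sas, src, dst):
    """Names of tunnels whose selectors cover src -> dst (order as printed by statusall)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [
        sa["conn"]
        for sa in sas
        if any(s in n for n in sa["local"]) and any(d in n for n in sa["remote"])
    ]


if __name__ == "__main__":
    sas = parse_child_sas(SAMPLE_STATUSALL)
    # A DNS query the firewall sources from its LAN address versus from its WAN address.
    for src, dst in [("192.168.1.1", "8.8.8.8"), ("203.0.113.10", "8.8.8.8")]:
        hits = matching_tunnels(sas, src, dst)
        print(f"{src} -> {dst}: {hits or 'no tunnel selector matches'}")
```

Feed it the real output (`ipsec statusall > status.txt`, then `parse_child_sas(open("status.txt").read())`) and test the exact src/dst pair seen in the packet capture. If a tunnel is listed, that tunnel's remote network is the policy catching the firewall's own traffic; if none is, the selectors in the installed SAs are not the cause and the capture needs to be compared against the policy-based routing and firewall rules instead.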