Rule 0

Can you please provide a screen grab of your firewall rule(s)?  A picture is worth a thousand words.

-Ron

Hi Ron

hope that makes sense

Hi Jon,

Could you check the IPsec active connections when the tunnel is up ? Also check via Telnet or tracreroute ?

Ok, Going on the assumption here that your ISPEC tunnel(s) are up and that the network objects you have in the rule(s) you posted are in that IPSEC configuration, are you able to do the ping anything from JHB to OPT and vice versa?

Sorry need more details

-Ron

Hi Ron

IPSec connected

Host networks configured and used in the IPSec config as per Sophos site to site documentation (which incidentally does not include all the settings) 

Hi All

Thank you for your help, i found the issue. It shows that the error shown means is incredibly misleading.

The error was on the other firewall, what makes no sense whatsoever is the following:

Packet correctly routed across vpn on sophos A finds no route in sophos B

Why on earth is the error on sophos A shown as "rule0 Violation Firewall" instead of "no route at destination" for example

Sophos show some common sense please!!

Hi All

Thank you for your help, i found the issue. It shows that the error shown means is incredibly misleading.

The error was on the other firewall, what makes no sense whatsoever is the following:

Packet correctly routed across vpn on sophos A finds no route in sophos B

Why on earth is the error on sophos A shown as "rule0 Violation Firewall" instead of "no route at destination" for example

Sophos show some common sense please!!

It would give the same error ,that is the reason is to check if the packet went into the Ipsec Tunnel or not.

Hi Aditya

Where is the description of what "rule0" is?

Where is the description of ALL the violation errors?

"Rule0 Violation Firewall" on ots own means absolutely nothing, do you accept that. You are a Sophos Tech so you know, how is anyone else supposed to know??

Hi Jon Eyre 

I apologize for the lack of documentation for Rule 0, I have made a request to our KB team to publish this information for future reference.

Rule 0 is the implicit default drop rule on the XG firewall. This traffic either did not match any existing configured firewall rules and was dropped. Or this traffic could also be invalid as the firewall was not expecting this traffic such as duplicate ACKs

Please also note our KB article for invalid traffic related to TCP RST's.

Regards,

FloSupport | Community Support Engineer

Update to our documentation for Rule 0: "There are instances wherein traffic is dropped due to firewall rule 0. Rule 0 is the implicit default drop rule on the XG Firewall. This traffic either did not match any existing configured firewall rules and was dropped. It could also be invalid as the firewall was not expecting this traffic such as duplicate ACKs, it does not meet the requested or expected TCP states or RFC specifications, a case of an asymmetric routing, etc."

Regards,

Sorry, Flo - documentation that requires you to know where to look for an answer is not adequate...

Cheers - Bob

Hey Bob,

I'll inquire with our documentation team to get this info added to the SFOS Sophos Help guide.

Hi Bob

Thank you for saying that.

One of my pet hates is documentation written for the person who knows what they are doing not for person who doesn't.

Jon