
Weird issue - when using a remote print via Citrix over an IPsec VPN tunnel, all traffic stops

Hi everyone,


This is a weird issue and kind of a long write-up, so please bear with me. Long story short, on UTM we never had this issue; it started when we moved to XG and showed itself today.

Scenario: Client has a site-to-site VPN to a separate company that hosts Citrix server-based apps. Connect the tunnel, set the Citrix instance and you get the desktop icons for the remote app. Easy enough. Here's the issue -- when they print via the remote app, it sends the print job locally as designed, but then after the job prints, all traffic is stopped. No inbound or outbound anywhere for anyone. I can continue to manage the firewall (XG 115, used fw 17.1 then downgraded to 17.04 - can't use that because the 'NAT' in the VPN tunnel doesn't work, updated to 17.08, issue persists) -- and I can ping all of the internal resources, though no traffic will move through the tunnels. Here's the head scratcher: if I disable the tunnel to the hosted apps, all connectivity comes back. There are other S2S tunnels in play as well; toggling the remote app tunnel allows connectivity through the rest of them, but if you send a print job it breaks again.

Anyone seen something similar to this before? No logs anywhere that say anything whatsoever, no IPS rules, no IDS rules, nothing like that, and from the firmware downgrade everything was rebuilt anyway. I just can't figure out what is going on here. Ideas?



  • Hi,

    Sounds like routing issues. But tbh, never saw a print job killing routing tables.

    Maybe open a support case with support and reproduce it. There should be a change in the routing table or the NAT in the routing table.


  • Not sure how it could possibly be. All traffic but local traffic stops, incl. all VPN tunnels, and when I nuke the one tunnel traffic comes back. I do know for sure it is a Sophos issue; I will advise on ticket # and the like when I hear back.

  • Hi,

    what are disk and memory usage like before and at the time of the lockup?

    Ian

    XG115W - v19.5.1 mr-1 - Home


  • Good afternoon,

    After a few calls to support it turns out this is a known issue. Internally NC-34170. The issue occurs when using an IPsec tunnel with a NAT to anything other than a /32. No currently known workarounds. Off I go to re-IP the network.

  • Hi,

    Can you post your NAT Config?


  • Take a look at your IPsec VPN, tick the box for 'network address translation'.

    If you were doing a whole /24 as I'm attempting, you'd put your actual network (e.g. 192.168.254.0/24) and in the 'local subnet' portion you would put your NATted LAN, e.g. 10.1.2.0/24.

    This is the part that is broken. Apparently it's a known issue but works fine if it is a /32. Anything else breaks WAN traffic when certain data (in my case a print job) comes through.
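    As an added example (not from the thread, and not Sophos code), a small Python pre-check for a proposed subnet-to-subnet IPsec NAT mapping using the networks quoted above; it computes the 1:1 host mapping and flags the non-/32 case this thread reports. Function names and the remote-subnet inputs are my own assumptions.

```python
import ipaddress

# Constructed values taken from the post above: the real LAN behind the
# firewall and the NATted LAN presented to the peer through the tunnel.
REAL_LAN = "192.168.254.0/24"
NATTED_LAN = "10.1.2.0/24"


def netmap(address, real_net, natted_net):
    """Translate one host in real_net to its 1:1 counterpart in natted_net.

    Subnet-to-subnet NAT keeps the host bits and swaps the network bits,
    so 192.168.254.37 in the example maps to 10.1.2.37.
    """
    real = ipaddress.ip_network(real_net, strict=False)
    natted = ipaddress.ip_network(natted_net, strict=False)
    if real.prefixlen != natted.prefixlen:
        raise ValueError("1:1 NAT needs equal prefix lengths")
    host = ipaddress.ip_address(address)
    if host not in real:
        raise ValueError(f"{host} is not inside {real}")
    host_bits = int(host) - int(real.network_address)
    return ipaddress.ip_address(int(natted.network_address) + host_bits)


def check_ipsec_nat(real_net, natted_net, remote_nets):
    """Return a list of findings for the mapping; an empty list means clean.

    remote_nets are the peer's subnets selected in the tunnel (hypothetical
    input; the thread does not list them).
    """
    findings = []
    real = ipaddress.ip_network(real_net, strict=False)
    natted = ipaddress.ip_network(natted_net, strict=False)
    if real.prefixlen != natted.prefixlen:
        findings.append("prefix lengths differ: the subnets cannot be mapped 1:1")
    if natted.prefixlen != natted.max_prefixlen:
        # The thread reports that only a single-host (/32) NAT works on
        # this firmware; anything wider hits the issue tracked as NC-34170.
        findings.append(f"NAT of {natted} is not a /32: affected by NC-34170")
    for net in remote_nets:
        remote = ipaddress.ip_network(net, strict=False)
        if natted.overlaps(remote):
            findings.append(f"NATted subnet {natted} overlaps remote {remote}")
    return findings


if __name__ == "__main__":
    print(netmap("192.168.254.37", REAL_LAN, NATTED_LAN))
    for finding in check_ipsec_nat(REAL_LAN, NATTED_LAN, ["10.1.2.0/24"]):
        print("finding:", finding)
```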

  • Hi,

    Yes, I know. But I am kinda confused about the story of this feature, because I have a couple of implementations with it working fine. With SNAT and 1:1 NAT.

    Will take a look into the bug ID and maybe I am missing something.


  • I have it working on SGs / UTMs, not on XGs.