Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 2 replies
  • Answers 1 answer
  • Subscribers 26 subscribers
  • Views 1565 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG Site2Site tunnel up, remote subnet can send data, internal data not seen in firewall log

Fred_B

We are in the process of setting up our first XG as we are moving away from TMG.

With help of the Sophos reseller the Site2Site tunnel is established and status and connection both show green.

Automatic VPN Firewall rule in place Allow Any zone source  Switch_LAN, LAN, Remote_LAN, destination Switch_LAN, LAN, Remote_LAN, any service.

The remote site can send data as is logged in the XG log with the firewall allow rule. But we do not see any traffic going back out. Nothing logged and the remote site doesn't receive anything back.

The XG is connected on Port 1 to our core switches with a Switch_LAN IP adress, the core switches have an IP adress in the Switch_LAN and in the LAN. Their default gateway is the TMG. At the TMG a rstatic route is set for the Remote_LAN to the Sophos XG. Port2 is a static Internet IP adress not known by the TMG.

Problem is I cannot ping from the XG to the Remote_LAN. Nor from the LAN to the Remote_LAN. A trace route at the TMG gives the Sophos XG as the first hop but drops away * * * * after that. The XG log gives Allow In Port1 Out Port2 Src IP TMG server Dst IP Remote_IP src port 137 UDP en ICMP.

I.  A trace route at the XG gives 30 times:

1 * * 10.0.1.253 984.001 ms !H: 2 * * 10.0.1.253 984.001 ms !H: etcetera.

This traffic is not logged?

The remote site uses a Fortigate.

Any idea's?

Tanks in advance,

Fred

 

 

 

   

  



This thread was automatically locked due to age.
Parents
  • 0

    The problem is that the way the XG is added to our network by the Sophos reseller as a parallel gateway is not supported by the TMG. 

    I see the traffic being blocked by the TMG as Dynamic Ports protocol with "A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer."  

    I will run into this problems also when moving VPN clients to the XG, SMTP, Proxy, etc.

    The reason for adding it in parallel by the Sophos reseller is that it TMG can be removed when all functionality has been moved to the XG. I am not sure he understood the routing complications.

    Is there a way to get this to work with TMG? 

    Regards,

    Fred

Reply
  • 0

    The problem is that the way the XG is added to our network by the Sophos reseller as a parallel gateway is not supported by the TMG. 

    I see the traffic being blocked by the TMG as Dynamic Ports protocol with "A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer."  

    I will run into this problems also when moving VPN clients to the XG, SMTP, Proxy, etc.

    The reason for adding it in parallel by the Sophos reseller is that it TMG can be removed when all functionality has been moved to the XG. I am not sure he understood the routing complications.

    Is there a way to get this to work with TMG? 

    Regards,

    Fred

Children