
IPsec tunnel issue with multiple active WAN interfaces

Hello everyone,

At the moment I'm looking into a very strange issue regarding an IPsec setup on my XG with multiple WAN interfaces.

First of all, to give you an overview, the relevant interfaces:

  • PortA - internal LAN with 192.168.13.0/24 directly attached
  • PortD - PPPoE Uplink, marked as backup connection in WAN link manager
  • PortE - leased line with a /29 on it, so there are the ports E:0 to E:4 for all available IP addresses from this subnet; active connection in WAN link manager with a weight of 60
  • PortG - LTE Router, the XG is DHCP Client; active connection in WAN link manager with a weight of 40

On the XG box there are 6 IPsec connections, each one with local / listening interface PortE:0.
IPsec types are mixed IKEv1 and IKEv2; some have multiple subnets, some only a 1-on-1 mapping.


Issue description:

All IPsec connections initiate flawlessly; however, some of them don't pass traffic over to the remote networks if initiated on the XG side.
This is not a stable condition: sometimes it works, sometimes not. Even the sessions that work change from time to time.

 

First investigations:

Using the Packet Capture feature in XG it becomes clear that the traffic is always correctly routed to the IPsec tunnel and seems to leave the XG on the tunnel interface ipsec0.
Looking further with tcpdump on the advanced shell (tcpdump dst <destination gateway address>), it becomes clear that there is a substantial routing issue with the IPsec traffic:

While the IPsec session traffic (aka isakmp) is leaving on the correct wan interface (PortE), the ESP traffic leaves on PortG!

PortG is not associated with the IPsec connection at all. And needless to say, with traffic originating from a completely different IP the other side has no choice but to drop it.
It looks like PortG is chosen sometimes based on the WAN link weight; this made the issue hard to track down for me and should be the reason why it isn't encountered all the time.
Maybe this occurs only on alias interfaces, but unfortunately I'm not able to test this in my scenario.

So there are some questions now for me:

  • Has anyone experienced this issue so far?
  • Is there any chance of a wrong configuration leading to this issue?

For the record: I raised a case with Sophos (#9895016) but am awaiting a response.

 

Regards,

Markus
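The check Markus describes above (IKE leaving on one WAN interface while the ESP packets for the same peer leave on another, with a different source address) can be automated over tcpdump output. The following is an added example, not code from the post or from Sophos: it assumes one capture per WAN interface whose lines were prefixed with that interface's name, and it uses a constructed sample capture with documentation-range addresses (203.0.113.10 and 192.0.2.5 standing in for the PortE and PortG addresses; 198.51.100.20 and 198.51.100.77 standing in for two remote gateways).

```python
import re
from collections import defaultdict

# Constructed sample capture: tcpdump-style lines, each prefixed with the WAN
# interface the capture was taken on (hypothetical names matching the post).
SAMPLE_CAPTURE = """\
PortE 10:15:01.000101 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: parent_sa ikev2_init[I]
PortE 10:15:01.020441 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: parent_sa ikev2_init[R]
PortG 10:15:02.114201 IP 192.0.2.5 > 198.51.100.20: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
PortG 10:15:02.214201 IP 192.0.2.5 > 198.51.100.20: ESP(spi=0x0a1b2c3d,seq=0x2), length 132
PortE 10:15:03.000009 IP 203.0.113.10.500 > 198.51.100.77.500: isakmp: phase 1 I ident
PortE 10:15:04.000009 IP 203.0.113.10 > 198.51.100.77: ESP(spi=0x11223344,seq=0x1), length 116
"""

# Matches "<iface> <timestamp> IP <src>[.port] > <dst>[.port]: isakmp|ESP ...".
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+\S+\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:\s+"
    r"(?P<proto>isakmp|ESP)\b"
)


def egress_by_peer(capture_text, local_ips):
    """Map each remote gateway to the (interface, source address) pairs that its
    outbound IKE and ESP packets actually left on.

    Only packets whose source is one of our own WAN addresses count as outbound;
    inbound replies and lines the parser does not understand are skipped.
    """
    summary = defaultdict(lambda: {"isakmp": set(), "ESP": set()})
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["src"] not in local_ips:
            continue
        summary[m["dst"]][m["proto"]].add((m["iface"], m["src"]))
    return summary


def find_mismatches(summary):
    """Return the peers whose ESP packets used an interface/source address that
    the IKE exchange with that peer did not use. That is exactly the symptom in
    the post: the remote side sees ESP from an address it has no SA with and drops it.
    """
    bad = {}
    for peer, by_proto in summary.items():
        ike, esp = by_proto["isakmp"], by_proto["ESP"]
        if ike and esp and esp - ike:
            bad[peer] = {"ike": sorted(ike), "esp": sorted(esp)}
    return bad


if __name__ == "__main__":
    # Our own WAN addresses in the constructed sample (PortE:0 and PortG).
    result = find_mismatches(egress_by_peer(SAMPLE_CAPTURE, {"203.0.113.10", "192.0.2.5"}))
    for peer, detail in result.items():
        print(f"{peer}: IKE via {detail['ike']} but ESP via {detail['esp']}")
```

In the sample, peer 198.51.100.20 is flagged (IKE on PortE from 203.0.113.10, ESP on PortG from 192.0.2.5) while 198.51.100.77 is consistent; on a real box the same split across interfaces is what the weighted WAN link balancing would produce if ESP is policy-routed independently of the IKE SA.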

 


