Cannot SSH to bridged Eve-NG host through XG

Hello Bryon,

Thank you for contacting the Sophos Community!

It seems like the device with 172.16.1.2 is not replying to the SSH packets. However, I can see ACK packets being sent to 172.16.1.2 despite the fact that there are no reply packets, so I think you must have some assymetric routing going on, traffic going out one interface and coming in a different one. 

Which is the reason you are seeing in the Logs the packets being dropped by the XG as Invalid packets.

You could try doing the following from the console in the XG: (5>4)

console > set advanced-firewall bypass-stateful-firewall-config add source_network 192.168.4.0 source_netmask 255.255.255.0 dest_network 172.16.1.0 dest_netmask 255.255.255.0 

Try first this, I don't think you need a  reversed by-pass. (the Source Network and Dest Network would be the opposite).

You can also set it for only a host instead of the whole network, you can use Tab to auto-complete. 

Regards,

Setting that bypass configuration causes SSH to connect now to the remote IOSv host. I'm not sure if I 100% understand what a bypass is designed for so I'm not sure if that's something I would want to leave in place or if this is a normal troubleshooting step for Sophos XG. Could you explain for me? Seems like we're asking the firewall to not filter traffic for these source/destination networks based on any rules I have.

Admittedly I'm a little confused as to why that works, I was following the asymmetric routing angle you suggested and saw that IOSv was in fact responding via some debugs but didn't actually see them on the ESXi host via tcpdump. Since it's all virtual networking I'm fine to say it's probably just a bug or I'm capturing traffic on ESXi wrong.

Hello Bryon,

Thank you for the follow-up!

So the XG checks for "stateful packets", meaning it checks the conntrack for every packet that traverses the XG, in your case what is happening is that the  traffic from 192.168.4.104 is going out let;s say interface Port1, and then the XG is expecting the reply packet to follow the same path, but in this case the tcpdump doesn't show any packet coming back to you from 172.16.1.2, yet, 192.168.4.104 is sending [.] ACK packets, but the XG is not seeing the [.] or even SYN packets coming to the 172.16.1.2

So basically the return packet is following a different path to return, which is causing the XG to block the packets as it can't find the conntrack that matches those [.] and Syn packets.

What by passing the stateful firewall does, is it tell the XG to ignore this, simply route the packets and don't inspect them, which is the reason why you can SSH now. 

Sometimes it is not possible to avoid asymmetric routing due to how the traffic flows, but ideally, you would avoid this. 

Regards,

Is this an oddity with my setup for XG then? I wouldn't expect asymmetric routing here since it's basically one flat network on VLAN 4, just that it hairpins back out the same interface it came in on. However it's sending and receiving on both Port1 and Port1.4, where I'd expect to only see Port1.4 being used since all traffic to/from XG should be on VLAN 4's interface, Port1.4.

I see in on Port1, in on Port1.4, then out on Port1.4, out on Port1. The the replies are the inverse. It just doesn't make sense that pings work just fine but SSH doesn't without the bypass.

If a bypass is a normal thing in this kind of scenario I'm 100% fine with it, I'm just fighting my own bias here I think.

Is this an oddity with my setup for XG then? I wouldn't expect asymmetric routing here since it's basically one flat network on VLAN 4, just that it hairpins back out the same interface it came in on. However it's sending and receiving on both Port1 and Port1.4, where I'd expect to only see Port1.4 being used since all traffic to/from XG should be on VLAN 4's interface, Port1.4.

I see in on Port1, in on Port1.4, then out on Port1.4, out on Port1. The the replies are the inverse. It just doesn't make sense that pings work just fine but SSH doesn't without the bypass.

If a bypass is a normal thing in this kind of scenario I'm 100% fine with it, I'm just fighting my own bias here I think.

Hello Bryon,

Just to add, for PINGs asymmetric routing doesn't affect the flow since it doesn't use TCP or UDP. The SSH breaks the community or doesn't work because the handshake can't be completed.

Regards,

Oh, so when XG is looking at the ping traffic, it doesn't really have a way to say "this reply doesn't match" since there isn't enough information in a ping to say it's not a valid response. SSH on the otherhand, since it's TCP, gives XG more information to work off of and it can identify that the responses don't line up with the stream I sent out to begin the handshake. Am I on the right line of thinking there?

Edit: I still don't really get why XG thinks it's asymmetric either, I think that's probably my biggest hangup.