Hello Community,
We operate multiple sites with L2TP dial-up. This works very well at all locations except for one. Here we have the problem that one server (always the same) is not reachable from the L2TP pool. If you immediately dial in at another location, access is possible.
In the L2TP settings we have defined a separate IP range (172.16.250.1-172.17.250.254) for the clients, which is not a subset of the LAN IP range (172.16.250.0/24).
In this discussion I read that the colleague had problems when the L2TP pool is a separate network:
community.sophos.com/.../l2tp-vpn-establishing-but-traffic-to-my-lan-failed
Since this only occurs sporadically at one location, I don't think it is a general problem with the pool network. Nevertheless, my question is: what is the recommendation for the L2TP pool network, a stand-alone network or an area from the LAN network?
In my firewall rule, in addition to the source zone and destination zone, I usually specify the networks instead of "any" as indicated in the documentation. Does this make a difference that can lead to this error?
Thank you,
Ben