Sophos XG + Azure Subnets + VPN Site-to-Site = Route issues?

Hello All,

This is my first time posting here, so thank you for your time reading my post!
The reason I'm asking for help is that I have an annoying issue in my Lab/Study environment that I can't find a way to fix by myself.

Scenario:

On-premises SNET

- SUBNETS
10.0.0.0/24 (MGMT)
192.168.10.0/24 (DC01)
192.168.20.0/24 (DC02)
192.168.1.0/24 (WAN/Internet Router)

- SOPHOS XG FW INTERFACES/IPs
10.0.0.1
192.168.10.1
192.168.20.1
192.168.1.4

- VMs
10.0.0.200 (ADM - MGMT)
192.168.10.31 (AD - DC01)
192.168.20.31 (AD - DC02)

Azure

- SUBNETS
10.1.0.0/16 (VNET)
10.1.1.0/24 (WAN)
10.1.10.0/24 (PROD)
10.1.20.0/24 (CORP)

- SOPHOS XG FW INTERFACES/IPs
10.1.1.4 (WAN)
10.1.10.4 (PROD)
10.1.20.4 (CORP)

- VMs
10.1.10.5 (AD - PROD)
10.1.20.101 (TEST VM - CORP)

There is an IPsec VPN Site-to-Site configured using the DefaultHeadOffice and DefaultBranchOffice configurations on each Sophos XG FW.
This VPN also configures the necessary firewall rules when I create the initial settings (but I also tested doing everything from scratch manually).

And finally: WHAT IS THE ISSUE!!

- From any VM/Host running on Azure I can ping any VM/Host in any subnet, either on Azure or On-premises. However, I can only ping VM/Host 10.1.10.5 (AD - PROD) from On-premises VMs/Hosts, and when I try to ping 10.1.20.101 (TEST VM - CORP) from On-premises, there is no answer.

- Using TCPDUMP I can see the traffic reaching the Sophos XG FW running on Azure, but I have no idea why it cannot send the traffic to 10.1.20.101 (TEST VM - CORP). And if I try to ping any VMs/Hosts from this VM/Host 10.1.20.101 (TEST VM - CORP), I receive the response without any issue.

- I was looking at the ROUTE TABLEs on Azure and also the gateway configuration for both subnets and VMs on Azure, and they are exactly the same. Also, there are no Security Group settings (Inbound or Outbound) for any VM/Host on Azure except, of course, for the Sophos XG FW.

I will take some screenshots if someone asks for them to help (much appreciated btw), but I can't see any issue or error by myself, which is why I'm posting here. Hopefully someone can point out to me the mistake that I'm making :)

Thank you for your time and good will in reading my post, and please feel free to ask me for whatever you think would be helpful to assist me :D


Best regards and Obrigado!

Hi Christiano Santos,

If it is not an issue with some servers answering ping and some not, I'd suspect that a route from Azure to your corporate network is missing.

You should always look in both directions: from the pinging device to the pinged device and back. Very often the gateway is reachable but the network behind it is not if routes are missing.

Do a traceroute from both sides and examine the part of the network (next hop) where it fails. Is there a route going back, and is the traffic allowed through the firewall rules? If it fails on different parts of the network, examine both.

Switch on logging on all firewall rules on both firewalls and create an explicit deny rule for all firewall zones (NOT the zone Any) and log traffic that is not handled by the existing rules. Trace the log of this deny rule for discarded packets coming from the server you use to ping and/or going to the server you are pinging.

Regards
BeEf

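A constructed model of the "look in both directions" check recommended in the reply above, added here as an example and not part of the thread: it walks the forwarding path hop by hop for both directions of a flow, using the addresses from the post but with assumed route tables (the CORP subnet is deliberately modelled without a user-defined route back to the on-prem prefixes, so the forward path succeeds while the return path fails).

```python
import ipaddress

# Constructed model of the addressing in the post. Route tables are assumed,
# not taken from the poster's configuration: "ipsec:<peer>" is the site-to-site
# tunnel, "internet" is the Azure system default route. The CORP subnet is
# modelled WITHOUT a user-defined route back to the on-prem prefixes.
ONPREM = {"10.0.0.0/24": "ipsec:onprem-xg", "192.168.10.0/24": "ipsec:onprem-xg",
          "192.168.20.0/24": "ipsec:onprem-xg"}
UDR_PROD = {p: "10.1.10.4" for p in ONPREM}   # on-prem prefixes -> Azure XG (assumed UDR)
NODES = {
    "onprem-xg": {"if": ["10.0.0.1/24", "192.168.10.1/24", "192.168.20.1/24", "192.168.1.4/24"],
                  "routes": {"10.1.0.0/16": "ipsec:azure-xg"}},
    "azure-xg":  {"if": ["10.1.1.4/24", "10.1.10.4/24", "10.1.20.4/24"], "routes": ONPREM},
    "dc01":      {"if": ["192.168.10.31/24"], "routes": {"0.0.0.0/0": "192.168.10.1"}},
    "ad-prod":   {"if": ["10.1.10.5/24"], "routes": {**UDR_PROD, "0.0.0.0/0": "internet"}},
    "test-corp": {"if": ["10.1.20.101/24"], "routes": {"0.0.0.0/0": "internet"}},
}

def ifaces(node):
    return [ipaddress.ip_interface(i) for i in NODES[node]["if"]]

def owner_of(ip):
    return next((n for n in NODES if any(i.ip == ip for i in ifaces(n))), None)

def next_hop(node, dst):
    """Directly connected networks win; otherwise longest-prefix match."""
    if any(dst in i.network for i in ifaces(node)):
        return "connected"
    matches = [(ipaddress.ip_network(p), nh) for p, nh in NODES[node]["routes"].items()
               if dst in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def trace(src_ip, dst_ip, max_hops=8):
    """Walk the forwarding path hop by hop. Returns (delivered, hops); on failure
    the last entry names the hop and reason, like the failing hop of a traceroute."""
    dst, node, hops = ipaddress.ip_address(dst_ip), owner_of(ipaddress.ip_address(src_ip)), []
    for _ in range(max_hops):
        hops.append(node)
        nh = next_hop(node, dst)
        if nh == "connected":
            target = owner_of(dst)
            return (True, hops + [target]) if target else (False, hops + ["no such host"])
        if nh is None or nh == "internet":
            return False, hops + [f"no route to {dst}" if nh is None else "leaked to default route"]
        node = nh.split(":", 1)[1] if nh.startswith("ipsec:") else owner_of(ipaddress.ip_address(nh))
        if node is None:
            return False, hops + [f"next hop {nh} unreachable"]
    return False, hops + ["hop limit"]

def check_both_ways(a, b):
    """The reply's advice: trace both directions, since the forward path can
    work while the return path fails (asymmetric or missing routes)."""
    return {f"{a}->{b}": trace(a, b), f"{b}->{a}": trace(b, a)}

if __name__ == "__main__":
    for pair in (("192.168.10.31", "10.1.10.5"), ("192.168.10.31", "10.1.20.101")):
        for flow, (ok, hops) in check_both_ways(*pair).items():
            print(f"{flow}: {'OK' if ok else 'FAIL'} via {' > '.join(hops)}")
```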