XG firewall Version 18 site to site IPSEC not allowing print jobs.

So I have a weird scenario: after upgrading our XG firewalls to version 18, our site to site IPsec tunnels randomly stop passing print jobs but WILL allow scans from the same printer. Downgrading to version 17.x.x, everything would work fine. Unfortunately, we are now on version 18.0.4 and cannot downgrade. I've used the wizard to create the site to site tunnels, I've made my own... VERY insecure tunnels to test, I've even tried site to site SSL. For whatever reason, the tunnels will show connected, but randomly stop sending traffic. Disconnecting the tunnel and reconnecting, traffic will start to pass through again. We have 30-something locations, and this is happening at all of them. Had open tickets with support and no fix. Wondering if anyone else has noticed similar things? We only use the tunnels for printing and scanning purposes. Head office XG210, remote locations XG115w.



  • Hello Chad,

    Yes, every tunnel will have an XFRM interface.

    I would recommend you to start with a couple of locations for testing and move progressively if you see this has fixed the issue for the BO.

    In addition to this, try ruling out any issue with SSL/TLS inspection rules by creating a VPN to VPN SSL/TLS inspection rule for the VPN; you should only need one. (I don't think this would be the problem, but just to be sure.)

    Additionally, as I am not sure if there is a specific site that has this issue more commonly, try creating a new Firewall rule, put it at the TOP, and specify the Source and Destination Networks for the specific tunnel (assuming you haven't done this). If you have your VPN rules separated by tunnel, then just pick one and run this command:

    console> set ips ac_atp exception fwrules 2 (Where the number 2 is the Firewall rule ID)

    Note: To remove the firewall rule exception from Application Classification and ATP, execute the following command.

    console> set ips ac_atp exception fwrules none

    Regards,

  • I must be doing something wrong. I can get the tunnels to connect, but they won't send traffic. It also says the XFRM was disabled. But no place to enable?

  • I had to go to the CLI and enable it from there. Tunnel is up and passing traffic. I'll update and let you know if this works better than the site to site IPsec.

  • So after a long while of testing, the RB VPN does the same thing. Tunnels show up, traffic randomly stops passing. Disable tunnel, re-enable... traffic will then pass. Then randomly stop.

  • I have noticed that if I send a constant ping from the print server, then the tunnel NEVER has an issue.

  • Hello Chad,

    Thank you for the follow-up.

    Does the same happen if you change the IPsec policy?

    Can you leave tcpdump running on both ends of the tunnels? We need to confirm whether the tunnel stops passing traffic or what happens to the reply traffic from the printer.

    #nohup tcpdump -envvi ipsec0 host x.x.x.x and host x.x.x.x  -C 10 -W 2 -w ipsec0.pcap -s0 &

    (Change the x.x.x.x to the IP of the printer and the computer sending the print job.)

    Regards,
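Once the two captures from the tcpdump command above exist, the question the reply poses (does the request stop inside the tunnel, or does the printer's reply get lost on the way back?) can be answered by counting each direction at each end. The script below is an added example for this thread, not code from Sophos or from anyone in the discussion. It assumes the pcaps were read back as text with `tcpdump -n -r ipsec0.pcap` (the one-line summary format), and the capture lines, the print server address 10.1.1.50, and the printer address 10.2.1.20 are constructed sample data, not values from the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass

# One-line summary format printed by "tcpdump -n": timestamp, "IP src.port > dst.port: ... length N".
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):.*?length (?P<len>\d+)"
)

# Constructed sample captures (not from the thread). Head office sees three SYNs toward the
# printer's port 9100 and no replies; the branch sees the SYNs arrive and the printer answering.
HEAD_OFFICE_CAPTURE = """\
10:15:01.000100 IP 10.1.1.50.49152 > 10.2.1.20.9100: Flags [S], seq 100, win 64240, length 0
10:15:02.000200 IP 10.1.1.50.49152 > 10.2.1.20.9100: Flags [S], seq 100, win 64240, length 0
10:15:04.000300 IP 10.1.1.50.49152 > 10.2.1.20.9100: Flags [S], seq 100, win 64240, length 0
"""
BRANCH_CAPTURE = """\
10:15:01.000900 IP 10.1.1.50.49152 > 10.2.1.20.9100: Flags [S], seq 100, win 64240, length 0
10:15:01.001200 IP 10.2.1.20.9100 > 10.1.1.50.49152: Flags [S.], seq 500, ack 101, win 65535, length 0
10:15:02.001000 IP 10.1.1.50.49152 > 10.2.1.20.9100: Flags [S], seq 100, win 64240, length 0
10:15:02.001300 IP 10.2.1.20.9100 > 10.1.1.50.49152: Flags [S.], seq 500, ack 101, win 65535, length 0
10:15:04.001100 IP 10.1.1.50.49152 > 10.2.1.20.9100: Flags [S], seq 100, win 64240, length 0
"""

PRINT_SERVER = "10.1.1.50"  # assumed address of the host sending the job
PRINTER = "10.2.1.20"       # assumed address of the branch printer


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int


def parse_tcpdump(text):
    """Turn tcpdump -n summary lines into Packet records; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(Packet(m["ts"], m["src"], int(m["sport"]),
                               m["dst"], int(m["dport"]), int(m["len"])))
    return pkts


def direction_counts(pkts, client, printer):
    """Count packets per direction between the print server and the printer."""
    counts = Counter()
    for p in pkts:
        if p.src == client and p.dst == printer:
            counts["to_printer"] += 1
        elif p.src == printer and p.dst == client:
            counts["from_printer"] += 1
    return counts


def diagnose(head, branch):
    """Compare the two ends and say where the flow stops. Inputs are Counters from direction_counts."""
    if head["to_printer"] == 0:
        return "no print traffic reached ipsec0 at head office: check the firewall rule or route, not the tunnel"
    if branch["to_printer"] == 0:
        return "print traffic entered the tunnel at head office but never arrived at the branch: forward direction lost in tunnel"
    if branch["from_printer"] == 0:
        return "print traffic reached the branch but the printer never replied: printer or branch LAN issue, not the tunnel"
    if head["from_printer"] == 0:
        return "printer replies left the branch but never arrived at head office: return traffic lost in tunnel"
    return "both directions pass through the tunnel end to end: look above the network layer"


def run_example():
    head = direction_counts(parse_tcpdump(HEAD_OFFICE_CAPTURE), PRINT_SERVER, PRINTER)
    branch = direction_counts(parse_tcpdump(BRANCH_CAPTURE), PRINT_SERVER, PRINTER)
    return diagnose(head, branch)


if __name__ == "__main__":
    print(run_example())
```

Running this on the constructed captures reports that the printer's SYN-ACKs are visible on the branch ipsec0 but never show up at head office, which is the "what happens to the reply traffic" case the reply asks about. With real captures, pass the two text dumps and the actual addresses to `direction_counts` and `diagnose`; the check ignores everything except the two hosts, so the background traffic on ipsec0 does not skew the counts.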