
XG firewall Version 18 site to site IPSEC not allowing print jobs.

So I have a weird scenario. After upgrading our XG firewalls to version 18, our site-to-site IPSEC tunnels randomly stop passing print jobs but WILL allow scans from the same printer. Downgrading to version 17.x.x, everything would work fine. Unfortunately, we are now on version 18.0.4 and cannot downgrade. I've used the wizard to create the site-to-site tunnels, I've made my own...VERY insecure tunnels to test, I've even tried site-to-site SSL. For whatever reason, the tunnels will show connected, but randomly stop sending traffic. Disconnecting the tunnel and reconnecting, traffic will start to pass through again. We have 30-something locations and this is happening at all of them. Had open tickets with support and no fix. Wondering if anyone else has noticed similar things? We only use the tunnels for printing and scanning purposes. Head office XG210, remote locations XG115w.



This thread was automatically locked due to age.
  • Hello there,

    Thank you for contacting the Sophos Community.

    Can you please share your Case ID, so I can follow-up.

    I would recommend, if you haven't already and both sides are running v18, that you use RBVPN and see if the issue remains; if not all XG115s are running 18, try using RBVPN on the ones that are.

    Also, when the issue happens, please try to do a pcap on both ends of the tunnel to see what is happening with the traffic.

    How to capture packets and download the Packet Capture

    Monitor traffic using Packet Capture Utility in the Sophos XG Firewall GUI

    * Route based VPN (RBVPN)

    Regards, 

  • Also, when setting up the HO.....is this going to create an xfrm for every single tunnel I make? I have 30+ locations.....am I going to have 30+ xfrm interfaces now?

  • Hello Chad,

    Yes, every tunnel will have an XFRM interface.

    I would recommend that you start with a couple of locations for testing and move progressively if you see this has fixed the issue for the BO.

    In addition to this, try ruling out any issue with SSL/TLS inspection rules by creating a VPN-to-VPN SSL/TLS inspection rule for the VPN; you should only need one. (I don't think this would be the problem, but just to be sure.)

    Additionally, as I am not sure if there is a specific site that has this issue more commonly, try creating a new Firewall rule, put it at the TOP, and specify the Source and Destination Networks for the specific tunnel (assuming you haven't done this). If you have your VPN rules separated by tunnel, then just pick one and run this command:

    console> set ips ac_atp exception fwrules 2 (Where the number 2 is the Firewall rule ID)

    Note: To remove the firewall rule exception from Application Classification and ATP, execute the following command.

    console> set ips ac_atp exception fwrules none

    Regards,

  • I must be doing something wrong. I can get the tunnels to connect, but they won't send traffic. It also says the XFRM was disabled. But no place to enable?
