
Firewall Traffic gets routed in full-tunnel IPsec VPN

hi there,

Since we upgraded our XG to 18.0.4 we have an issue with the traffic (e.g. DNS / ICMP) originating from the firewall itself.

We have a full-tunnel IPsec VPN configured for all client subnets to our data center and it seems that routing for the firewall itself is broken now.

SG230_WP02_SFOS 18.0.4 MR-4# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C
--- 8.8.8.8 ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss

------------

SG230_WP02_SFOS 18.0.4 MR-4# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 46 byte packets
1 x.x.x.x (IP of Remote VPN-Gateway) 11.644 ms * *
2 * * *
3 * x.x.x.x (IP of Remote VPN-Gateway) 11.576 ms 37.854 ms

------------

SG230_WP02_SFOS 18.0.4 MR-4# nslookup www.google.de
;; connection timed out; no servers could be reached

------------

I know there is a KB article (Sophos XG Firewall: How to Route Sophos Firewall Initiated Traffic Through an IPSec VPN tunnel), but my issue is the exact opposite.
I do not have any rules like those described configured.
------------

edit: Output of route lookup:

Route lookup Result
8.8.8.8 is located on the ipsec0
8.8.8.8 is not behind a router.

------------

Anybody had similar issues or any idea how to solve this?

Thanks



  • Hi: Thank you for reaching out to Sophos community team. What is the route precedence set over XG as of now?

    The default route precedence in 18.0 is set to static, SD-WAN policy routes, and VPN. Can you please check the below KBA for reference steps and set the route precedence to its default V18 settings, if it is not set.
     
    https://support.sophos.com/support/s/article/KB-000037964?language=en_US

    https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContents/ConfiguringRoutePrecedence.html


    Note: You may test it in odd hours for safer side to avoid any outage or issue.
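To make the precedence discussion concrete, here is an added example (not code from the thread, Sophos, or SFOS) that models a precedence-ordered route lookup as a toy: each route class (static, SD-WAN policy, VPN) is consulted in the configured order and the first class containing a matching route wins, with longest-prefix match inside the class. This is an assumed simplification for illustration only, not SFOS's real routing code. The interface name `Port2`, the `/32` host route, and the alternative remote subnet `10.100.0.0/16` are constructed inputs; the full-tunnel `0.0.0.0/0` VPN route, the empty static table and the two precedence orders are the ones discussed in the thread.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Toy model of precedence-ordered route lookup (assumption for illustration;
# not SFOS's actual algorithm). A route table is a list of (prefix, egress
# interface) pairs.
RouteTable = List[Tuple[str, str]]

# Order quoted in the thread as the 18.0 default.
DEFAULT_V18_PRECEDENCE = ["static", "sdwan", "vpn"]
# Alternative order suggested in a later reply.
VPN_BEFORE_STATIC = ["sdwan", "vpn", "static"]


def lookup(dest: str, tables: Dict[str, RouteTable],
           precedence: List[str]) -> Optional[Tuple[str, str]]:
    """Return (route_class, interface) for dest, or None if nothing matches.

    Classes are tried in `precedence` order; within a class the longest
    matching prefix wins; the first class with any match decides the egress.
    """
    addr = ipaddress.ip_address(dest)
    for cls in precedence:
        best = None  # (network, interface) of the longest match in this class
        for prefix, iface in tables.get(cls, []):
            net = ipaddress.ip_network(prefix, strict=False)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        if best is not None:
            return cls, best[1]
    return None


def build_tables(full_tunnel: bool = True,
                 static_routes: RouteTable = ()) -> Dict[str, RouteTable]:
    """Constructed tables: no SD-WAN routes, a VPN table that is either a
    full tunnel (0.0.0.0/0 -> ipsec0) or a split tunnel to one constructed
    remote subnet, and whatever static routes the caller supplies."""
    vpn = [("0.0.0.0/0", "ipsec0")] if full_tunnel else [("10.100.0.0/16", "ipsec0")]
    return {"static": list(static_routes), "sdwan": [], "vpn": vpn}


def thread_scenarios() -> Dict[str, Optional[Tuple[str, str]]]:
    """Evaluate 8.8.8.8 (the destination pinged in the thread) under the
    thread's configuration and under constructed variations of it."""
    full = build_tables()
    # Constructed: a host route for 8.8.8.8 via a WAN port named Port2.
    with_host_route = build_tables(static_routes=[("8.8.8.8/32", "Port2")])
    split = build_tables(full_tunnel=False)
    return {
        # Thread's situation: static empty, VPN has 0.0.0.0/0 -> lands on ipsec0
        "full_tunnel_default_order": lookup("8.8.8.8", full, DEFAULT_V18_PRECEDENCE),
        # Swapping the order changes nothing while the static table is empty
        "full_tunnel_vpn_first": lookup("8.8.8.8", full, VPN_BEFORE_STATIC),
        # A more specific static route only helps when static precedes VPN
        "host_route_static_first": lookup("8.8.8.8", with_host_route, DEFAULT_V18_PRECEDENCE),
        "host_route_static_last": lookup("8.8.8.8", with_host_route, VPN_BEFORE_STATIC),
        # Split tunnel: no class matches, so the lookup falls through
        "split_tunnel": lookup("8.8.8.8", split, DEFAULT_V18_PRECEDENCE),
    }


if __name__ == "__main__":
    for name, result in thread_scenarios().items():
        print(f"{name:28s} -> {result}")
```

The takeaway the model makes visible: with a `0.0.0.0/0` remote subnet and no static routes, every precedence order sends firewall-originated traffic into `ipsec0`, matching the "8.8.8.8 is located on the ipsec0" lookup result in the post; precedence only changes the outcome once a more specific route exists in a class that is consulted earlier.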

  • console> system route_precedence show
    Routing Precedence:
    1. Static routes
    2. SD-WAN policy routes
    3. VPN routes

  • 220 should print out all remote networks of your IPSec tunnel. But maybe in your case you do not need access from there to remote networks (e.g. HQ networks), only the other way around. So it may be empty.

    The only difference in your config I could find is the routing precedence:

    Default routing Precedence:
    1.  SD-WAN policy routes
    2.  VPN routes
    3.  Static routes

    yours:
    Routing Precedence:
    1. Static routes
    2. SD-WAN policy routes
    3. VPN routes

    We have no SD-WANs

    We have VPN routes (but only to the 220 networks, no WAN routes)

    -> system ipsec_route show

    You say your static routes are empty. And so are ours.

    It's worth a try to change that precedence.

    Maybe you can have a review of your NAT/SNAT config?

  • and please be sure that you don't have bad SNAT here:

    console> show advanced-firewall

    ...

    NAT policy for system originated traffic
    ---------------------
    Destination Network Destination Netmask Interface SNAT IP

    interesting stuff here

  • I am not sure right now which will be applied first: if you change the traffic via a NAT rule, whether the traffic will hit the ipsec0 interface or whether the routing decision will be applied after the NAT. I assume it's the NAT part. Having said that, this is rather a problematic construct, as the firewall is doing what you tell the firewall to do. It NATs the traffic to ANY into the tunnel.

    I would assume, you should think about the setup in the first place, if remote subnet should be ANY and cannot be more specific? 

  • one thing to point out: We do not apply NAT to any traffic in the tunnel.

    we have a local subnet 10.64.0.0/21 and the remote subnet is any or 0.0.0.0/0 - no NAT applied

    we need the full tunnel because web-security is currently applied in the HQ.

    the only NAT rule I have is from LAN to WAN zone for direct internet access if the tunnel fails.

  • console> show advanced-firewall
    NAT policy for system originated traffic
    ---------------------
    Destination Network Destination Netmask Interface SNAT IP

    ... list is empty

  • Somehow the XG uses 0.1 as an outgoing IP. This is configured by somebody. Please review the NAT page and check all rules.

  • please see the NAT rules below. I can't see anything wrong here.

    you may ignore rule 1 - this is a workaround to have the DNS server function working for 1 client - it does not make a difference if I delete/disable it.

  • Do you use NAT on the IPSec setup? The Checkbox? 

    PS: What is the issue if you want to use the IPsec tunnel for everything? I mean, if security is done on the peer side, you can also give the DNS etc. to them?

  • not checked

    sure, I could allow the XG traffic on the peer side - that would be the easy way.

    but I don't get why an update of the firewall changes the routing in a way that all my security policies on the peer side need to be edited.

    and I would expect the XG firewall system to be configurable in the way I want it... and since it was working before in that way, I would rather find the cause of the issue and solve it

  • Basically there were a couple of fixes of certain behaviors and fixed issues. Some of them caused some weird behavior. And I assume you saw this in the old version. Now it is doing exactly what the firewall should do: send everything to the peer end.

    To change this is not that easy, as it's system-generated traffic. System-generated traffic is a special use case in the firewall business. The firewall can apply SD-WAN PBR rules to it. But as you use ANY, it would overwrite your VPN rule and would destroy your deployment.

    I cannot think of a valid configuration yet for your setup. The use case is not valid right now, because why would you want to use the local breakout for DNS and request everything to the peer end? 
