XGS 2100 Loopback NAT

Why do you need a loop back in the first place? Still not sure, whats the actual use case? 

We have cloud servers (RDS) that need to be able to connect to servers in the same network using either the public DNS name or the public IP address.  We currently have Sophos SG firewalls here that have no problem accomplishing this task and every other firewall vendor I have ever used has no issue with loopback/hairpinning. I believe at one point I also had this working on an XG firewall. 

Without loopback working these firewalls will not be a fit for our deployment and we will have to stay with the SGs.  

Odd enough, that you are not seeing any connection, i have a feeling about this: The firewall rule, you are using: Is it the same firewall rule, you are using from external to internal (DNAT) and do you have anything other selected there? For example web filtering or scanning of web etc? 

Yes the Firewall rule is is the Same for the External to internal DNAT (seen above).  There are no services enabled only logging turned on

And this rule, beside of the actual small counter, works from external. Because i would expect more data to flow, if you are talking about HTTP. 

I am oddly confused, that the connection is not loaded in the conntrack. That should be there. You should see the connection in Conntrack. But you see the connection in the logviewer, correct? The NAT and Firewall rule is fine there? You should see it via mouse over.

To summarize: Without SNAT i cannot work. There has to be a SNAT, otherwise it wont work. But the SNAT, however does not hit, no matter what you configure. 

The counter is not increasing on the rule but is on the NAT rule. No I am not seeing the traffic in the logviewer.  I'm just as confused as from this machine I can hit the Management using the WAN IP Address of .2 and it comes up like I am on the inside network which I am.

I have the strong feeling there is something odd going on in your setup. You should contact support to get this more analyzed. I think, there is something going on, which is oddly enough.

Do you have multiple HA Clusters in your setup? 

I already have a ticket open with support for this issue. This is the only HA cluster we have other than the SG cluster that is being replaced by these ones. Originally I was having issues with traffic between VLANs but that was corrected by MR1. I won't be able to put these into production until I can get this fixed.

I appreciate and thank you for the time you have taken to try to assist.

Go to the HA Cluster Config and change the Cluster ID. 

Done but made no difference

You could try to figure out, why conntrack is not showing anything. Because even conntrack -L should show some connections. At least the connection build up. 

Hi Robert Reid,

Could you please provide the support ticket number by sending a personal message? I will follow up with it internally and provide you an update.

Thanks,

Hi Robert Reid,

Could you please provide the support ticket number by sending a personal message? I will follow up with it internally and provide you an update.

Thanks,