
XG Firewall not routing correctly over IPSec VPN

Hi,

I have a VPN connection built from a Sophos XG at the branch to a Palo Alto at the data center end. The VPN is established; however, there seem to be some weird routing issues. Both ends have access rules to allow the traffic both ways. Despite the VPN tunnel being up, I can't ping across it.

The symptoms I'm seeing are very weird. The VPN tunnels aren't installing routes into the routing table. I had to manually add the remote data center subnet into the VPN tunnel using the system ipsec_route add net command. I now get a ping response every 50 pings or so, but when looking at the traffic logs and doing traceroutes, the firewall sends the other 49 pings out via the internet connection. For some reason it doesn't realise they need to go over the VPN. The route precedence is also set to prioritise VPN routes.

Has anybody else had this issue?

Thanks

Szymon



This thread was automatically locked due to age.
Hi : Thank you for reaching out to the Sophos community team. Based on the issue description, it seems you are using a policy-based IPsec VPN. For this one, you do not need to add any manual IPsec route. Ideally, PING from any machine in the mentioned source network to a machine in the destination network should work if the required rule with the required services is there. If it is not working on your XG, that could be another configuration overriding the routing decision, or doing NAT for outbound traffic, etc., due to which PING over IPsec is not happening. Without adding the CLI route, you may generate PING from any machine and, during that time, capture TCPDUMP via the GUI packet capture, the drop packet capture, and conntrack to see which rule ID the traffic is passing through, and based on that you may drive the troubleshooting further.

Regards,

Vishal Ranpariya
Technical Account Manager | Sophos Technical Support

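The reply above suggests capturing traffic while pinging and checking which path the packets actually take. With a policy-based IPsec VPN, an echo request to the remote subnet should only ever appear on the WAN interface as an ESP packet addressed to the peer; a plaintext echo request to the remote private subnet on the WAN interface is exactly the symptom the original post describes (the firewall sending pings out the internet connection instead of into the tunnel). The following script is an added example, not code from the thread or from Sophos: it parses standard tcpdump text output taken on the WAN side and counts how many echo requests went out encrypted versus leaked in the clear. The capture lines, the WAN address 203.0.113.2, the peer address 198.51.100.1, the remote subnet 10.20.0.0/16 and the LAN host 192.168.10.5 are all constructed for the example.

```python
"""Classify a WAN-side tcpdump capture: did pings to the remote VPN subnet
leave as ESP toward the peer, or leak out in plaintext?

Added example; addresses and capture lines are constructed, not from the thread.
"""
import ipaddress
import re
import sys
from collections import Counter

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# tcpdump -nn prints ICMP and ESP packets without port numbers, e.g.
#   IP 203.0.113.2 > 10.20.0.10: ICMP echo request, id 4242, seq 1, length 64
#   IP 203.0.113.2 > 198.51.100.1: ESP(spi=0xc0ffee01,seq=0x1a), length 132
LINE_RE = re.compile(
    rf"^(?P<ts>\S+) IP (?P<src>{IPV4}) > (?P<dst>{IPV4}): (?P<payload>.*)$"
)

# Constructed sample of what a capture on the XG's WAN interface might look like
# while a LAN host pings 10.20.0.10 across the tunnel. Two echo requests were
# masqueraded to the WAN address and sent to the internet, one left with its
# LAN source (no SNAT), one went out as ESP, and one ping is genuinely internet-bound.
SAMPLE_CAPTURE = """\
10:00:01.000000 IP 203.0.113.2 > 10.20.0.10: ICMP echo request, id 4242, seq 1, length 64
10:00:02.000000 IP 203.0.113.2 > 10.20.0.10: ICMP echo request, id 4242, seq 2, length 64
10:00:03.000000 IP 203.0.113.2 > 198.51.100.1: ESP(spi=0xc0ffee01,seq=0x1a), length 132
10:00:03.000100 IP 198.51.100.1 > 203.0.113.2: ESP(spi=0xbeef0002,seq=0x3c), length 132
10:00:04.000000 IP 192.168.10.5 > 10.20.0.10: ICMP echo request, id 4242, seq 4, length 64
10:00:05.000000 IP 203.0.113.2 > 8.8.8.8: ICMP echo request, id 4243, seq 1, length 64
this line is not a tcpdump record and is skipped
"""


def classify(line, remote_subnet, peer_ip):
    """Return 'tunneled', 'leaked', 'other', or None for an unparseable line.

    The check keys on the destination only: after outbound NAT the source may be
    the LAN host or the masqueraded WAN address, but either way a plaintext echo
    request whose destination lies inside the remote VPN subnet bypassed the tunnel.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    dst, payload = m["dst"], m["payload"]
    if payload.startswith("ESP(") and dst == peer_ip:
        return "tunneled"          # outbound ESP to the IPsec peer: correct path
    if payload.startswith("ICMP echo request") and ipaddress.ip_address(dst) in remote_subnet:
        return "leaked"            # plaintext ping to the remote subnet on the WAN
    return "other"                 # inbound ESP, internet-bound traffic, etc.


def audit_capture(text, remote_subnet, peer_ip):
    """Count tunneled/leaked/other records and return the leaked lines for review."""
    subnet = ipaddress.ip_network(remote_subnet)
    counts = Counter()
    leaked = []
    for line in text.splitlines():
        kind = classify(line, subnet, peer_ip)
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "leaked":
            leaked.append(line)
    return dict(counts), leaked


def leak_ratio(counts):
    """Fraction of tunnel-destined echo requests that bypassed the tunnel (0.0 if none seen)."""
    seen = counts.get("leaked", 0) + counts.get("tunneled", 0)
    return counts.get("leaked", 0) / seen if seen else 0.0


if __name__ == "__main__":
    # Usage: tcpdump -nn -i <WAN> 'icmp or esp' | python3 audit_vpn_capture.py 10.20.0.0/16 198.51.100.1
    if len(sys.argv) == 3:
        subnet_arg, peer_arg, text = sys.argv[1], sys.argv[2], sys.stdin.read()
    else:
        subnet_arg, peer_arg, text = "10.20.0.0/16", "198.51.100.1", SAMPLE_CAPTURE
    counts, leaked_lines = audit_capture(text, subnet_arg, peer_arg)
    print(f"counts={counts} leak_ratio={leak_ratio(counts):.2f}")
    for line in leaked_lines:
        print("LEAKED:", line)
```

Running it on the constructed sample reports three leaked echo requests against one tunneled ESP packet, a leak ratio of 0.75. On a healthy policy-based tunnel the ratio should be 0.0; anything else points at a route or NAT rule winning over the IPsec policy, which is where the reply suggests looking next (the drop packet capture and conntrack will show which firewall rule ID claimed the flow).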
