IPsec between XGS and UTM not working - only one-way traffic

We have an XGS (v19) in the head office and a UTM in the branch, which initiates the connection. The tunnel itself is up, firewall rules are in place allowing any to any between the office networks.

Funny thing is, that the traffic from the branch comes through, but the other way around seems broken. I cannot ping unless I add a route via shell ("ipsec_route add"), but if I remember correctly that should not be necessary as the routes should be added automatically on creation of the tunnels.

This thread was automatically locked due to age.
  • Hi, it may be possible that some SD-WAN rule on the HO is present for the local LAN (which is a remote network for the UTM BO over the VPN) with destination Any and Service Any, which is forwarding traffic over SD-WAN for the IPsec reply just because SD-WAN has higher precedence over static and VPN in the HO XG. Tweaking route precedence may help or fix the issue.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • We had a similar issue last week. A tunnel between XGS and UTM was up fine, but traffic was only going over the tunnel when enabling compression on both ends:

  • We deleted and redid the tunnel (with the same settings!) and voila pinging worked out of the box and without the extra route...

    But we still have issues with traffic over the tunnel, but only with some of it... SIP and Active Directory stuff seems to go through fine, HTTP on the other hand is broken. E.g. when I try to reach a NAS in the branch office from the main office, we (sometimes) get the cert warning and after that the loading icon is spinning to eternity.

    Could this also be some sort of MTU issue?

    @Vishal: precedence is ipsec, static, sd-wan. We have two sd-wan rules, which only target SIP and SMTP going out specific WAN interfaces.

    @LHerzog: Did you see no traffic at all or only some of it? We will try the compression setting anyway :-)
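Added example (not code from any of the posters): a small Python model of ESP encapsulation overhead, to put numbers behind the MTU question above, where small SIP and AD packets pass but bulk HTTP stalls. The cipher and integrity sizes (AES-CBC, HMAC-SHA2 truncated to 96 or 128 bits, AES-GCM) are assumed standard ESP values, not settings read from the XGS or UTM.

```python
"""Estimate how much of the WAN MTU survives ESP encapsulation.

If an inner packet plus ESP overhead exceeds the outer path MTU and the
ICMP "fragmentation needed" reply is lost somewhere, small packets pass
while large TCP segments silently stall, which is the classic PMTU
black-hole symptom. All sizes below are standard ESP field sizes
(constructed example), not values read from a real tunnel.
"""
import math
from dataclasses import dataclass

IPV4_HDR = 20      # outer IPv4 header
ESP_HDR = 8        # SPI + sequence number
UDP_HDR = 8        # NAT-Traversal encapsulation (UDP/4500)
ESP_TRAILER = 2    # pad length + next header
TCP_IP_HDRS = 40   # inner IPv4 + TCP headers, no options


@dataclass(frozen=True)
class EspProfile:
    name: str
    iv_len: int      # IV bytes carried in the ESP payload
    block: int       # payload + trailer is padded to this boundary
    icv_len: int     # integrity check value length


# AES-CBC: 16-byte IV, 16-byte blocks; HMAC-SHA2-256 truncated to 96 bits
# is a 12-byte ICV, 128 bits is 16; AES-GCM: 8-byte IV, 4-byte alignment.
PROFILES = {
    "aes-cbc/sha256-96": EspProfile("aes-cbc/sha256-96", 16, 16, 12),
    "aes-cbc/sha256-128": EspProfile("aes-cbc/sha256-128", 16, 16, 16),
    "aes-gcm-128": EspProfile("aes-gcm-128", 8, 4, 16),
}


def esp_size(inner_len, p, nat_t=False):
    """Bytes on the wire for an inner packet of inner_len bytes."""
    padded = math.ceil((inner_len + ESP_TRAILER) / p.block) * p.block
    size = IPV4_HDR + ESP_HDR + p.iv_len + padded + p.icv_len
    return size + UDP_HDR if nat_t else size


def max_inner_mtu(outer_mtu, p, nat_t=False):
    """Largest inner packet that fits in outer_mtu without fragmenting."""
    budget = outer_mtu - IPV4_HDR - ESP_HDR - p.iv_len - p.icv_len
    if nat_t:
        budget -= UDP_HDR
    # payload + trailer must be a whole number of cipher blocks
    return budget // p.block * p.block - ESP_TRAILER


def tcp_mss_clamp(outer_mtu, p, nat_t=False):
    """MSS to clamp on the tunnel so TCP never emits oversized segments."""
    return max_inner_mtu(outer_mtu, p, nat_t) - TCP_IP_HDRS
```

For a 1500-byte WAN path with AES-CBC/SHA2-96 the inner MTU works out to 1438 bytes (1422 behind NAT-T), so a DF-bit ping of that size across the tunnel should succeed while a larger one should fail cleanly rather than vanish.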

  • Some of it. And some of it was sometimes working, sometimes not. I could not figure it out. IPsec was up and no errors in the logs.

    Our partner had that brilliant idea that fixed it. His first idea was to use the SHA2 with 96 bit truncation option on the XGS side, but with that, the tunnel did not come up.
