IPsec between XGS and UTM not working - only one-way traffic

We have an XGS (v19) in the head office and a UTM in the branch, which initiates the connection. The tunnel itself is up, firewall rules are in place allowing any to any between the office networks.

Funny thing is, that the traffic from the branch comes through, but the other way around seems broken. I cannot ping unless I add a route via shell ("ipsec_route add"), but if I remember correctly that should not be necessary as the routes should be added automatically on creation of the tunnels.

  • We deleted and redid the tunnel (with the same settings!) and voila pinging worked out of the box and without the extra route...

    But we still have issues with traffic over the tunnel, but only with some of it... SIP and ActiveDirectory stuff seems to go through fine, HTTP on the other hand is broken. E.g. when I try to reach a NAS in the branch office from the main office, we (sometimes) get the cert warning and after that the loading icon is spinning to eternity.

    Could this also be some sort of MTU issue?

    @Vishal: precedence is ipsec, static, sd-wan. We have two sd-wan rules, which only target SIP and SMTP going out specific WAN interfaces.

    @LHerzog: Did you see no traffic at all or only some of it? We will try the compression setting anyway :-)

  • Some of it, and some of it was sometimes working, sometimes not. I could not figure it out. IPsec was up and no errors in the logs.

    Our partner had that brilliant idea that fixed it. His first idea was to use the SHA2 with 96 bit truncation option on the XGS side, but with that the tunnel did not come up.

