Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 17 replies
  • Answers 1 answer
  • Subscribers 28 subscribers
  • Views 901 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Tunnel traffic - unable to access web admin for "HO" firewall (previously worked on UTM)

Aaron Becker

Trying to replace a BO UTM with a XG. Running into issues where allowed networks are not allowed to access the HO :4444 (or any other web traffic within the tunnel).

The issue effects all SSL/TLS traffic. Any web traffic (regardless of port) times out with the following packet logs:

Not sure if this is coincident, but we also get the logs littered with this:

Where 192.168.12.12 is the "public" side of the XG (this is a lab behind another router) and the public IP starting with 69. is the WAN of the HO. As a note: routing works fine and we are able to ping all of these IPs with zero issues. We also see the traffic hitting the HO firewall (and being accepted).

Any suggestions are welcomed.



This thread was automatically locked due to age.
Parents
  • 0

    Additional screenshots:

    This is the traffic successfully exiting the XG (allegedly) for tunnel-bound resources:

    And the logsof the traffic being "Accepted" on the HQ side (getting screenshots is impossible due to the issue without being at HQ)

    2022:08:24-15:08:35 firewallHQ ulogd[5683]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="60006" initf="eth1" srcmac="dd:3e:11:67:9f:d0" dstmac=xx:xx:xx:xx:xx:xx" srcip="192.168.125.60" dstip="192.168.64.130" proto="6" length="52" tos="0x02" prec="0x00" ttl="127" srcport="58488" dstport="4444" tcpflags="SYN"

    But we see the packet is accepted.

  • 0 in reply to Aaron Becker

    Hi Aaron Becker

    Both the sites have Sophos XG firewall ? and the current firmware version running on the appliance 

    Please share current settings done on Sophos XG please go to System -->Administration--->Device Access 

    Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

Reply
  • 0 in reply to Aaron Becker

    Hi Aaron Becker

    Both the sites have Sophos XG firewall ? and the current firmware version running on the appliance 

    Please share current settings done on Sophos XG please go to System -->Administration--->Device Access 

    Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

Children
  • 0 in reply to Bharat J

    The HQ is a UTM and this configuration works with 0 issues when both sites were on UTM FWs.

    As you can *clearly* see in the above log line (repasted here for clarity) the packets are accepted at the UTM.

    This is occurring with *all* TLS traffic, not just web admin (4444) traffic. See the "packet accepted" below. The UTM equivalent of "device access" is not the culprit.

    2022:08:24-15:08:35 firewallHQ ulogd[5683]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="60006" initf="eth1" srcmac="dd:3e:11:67:9f:d0" dstmac=xx:xx:xx:xx:xx:xx" srcip="192.168.125.60" dstip="192.168.64.130" proto="6" length="52" tos="0x02" prec="0x00" ttl="127" srcport="58488" dstport="4444" tcpflags="SYN"

Unfiltered HTML