
WAF backend over IPsec tunnel

Hello

Sophos XGS, 19.5 #1
WAN IP 1.2.3.4
local IP: 192.168.123.1

Sophos XGS, 19.5 #2
WAN IP: 2.3.4.5
local IP: 192.168.131.1

Webserver on #2
local IP: 192.168.131.110

Site2Site IPsec VPN between Sophos #1 and #2 is working.
You can ping and reach every service from #1 to #2 and #2 to #1

Ping from any client on site #1 to 192.168.131.110 (Webserver on #2) works 
Ping from Sophos #1 to 192.168.131.110 works

Configured a WAF on #1 with endpoint Webserver #2 
-> Error 503 Service Unavailable

Logfile /log/reverseproxy.log from Sophos #1:

XGS2100_RL01_SFOS 19.5.0 GA-Build197 HA-Primary# tail -n 1000 reverseproxy.log | grep 192.168.131.110 
[Fri Jan 20 12:10:55.946508 2023] [proxy:error] [pid 3869:tid 140211480684288] (110)Connection timed out: AH00957: https: attempt to connect to 192.168.131.110:443 (192.168.131.110:443) failed
[Fri Jan 20 12:10:55.946546 2023] [proxy:error] [pid 3869:tid 140211480684288] AH00959: ap_proxy_connect_backend disabling worker for (192.168.131.110:443) for 60s
[Fri Jan 20 12:10:55.946554 2023] [proxy_http:error] [pid 3869:tid 140211480684288] [client x.x.x.x:14336] AH01114: HTTP: failed to make connection to backend: 192.168.131.110

What can solve this problem?

Thank you!

Jan
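The three reverseproxy.log lines quoted above are Apache mod_proxy messages: the connect to the backend fails with errno 110 (connection timed out), the proxy then disables that backend worker for 60 s, and the client request fails, which is what arrives at the browser as the 503. The following is an added example, not part of this thread and not a Sophos tool: a small Python parser that pulls the backend address, errno, disable interval and client out of such lines, so a defender can separate a backend reachability problem (in this thread, suspected to be firewall-originated traffic leaving from the WAN interface rather than a tunnel-local address) from an application error on the web server. The sample input is the three lines from the post plus one constructed, unrelated warning that the filter should ignore.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the three mod_proxy lines quoted in the post, plus one
# unrelated ssl warning (constructed) so the filter has something to skip.
SAMPLE_LOG = """\
[Fri Jan 20 12:10:55.946508 2023] [proxy:error] [pid 3869:tid 140211480684288] (110)Connection timed out: AH00957: https: attempt to connect to 192.168.131.110:443 (192.168.131.110:443) failed
[Fri Jan 20 12:10:55.946546 2023] [proxy:error] [pid 3869:tid 140211480684288] AH00959: ap_proxy_connect_backend disabling worker for (192.168.131.110:443) for 60s
[Fri Jan 20 12:10:55.946554 2023] [proxy_http:error] [pid 3869:tid 140211480684288] [client x.x.x.x:14336] AH01114: HTTP: failed to make connection to backend: 192.168.131.110
[Fri Jan 20 12:11:02.000000 2023] [ssl:warn] [pid 3869:tid 140211480684288] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
"""

# Generic shape of an Apache 2.4 error_log line: timestamp, module:level,
# pid/tid, optional client, optional "(errno)strerror:" prefix, AHnnnnn code.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?:\((?P<errno>\d+)\)(?P<errstr>[^:]*): )?"
    r"(?P<code>AH\d{5}): (?P<msg>.*)$"
)

# Only the backend-connectivity messages are of interest here.
BACKEND_RES = {
    "AH00957": re.compile(r"attempt to connect to (?P<backend>\S+) "),
    "AH00959": re.compile(r"disabling worker for \((?P<backend>[^)]+)\) for (?P<secs>\d+)s"),
    "AH01114": re.compile(r"failed to make connection to backend: (?P<backend>\S+)"),
}


@dataclass
class BackendEvent:
    timestamp: str
    code: str
    backend: str                 # host or host:port as logged
    errno: Optional[int]         # 110 = ETIMEDOUT on the connect()
    disabled_for: Optional[int]  # seconds the worker is taken out of service
    client: Optional[str]        # client that hit the failure, if logged


def parse_line(line: str) -> Optional[BackendEvent]:
    """Return a BackendEvent for a backend-connectivity line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code = m.group("code")
    extractor = BACKEND_RES.get(code)
    if extractor is None:
        return None  # some other module/message, not a backend failure
    d = extractor.search(m.group("msg"))
    if d is None:
        return None
    secs = d.groupdict().get("secs")
    return BackendEvent(
        timestamp=m.group("ts"),
        code=code,
        backend=d.group("backend"),
        errno=int(m.group("errno")) if m.group("errno") else None,
        disabled_for=int(secs) if secs else None,
        client=m.group("client"),
    )


def backend_events(text: str) -> List[BackendEvent]:
    """Parse a whole log excerpt, keeping only backend-connectivity events."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def summarize(events: List[BackendEvent]) -> Dict[str, Dict[str, int]]:
    """Per backend host: connect timeouts, longest worker disable, client-facing failures."""
    out: Dict[str, Dict[str, int]] = {}
    for e in events:
        host = e.backend.rsplit(":", 1)[0]  # drop the :port so all three codes key together
        s = out.setdefault(host, {"connect_timeouts": 0, "worker_disabled_s": 0, "client_failures": 0})
        if e.code == "AH00957" and e.errno == 110:
            s["connect_timeouts"] += 1
        elif e.code == "AH00959":
            s["worker_disabled_s"] = max(s["worker_disabled_s"], e.disabled_for or 0)
        elif e.code == "AH01114":
            s["client_failures"] += 1
    return out


if __name__ == "__main__":
    for host, stats in summarize(backend_events(SAMPLE_LOG)).items():
        print(host, stats)
```

A connect timeout (errno 110) rather than a refused connection or a TLS error is the signature to look for when the backend answers ping from hosts on the LAN but not the WAF: the SYN is leaving the firewall, but from a source address the far side never answers. The 60 s worker disable also explains why the 503 persists for a minute even after the path is fixed.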



  • XGS2100_RL01_SFOS 19.5.0 GA-Build197 HA-Primary# ip route get 192.168.131.110
    192.168.131.110 dev ipsec0 table 220 src 192.168.123.1 uid 0
    cache

    The WAF has its source on Port2, which is the WAN port. Is this the issue?

  • Hi, is System NAT applied for 192.168.131.110 to NAT it via the firewall LAN interface IP or any LAN device IP which is part of the tunnel network? If not yet applied, then try the same as per the KBA below and confirm the status.

    Sophos XG Firewall: How to NAT Sophos Firewall generated traffic

    support.sophos.com/.../KB-000035607

  • Hi

    There was no SNAT rule. I have now added one with following command:

    set advanced-firewall sys-traffic-nat add destination 192.168.131.0 snatip 192.168.123.1

    Result:

    NAT policy for system originated traffic
    ---------------------
    Destination Network     Destination Netmask     Interface       SNAT IP
    192.168.131.110         255.255.255.255                         192.168.123.1

    But it still does not work...

    Regards

    Jan

  • Hi, thanks for sharing the latest update. After the SNAT, try to check TCPDUMP on both XGs while accessing the WAF on the WAF server IP to confirm and validate further, and if required you may log a support case to investigate it further and conclude it.