WAF backend over IPsec tunnel

Question

Hello 
 Sophos XGS, 19.5 #1 WAN IP 1.2.3.4 local IP: 192.168.123.1 
 Sophos XGS, 19.5 #2 WAN IP: 2.3.4.5 local IP: 192.168.131.1 
 Webserver on #2 local IP: 192.168.131.110 
 Site2Site IPsec VPN between Sophos #1 and #2 is working. You can ping and reach every service from #1 to #2 and #2 to #1 
 Ping from any client on site #1 to 192.168.131.110 (Webserver on #2) works Ping from Sophos #1 to 192.168.131.110 works 
 Configured a WAF on #1 with endpoint Webserver #2 -> Error 503 Service Unavailable 
 Logfile /log/reverseproxy.log from sophos #1: 
 XGS2100_RL01_SFOS 19.5.0 GA-Build197 HA-Primary# tail -n 1000 reverseproxy.log | grep 192.168.131.110 
[Fri Jan 20 12:10:55.946508 2023] [proxy:error] [pid 3869:tid 140211480684288] (110)Connection timed out: AH00957: https: attempt to connect to 192.168.131.110:443 (192.168.131.110:443) failed
[Fri Jan 20 12:10:55.946546 2023] [proxy:error] [pid 3869:tid 140211480684288] AH00959: ap_proxy_connect_backend disabling worker for (192.168.131.110:443) for 60s
[Fri Jan 20 12:10:55.946554 2023] [proxy_http:error] [pid 3869:tid 140211480684288] [client x.x.x.x:14336] AH01114: HTTP: failed to make connection to backend: 192.168.131.110 
 What can solve this problem? 
 Thank you! 
 Jan

Vishal_R · Answer

Hi Jan W Is System NAT Applied for 192.168.131.110 to NAT it via Firewall LAN Interface IP or any LAN device IP which is part of the tunnel network? If not yet applied then try the same as per the below KBA and confirm the status. 
 Sophos XG Firewall: How to NAT Sophos Firewall generated traffic 
 support.sophos.com/.../KB-000035607

WAF backend over IPsec tunnel

Top Replies