
NAT Traffic (UDP 500/4500) - connection is disturbed and breaks frequently

Hello,

we use Microsoft Always On for all Home Office Users.

The clients connect to a public IP of our XGS2100.

The firewall uses a symmetric fibre connection (100 MBit) from German Telekom.

The XGS has a NAT and forwarding rule to the internal RAS/VPN server for UDP 500/4500.

SSL/TLS is currently disabled, IPS is disabled for this firewall rule at console level.
I tried some QoS Rules, no luck.

In the last few days we have had massive problems with the connection (it started after the migration to 19.5.1 a few weeks ago).

Is there anything else I could verify/change at the firewall (XGS 19.5.1)?
I have a ticket with Sophos and the Technical Support Engineer couldn't find any problem within the firewall.

He checked the rules, did some tracedumps at the CLI, checked drops, etc.

As a workaround I switched the public IP and the RAS/VPN server to a pfSense firewall.


Thanks

Jürgen



  • Hi,

    today I created a reference setup with the Sophos firewall and a new RAS/VPN Server (3, Win 2022).

    The old solution was not working properly if going through Sophos Firewall.
    This was tested with a RAS/VPN Server (1, Win 2019) and RAS/VPN Server (2, Win 2022).

    With RAS/VPN Server (2, Win 2022) going through pfsense all seems fine right now.

    I will get a setup with a new RAS/VPN Server (3, Win 2022) going through Sophos.
    So the old RAS/VPN Server (1, Win 2019) will not be involved at all.

    I will test today with a remote client.

  • Hello there, can you please update here with any clues? We have a similar problem: external clients using CheckPoint VPN (IPsec) cannot connect to their HQ over the Sophos XG. The IPsec tunnel doesn't even get established. The remote HQ firewall says "malformed packet"; we have disabled TLS/IDS/etc. on the affected firewall rule.

  • Hi,

    Can you share your error logs and case ID?

    You may also refer to the following KB with regard to the malformed packet:

    "Error on decryption of the exchange / Information field of the IKE request is malformed or not readable."

    Troubleshooting site-to-site IPsec VPN

    Erick Jan
    Community Support Engineer | Sophos Technical Support
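The original post forwards UDP 500/4500 through the firewall to an internal RAS server, and the later reply reports "malformed packet" errors on IPsec going through a Sophos XG. When a middlebox is suspected of mangling IKE/NAT-T traffic, the quickest check is to look at what actually arrives on the inside versus what the client sent. The following is an added example (not code from the thread, from Sophos or from Microsoft) that classifies UDP 500/4500 payloads as IKE, ESP-in-UDP or NAT keepalive, parses the fixed IKEv2 header (RFC 7296) and the RFC 3948 non-ESP marker, and flags the inconsistencies a mangled or truncated datagram would show, such as the IKE length field not matching the payload size. The sample datagrams are constructed inline with struct.pack; they are not captured traffic. To use it on real traffic, feed it UDP payloads from a pcap taken on both sides of the firewall.

```python
"""Classify and sanity-check IKEv2 / NAT-T datagrams seen on UDP 500 and 4500.

Added example; not code from the original thread, from Sophos or from Microsoft.
The sample datagrams below are constructed with struct.pack, not captured traffic.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

IKE_HEADER = struct.Struct("!QQBBBBII")   # RFC 7296 section 3.1: 28-byte fixed header
IKE_HEADER_LEN = IKE_HEADER.size
NON_ESP_MARKER = b"\x00\x00\x00\x00"      # RFC 3948 section 2.2: IKE on UDP 4500
NAT_KEEPALIVE = b"\xff"                   # RFC 3948 section 2.3: one-byte keepalive
IKEV2_VERSION = 0x20                      # MjVer 2, MnVer 0

EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR = 0x08                     # RFC 7296 flags byte, bit 3
FLAG_RESPONSE = 0x20                      # RFC 7296 flags byte, bit 5


@dataclass
class Datagram:
    kind: str                      # "ike", "esp", "keepalive" or "unknown"
    problems: List[str] = field(default_factory=list)
    spi_i: Optional[int] = None
    spi_r: Optional[int] = None
    exchange: Optional[str] = None
    initiator: Optional[bool] = None
    response: Optional[bool] = None
    message_id: Optional[int] = None
    esp_spi: Optional[int] = None
    esp_seq: Optional[int] = None

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_ike(payload: bytes, dgram: Datagram) -> Datagram:
    """Parse the fixed IKE header and record inconsistencies a middlebox could cause."""
    dgram.kind = "ike"
    if len(payload) < IKE_HEADER_LEN:
        dgram.problems.append(f"truncated IKE header: only {len(payload)} bytes")
        return dgram
    spi_i, spi_r, _next_payload, version, exch, flags, msg_id, length = IKE_HEADER.unpack_from(payload)
    dgram.spi_i, dgram.spi_r, dgram.message_id = spi_i, spi_r, msg_id
    dgram.initiator = bool(flags & FLAG_INITIATOR)
    dgram.response = bool(flags & FLAG_RESPONSE)
    dgram.exchange = EXCHANGE_TYPES.get(exch, f"unknown({exch})")
    if version != IKEV2_VERSION:
        dgram.problems.append(f"unexpected IKE version byte 0x{version:02x}")
    if exch not in EXCHANGE_TYPES:
        dgram.problems.append(f"unknown exchange type {exch}")
    if spi_i == 0:
        dgram.problems.append("initiator SPI is zero")
    if exch == 34 and not dgram.response and spi_r != 0:
        dgram.problems.append("IKE_SA_INIT request must carry a zero responder SPI")
    if length != len(payload):
        # The single most telling symptom of truncation or mangling in transit.
        dgram.problems.append(f"IKE length field {length} != datagram payload {len(payload)}")
    return dgram


def classify(udp_port: int, payload: bytes) -> Datagram:
    """Classify a UDP payload received on port 500 (IKE) or 4500 (NAT-T)."""
    dgram = Datagram(kind="unknown")
    if udp_port == 500:
        return parse_ike(payload, dgram)
    if udp_port != 4500:
        dgram.problems.append(f"not an IKE/NAT-T port: {udp_port}")
        return dgram
    if payload == NAT_KEEPALIVE:
        dgram.kind = "keepalive"
        return dgram
    if payload.startswith(NON_ESP_MARKER):
        return parse_ike(payload[len(NON_ESP_MARKER):], dgram)
    if len(payload) < 8:
        dgram.problems.append("ESP-in-UDP datagram shorter than SPI + sequence number")
        return dgram
    dgram.kind = "esp"                    # ESP SPIs are non-zero, so no marker means ESP
    dgram.esp_spi, dgram.esp_seq = struct.unpack_from("!II", payload)
    return dgram


def build_ike(spi_i: int, spi_r: int, exch: int, flags: int, msg_id: int, body: bytes = b"") -> bytes:
    """Build a syntactically valid IKEv2 message (constructed test data, next payload = SA)."""
    return IKE_HEADER.pack(spi_i, spi_r, 33, IKEV2_VERSION, exch, flags, msg_id, IKE_HEADER_LEN + len(body)) + body


# Constructed sample datagrams (not captured traffic).
SA_INIT_REQ = build_ike(0x1122334455667788, 0, 34, FLAG_INITIATOR, 0, b"\x00" * 40)
AUTH_RESP_NATT = NON_ESP_MARKER + build_ike(0x1122334455667788, 0x99AABBCCDDEEFF00, 35, FLAG_RESPONSE, 1, b"\x00" * 64)
ESP_NATT = struct.pack("!II", 0xC0DEC0DE, 7) + b"\x00" * 32
TRUNCATED = SA_INIT_REQ[:-10]             # what a mangled/truncated IKE_SA_INIT looks like

if __name__ == "__main__":
    for port, pkt in [(500, SA_INIT_REQ), (4500, AUTH_RESP_NATT), (4500, ESP_NATT),
                      (4500, NAT_KEEPALIVE), (500, TRUNCATED)]:
        d = classify(port, pkt)
        print(port, d.kind, d.exchange, "OK" if d.ok else d.problems)
```

Run it against the payloads captured on the WAN side and on the LAN side of the firewall: if the same IKE message classifies cleanly on one side and reports a length mismatch or an unknown exchange type on the other, the firewall (or something in the path) is altering the datagram, which matches a "malformed packet" complaint from the peer.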