Cannot connect to AD server across IPSec VPN...

Trying to connect my XG to AD server across an IPSec VPN connection and getting "Test connection failed as server is down or unreachable."

I've tried all three connection methods (simple, SSL, TLS) and get same error. Pretty sure it has something to do with the AD server being in the VPN zone and not on the local network.

Can't seem to figure out how to point traffic to port 386/686 across the VPN to the AD server. 

Or is there something else I need to do?

I've confirmed NETBIOS name, full domain name, and IP of the server. As well as ADS username and password.

[edit]

All PCs on the network can authenticate to the AD server across the VPN.



This thread was automatically locked due to age.
  • Rocco,

    can you share the IPSec configuration on both sides? The port should be 389. Is the Windows Firewall running on DC server?

    Telnetting the AD server from XG to port 389, does it work? Did you create a DNS request routing?

    Thanks.

  • I can't even ping the AD server from the XG firewall. I can ping the AD Server from a PC that is on the network connected to the Sophos XG. I can also telnet to the server from a PC, but CANNOT telnet from the XG firewall??

    Am I missing some rule on the firewall?

    This is my current rule set:

  • Rocco,

    open an SSH on XG and once you have chosen option 4 type: drop-packet-capture "host ADserver" and then try to ping or add AD server on XG.

    Check if packets are dropped or post the result.

    Thanks.

  • Rocco,

    the command is wrong. The correct one is: drop-packet-capture "host 192.168.251.2"

    Thanks.

  • Still no go. Same result when trying to add the server on XG. and still can't ping.

  • Rocco,

    what is the output of the drop command?

    Thanks.

  • Oh, um,

    It just stays like the pic here with a blinking cursor right below the "c" in "[console>". So while it is sitting like this I tried to ping and read the server to no avail. I'm waiting at least 5 minutes until I hit Ctrl+C to get back to the prompt.

    I'm guessing now that this is not what the result should be. Or should I be waiting longer for a result to show up?

  • Finally got some output...


    Sophos Firmware Version SFOS 15.01.0 MR-2 

    console> drop-packet-capture "host 192.168.251.2"

    2016-05-05 17:09:18 0102021 IP 172.16.9.120.50089 > 192.168.251.2.445 : proto TCP: P 2410569891:2410569963(72) win 64 checksum : 41866

    0x0000:  4500 0070 189a 4000 8006 70ba ac10 0978  E..p..@...p....x

    0x0010:  c0a8 fb02 c3a9 01bd 8fae 60a3 3282 c102  ..........`.2...

    0x0020:  5018 0040 a38a 0000 0000 0044 fe53 4d42  P..@.......D.SMB

    0x0030:  4000 0100 0000 0000 0400 0100 0800 0000  @...............

    0x0040:  0000 0000 2800 0000 0000 0000 fffe 0000  ....(...........

    0x0050:  0100 0000 5500 0010 0304 0000 121f 11a9  ....U...........

    0x0060:  0ffe 62a6 df79 36ba 449f e11a 0400 0000  ..b..y6.D.......

    Date=2016-05-05 Time=17:09:18 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=0 outzone_id=0 source_mac=dc:53:60:83:18:14 dest_mac=00:1a:8c:50:f6:e4 l3_protocol=IP source_ip=172.16.9.120 dest_ip=192.168.251.2 l4_protocol=TCP source_port=50089 dest_port=445 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2016-05-05 17:09:19 0102021 IP 172.16.9.120.50089 > 192.168.251.2.445 : proto TCP: P 2410569891:2410569963(72) win 64 checksum : 41866

    0x0000:  4500 0070 18af 4000 8006 70a5 ac10 0978  E..p..@...p....x

    0x0010:  c0a8 fb02 c3a9 01bd 8fae 60a3 3282 c102  ..........`.2...

    0x0020:  5018 0040 a38a 0000 0000 0044 fe53 4d42  P..@.......D.SMB

    0x0030:  4000 0100 0000 0000 0400 0100 0800 0000  @...............

    0x0040:  0000 0000 2800 0000 0000 0000 fffe 0000  ....(...........

    0x0050:  0100 0000 5500 0010 0304 0000 121f 11a9  ....U...........

    0x0060:  0ffe 62a6 df79 36ba 449f e11a 0400 0000  ..b..y6.D.......

    Date=2016-05-05 Time=17:09:19 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=0 outzone_id=0 source_mac=dc:53:60:83:18:14 dest_mac=00:1a:8c:50:f6:e4 l3_protocol=IP source_ip=172.16.9.120 dest_ip=192.168.251.2 l4_protocol=TCP source_port=50089 dest_port=445 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=3472328295419215872 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2016-05-05 17:09:22 0102021 IP 172.16.9.120.50089 > 192.168.251.2.445 : proto TCP: P 2410569891:2410569963(72) win 64 checksum : 41866

    0x0000:  4500 0070 18b9 4000 8006 709b ac10 0978  E..p..@...p....x

    0x0010:  c0a8 fb02 c3a9 01bd 8fae 60a3 3282 c102  ..........`.2...

    0x0020:  5018 0040 a38a 0000 0000 0044 fe53 4d42  P..@.......D.SMB

    0x0030:  4000 0100 0000 0000 0400 0100 0800 0000  @...............

    0x0040:  0000 0000 2800 0000 0000 0000 fffe 0000  ....(...........

    0x0050:  0100 0000 5500 0010 0304 0000 121f 11a9  ....U...........

    0x0060:  0ffe 62a6 df79 36ba 449f e11a 0400 0000  ..b..y6.D.......

    Date=2016-05-05 Time=17:09:22 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=0 outzone_id=0 source_mac=dc:53:60:83:18:14 dest_mac=00:1a:8c:50:f6:e4 l3_protocol=IP source_ip=172.16.9.120 dest_ip=192.168.251.2 l4_protocol=TCP source_port=50089 dest_port=445 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=3472328295419215872 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2016-05-05 17:09:26 0102021 IP 172.16.9.120.50089 > 192.168.251.2.445 : proto TCP: P 2410569891:2410569963(72) win 64 checksum : 41866

    0x0000:  4500 0070 18ce 4000 8006 7086 ac10 0978  E..p..@...p....x

    0x0010:  c0a8 fb02 c3a9 01bd 8fae 60a3 3282 c102  ..........`.2...

    0x0020:  5018 0040 a38a 0000 0000 0044 fe53 4d42  P..@.......D.SMB

    0x0030:  4000 0100 0000 0000 0400 0100 0800 0000  @...............

    0x0040:  0000 0000 2800 0000 0000 0000 fffe 0000  ....(...........

    0x0050:  0100 0000 5500 0010 0304 0000 121f 11a9  ....U...........

    0x0060:  0ffe 62a6 df79 36ba 449f e11a 0400 0000  ..b..y6.D.......

    Date=2016-05-05 Time=17:09:26 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=0 outzone_id=0 source_mac=dc:53:60:83:18:14 dest_mac=00:1a:8c:50:f6:e4 l3_protocol=IP source_ip=172.16.9.120 dest_ip=192.168.251.2 l4_protocol=TCP source_port=50089 dest_port=445 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=3472328295419215872 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2016-05-05 17:09:36 0102021 IP 172.16.9.120.50089 > 192.168.251.2.445 : proto TCP: R 2410569963:2410569963(0) checksum : 38167

    0x0000:  4500 0028 18d8 4000 8006 70c4 ac10 0978  E..(..@...p....x

    0x0010:  c0a8 fb02 c3a9 01bd 8fae 60eb 3282 c102  ..........`.2...

    0x0020:  5014 0000 9517 0000 0000 0000 0000       P.............

    Date=2016-05-05 Time=17:09:36 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=0 outzone_id=0 source_mac=dc:53:60:83:18:14 dest_mac=00:1a:8c:50:f6:e4 l3_protocol=IP source_ip=172.16.9.120 dest_ip=192.168.251.2 l4_protocol=TCP source_port=50089 dest_port=445 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=3616444802050031616 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
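
Added example (not part of the thread, and not Sophos code): a short Python script that parses `drop-packet-capture` records in the key=value shape shown above, groups the dropped flows, and checks whether any drop is actually aimed at the AD server's LDAP ports. The sample input is constructed; its last record (source 10.0.0.1, port 389) is invented to exercise the filter, and 636 is included as the standard LDAPS port.

```python
import re
from collections import Counter

# Constructed sample: records in the key=value shape of the capture above,
# cut down to the fields read here. The last record (10.0.0.1 -> 389) is
# invented to exercise the LDAP filter and does not appear in the thread.
SAMPLE = """\
2016-05-05 17:09:18 0102021 IP 172.16.9.120.50089 > 192.168.251.2.445 : proto TCP
0x0000:  4500 0070 189a 4000 8006 70ba ac10 0978  E..p..@...p....x
Date=2016-05-05 Time=17:09:18 log_component=Invalid_Traffic log_subtype=Denied in_dev=Port1 out_dev= source_ip=172.16.9.120 dest_ip=192.168.251.2 l4_protocol=TCP dest_port=445 fw_rule_id=0
Date=2016-05-05 Time=17:09:19 log_component=Invalid_Traffic log_subtype=Denied in_dev=Port1 out_dev= source_ip=172.16.9.120 dest_ip=192.168.251.2 l4_protocol=TCP dest_port=445 fw_rule_id=0
Date=2016-05-05 Time=17:09:22 log_component=Invalid_Traffic log_subtype=Denied in_dev=Port1 out_dev= source_ip=172.16.9.120 dest_ip=192.168.251.2 l4_protocol=TCP dest_port=445 fw_rule_id=0
Date=2016-05-05 Time=17:10:00 log_component=Invalid_Traffic log_subtype=Denied in_dev=Port1 out_dev= source_ip=10.0.0.1 dest_ip=192.168.251.2 l4_protocol=TCP dest_port=389 fw_rule_id=0
"""

PAIR = re.compile(r"(\w+)=(\S*)")   # value may be empty, e.g. "out_dev="
LDAP_PORTS = {"389", "636"}         # 389 is named in the thread; 636 is standard LDAPS


def parse_records(text):
    """Return one dict per 'Date=...' log line; packet summaries and hex dumps are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Date="):
            records.append(dict(PAIR.findall(line)))
    return records


def summarise(records):
    """Count drops per (source, destination, protocol, destination port, component)."""
    return Counter(
        (r.get("source_ip"), r.get("dest_ip"), r.get("l4_protocol"),
         r.get("dest_port"), r.get("log_component"))
        for r in records
    )


def ldap_drops(records, server):
    """Return only the drops addressed to the directory server's LDAP/LDAPS ports."""
    return [r for r in records
            if r.get("dest_ip") == server and r.get("dest_port") in LDAP_PORTS]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for flow, count in summarise(recs).most_common():
        print(count, *flow)
    print("LDAP drops:", len(ldap_drops(recs, "192.168.251.2")))
```

Run over the capture posted in the thread, the LDAP filter would return nothing: every record there is TCP 445 from 172.16.9.120, so that capture does not contain the firewall's own connection attempts to the AD server.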