XG blocking udp 6060 packets from STAS across ipsec tunnel/not working

Hello,

I have an XG in a branch office with a VPN tunnel to the main office, with any-any rules both ways. The main office has a UTM with the AD servers; STAS is already configured there.

The fixes for the broken XG net-to-net VPN functionality are also applied (there is an IPsec route added for the entire main office network through the tunnel, and also two NAT system policies, one for each DC, for the DNS request routing bug).

For the STAS config:

In each DC I added the XG LAN IP as an appliance in the STA Collector page, with a subnet mask filter (for the remote subnet only).

Added the remote subnet to the monitored list.

But when I go to Advanced and test the connection to the appliance, it fails.

When checking the XG firewall log I see that the system is dropping UDP 6060 packets coming from the DC:

2017-04-06 11:27:35  Local ACL  Denied  -  0  ipsec0  -  10.10.10.35 :UDP (57577)  10.10.20.1 :UDP (6060)  02002

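A small triage helper for log entries like the one above, added here as an example (it is not code from the original post or from Sophos). It takes the XG firewall log row as the poster showed it, flattened to one tab-separated line, and flags only the "Local ACL" denials of UDP 6060 so that STAS collector traffic can be separated from unrelated local-ACL hits. The column meanings (rule, action, rule ID, ingress interface, message ID) and the tab separator are assumptions about the export; the sample lines other than the first are constructed.

```python
"""Find XG 'Local ACL' denials of STAS collector traffic (UDP 6060).

Added example, not from the original post. Column layout and the
tab-separated export format are assumptions; the message IDs and the
extra sample rows below are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

STAS_PORT = 6060  # UDP port the STA Collector uses to reach the firewall

# Endpoint as printed in the post: "10.10.10.35 :UDP (57577)"
ENDPOINT_RE = re.compile(r"^(?P<ip>[\d.]+)\s*:(?P<proto>[A-Z]+)\s*\((?P<port>\d+)\)$")


@dataclass(frozen=True)
class LogRecord:
    timestamp: str
    rule: str       # "Local ACL" or "Firewall Rule" (assumed column meaning)
    action: str     # "Denied" / "Allowed"
    rule_id: str    # "0" in the post; assumed to mean no user rule matched
    in_iface: str   # "ipsec0" means the packet arrived through the tunnel
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    msg_id: str


def parse_endpoint(text: str):
    m = ENDPOINT_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad endpoint: {text!r}")
    return m.group("ip"), m.group("proto"), int(m.group("port"))


def parse_line(line: str) -> Optional[LogRecord]:
    """Parse one tab-separated row; return None for rows that do not fit."""
    cols = [c.strip() for c in line.rstrip("\n").split("\t")]
    if len(cols) != 10:
        return None
    ts, rule, action, _, rule_id, iface, _, src, dst, msg_id = cols
    try:
        src_ip, src_proto, src_port = parse_endpoint(src)
        dst_ip, dst_proto, dst_port = parse_endpoint(dst)
    except ValueError:
        return None
    if src_proto != dst_proto:
        return None
    return LogRecord(ts, rule, action, rule_id, iface,
                     src_ip, src_port, dst_ip, dst_port, dst_proto, msg_id)


def is_stas_drop(rec: LogRecord) -> bool:
    """A local-ACL denial of UDP traffic aimed at the STAS port."""
    return (rec.action == "Denied" and rec.rule == "Local ACL"
            and rec.proto == "UDP" and rec.dst_port == STAS_PORT)


def find_stas_drops(lines: Iterable[str]) -> List[LogRecord]:
    recs = (parse_line(line) for line in lines)
    return [r for r in recs if r is not None and is_stas_drop(r)]


def summarize(drops: Iterable[LogRecord]) -> Counter:
    """Count drops per (collector IP, ingress interface). An ipsec0 ingress
    shows the packet crossed the tunnel, so routing is fine and the local
    ACL (device access) is what is rejecting it."""
    return Counter((r.src_ip, r.in_iface) for r in drops)


# Constructed sample: row 1 is the poster's entry; rows 2-4 are made up.
SAMPLE_LOG = [
    "\t".join(["2017-04-06 11:27:35", "Local ACL", "Denied", "-", "0", "ipsec0", "-",
               "10.10.10.35 :UDP (57577)", "10.10.20.1 :UDP (6060)", "02002"]),
    "\t".join(["2017-04-06 11:27:41", "Local ACL", "Denied", "-", "0", "ipsec0", "-",
               "10.10.10.36 :UDP (50112)", "10.10.20.1 :UDP (6060)", "02002"]),
    "\t".join(["2017-04-06 11:28:02", "Firewall Rule", "Allowed", "-", "3", "Port1", "ipsec0",
               "10.10.20.50 :UDP (51000)", "10.10.10.35 :UDP (53)", "01001"]),
    "\t".join(["2017-04-06 11:28:10", "Local ACL", "Denied", "-", "0", "Port2", "-",
               "203.0.113.9 :TCP (44444)", "10.10.20.1 :TCP (22)", "02002"]),
]

if __name__ == "__main__":
    drops = find_stas_drops(SAMPLE_LOG)
    for (src, iface), n in summarize(drops).items():
        print(f"{n} STAS packet(s) from {src} dropped by Local ACL on {iface}")
```

Run it against an export of the firewall log; any collector IP that shows up with ipsec0 as the ingress interface reached the XG through the tunnel and is being refused by the appliance's own access control rather than by routing or the VPN.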

  • Hi,

    Can you verify all the steps from this KBA here and post pictures of the configurations?

    Thanks

  • Sachin,

    I didn't know about that KB. I changed the collector to not filter by subnet, and the only thing I was missing was step 3.

    The STAS test connection still fails from both DCs.

    Interesting: on the list of served appliances, one DC now shows nothing and the other shows both Sophos appliances.

    Edit: it does not seem to be working. The Users tab is empty and the authentication log is filled with failed auths, for example:

    User mdb failed to login to Firewall through Local auth. The thing is, that user is in the head office, not the branch office; it also does it for another user that I logged on at a branch office station.

  • Hi,

    "User mdb failed to login to Firewall through Local Auth": I think you need to drag the AD server on top of the Local auth server in Authentication | Services | Authentication Server list, so the order is AD, then Local. Make sure the AD server is on TOP of Local.

    Hope that helps.

  • Sachin, I forgot to mention that these errors are AFTER setting the AD server on top for ALL auth services.

  • I have the same problem on a single LAN with a single firewall.

    STAS is showing users, but the Sophos XG is dropping packets for UDP 6060 with a Local_ACL error.

    The really annoying thing is there isn't a way to create a firewall rule for a destination of LOCAL, which we used to do on Cyberoams.

    Modifying the Device Access settings doesn't change the behaviour.

    UPDATE.

    I noticed in the packet capture that it was referencing rule 4 as the source of the Local_ACL block.

    Rule 4 is a port forward for port 444 TCP from any zone to LAN.

    I modified the port forward to be for source WAN instead of ANY, and now I have connectivity to the Sophos from STAS.

    Go figure...

  • Hi,

    Could you check if the CTA is added on the XG appliance (console: system auth cta sh) and whether the address is pingable from the XG? Another test you may need to conduct is to check whether the test from STAS fails or passes.