
Site-to-site VPN results in losing connection to the UTM from the remote site

We're using the site-to-site VPN as the backup solution for the interoffice connection and MPLS as the primary site-to-site connection. The routing decision is made by our core switch. If the MPLS is functioning, the core switch forwards the traffic to the router that's connected to the MPLS cloud, which forwards the traffic to the other offices. When the MPLS is down, the core switch loses those dynamic routes from its routing table. As a result, it uses its default route to forward traffic to the Sophos UTM. Sophos sees the traffic as site-to-site and forwards it via the VPN tunnel to the remote offices. When we were using a Cisco ASA, the fail-over was completely automatic and we would not lose the connection to the Cisco ASA while the MPLS was functioning and the VPN was up. Now that we are using the Sophos to terminate the VPN, we configured the VPN and keep it enabled, and we lose connection to the Sophos from the remote office. Let's say I try to access the Sophos UTM in site B from site A: I will not be able to. I can only access the UTM from site B.

The reason we lose the connection is that the response traffic does not return the same way it reached the UTM. Instead, the traffic is going in a circle:

host A in site A > site A core switch > MPLS cloud > site B core switch > UTM > VPN > site A UTM > core switch > host A

  • I have created a more specific route, hoping this specific route would take over from the route that the site-to-site VPN tunnel builds. This does not work.
  • I have tested with "Bind tunnel to local interface" option but that does work.

Any help would be appreciated!

Thanks.
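The loop described above, modelled as an added example (this is not code from the original post or from Sophos): a small Python simulation that applies longest-prefix-match routing at every hop and models each UTM as a policy-based IPsec endpoint whose tunnel selectors are consulted before its routing table. That ordering is an assumption of the model, chosen because it reproduces the poster's observation that a more specific route did not take precedence over the tunnel. All node names and addresses are constructed. The script traces the request and the reply path with MPLS up and with MPLS down, and lists the hops that carry the reply but never saw the request; a stateful firewall sitting on one of those hops has no session to match the reply against, which is the risk an asymmetric return path creates.

```python
import ipaddress


class Node:
    """One forwarding hop.

    routes: list of (prefix, next_hop_name), resolved by longest-prefix match.
    ipsec:  list of (local_net, remote_net, peer_name) tunnel selectors.
    """

    def __init__(self, name, addresses, routes, ipsec=()):
        self.name = name
        self.addresses = {ipaddress.ip_address(a) for a in addresses}
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        self.ipsec = [(ipaddress.ip_network(l), ipaddress.ip_network(r), peer)
                      for l, r, peer in ipsec]

    def next_hop(self, src, dst):
        # Model assumption: policy-based IPsec selectors are checked before the
        # routing table, so a matching tunnel wins over any static route.
        for local, remote, peer in self.ipsec:
            if src in local and dst in remote:
                return peer
        best = None  # longest-prefix match over the routing table
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None


def trace(nodes, start, src, dst, max_hops=16):
    """Return the list of hop names a packet src->dst visits, starting at `start`."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    path = [start]
    for _ in range(max_hops):
        node = nodes[path[-1]]
        if dst in node.addresses:
            return path
        nh = node.next_hop(src, dst)
        if nh is None:
            raise RuntimeError(f"{node.name}: no route to {dst}")
        path.append(nh)
    raise RuntimeError("hop limit exceeded: routing loop?")


def unseen_on_forward(fwd, ret):
    """Hops that forward the reply but never saw the request (no state for it)."""
    return set(ret) - set(fwd)


def build_topology(mpls_up):
    """Constructed two-site topology: LAN A 10.1.0.0/16, LAN B 10.2.0.0/16.

    Each core switch learns the far LAN via MPLS only while MPLS is up;
    otherwise its default route sends everything to the local UTM.
    """
    core_a = [("10.1.10.0/24", "hostA"), ("10.1.0.0/24", "utmA"), ("0.0.0.0/0", "utmA")]
    core_b = [("10.2.0.0/24", "utmB"), ("0.0.0.0/0", "utmB")]
    if mpls_up:  # dynamic routes present only while the MPLS link is healthy
        core_a.append(("10.2.0.0/16", "mplsA"))
        core_b.append(("10.1.0.0/16", "mplsB"))
    return {
        "hostA": Node("hostA", ["10.1.10.10"], [("0.0.0.0/0", "coreA")]),
        "coreA": Node("coreA", [], core_a),
        "coreB": Node("coreB", [], core_b),
        "mplsA": Node("mplsA", [], [("10.2.0.0/16", "mplsB"), ("10.1.0.0/16", "coreA")]),
        "mplsB": Node("mplsB", [], [("10.1.0.0/16", "mplsA"), ("10.2.0.0/16", "coreB")]),
        "utmA": Node("utmA", ["10.1.0.1"], [("10.1.0.0/16", "coreA")],
                     [("10.1.0.0/16", "10.2.0.0/16", "utmB")]),
        "utmB": Node("utmB", ["10.2.0.1"], [("10.2.0.0/16", "coreB")],
                     [("10.2.0.0/16", "10.1.0.0/16", "utmA")]),
    }


def analyse(mpls_up, specific_route_on_utm_b=False):
    """Trace host A -> UTM B and the reply, and report stateless return hops."""
    nodes = build_topology(mpls_up)
    if specific_route_on_utm_b:
        # The poster's experiment: a host route on UTM B pointing back at the
        # core switch. Under this model the tunnel selector still wins.
        nodes["utmB"].routes.insert(0, (ipaddress.ip_network("10.1.10.10/32"), "coreB"))
    fwd = trace(nodes, "hostA", "10.1.10.10", "10.2.0.1")
    ret = trace(nodes, "utmB", "10.2.0.1", "10.1.10.10")
    return fwd, ret, unseen_on_forward(fwd, ret)


if __name__ == "__main__":
    for label, up, specific in (("MPLS up", True, False),
                                ("MPLS up + host route on UTM B", True, True),
                                ("MPLS down", False, False)):
        fwd, ret, unseen = analyse(up, specific)
        print(f"{label}:\n  request {' > '.join(fwd)}\n  reply   {' > '.join(ret)}")
        print(f"  reply hops with no state for the request: {sorted(unseen) or 'none'}")
```

With MPLS up the request crosses the MPLS routers while the reply comes back through the tunnel and site A's UTM, which never saw the request; with MPLS down both directions use the tunnel and the paths are symmetric.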

  • Hi Bob,
    Thanks for replying to my question.
    I have OSPF configured on the 3 UTMs and that did not help.

    Just to clarify, only the internet connection for the S2S VPN is physically connected to the UTM. The MPLS is connected to a router via another port on the core switch.

    Other points:
    When the MPLS and VPN are up at the same time and "Tunnel bind to local interface" is checked, the local site is able to connect to the UTM at the remote site and the web site hosted in the DMZ of the UTM.
    When "Tunnel bind to local interface" is unchecked, we lose connection to the UTM at the remote site and the web site hosted in the DMZ of the UTM. That's because the UTM pushes all the traffic through the VPN tunnel.

    When the MPLS fails, all the interoffice traffic routes through the S2S VPN tunnel. If "Tunnel bind to local interface" is checked, traffic does not push through the VPN tunnel.
    It only works if "Tunnel bind to local interface" is unchecked.

    For now, I can manage the UTMs by their public IP addresses, enable all the VPNs and leave "Tunnel bind to local interface" unchecked. This allows the failover to be completely automatic and I can still manage the UTMs,
    but we're looking for a fully automatic fail-over solution where, at the same time, I can access the UTMs via their internal IP addresses.

    I'm not sure if there's any configuration that I can change to make this work, or if this is how the UTM works, in which case I will have to accept the fact or suggest this to the Sophos engineering team.

    Thanks for your time,
    Matt
  • I consult for other resellers, Matt. One has a customer with four locations connected with MPLS. We haven't configured their backup VPN yet, but we are using the UTM in each location to handle both the MPLS and second ISP connections, already using Multipath. I think you might want to change your topology to be able to do what the article I linked to suggests. The Cisco ASA can't do everything the way the UTM does, and the UTM can't always do things the Cisco way: different tools, different ways to do things.

    Cheers - Bob
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA