WAAS Infrastructure with Sophos UTM

Hi all,

We replaced our old ASA 5510 with a new Sophos SG230 appliance and cannot get the existing WAAS infrastructure to work correctly. To simplify the setup:

LAN -> WAVE-574 L0 / WAVE-574 W0 -> Sophos -> VPN tunnel -> Sophos router -> WAVE-474 -> remote LAN

Interception: Inline

As the Sophos has issues with the manipulated TCP sequence numbers etc., I have enabled directed mode on the device group via the Central Manager and I see traffic flowing through the WAVE, but the connection on the remote site does not work as expected. I cannot reach remote resources and have entries in the firewall log which look like "swapped" src/dst ports (e.g. a connection to a printer web interface originating from port 80 and going to a random port).

Do I need to assign an IP address to the inline interface group? If so, how do I do this? I tried, but got an error because the mgmt interface is in the same subnet?!

Has someone got this setup working with Sophos?

Thanks in advance guys!

Cheers

Bartosch

3 Replies

Beau Clark
Level 1

Not much can be done on the Cisco side of this. On an ASA firewall, you simply add the "inspect WAAS" to your global policy. On the Sophos side, you will have to open a ticket with Sophos and ask them how to turn off "stateful inspection" of your specific traffic. 

Hi Beau Clark,
Yeah, thanks for the ASA advice; we had that. My question was aimed more at directed mode, as this is the way to circumvent these issues if I understand it correctly.

The WAN accelerators renumber the TCP packets to identify a WAAS peer on the other end. Firewalls (in general) see this traffic as out-of-sequence TCP traffic. So all firewalls that do "stateful inspection" will drop these packets; you could create a permit ip any any rule and this traffic would still be dropped. So when you talk to Sophos, tell them you want to turn off "stateful inspection" for this traffic.

Try this:

https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/92313/strange-drops

Rules here:

set advanced-firewall bypass-stateful-firewall-config add source_network 10.10.90.0 source_netmask 255.255.255.0 dest_network 10.10.10.0 dest_netmask 255.255.255.0

set advanced-firewall bypass-stateful-firewall-config add source_network 10.10.10.0 source_netmask 255.255.255.0 dest_network 10.10.90.0 dest_netmask 255.255.255.0
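Added example (not code from the thread, from Cisco or from Sophos): a toy stateful TCP tracker in Python that shows two things the replies above describe. First, why a segment whose sequence number the WAE has shifted is dropped by sequence tracking even though no rule denies it. Second, why the XG bypass rules above come as a pair: each bypass entry is evaluated per direction, so a single source/destination pair leaves the return traffic under stateful inspection. The subnets are the ones in the rules above; the host addresses, the SHIFT offset and the WINDOW size are assumed values, and the packets are constructed test data.

```python
"""Simplified stateful TCP tracker with a per-subnet-pair stateful bypass.

Added example for this thread, not code from Cisco, Sophos or any poster.
SHIFT stands in for the sequence-number offset a WAE applies (the real value
is WAAS-internal); WINDOW is an assumed acceptance window; hosts and packets
are constructed.
"""
import ipaddress
from dataclasses import dataclass

WINDOW = 65535        # assumed window the firewall accepts; real devices track the advertised window
SHIFT = 0x40000000    # assumed sequence-number offset applied by the WAE
MOD = 2 ** 32         # TCP sequence numbers wrap at 32 bits


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    flags: str          # subset of "SAP", e.g. "S", "SA", "PA"
    payload_len: int = 0


class StatefulFirewall:
    """Tracks the next expected sequence number per flow direction.

    `bypass` is a list of (source_network, dest_network) CIDR pairs, matched
    per direction like the XG bypass-stateful-firewall-config entries above.
    """

    def __init__(self, bypass=()):
        self.bypass = [(ipaddress.ip_network(s), ipaddress.ip_network(d))
                       for s, d in bypass]
        self.flows = {}   # frozenset({(src, sport), (dst, dport)}) -> {endpoint: next_seq}

    def _bypassed(self, pkt):
        s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return any(s in sn and d in dn for sn, dn in self.bypass)

    def verdict(self, pkt):
        if self._bypassed(pkt):
            return "ACCEPT (stateful bypass)"
        key = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
        sender = (pkt.src, pkt.sport)
        if "S" in pkt.flags and "A" not in pkt.flags:
            # A bare SYN opens a new flow; the SYN consumes one sequence number.
            self.flows[key] = {sender: (pkt.seq + 1) % MOD}
            return "ACCEPT (new flow)"
        flow = self.flows.get(key)
        if flow is None:
            return "DROP (no state)"
        expected = flow.get(sender)
        if expected is None:
            # First segment seen from this side (normally the SYN/ACK).
            flow[sender] = (pkt.seq + ("S" in pkt.flags) + pkt.payload_len) % MOD
            return "ACCEPT (reply direction)"
        if (pkt.seq - expected) % MOD >= WINDOW:
            return "DROP (seq out of window)"
        flow[sender] = (pkt.seq + pkt.payload_len) % MOD
        return "ACCEPT"


def scenario(bypass=()):
    """Handshake between a host on each side of the thread's subnets, then a
    data segment whose sequence number the WAE has shifted by SHIFT.
    Returns the firewall's verdict for each packet, in order."""
    fw = StatefulFirewall(bypass)
    client = ("10.10.90.5", 40000)    # constructed host in 10.10.90.0/24
    server = ("10.10.10.20", 80)      # constructed host in 10.10.10.0/24
    pkts = [
        Packet(*client, *server, seq=1000, flags="S"),
        Packet(*server, *client, seq=5000, flags="SA"),
        Packet(*client, *server, seq=1001, flags="A"),
        Packet(*client, *server, seq=(1001 + SHIFT) % MOD, flags="PA", payload_len=100),
    ]
    return [fw.verdict(p) for p in pkts]


# The two unidirectional pairs from the XG rules quoted in the thread.
BOTH_DIRECTIONS = [("10.10.90.0/24", "10.10.10.0/24"),
                   ("10.10.10.0/24", "10.10.90.0/24")]

if __name__ == "__main__":
    for label, rules in [("no bypass", ()),
                         ("one direction", BOTH_DIRECTIONS[:1]),
                         ("both directions", BOTH_DIRECTIONS)]:
        print(label, scenario(rules))
```

With no bypass the handshake passes and the shifted data segment is dropped as out of window, which is the "permit any, still dropped" behaviour Beau describes. With only the first rule the SYN/ACK from 10.10.10.0/24 back to 10.10.90.0/24 is still tracked, finds no state (the SYN was never recorded) and is dropped; only with both rules does the whole flow bypass inspection.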
