Register Now


Lost Password

Lost your password? Please enter your email address. You will receive a link and will create a new password via email.

Troubleshooting Steps When Traffic Is Not Passing through IPSEC VPN Tunnel

Here in this article, we will troubleshoot the issue when traffic from one end of the tunnel is not passing to other end of the tunnel through IPSEC VPN even after tunnel is up.

Note: Whenever tunnel is up and traffic is not flowing, never focus on logs just focus on capture, firewall rules and NAT rules.

Before troubleshooting the actual issue, first make sure you have configured IPSEC VPN tunnel properly. You can use following article for the same:

IPSEC VPN configuration

Here is the network diagram:

Network Diagram


Login to the sophos firewall GUI and click on Administration tab and then click on device access page. Check ping is enabled in the VPN zone. To ping from one end of the tunnel to other end of the tunnel ping must be enabled in the VPN zone as shown in below image

ping enable


There will be three types of routes in sophos Xg firewall.

1.Static Routes

2. VPN routes

3. SD WAN policy routes

IPSEC VPN routes fall under VPN routes. Suppose, there is a sd wan policy route and vpn route matching the same traffic and if SD wan policy has high priority than VPN routes, traffic will take the WAN connection instead of IPSEC tunnel. To increase the priority of VPN connection, follow the below instructions.

Login to the sophos XG firewall CLI, and type option “4”. You will enter to Device Console tab.

cli options
Device Console

Once you enter device console execute “system route_precedence show” command to check the routing order

ipsec route show
route precedence

Now our requirement is to keep VPN routes on high priority. For that execute this command “system route_precedence set vpn static sdwan_policyroute” and execute “system route_precedence show” command again. This time, VPN routes will take high priority as shown in below image

ipsec route set
route precedence


Sometimes, even if tunnel is up, IPSEC route will not be created to destination IP address. You can check by typing this below command in the sophos XG firewall console “system ipsec_route show

ipsec route show
ipsec route

In these type of cases, traffic instead of flowing through the IPSEC tunnel. It will flow through the normal WAN connection. To avoid this scenario, you can add IPSEC route to the destination by typing this command “system ipsec_route add net tunnelname SiteA_SiteB

In the above command, replace with your remote network IP address. In this case, i should keep and in the tunnel name replace SiteA_SiteB with IPSEC tunnel name.

Ipsec route add
ipsec route add

Now all the ipsec traffic will be routed through the IPSEC tunnel


Thumb rule of VPN is traffic going through tunnel must be never NATed to the public IP of the firewall. In case if the traffic is getting NATed other end of the firewall will drop the traffic.

To check that Initiate continuous ping from to the take the packet capture under Diagnostics >> packet capture and keep the filter as host (destination IP) as shown in image below

Packet capture
packet capture

You can find traffic will be NATed to public IP of the firewall whenever it is going out of the IPSEC, that should not happen. So to avoid that scenario, identify the LAN to VPN firewall rule and click on create linked NAT rule as show below image

Firewall rule
Linked Nat rule

It will open page like below, in place of translated SNAT keep it as original. So that all the traffic which pass through IPSEC tunnel will not get NATed

Linked nat rule
Translated SNAT

Once you save it, it might not update at that instant itself and there is a possibility that connection still matching another NAT rule. To prevent it, login to sophos XG firewall CLI and access advanced shell (option 5).

Execute this command “conntrack -F” as shown below


The moment you execute this command all existing connections in firewall will be disconnected and reestablished again. From the next IPSEC packet traffic will match to newly created NAT rule which will do no NAT (translated SNAT as original )and issue will be resolved.

Hope this article helps you.