Trouble Accessing Specific IP Behind Sophos Firewall in Multi-VPC Environment – Need Assistance!


Hello all,

I hope you're all doing well! I'm currently facing a perplexing issue in our multi-VPC setup, and I'm hoping someone with experience in network configurations can shed some light.

We have three VPCs (vpcA, vpcB, vpcC) interconnected through a transit gateway, and all traffic is allowed through our Sophos firewall. Strangely, we're encountering difficulties accessing a specific IP address (example: from within these VPCs, even though ping tests to the same IP address seem to be successful.

Has anyone experienced a similar issue before, where certain IP addresses cannot be accessed despite a seemingly open firewall policy? What troubleshooting steps or configurations should I be checking within the Sophos firewall or AWS networking setup to diagnose and resolve this problem?

Any insights, suggestions, or past experiences with similar challenges would be greatly appreciated. Thank you in advance for your assistance!

  • A network diagram would be useful, showing where the source/destination is and where your Sophos Firewall is in the path

2 Answers

Arhh.. The first thing that jumps out is asymmetric routing. Something to check:

Traffic in appliance mode is routed correctly as long as the source and destination traffic are coming to a centralized VPC (Inspection VPC) from the same transit gateway attachment. Traffic can drop if the source and destination are entering from two different transit gateway attachments.

When appliance mode is enabled, a transit gateway selects a single network interface in the appliance VPC, using a flow hash algorithm, to send traffic to for the life of the flow. The transit gateway uses the same network interface for the return traffic. This ensures that bidirectional traffic is routed symmetrically—it's routed through the same Availability Zone in the VPC attachment for the life of the flow. If you have multiple transit gateways in your architecture, each transit gateway maintains its own session affinity, and each transit gateway can select a different network interface.

If your VPC attachments span multiple Availability Zones and you require traffic between source and destination hosts to be routed through the same appliance for stateful inspection, enable appliance mode support for the VPC attachment in which the appliance is located.

EDIT: Disable source/destination checks

Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance.

answered 3 months ago
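To make the asymmetric-routing point concrete, here is an added toy model (not code from the answerer, AWS or Sophos): two stateful firewall instances, one per Availability Zone, each with its own connection table, sitting behind a transit gateway. Without appliance mode the model keeps each packet in the AZ of the host that sent it, so a reply coming from a host in the other AZ lands on the firewall that never saw the connection open and is denied; with appliance mode the model hashes the flow once and uses the same firewall for both directions. All IPs, AZs and the allow rule are constructed sample values.

```python
"""Constructed model of stateful inspection behind a transit gateway.

Assumptions (sample values, not from the original question):
  - vpcA hosts live in 10.1.0.0/16, vpcC hosts in 10.3.0.0/16
  - the firewall policy permits NEW connections only from vpcA to vpcC;
    everything else must match existing connection state
  - one firewall instance per AZ ("a" and "b"), no state sharing between them
"""
from dataclasses import dataclass, field
import hashlib


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"

    def flow_key(self):
        # Direction-independent 5-tuple: forward and return packets share one key.
        ends = sorted([(self.src_ip, self.src_port), (self.dst_ip, self.dst_port)])
        return (self.proto,) + tuple(ends)


@dataclass
class StatefulFirewall:
    """Allows new flows matching a (src_prefix, dst_prefix) rule; replies only with state."""
    name: str
    rules: tuple
    state: set = field(default_factory=set)

    def inspect(self, pkt: Packet) -> str:
        key = pkt.flow_key()
        if key in self.state:
            return "ALLOWED"            # return traffic of a flow this instance opened
        for src_prefix, dst_prefix in self.rules:
            if pkt.src_ip.startswith(src_prefix) and pkt.dst_ip.startswith(dst_prefix):
                self.state.add(key)     # new permitted connection: record state here only
                return "ALLOWED"
        return "DENIED"                 # unsolicited packet with no matching state


class TransitGateway:
    def __init__(self, firewalls: dict, host_az: dict, appliance_mode: bool):
        self.firewalls = firewalls      # az -> firewall ENI in that AZ
        self.host_az = host_az          # host ip -> AZ the host sends from
        self.appliance_mode = appliance_mode
        self.affinity = {}              # flow key -> chosen AZ (appliance mode only)

    def pick_az(self, pkt: Packet) -> str:
        if not self.appliance_mode:
            # Default behaviour: keep the packet in the AZ it originated from.
            return self.host_az[pkt.src_ip]
        key = pkt.flow_key()
        if key not in self.affinity:
            # Flow-hash once; reuse the same ENI for both directions for the flow's life.
            digest = hashlib.sha256(repr(key).encode()).digest()
            azs = sorted(self.firewalls)
            self.affinity[key] = azs[digest[0] % len(azs)]
        return self.affinity[key]

    def forward(self, pkt: Packet) -> tuple:
        az = self.pick_az(pkt)
        return az, self.firewalls[az].inspect(pkt)


def run_connection(appliance_mode: bool, client_az: str = "a", server_az: str = "b") -> dict:
    """Send a SYN from vpcA to vpcC and the SYN-ACK back; return (az, verdict) per direction."""
    client_ip, server_ip = "10.1.0.10", "10.3.0.20"
    rules = (("10.1.", "10.3."),)
    firewalls = {az: StatefulFirewall(f"fw-{az}", rules) for az in ("a", "b")}
    tgw = TransitGateway(firewalls, {client_ip: client_az, server_ip: server_az}, appliance_mode)
    forward = tgw.forward(Packet(client_ip, server_ip, 40000, 443))
    reply = tgw.forward(Packet(server_ip, client_ip, 443, 40000))
    return {"forward": forward, "return": reply}


if __name__ == "__main__":
    print("no appliance mode, hosts in different AZs:", run_connection(False))
    print("no appliance mode, hosts in the same AZ:  ", run_connection(False, "a", "a"))
    print("appliance mode, hosts in different AZs:   ", run_connection(True))
```

The same-AZ case is why a symptom like this often looks intermittent: flows whose endpoints happen to share an AZ pass, the rest are dropped on the return path, and the drop is logged by the firewall that never saw the handshake.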
  • I enabled appliance mode support for the vpcC attachment. The connection is still not working. Also, in the Diagnostics of the Sophos Firewall I saw that traffic goes through only 1 Sophos instance.

  • There's 1 more thing to check. You must disable the source/destination check

  • How are you getting on?

  • Still no luck. I'm using AWS Managed service for NAT - NAT Gateway. So, the source/destination check should be disabled.

  • Now I tested if this works when we bypass the Sophos Firewall. This way is working. So, the issue is with Sophos Firewall.



Source: Test EC2 Instance Destination:

Traffic is logged into the firewall as DENIED and sometimes ALLOWED.

Similar to this

answered 3 months ago
