
Sophos XG firewall is blocking the VOICE and Internet traffic

Hi ALL,

We have deployed the Sophos XG firewall with 17.5.9 MR-09 firmware. I have created an Internet access policy, a DNS policy, and 03 firewall groups. In these 03 groups only firewall categories are selected as the access level. It worked for 03 hours without any issue. I have tried to access the allowed websites, but sometimes they are accessible and sometimes they are not. VOICE traffic starts getting dropped.

I have tried to ping the global DNS 8.8.8.8; it gives RTOs in a random order. At the same time I watched the logs through the GUI log viewer, where I saw a lot of denied traffic, some of it our own broadcast traffic and some from outside our network.

All these events occur at the same time, but if I ping the DNS 8.8.8.8 from the firewall console, it pings the DNS without any RTO.

We are using two internet lines here, one as primary and the other as secondary.

If we shift the same LAN network to the TP-Link router, it works without any issue. Please suggest how this could be resolved.

Thanks!

Regards:

Vinay Pal



  • Hi,

    when you shift to the TP-Link router you are only using one external link. What happens if you only have one link on the XG?

    Please post your firewall rules to assist us in troubleshooting.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi rfcat_vk,

    I am explaining the scenario for now:

    1- The back-up line is active right now; no one is getting any drops right now, and it also works in the case of 05 PCs. The primary link is connected to the TP-Link router to serve the users.

    2- All my softphones are registered, but there is noise disturbance, call drops, and voice drops.

    3- All websites work fine with 1-5 PCs, but if we shift the entire network of 40 PCs, after 01-02 hours it blocks the entire traffic.

    Firewall rules:

    VOIP ports out of SPI: SIP (5060-5080)

    RTP ports out of SPI: 5000-50000

    Voice call domain out of SPI: sip-76113.accounts.vocalocity.com

    Traffic to WAN:

    1- DNS rule: LAN==ANY==ANY -> WAN==any==any
    Identity: not selected
    Web policy: Allow all
    Application policy: Allow all

    2- Marketing Rule: LAN==ANY==ANY -> WAN==any==any
    Identity: Marketing Group
    Web policy: Allow all
    Application policy: Allow all

    3- Agent Access: LAN==ANY==ANY -> WAN==any==any
    Identity: Agent_Group
    Web policy: Allow all
    Application policy: Allow all

    4- CCV_Access: LAN==ANY==ANY -> WAN==any==any
    Identity: CCV_Group
    Web policy: Allow all
    Application policy: Allow all

    5- Internet access Rule: LAN==ANY==ANY -> WAN==any==any
    Identity: Any
    Web policy: Allow all
    Application policy: Allow all

    Note: Primary link is configured as active

    Secondary link: back-up

     

     
