This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Do i need static routing rule? Cannot reach subnet from Branch Office

Simon-Timothy Folaji over 4 years ago

Hello community,

my setup is as followed:

Main Site: 10.1.0.0/23 (LAN Port1)

VLAN 100 (LAN Port1.100) on Sophos XG (Gateway: 172.31.100.1)

VOIP-Network: 172.31.100.0/24

VOIP-Server: 172.31.100.220

Branch Office A: 10.1.3.0/24

Branch Office B 10.1.4.0/24

Problem:

I want to use VOIP-Phones in my Branch Office B which i can´t. I have checked the FW-Policy (LAN to LAN), which is correct (green in logviewer). I cannot ping the VOIP-Server from within the Branch Office B, but i can ping it when i´m connected via sslvpn (Rule Policy LAN to LAN applies here). The strange thing is that i CAN ping VOIP phones (e.g. 172.31.100.106) from the branch office B but NOT the VOIP-Server itself (172.31.100.220) ?? Makes absolutely no sense. I can also ping the VOIP-Networks gateway which is 172.31.100.1 (the virtual port on the XG).

What am i doing wrong? Do i need a specific route for the traffic to reach the Branch Office?

This thread was automatically locked due to age.

Parents

0 Keyur over 4 years ago

Hi Simon-Timothy Folaji

Please add static routes and specify gateway in them.

A network diagram would be much appreciated for better assistance

Regards,

Keyur
Community Support Engineer | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon-Timothy Folaji over 4 years ago in reply to Keyur

Hi Keyur,

here it is:
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon-Timothy Folaji over 4 years ago in reply to Simon-Timothy Folaji

So my question is:

How does the ipv4 unicast route have to look like?

Strange thing is that i can reach the different voip phones from the branch office b to my main network (main site where the XG resides) but not the voip-server itself....
Cancel
Vote Up 0 Vote Down

Cancel
0 lferrara over 4 years ago in reply to Simon-Timothy Folaji

Simon,

please post static routes, tcpdump and a traceroute output.

Thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 Keyur over 4 years ago in reply to Simon-Timothy Folaji

Hi Simon-Timothy Folaji

As per the diagram Branch sites are connected with the RED device.

Please make sure that LAN to VLAN and VLAN to LAN firewall should be required NAT (MASQ) can be toggled.

tcpdump on the VoIP server IP and Branch system IP would be helpful to analyze the traffic flow.

Please login to SSH console

execute the command tcpdump 'host <VoIP server IP> and host <Branch system IP>

Please share the output and also share the static route configuration details.

Regards,

Keyur
Community Support Engineer | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon-Timothy Folaji over 4 years ago in reply to Keyur

Hi Keyur,

i´m having trouble understanding this:

Please make sure that LAN to VLAN and VLAN to LAN firewall should be required NAT (MASQ) can be toggled.

I have an LAN - LAN fw-policy, there is no NAT enabled. When i´m connected to the network via sslvpn i can access everything - even the voip-server because the fw-rule is different from the LAN-to-LAN rule. Can this be the cause?

Target Network of LAN-to-LAN rule is: everything

Target Network of SSLVPN is every network manually added by me (VOIP-Network, local network, etc.)
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon-Timothy Folaji over 4 years ago in reply to Simon-Timothy Folaji

my static routing list is empty
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon-Timothy Folaji over 4 years ago in reply to Keyur

the output of tcpdump equals=0 because there is no traffic flowing to/from the two systems to each other.

tcpdump -n host 172.31.100.220 and host 10.1.4.102
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon-Timothy Folaji over 4 years ago in reply to Simon-Timothy Folaji

tomorrow i will install an openstage 40 voip-phone which is capable of creating some network traffic via shell, then i will test again the output of

tcpdump -n host voip-server and host telephone
Cancel
Vote Up 0 Vote Down

Cancel
0 Keyur over 4 years ago in reply to Simon-Timothy Folaji

Hi Simon-Timothy Folaji

Thank you for your response, please share the output when you have resource. We will be glad to assist you further.

Regards,

Keyur
Community Support Engineer | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Cancel
Vote Up 0 Vote Down

Cancel
0 lferrara over 4 years ago in reply to Simon-Timothy Folaji

Simon,

how are the branch offices connected to the main office?

MPLS, red or S2S VPN?

Thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon-Timothy Folaji over 4 years ago in reply to lferrara

Good morning,

the S2S are connected via RED-Devices. But that wasn´t the issue. I found out yesterday that the gateway of the VOIP-System is connected via a different gateway (DSL-Connection), now everything works just fine.

Sorry for the undocumented approach. Thanks to all!
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Simon-Timothy Folaji over 4 years ago in reply to lferrara

Good morning,

the S2S are connected via RED-Devices. But that wasn´t the issue. I found out yesterday that the gateway of the VOIP-System is connected via a different gateway (DSL-Connection), now everything works just fine.

Sorry for the undocumented approach. Thanks to all!
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data