Replaced FortiGate with SOPHOS XG125, LAN from different network could not connect in the same LAN zone

Hi,

Please see my network diagram attached here.

I have a Head Office and a Branch Office connected by a point-to-point link. A Cisco router is connected at each end for routing over the point-to-point link.
The Head Office LAN switch (subnet 192.168.1.0) is connected to the local PCs, the local server 192.168.1.10, the XG125 192.168.1.1, as well as the Cisco router of the point-to-point link, 192.168.1.7.
The Cisco router has a static route for the Branch Office subnet 192.168.3.0 as well as a default route to 192.168.1.1 so Branch users can access the internet. All user PCs as well as the local server 192.168.1.10 in the Head Office connected to the switch have 192.168.1.1 as their default gateway to access the internet and the Branch Office network.
The XG 125 has a static route to the Branch Office network 192.168.3.0 through the Cisco router's LAN interface 192.168.1.7 from the LAN zone.
Head Office users can reach Branch Office users without any problem.

The Branch Office subnet 192.168.3.0 is configured on the Cisco router connected to the point-to-point link. It has a static route for the Head Office subnet 192.168.1.0 as well as a default route to 192.168.1.1 so Branch users can access the internet. Here the Cisco router's LAN interface is 192.168.3.7. Branch Office users can access the internet without any problem, but they cannot access any Head Office PCs or the local server. From the Branch Office only a ping to the XG 125 LAN interface 192.168.1.1 is reachable, not to the LAN server 192.168.1.10 or the PCs. The Branch Office PCs have 192.168.3.7 as their default gateway.
Previously we were using a FortiGate firewall with the same network design and everything was working perfectly. We replaced the FortiGate with the SOPHOS XG125, and now Branch Office users are not able to access the Head Office servers.

Please help me with an easy-to-implement solution.

Thanks



Added TAGs
[edited by: emmosophos at 10:23 PM (GMT -7) on 12 Apr 2021]
  • Hello there,

    Thank you for contacting the Sophos Community.

    Do you have the correct Firewall rules to allow the traffic?

    Can you run a tcpdump on the XG to see what is happening to the traffic when you try to ping the internal resources?

    # tcpdump -eni any host x.x.x.x and proto icmp

    (Substitute x.x.x.x with the IP of the computer you're trying to ping.)

    However, it seems you might have some asymmetric routing in place. I think the traffic is going

    Branch Office >> Tunnel >> Switch >> PC >> Sophos XG 

    However for this to work, your traffic should go

    BO >> Tunnel >> Switch >> PC Tunnel 

    Regards,

    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
  • Could not understand your solution

  • Hello there,

    So you'll need to run a packet capture from the XG (Advanced Shell 5>3) to see how the traffic is flowing.

    # tcpdump -eni any host x.x.x.x and proto icmp

    (Substitute x.x.x.x with the IP of the computer you're trying to ping.)

    If you see the XG seeing the reply packets but not the request for the ICMP, then it means you have asymmetric routing.

    Your traffic should flow the same way it came, but in your Diagram it doesn't seem the Reply packet will take the same path to return.

    Regards,

    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
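As an added example (not from this thread and not Sophos code), a small Python model of the topology described above: it traces the ICMP request and reply hop by hop through each device's routing table and applies the stateful check EmmoSophos describes, so you can see why the XG sees the reply to 192.168.1.10 but never the request. The point-to-point link addresses (10.0.0.1/10.0.0.2), the branch PC address 192.168.3.20 and the server-side route used as a candidate fix are assumptions, not values from the thread.

```python
import ipaddress

# Constructed model of the thread's topology: per-node routing tables as
# (prefix, next_hop); next_hop None means the prefix is directly connected.
# Assumed (not in the thread): p2p link 10.0.0.1 (HO) / 10.0.0.2 (branch),
# branch PC 192.168.3.20.
ROUTES = {
    "branch-pc": [("192.168.3.0/24", None), ("0.0.0.0/0", "192.168.3.7")],
    "branch-cisco": [("192.168.3.0/24", None), ("10.0.0.0/30", None),
                     ("192.168.1.0/24", "10.0.0.1"), ("0.0.0.0/0", "10.0.0.1")],
    "ho-cisco": [("192.168.1.0/24", None), ("10.0.0.0/30", None),
                 ("192.168.3.0/24", "10.0.0.2"), ("0.0.0.0/0", "192.168.1.1")],
    "ho-server": [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")],
    "xg": [("192.168.1.0/24", None), ("192.168.3.0/24", "192.168.1.7")],
}
OWNER = {"192.168.3.20": "branch-pc", "192.168.3.7": "branch-cisco",
         "10.0.0.2": "branch-cisco", "10.0.0.1": "ho-cisco",
         "192.168.1.7": "ho-cisco", "192.168.1.10": "ho-server", "192.168.1.1": "xg"}

def next_hop_node(routes, node, dst):
    """Longest-prefix match in node's table; returns the next node or None."""
    best = None
    for prefix, nh in routes[node]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return None if best is None else OWNER.get(best[1] or dst)

def path(routes, src, dst):
    """Hop-by-hop list of nodes a packet from src to dst traverses."""
    node, hops = OWNER[src], [OWNER[src]]
    while node != OWNER[dst]:
        node = next_hop_node(routes, node, dst)
        if node is None or node in hops:
            return hops + ["unroutable"]
        hops.append(node)
    return hops

def xg_verdict(routes, client, target):
    """Stateful inspection on the XG: a reply is only forwarded if the XG
    also saw the request that opened the connection (asymmetric-routing check)."""
    req, rep = path(routes, client, target), path(routes, target, client)
    if "xg" not in rep:
        return "xg not on reply path"
    return "reply forwarded" if "xg" in req else "reply dropped: no matching request seen"

# Candidate mitigation (assumed, not from the thread): give the HO server a route
# to the branch via the Cisco router so the reply takes the same path as the request.
FIXED = {**ROUTES, "ho-server": [("192.168.3.0/24", "192.168.1.7")] + ROUTES["ho-server"]}

if __name__ == "__main__":
    for routes, label in ((ROUTES, "as described"), (FIXED, "with server route")):
        print(label, "| ping 192.168.1.1:", xg_verdict(routes, "192.168.3.20", "192.168.1.1"))
        print(label, "| ping 192.168.1.10:", xg_verdict(routes, "192.168.3.20", "192.168.1.10"))
```

The same symmetry can be restored on the Cisco side or on the XG rather than on each host; the model only shows which path shape the stateful firewall needs.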