Hi,

Please see my network diagram attached here. I have a Head Office and a Branch Office connected by a point-to-point link. A Cisco router is connected at both ends for routing on the point-to-point link.

The Head Office LAN switch subnet 192.168.1.0 is connected to the local PCs, the local server 192.168.1.10, the XG125 192.168.1.1, as well as the Cisco router of the point-to-point link, 192.168.1.7. The Cisco router has a static route for the Branch Office subnet 192.168.3.0 as well as a default route to 192.168.1.1 for Branch users' internet access. All user PCs as well as the local server 192.168.1.10 in the Head Office connected to the switch have 192.168.1.1 as their default gateway, to access the internet and the Branch Office network. The XG125 has a static route to the Branch Office network 192.168.3.0 through the Cisco router's LAN interface 192.168.1.7 from the LAN zone. Head Office users can reach Branch Office users without problem.

The Branch Office subnet 192.168.3.0 is configured on the Cisco router connected to the point-to-point link. It has a static route for the Head Office subnet 192.168.1.0 as well as a default route to 192.168.1.1 for Branch users' internet access. Here the Cisco router's LAN interface is 192.168.3.7. Branch Office users can access the internet without any problem, but they cannot access any Head Office PCs or the local server. From the Branch Office only the XG125 LAN interface 192.168.1.1 is reachable by ping, not the LAN server 192.168.1.10 or the PCs. Branch Office PCs have 192.168.3.7 as their default gateway.

Previously we were using a FortiGate firewall with the same network design and everything was working perfectly. We replaced the FortiGate with the Sophos XG125, and now Branch Office users are not able to access the Head Office servers.

Please help me with an easy to implement solution.

Thanks
Thank you for contacting the Sophos Community.
Do you have the correct Firewall rules to allow the traffic?
Can you run a tcpdump on the XG to see what is happening to the traffic when you try to ping the internal resources?
# tcpdump -eni any host x.x.x.x and proto ICMP (substitute the x.x.x.x for the IP of the computer you’re trying to Ping)
However, it seems you might have some asymmetric routing in place. I think the traffic is going
Branch Office >> Tunnel >> Switch >> PC >> Sophos XG
However for this to work, your traffic should go
BO >> Tunnel >> Switch >> PC >> Tunnel
Could not understand your solution
So you'll need to run a packet capture from the XG (Advanced Shell, menu 5 > 3) to see how the traffic is flowing.
If you see the XG seeing the Reply packets but not the Request for the ICMP, then it means you’re having asymmetric routing.
Your traffic should flow back the same way it came, but in your diagram it doesn't seem the reply packet will take the same path to return.
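As an added example (not part of the original thread or any Sophos tooling), a small Python check for the symptom described above: it parses lines from the XG tcpdump and flags ping flows where the firewall sees echo replies but never the matching echo requests. The capture lines are constructed to use the poster's addresses; the `tcpdump -eni any` line layout is assumed.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -eni any host 192.168.1.10 and icmp` output
# on the XG. In a topology like the poster's, the branch host's requests reach
# the server directly via the Cisco router and the switch, but the server's
# replies go to its default gateway (the XG), so the XG sees replies only.
SAMPLE_CAPTURE = """\
10:00:01.000100  In 00:0c:29:aa:bb:01 ethertype IPv4 (0x0800), length 98: 192.168.1.10 > 192.168.3.20: ICMP echo reply, id 1, seq 1, length 64
10:00:01.000200 Out 00:0c:29:aa:bb:02 ethertype IPv4 (0x0800), length 98: 192.168.1.10 > 192.168.3.20: ICMP echo reply, id 1, seq 1, length 64
10:00:02.000100  In 00:0c:29:aa:bb:01 ethertype IPv4 (0x0800), length 98: 192.168.1.10 > 192.168.3.20: ICMP echo reply, id 1, seq 2, length 64
10:00:03.000100  In 00:0c:29:aa:bb:03 ethertype IPv4 (0x0800), length 98: 192.168.3.20 > 192.168.1.1: ICMP echo request, id 2, seq 1, length 64
10:00:03.000150 Out 00:0c:29:aa:bb:02 ethertype IPv4 (0x0800), length 98: 192.168.1.1 > 192.168.3.20: ICMP echo reply, id 2, seq 1, length 64
"""

ICMP_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp_echo(capture):
    """Yield (src, dst, kind, icmp_id, seq) for each echo request/reply line."""
    for line in capture.splitlines():
        m = ICMP_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"])


def find_asymmetric_flows(capture):
    """Return {(pinger, target): (requests_seen, replies_seen)} for ping flows
    where the XG saw replies but no requests at all, i.e. the reply path
    crosses the firewall while the request path bypasses it."""
    seen = defaultdict(lambda: (set(), set()))  # flow -> (request ids, reply ids)
    for src, dst, kind, icmp_id, seq in parse_icmp_echo(capture):
        if kind == "request":
            seen[(src, dst)][0].add((icmp_id, seq))
        else:  # a reply travels target -> pinger, so key it by the original flow
            seen[(dst, src)][1].add((icmp_id, seq))
    return {flow: (len(req), len(rep)) for flow, (req, rep) in seen.items()
            if rep and not req}


if __name__ == "__main__":
    for (pinger, target), (req, rep) in find_asymmetric_flows(SAMPLE_CAPTURE).items():
        print(f"{pinger} -> {target}: {req} requests, {rep} replies seen: asymmetric")
```

The ping to the XG's own interface 192.168.1.1 is not flagged because both its request and its reply pass through the firewall, which matches what the poster observes.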