
Lan to Lan traffic blocked

I am working to set up a firewall and facing a strange issue. The configuration is as follows:

Firewall and Other Servers are hosted in subnet: 172.16.100.x

Clients are hosted in various subnets like 192.168.x.x, 10.10.10.x

Top Firewall rule is to allow traffic between Any LAN zone device to Any LAN zone device

Network setup:

The core switch has a static route of 0.0.0.0 and gateway as XG Firewall

However, I am able to access the firewall from my clients but none of the other servers that reside in the same network as the firewall. Any help is much appreciated.


  • FormerMember
    0 FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    Have you added routes to your internal subnets (192.168.x.x, 10.10.10.x)?

    Could you please share the interface configuration snapshot and a rough network diagram here or in PM?

  • I have added routes for all subnets available. I am able to ping all devices in all other VLANs. The clients get the captive portal from the FW too on all VLANs and are able to authenticate using that.

    The only issue I'm facing is with the 172.16.x.x subnet resources except the FW.

    When I go to Diagnostics >> Ping, I can see traffic reaching the server and an ack sent by the server (tried ICMP, RDP). However I get Status as "Violation" with Reason as "Invalid Traffic" for the ACK.

  • FormerMember
    0 FormerMember in reply to Mayuresh Bhagwat

    Can you please post a packet capture snapshot?

    Check packet flow in CLI as well.

    ==> Log in to SSH > 4. Device Console

    ==> Ping server(172.16.x.x) from internal subnet.

    ==> Check packet flow on server IP 172.16.x.x

    console> tcpdump 'host 172.16.x.x and proto ICMP'

    ==> Check drop packet in other SSH session.

    console> drop-packet-capture 'host 172.16.x.x and proto ICMP'

  • Thanks for the support, the issue is resolved now.

    The issue was due to asymmetric routing. The solution was to add an advanced firewall rule from the server subnet to the user subnet, i.e. a one-way rule only. We also tried adding a bi-directional rule but that took off the internet access, hence only a one-sided rule.
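
As an added illustration (not code from this thread or from Sophos), a small Python model of why a stateful firewall reports the return packet as a violation when the two directions of a flow take different paths, which is the "Invalid Traffic" symptom described above. The interface names, addresses and verdict strings are constructed, and the state logic is a simplification of what a real firewall does.

```python
# Constructed, simplified model of stateful inspection under asymmetric routing.
# Not Sophos XG code: interface names, addresses and verdicts are made up here.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str      # interface the packet arrived on
    opener: bool    # True for an ICMP echo / TCP SYN, False for a reply

class StatefulFirewall:
    """Remembers, per flow, which interface each endpoint is reached through."""
    def __init__(self, routes):
        self.routes = routes   # destination prefix -> egress interface
        self.state = {}        # sorted (ip, ip) pair -> {ip: interface}

    def _egress(self, ip):
        for prefix, iface in self.routes.items():
            if ip.startswith(prefix):
                return iface
        raise LookupError(f"no route for {ip}")

    def inspect(self, pkt):
        key = tuple(sorted((pkt.src, pkt.dst)))
        if key not in self.state:
            if not pkt.opener:
                # A reply with no matching state cannot be tied to a session.
                return "Violation: Invalid Traffic"
            self.state[key] = {pkt.src: pkt.in_if, pkt.dst: self._egress(pkt.dst)}
            return "Allowed"
        if self.state[key][pkt.src] != pkt.in_if:
            # Session exists, but the reply came back on an unexpected interface.
            return "Violation: Invalid Traffic"
        return "Allowed"

# Constructed topology: user VLANs behind the core switch on PortA, server segment on PortB.
ROUTES = {"192.168.": "PortA", "10.10.10.": "PortA", "172.16.100.": "PortB"}
CLIENT, SERVER = "192.168.10.20", "172.16.100.50"

def symmetric():
    """Echo and reply both traverse the firewall on the expected interfaces."""
    fw = StatefulFirewall(ROUTES)
    return [fw.inspect(Packet(CLIENT, SERVER, "PortA", True)),
            fw.inspect(Packet(SERVER, CLIENT, "PortB", False))]

def asymmetric():
    """Reply re-enters via the core switch on PortA instead of PortB."""
    fw = StatefulFirewall(ROUTES)
    return [fw.inspect(Packet(CLIENT, SERVER, "PortA", True)),
            fw.inspect(Packet(SERVER, CLIENT, "PortA", False))]
```

Comparing the two verdict lists shows the request accepted in both cases and only the asymmetric reply flagged, which is the pattern to look for in the drop-packet-capture output.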

  • FormerMember
    0 FormerMember in reply to Mayuresh Bhagwat

    Glad to know that you identified an issue and resolved it.

    Click here for more information on 'Asymmetric routing design condition'.
