Static Routing Not working on SOPHOS XG Firewall.

Hi Sophos Community,

I am struggling to route traffic between two Sophos firewalls over the point-to-point connectivity. I am deploying my project in the EVE simulator, but it is not routing the traffic from the 10.10.0.5 PC towards the 192.168.3.30 Win Server and vice versa, as shared in the picture below. The WAN to LAN policy is slotted there as well, but the traffic is dropped on the Win Server portion of the Sophos, while the same scenario tested with Cisco routers works properly. The Internet from both the WinServer machine and from the 10.10.0.5 PC is working fine, as we have given separate Internet connections on both Sophos XG firewalls.



[edited by: emmosophos at 6:09 PM (GMT -8) on 25 Nov 2021]
  • Hi Muhammad, thanks for reaching out to the Sophos Community.

    It appears that the traffic gets stuck on the XG nodes when pinged from either end. Make sure that both XGs have routing information to reach the remote-end machines.

    Ensure that there is no NAT happening anywhere along the route. If there is, you will need to adjust the routing accordingly. In the GUI, go to Diagnostics > Tools > Route lookup and check the remote end's IP or subnet.

    If everything seems proper, I suggest starting by taking a packet capture on either one of these XG devices for the destination address and seeing how the traffic is handled by the firewall. Additionally, I would also recommend running a Wireshark capture on Router-2 (fa0/0 interface) and Router-3 (fa0/0 interface) within EVE as well. (Filter the Wireshark capture on ICMP to clear out the unnecessary traffic.)

    Devesh Mishra
    Global Community Support Engineer | Sophos Technical Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, use the 'Verify Answer' link.
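The reply above asks for two things before anything else: that each XG has a route to the remote-end subnet, and that nothing else (a default route to a separate Internet link, NAT) is silently taking the traffic. The following is an added example, not code from the thread or from Sophos, that models that check as a toy longest-prefix route lookup run over both firewalls in both directions of a flow. The addresses 10.10.0.5, 192.168.3.30 and 10.77.55.2 come from the thread; the interface names, the 10.77.55.1 side of the point-to-point link, the /24 and /30 masks and the WAN gateways are constructed assumptions for illustration.

```python
"""Toy two-firewall route check for a flow, in both directions.

Added example, not from the original forum thread or from Sophos.  The
routing tables below are constructed; only the end-host addresses and the
10.77.55.2 next hop are taken from the thread.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# (prefix, outgoing interface, next hop; None = directly connected subnet)
Route = Tuple[str, str, Optional[str]]
DEFAULT = "0.0.0.0/0"


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match. None means 'no route': the packet is dropped."""
    addr = ip_address(dst)
    best: Optional[Route] = None
    for route in table:
        net = ip_network(route[0])
        if addr in net and (best is None or net.prefixlen > ip_network(best[0]).prefixlen):
            best = route
    return best


def check_flow(tables: Dict[str, List[Route]], path: List[str], src: str, dst: str) -> List[str]:
    """Walk the firewalls on 'path' for src->dst, then in reverse for the reply.

    A leg is flagged if a firewall has no route at all, or if the only match
    is the default route: with separate Internet links on each XG that means
    the reply leaves via the WAN instead of the point-to-point link, which
    looks like a drop from the end hosts' point of view.
    """
    problems: List[str] = []
    legs = (("forward", path, dst), ("return", list(reversed(path)), src))
    for direction, hops, target in legs:
        for fw in hops:
            route = lookup(tables[fw], target)
            if route is None:
                problems.append(f"{direction}: {fw} has no route to {target}")
            elif route[0] == DEFAULT:
                problems.append(f"{direction}: {fw} sends {target} to the default route via {route[1]}")
    return problems


# Assumed topology (constructed): PortA = LAN, PortB = point-to-point link
# (10.77.55.0/30, assumed), PortC = that firewall's own Internet connection.
XG_17_222: List[Route] = [
    ("10.10.0.0/24", "PortA", None),
    ("10.77.55.0/30", "PortB", None),
    ("192.168.3.0/24", "PortB", "10.77.55.2"),   # the static route described in the thread
    (DEFAULT, "PortC", "203.0.113.1"),           # assumed WAN gateway
]
XG_17_221_BROKEN: List[Route] = [
    ("192.168.3.0/24", "PortA", None),
    ("10.77.55.0/30", "PortB", None),
    (DEFAULT, "PortC", "198.51.100.1"),          # assumed WAN gateway; no route back to 10.10.0.0/24
]
# Same table plus the return route over the link (10.77.55.1 is the assumed far-side address).
XG_17_221_FIXED: List[Route] = XG_17_221_BROKEN + [("10.10.0.0/24", "PortB", "10.77.55.1")]
PATH = ["XG-17.222", "XG-17.221"]


def diagnose(second_fw_table: List[Route]) -> List[str]:
    """Check the PC -> Win Server flow from the thread against a given 17.221 table."""
    tables = {"XG-17.222": XG_17_222, "XG-17.221": second_fw_table}
    return check_flow(tables, PATH, "10.10.0.5", "192.168.3.30")


if __name__ == "__main__":
    for label, table in (("before", XG_17_221_BROKEN), ("after", XG_17_221_FIXED)):
        print(label, diagnose(table) or ["routing OK in both directions"])
```

The point of checking the return leg separately is that a ping from 10.10.0.5 can reach 192.168.3.30 and still "fail": if the second firewall has no specific route back to 10.10.0.0/24, the reply matches its default route and leaves over its own Internet link, where it is source-NATed and never returns over the point-to-point link. That is the case the GUI route lookup on each XG, queried for the remote subnet, is meant to reveal.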
  • The routing is done on both XG firewalls for the remote subnets. I think it is some kind of NAT issue on the XG firewall, but I don't know how to figure it out.

  • You can start by taking a destination-based packet capture in the GUI. It will show the matching firewall and NAT rules.

    Also, check the routing precedence with the command --> system route_precedence show

    You can run this command through SSH (Option 4 > Console)

    Devesh Mishra
    Global Community Support Engineer | Sophos Technical Support
  • OK, I will let you know, as my colleague is at home and our topology is built on his system.

    Meanwhile, we want to know what the firewall policy should be for transit traffic between two Sophos XG firewalls, as our traffic is blocked when it transits the 2nd Sophos XG FW going towards the LAN side of the interface.

    We gave routes on the 17.222 Sophos XG such as 192.168.3.0/24 from Port B with the next hop 10.77.55.2 as the gateway (it shows green in the gateway tab as well), but no traffic is reaching the other side when we ping from the 10.10.0.5 PC, as the trace is blocked on the 17.222 even after disabling the NAT rules.

    And the same is happening from the 192.168.3.30 PC towards the 10.10.0.5 VPC on the Sophos XG 17.221 with the same configuration.