Mismatched client gateway


Sophos XG 330:
LAN Port 9
LAN Port 9.8
Port 9 plugged in Switch port 24

Layer3 Switch:
Port 24 Trunk ALLOW ALL VLAN
Port 1 VLAN=0
Port 2 VLAN=8

Gateway <- Sophos is the Gateway here.
Plug in Switch Port 1

Gateway <- Layer3 Switch is the Gateway here.
Plug in Switch Port 2

In this config, PC1 can ping PC2, but PC2 CAN'T ping PC1
On the log I have : ICMP packets with invalid ICMP type/code.

If I swap both gateway on the PCs to either same it works it doesn't matter which one I choose.

It's when they are mismatch that I have this issue. And for my used case, I need it to be able to be mismatch.

This setup works in my Sophos SG 330... That will be EOL soon...

Edited TAGs
[edited by: emmosophos at 7:47 PM (GMT -7) on 18 May 2022]
  • Hello there,

    Thank you for contacting the Sophos Community.

    Because of how your traffic is flowing, you might have asymmetric routing. 

    Try running the following command from the Advanced Shell of the Sophos Firewall (5>3)

    set advanced-firewall bypass-stateful-firewall-config add source_network xxx.xxx.xxx.xxx source_netmask xxx.xxx.xxx.xxx dest_network xxx.xxx.xxx.xxx dest_netmask xxx.xxx.xxx.xxx

    The above would bypass the entire network, if you’re looking to do  the bypass for only specific hosts, you can run

    set advanced-firewall bypass-stateful-firewall-config add source_host x.x.x.x dest_host x.x.x.x

    Note: After running this command, the XG will only do the routing for these packets; no other feature can be enforced.


    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • The command worked!!! but not in [5>3] but in [4] Console.

    It's a long process because I had to write a line for both ways 

    set advanced-firewall bypass-stateful-firewall-config add source_network source_netmask dest_network dest_netmask

    set advanced-firewall bypass-stateful-firewall-config add source_network source_netmask dest_network dest_netmask

    For each VLAN that the Sophos has you have to write both line for each pair of VLANs. So it's a n(n+1)/2 senario, if you have 9 VLANs you have 45 lines.  

    Furthermore, If you have remote switches with their own local VLANs, and that switch is the gateway for the clients on that VLAN.  So you have to write one line (the return ping line) for every VLAN that the Sophos has, so if your remote vlan is

    set advanced-firewall bypass-stateful-firewall-config add source_network source_netmask dest_network dest_netmask

    set advanced-firewall bypass-stateful-firewall-config add source_network source_netmask dest_network dest_netmask

    So if your remote switch has 5 remote VLANs and you have 8 VLANs local to your Sophos, you have 40 Lines just for that remote switch.  If you have 7 remote switches with 2 to 10 VLANs... Well you better make a draft in a Text file and copy and paste Stuck out tongue