
SD-WAN routing issue for TFTP service

I'm using a Sophos Central defined SD-WAN Connection Group and a series of rules to allow connection between sites. As best I can tell, all the rules are working for all other workloads. The only place I'm aware that these rules are not working properly is when trying to back up my switches to a TFTP server located in another site. None of my rules are really fine-grained enough to limit access to a service. If a host can reach another host, it should be able to do so for any service. I have no specific rules set up on the Site A location to alternatively route this kind of traffic.

For the case at hand I have Site A (where the TFTP server is) and Site B (where the switch is).

When I attempt to upload the switch's settings to the TFTP server, I can see the connection being made from the switch to the TFTP server, but when the TFTP server attempts to respond, the firewall in Site A is sending the response "out the WAN" interface instead of into the XFRM interface that the connection came in on.

From the TFTP server I can PING and SSH into the switch I'm testing with. 

I've opened a support case and so far they've not been able to provide any guidance. 

This is reproducible.

Site A is an SFV4C6 (SFOS 19.0.0 GA-Build317).

Site B is an XGS2300 (SFOS 19.0.0 GA-Build317).

This also affects another site running the same firmware, but which is an XGS 126.
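Added example, not from the original post or from Sophos: TFTP (RFC 1350) differs from most UDP services in that the server answers a request sent to port 69 from a freshly chosen port (its transfer ID). A strict 5-tuple connection tracker with no TFTP helper therefore sees the server's first reply as a brand-new flow rather than the return half of the inbound one, which is the kind of situation where a firewall evaluates routing and SNAT afresh for that packet. The script below parses a constructed tcpdump-style capture (the sample lines, addresses and ports are made up for illustration; the thread's own PCAP is not on the page) and shows how the same exchange is classified with and without an RFC 1350-aware expectation. It does not claim this is how any particular firewall implements its tracking; it demonstrates the protocol property a practitioner should check for in their own capture.

```python
import re
from collections import namedtuple

# Constructed sample capture (not the thread's PCAP). Switch 10.20.0.5 at Site B
# sends a TFTP request to server 10.10.0.50 port 69 at Site A; per RFC 1350 the
# server then replies from a freshly chosen port (52347 here), and the rest of
# the transfer runs between 49152 and 52347.
SAMPLE_CAPTURE = """\
12:00:01.000 IP 10.20.0.5.49152 > 10.10.0.50.69: UDP, length 32
12:00:01.010 IP 10.10.0.50.52347 > 10.20.0.5.49152: UDP, length 4
12:00:01.020 IP 10.20.0.5.49152 > 10.10.0.50.52347: UDP, length 516
12:00:01.030 IP 10.10.0.50.52347 > 10.20.0.5.49152: UDP, length 4
"""

LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP")
Packet = namedtuple("Packet", "src sport dst dport")


def parse_capture(text):
    """Extract the UDP 5-tuple (minus protocol) from each tcpdump-style line."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            packets.append(Packet(m.group(1), int(m.group(2)),
                                  m.group(3), int(m.group(4))))
    return packets


def classify_strict(packets):
    """Simulate a strict 5-tuple UDP tracker with no TFTP helper.

    Returns [(packet, verdict)] with verdict NEW or ESTABLISHED. A NEW verdict on
    a server-to-client packet means the device would treat the TFTP reply as a
    fresh outbound flow instead of the return half of the inbound request.
    """
    table = set()
    verdicts = []
    for p in packets:
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if forward in table or reverse in table:
            verdicts.append((p, "ESTABLISHED"))
        else:
            table.add(forward)
            verdicts.append((p, "NEW"))
    return verdicts


def classify_with_tftp_helper(packets, tftp_port=69):
    """Same tracker, plus an RFC 1350 expectation: after a request to port 69,
    the first packet from the server IP back to the client's port is accepted
    as RELATED and from then on tracked as part of the transfer."""
    table = set()
    expectations = set()   # (server_ip, client_ip, client_port)
    verdicts = []
    for p in packets:
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if forward in table or reverse in table:
            verdicts.append((p, "ESTABLISHED"))
        elif (p.src, p.dst, p.dport) in expectations:
            expectations.discard((p.src, p.dst, p.dport))
            table.add(forward)
            verdicts.append((p, "RELATED"))
        else:
            if p.dport == tftp_port:
                expectations.add((p.dst, p.src, p.sport))
            table.add(forward)
            verdicts.append((p, "NEW"))
    return verdicts


def new_server_flows(verdicts, server_ip):
    """Packets originated by the server that the tracker saw as NEW, i.e. the
    ones whose route/NAT decision would be made as if they were outbound."""
    return [p for p, v in verdicts if v == "NEW" and p.src == server_ip]


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    for label, fn in (("no helper", classify_strict),
                      ("TFTP helper", classify_with_tftp_helper)):
        print(f"--- {label} ---")
        for p, v in fn(pkts):
            print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  {v}")
```

Reading a real capture, the thing to look for is the same pattern: if the server's reply leaves from a port other than 69, the reply is a new 5-tuple, so confirm whether the firewall tracked it as part of the inbound flow (and routed it back through the tunnel) or as a new outbound flow (and therefore applied the default route and SNAT rule).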



  • Can you check the packet capture of this traffic? It could be that the FTP helper is hitting. And the FTP helper hitting means it is sys-gen traffic.

    Try to disable FTP scanning in your firewall rule as well. 


  • Thanks for responding. Could you expand on the FTP helper? I mentioned this to the technician I am working with during our last call and he wasn't familiar with it. Regarding the FTP scanning: if you mean "Scan FTP for Malware" under Security Features > Web Filtering, that's not enabled. (I don't currently have any option selected in that section for the rule that it's hitting.)

    I apologize for stating something that may be obvious: I'm trying to use TFTP, not FTP.

    Here's what the PCAP from the Site A firewall shows if that tells you anything.

    Rule 37 is a VPN > LAN rule and is basically: Source "any of our fixed site VPN subnets", Destination "any Site A LAN resources".

    There is no linked NAT rule on 37.  NAT ID 2 is the Default out of the box "Default SNAT IPv4" rule.  "Any Host to Any Host" Masq the source and outbound to Port B.

  • Just wondering: does a route back to the switch IP exist? Likely, because you told us other services are working too?
