PROBLEM WITH SD-WAN POLICY

Hello Paco, 

Good day and thanks for reaching out to Sophos Community and hope you are well. 

Kindly check this doc guide on how to troubleshoot traffic from an internal network to another internal network is routed to a WAN interface (SDWAN)

https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/SDWANPolicyRouting/RoutingSDWANPolicyRoutingTroubleshooting/index.html

Hope this helps and thank you for choosing Sophos. 

Cheers,

Hello!!!

Thanks for your answer but i cant find the way to work. This is how i have the sd-wan policy:

In this way, the RED_Invitados goes out to the Internet where the sd-wan rule indicates: (this is from one PC from this Red_invitados network)

(but i cant get into the internal network i want)

If i change the destination network to: (only this change)

the public IP changes:

and that means that the sd-wan policy does not take the traffic from that network to the internet where I want.
(but i still cant get into the internal network i want).

If i disable the sd-wan rule i can get to the network i want but the public IP is 81.x.x.x instead of 195.x.x.x

Any ideas??? Thank you very much!!!!!

Hey Paco Laura ,

Ensure it has a FW rule too, ensure to follow first 6 steps mentioned in the Traditional Settings For Primary and Backup Gateway:
Sophos Firewall: How to Choose The Gateway For A Firewall Rule v19

Hii 

That FW rules already exists.

Theres a way to route a concrete vlan network trafic to a concrete WAN  via FW rules?? 

I think if I dispense with the SD-WAN policy it could work for me.
I think what happens is that the sd-wan policy takes the traffic through the WAN interface of the policy and is not able to interpret that it is lan traffic, not lan to wan.

Hii 

That FW rules already exists.

Theres a way to route a concrete vlan network trafic to a concrete WAN  via FW rules?? 

I think if I dispense with the SD-WAN policy it could work for me.
I think what happens is that the sd-wan policy takes the traffic through the WAN interface of the policy and is not able to interpret that it is lan traffic, not lan to wan.

Hi Paco Laura  I am suspecting your VLAN connection is breaking due to the route precedence set on XG having the highest precedence to the SD-WAN route. In order to avoid such an issue you may set the static route presence first. Post that enables the SD-WAN rule for that VLAN again and confirmation the communication (Internal and Outside - both should work in the expected way).

Reference: docs.sophos.com/.../index.html

Hi.

We have executed in console:

system route_precedence set static sdwan_policyroute vpn

The command have changed the routing order but it dont works.

Hi Paco Laura  Thanks for sharing the latest update, After changing the precedence what is the observation in TCPDUMP and Drop packet?  Is the packet getting dropped on XG Or not for ICMP if you are testing PING? If it still remains un resolved then would suggest opening a support case to review the logs and settings further and to fix it and share the case ID her for reference.