Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 7 replies
  • Answers 1 answer
  • Subscribers 42 subscribers
  • Views 2866 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SD-WAN not routing back to traffic to branch office without static route

Chris Haydon

Hi

We are pulling our hair out slightly trying to get a SD-WAN deployment to play ball and have so far spent over 10 hours on the phone to support so far without them being able to explain why this traffic is doing what it is.

The scenario is a 9 site SD-WAN deployment, generated via Central, SIP trunks terminating in two sites on trunk switches for redundancy - below is a simplified schematic for a Head Office with trunk termination switch and a single Branch Office site with a phone at it. The telco is doing IP based authentication and requires the voice traffic to be broken out of the Head Office internet connection with an alias IP on the PortF1 WAN link.

The SIP side is basically working ok, we can establish and drop calls without issue; RTP media traffic from the branch site traverses the SD-WAN to the head office, is NAT'd using a SNAT rule to a specific public IP that the telco expects and the remote party can hear the outbound audio stream of the person at the BO site.

Where we are struggling is the inbound audio part; the XGS firewall at the HO can clearly understand that the traffic is the return data stream from the telco as it is matching the source and destination UDPs in reverse one assumes and you can see it is unNATing the traffic back to the IP of the phone at the BO site; we are then hitting a problem in that we can only then manage get the traffic back to the BO site if we put a static route in place for that sites subnet otherwise the firewall is turning the traffic around that has come in on WAN PortF1 and sending it back out onto the WAN with its internal 192.168.41.x address which clearly isn't routable and is presumably getting blackholed.

When we have the static route in play this works ok and we have bidirectional audio but clearly that is rather defeating the point of having the SD-WAN and it being able to failover between multiple xfrm VPN tunnels in the event of a WAN failure.

Green - telco media gateway IP

Yellow - WAN PortF1 IP

This is the SD-WAN route we have setup on the HO; it is top of the list of policies; there is a mirror one on the BO side that works ok; it was originally in the main Central deployed bundle of source/destination subnets but we have now separated it out so it is rule 1 so it is easier to check if traffic is actually hitting it as the "main" site to site rule is getting the traffic counters impacted by other site to site traffic.



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to Chris Haydon

    Hi Chris,

    Thanks for your patience and we regret about your experience. Thanks for taking the time to share the caseID with us. Upon checking, it is now being handled by a Level 2 engineer. I have also left notes on your case referring to this community post. 

    Again, we thank you for your extended patience on the ongoing case.

    Hope you have a nice day and thank you for choosing Sophos.

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • 0 in reply to Chris Haydon

    Hi Chris Haydon

    Please verify route precedence, do as follows:

    • CLI: Enter 4 for Device console, and enter the following command:

      system route_precedence show

    • Web admin console: Go to Routing > SD-WAN routes.

    • For tshoot did you change route_precedence ?

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to Bharat J

    Hi  

    Yes been set to both SD-WAN route and Static route having precedence in troubleshooting; to be fair it shouldn't make an difference if you don't have any static routes (i.e. because you shouldn't need them!)... but even with it set to SD-WAN route before Static route its missing the SD-WAN route and hitting the contingency static route instead which clearly it shouldn't be!

    As it happens troubleshooting another issue we noticed something similar happening earlier with traffic destined to printer at another one of the BO sites from the HO print server where we couldn't get to the the web interface of it nor ping it... so that eliminated the suUDP and RTP traffic and that it was (de)NAT'd traffic out the equation.

    The interesting things was that we also had an issue getting to the web UI on the BO firewall from the HO - traffic to the Port2 LAN IP 192.168.x.y was failing to route to the BO but traffic to the Port1 LAN IP of 172.19.x.y was working fine - both subnets fall in the same destination network list in the same SD-WAN route policy so clearly its not totally broken as its matching some traffic to the rule!

    Were waiting on support to come back to us after another session earlier but I am hoping that the latest person has got a better grasp of the issue but I do get the feeling this is heading towards being escalated yet again as everything points to it being configured as expected but not then actually working as expected!

Unfiltered HTML