
This discussion has been locked.

SDWAN Routing not working with/after Static Routes

I have got 2 Sophos FW Home firewalls (Home, and In-laws) running V20.0.0 with a red-link working between them.

This link has historically been Static Routes at each end and has worked perfectly but we want to separate some traffic so I have tried to move over to SDWAN Routing.

Whenever I created the SD-WAN routes according to the workflows, the routers all failed to send any traffic across (I thought I was missing something).

In my numerous attempts to get this working, I managed to create an SD-WAN rule that bricked all communications in and out of one of the two routers, and the only (and quickest) solution was to do a factory reset.

I decided as part of reconfiguration to only do the SD-WAN routing and not touch static routes, and magically it is working on that router.

If I replicate the config on the other router (not been reset (yet)) then it just breaks all traffic, even after a reboot.

I have already set the routing order preference to SD-WAN, Static, VPN, so SD-WAN should take priority, but it just doesn't seem to do anything.

Am I missing something? 

Thanks

Ian 



  • Interestingly, if the SD-WAN route is there, AND the static route is there, traffic does flow across the link and I get a ping response from each end (I have assumed this is using the static route), but, the SD-WAN traffic counters do increase at the same time.

    I have also checked route -n and the route is not in there, but another (unrelated) static route is showing in there.

  • I have also worked through the other post, which seems to be an identical bug with no resolution:
    SD-WAN not routing back traffic to branch office without static route

    Rebooting both routers makes no difference.

  • Hello,

    The post you’re referring to isn’t a "bug" but a misconfiguration causing the issue.

    I believe you need to change your Source Network from Any to the Client IP address starting the traffic.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Frustratingly, I tried all permutations of Any or the actual network on source, and different options for destination, with no success.

    Gave up and just reset the box to factory settings, and reconfigured the SD-WAN in exactly the same way without ever touching the static routes, and hey presto, it just worked.

    Then I continued to configure the box back to how it was configured before, and the problem came back. But this time, as I was doing a step-by-step configuration, I could see what causes it.

    Turning on the Spoof Protection General Settings does break it, but turning it all off and magically it all comes back!

    So I am going to say it is potentially a bug that Spoof Protection interacts with SD-WAN, or at least a documentation shortfall in not stating that Spoof Protection and SD-WAN do not play nicely together.
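The thread ends on two observations: the SD-WAN route never shows up in route -n, and enabling Spoof Protection is what breaks the link. The script below is an added illustration, not code from the thread or from Sophos, of how those two facts can combine. It models spoof protection as a plain Linux-style strict reverse-path check (an assumption about how the feature evaluates a packet; the thread does not describe the mechanism) against the kernel routing table that route -n prints. The routing table, the interface names (eth0, eth1, reds1) and the addresses are constructed for the example.

```python
import ipaddress

# Constructed sample in the layout of `route -n` (not taken from the poster's
# firewall): a LAN on eth0, a default route via the WAN on eth1, and a RED
# tunnel interface reds1 that has no kernel route for the remote LAN because
# that path was configured as an SD-WAN policy route rather than a static one.
ROUTE_N_SAMPLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
"""


def parse_route_n(text):
    """Turn `route -n` output into a list of (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the "Kernel IP routing table" and column-header lines.
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[7]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes


def lookup(routes, ip):
    """Longest-prefix match over the kernel table; returns (net, gw, iface) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def rpf_accepts(routes, src_ip, in_iface):
    """Strict reverse-path check: accept a packet only if the route back to its
    source address leaves via the interface it arrived on.

    Assumption for this example: spoof protection is modelled as this classic
    RPF test against the kernel table. Sophos' own implementation is not
    described in the thread, so treat this as an illustration of the mechanism."""
    best = lookup(routes, src_ip)
    return best is not None and best[2] == in_iface


def with_static_route(routes, cidr, iface, gw="0.0.0.0"):
    """Return a copy of the table with one extra static route (what the poster's
    working configuration had and the SD-WAN-only configuration lacked)."""
    return routes + [(ipaddress.ip_network(cidr), gw, iface)]


if __name__ == "__main__":
    table = parse_route_n(ROUTE_N_SAMPLE)
    # Reply traffic from the remote LAN arrives on the RED tunnel. Without a
    # kernel route for 192.168.2.0/24 the best match is the default via eth1,
    # so a strict reverse-path check on reds1 fails.
    print(rpf_accepts(table, "192.168.2.10", "reds1"))
    # With a static route pointing that network at reds1 the same packet passes.
    fixed = with_static_route(table, "192.168.2.0/24", "reds1")
    print(rpf_accepts(fixed, "192.168.2.10", "reds1"))
```

The point the model makes: an SD-WAN policy route steers forwarded traffic but, as the poster saw, does not appear in the kernel table, so any check that consults only that table (a reverse-path filter being the obvious one) still sees the default route as the way back to the remote network. Whether that is exactly how the Sophos spoof-protection code decides is an assumption here; the behaviour it predicts matches what the thread reports.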
