
[XG18.0.1] SD-WAN Policy Routing not working for System Traffic and VoIP

I have a brand new XG 125 installed in Factory Status with SFOS 18.0.1.

  • Current precedence for routing: SD-WAN policy route, Static route, VPN route
  • Policy route also applies to system-generated and reply traffic

With these settings I'm still having routing issues.

I have set a tunnel-based IPsec VPN connection.

The routings to the networks behind the VPN are SD-WAN Policy Routings.

For the normal traffic of clients behind the XG the SD-WAN Policy Routing is working fine.

But there are exceptions:

  • VoIP traffic
    I have a phone system that is behind the IPsec VPN. When I initiate the connection my voice packets are not routed correctly.
    I can listen to the other side, but the other side doesn't hear me.
    With packet capture I can see that my voice packets are routed to the WAN interface.
    Only after entering a static routing for the network of the phone system did my packets route through the VPN.
    When the other side initiates the connection I have no issues.
    I had the same issue with VoIP also with another XG 125 that was updated from 17.5.12 to 18.0.1.

  • System DNS traffic
    I have a series of DNS routes set in the XG. The DNS servers are behind the IPsec VPN.
    Here too I can see that the DNS requests are being routed to the WAN.
    Here too, only after entering a static routing did the system-initiated DNS requests go into the tunnel.

In my understanding this should not be so.

SD-WAN Policy Routing should do all the routing for the configured networks and should not require static routing.

Are these problems I'm encountering a real issue, or am I missing something?



  • Hello Toni,

    as I said in my first article, this is an SFOS 18.01 installation and I'm using a routing-based tunnel IPsec.

    This kind of IPsec tunnel needs a specific (static or SD-WAN) routing for each network I want to address on both sides of the connection because the networks are not defined in the IPsec connection itself.

    I know that policy-based IPsecs work differently and that system traffic for that kind of IPsec needs to be configured in the console for each tunnel by a couple of commands.

    I've been doing this for more than 5 years now.

    My problem is with the routing in the new SFOS 18 using Tunnel-IPsec.

    Or possibly with routing generally because the Tunnel-IPsec is just a new network with two interfaces - local side and remote side - through which I'm routing traffic.

    It appears that for some traffic SD-WAN routes don't apply, even when set as having precedence and as applying also to system traffic and reply traffic.

  • You should review the conntrack and check the matching SD-WAN Policy.

    As a matter of fact, if the pbr rule applies, it will route the traffic. Likely your rule simply does not apply.

    Every conntrack entry indicates which pbr will be applied by the flags: pbrid_dir0=0 pbrid_dir1=0


    About VoIP, likely you are only applying it to SIP and not to the UDP data traffic, because pbr is not aware of the SIP helper.

    About system-generated traffic, likely your source / destination network does not apply to the traffic, hence it will not work.


    For example:

    Creating a DNS rule with ANY and service DNS:

    Will switch the DNS traffic:

    pbrid_dir0=1 pbrid_dir1=0
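An added diagnostic for the check described in this reply (not from the thread or from Sophos): it parses conntrack entries and lists flows toward the networks behind the VPN whose original direction got no policy-route id, which is exactly the pattern the VoIP data and system DNS traffic above showed. The conntrack lines are constructed and simplified; the real output on the XG console carries more fields and its layout is an assumption here.

```python
import ipaddress
import re

# Constructed, simplified conntrack entries in the shape the reply refers to
# (assumed layout; real XG console output carries more fields). pbrid_dir0 and
# pbrid_dir1 are the SD-WAN policy-route ids matched for the original and the
# reply direction; 0 means no policy route matched that direction.
SAMPLE_CONNTRACK = """\
udp 17 29 src=192.168.1.10 dst=10.20.0.5 sport=5060 dport=5060 src=10.20.0.5 dst=192.168.1.10 sport=5060 dport=5060 pbrid_dir0=1 pbrid_dir1=0
udp 17 29 src=192.168.1.10 dst=10.20.0.5 sport=16384 dport=16400 src=10.20.0.5 dst=192.168.1.10 sport=16400 dport=16384 pbrid_dir0=0 pbrid_dir1=0
udp 17 29 src=192.168.1.1 dst=10.20.0.53 sport=40123 dport=53 src=10.20.0.53 dst=192.168.1.1 sport=53 dport=40123 pbrid_dir0=0 pbrid_dir1=0
tcp 6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=50000 dport=443 src=198.51.100.7 dst=192.168.1.10 sport=443 dport=50000 pbrid_dir0=0 pbrid_dir1=0
"""

ENTRY_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+\d+\s+(?:[A-Z_]+\s+)?"  # proto, number, timeout, optional TCP state
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
    r".*?pbrid_dir0=(?P<pbr0>\d+)\s+pbrid_dir1=(?P<pbr1>\d+)"
)

def parse_conntrack(text):
    """Return one dict per parsable entry: original-direction tuple plus both pbr ids."""
    flows = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("sport", "dport", "pbr0", "pbr1"):
            d[key] = int(d[key])
        flows.append(d)
    return flows

def unrouted_vpn_flows(text, remote_networks):
    """Flows whose destination sits behind the VPN but whose original direction
    matched no SD-WAN policy route (pbrid_dir0=0): these are the candidates that
    fall back to the WAN, as the RTP and system DNS traffic did in this thread."""
    nets = [ipaddress.ip_network(n) for n in remote_networks]
    return [
        f for f in parse_conntrack(text)
        if f["pbr0"] == 0 and any(ipaddress.ip_address(f["dst"]) in n for n in nets)
    ]

if __name__ == "__main__":
    # 10.20.0.0/16 stands in for the networks behind the tunnel (constructed value)
    for f in unrouted_vpn_flows(SAMPLE_CONNTRACK, ["10.20.0.0/16"]):
        print(f"{f['proto']} {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} matched no policy route")
```

Note that the SIP entry (dport 5060) carries pbrid_dir0=1 while its RTP companion carries 0, which is the "rule only covers SIP, not the UDP data" situation the reply describes.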