
question regarding known issue in 18.5 MR1

Hello,

I was reading through the release notes of the latest firmware before I apply it to our FWs, and this particular known issue has me scratching my head:

NC-42364 Networking (deprecated) IPsec route precedence isn't applied.

When system route_precedence is configured to give VPN routes higher priority than static routes, the firewall doesn't send the traffic through the IPsec tunnel. Instead, it routes the traffic through a matching static route. This occurs if a static or local route exists directing the traffic to a non-WAN zone. The route precedence command only applies to traffic destined for the WAN zone.

Manually create an IPsec route for the remote subnet.

Example: console> system ipsec_route add net 192.168.1.0/255.255.255.0 tunnelname <tunnelname>

Then press Tab twice to see the list of available tunnels.

Wouldn't it be easier to just change the SD-WAN route precedence to have static routes have a higher priority than VPN routes, or am I overthinking it? We do have static routes set on the FW that point to LAN, so this may cause us to hold off on applying this update until this is resolved.



  • FormerMember

    Hi, thanks for reaching out to Sophos Community.

    As far as I know, this is related to a scenario where a static route is added for the same destination which is also reachable via IPsec.

    Mostly in scenarios where MPLS/P2P links are configured to connect the networks of two locations along with an IPsec tunnel for redundancy/failover. So here you'll have a static route (for MPLS/P2P connectivity) and IPsec (default VPN route) to send traffic to the remote location. This known issue refers to this scenario.

    If you have static routes within the XG firewall that just point to the internal networks only, then this won't be applicable.
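An added example, not part of this thread and not a Sophos tool: a small pre-upgrade check that applies the test Devesh describes, flagging IPsec remote networks that are also matched by a static or local route into a non-WAN zone, and printing the manual ipsec_route workaround from the release note for each one. The routing table, zone names and tunnel names are constructed sample values.

```python
"""Pre-upgrade check for Sophos Firewall known issue NC-42364 (18.5 MR1).
Flags IPsec remote subnets that are also covered by a static or local
route into a non-WAN zone, the condition under which the firewall would
prefer the static route regardless of route_precedence. Route and tunnel
data below are constructed sample values, not taken from a real device.
"""
from ipaddress import IPv4Network

# Constructed sample routing table: (destination, zone the route points into)
STATIC_ROUTES = [
    ("192.168.1.0/24", "LAN"),  # MPLS/P2P link to branch, same subnet as tunnel
    ("10.20.0.0/16", "LAN"),    # internal networks only
    ("0.0.0.0/0", "WAN"),       # default route
]

# Constructed sample IPsec tunnels: (tunnel name, remote networks)
IPSEC_TUNNELS = [
    ("Branch_A", ["192.168.1.0/24"]),
    ("Branch_B", ["172.16.5.0/24"]),
]

def find_conflicts(routes, tunnels):
    """Return (tunnel, remote_net, route, zone) for each IPsec remote network
    that overlaps a static or local route pointing to a non-WAN zone."""
    conflicts = []
    for name, remotes in tunnels:
        for remote in remotes:
            rnet = IPv4Network(remote)
            for dest, zone in routes:
                if zone != "WAN" and rnet.overlaps(IPv4Network(dest)):
                    conflicts.append((name, remote, dest, zone))
    return conflicts

def workaround_commands(conflicts):
    """Build the manual ipsec_route commands from the release note workaround,
    one per affected remote network, with the netmask in dotted form."""
    cmds = set()
    for name, remote, _dest, _zone in conflicts:
        net = IPv4Network(remote)
        cmds.add(f"system ipsec_route add net {net.network_address}/{net.netmask} "
                 f"tunnelname {name}")
    return sorted(cmds)

if __name__ == "__main__":
    found = find_conflicts(STATIC_ROUTES, IPSEC_TUNNELS)
    for c in found:
        print("IPsec %s remote %s overlaps static route %s (zone %s)" % c)
    for cmd in workaround_commands(found):
        print("console>", cmd)
```

Routes whose zone is WAN are skipped on purpose, because the release note says route_precedence is still honoured for WAN-bound traffic.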

  • Devesh,

    Thanks for clarifying this. I just didn't want to upgrade the firmware and have it screw up our remote users' access over IPsec.