
VoIP communication problems over SD-WAN and IPsec-Interfaces

Hi,

We have several departments and connect them via IPsec "Tunnel Interfaces". For each interface we set up a gateway and configured an SD-WAN policy.

This works for most services, but not for VoIP and RADIUS. The traffic is logged as allowed at the source, but never appears at the destination. We created a static route for the VoIP network to get it working, but this static route cannot be the solution, as it defeats the purpose of SD-WAN routing.

Our configuration:

Department 1
  Network       172.16.0.0/16
  VoIP-Subnet   172.16.7.0/24
  xfrm1         172.16.254.1/30
  xfrm1-GW      172.16.254.2/30
  xfrm2         172.16.254.5/30
  xfrm2-GW      172.16.254.6/30

Department 2
  Network       172.17.0.0/16
  VoIP-Subnet   172.17.7.0/24
  xfrm1         172.16.254.2/30
  xfrm1-GW      172.16.254.1/30
  xfrm2         172.16.254.6/30
  xfrm2-GW      172.16.254.5/30

SD-WAN routing

(All XGs) Current precedence for routing: Static route, VPN route, SD-WAN policy route.
(All XGs) Policy route also applies to system-generated and reply traffic.

                      Department 1     Department 2
  Incoming Interface  Any              Any
  Src Network         Any              Any
  Dst Network         172.17.0.0/16    172.16.0.0/16
  Services            Any              Any
  Primary GW          xfrm1-GW         xfrm1-GW
  Backup GW           xfrm2-GW         xfrm2-GW

Static route

                       Department 1     Department 2
  Destination IP/Mask  172.17.7.0/24    172.16.7.0/24
  GW                   172.16.254.2     172.16.254.1
  Interface            xfrm1            xfrm1

  • Can you verify that you have the SD-WAN system-generated switch enabled? https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/SDWANPolicyRouting/index.html#how-to-configure-application-based-routing

    set routing sd-wan-policy-route system-generate-traffic enable

    I am not sure, but it could be caused by the traffic being redirected as system-generated due to the SIP helper.

    For RADIUS this is for sure the issue, but for SIP/VoIP I am not sure.

    __________________________________________________________________________________________________________________

  • Thank you for the idea.

    But it was already enabled.

  • So it is actually the same rule as the static route? That is odd. If you use conntrack -E and check for the connection, you should see the SD-WAN PBR applied.

    __________________________________________________________________________________________________________________

  • but it was already enabled
    was already set to any

    same here

  • Can you verify, you have the SD-WAN System generated Switch enabled? 

    console> show routing sd-wan-policy-route reply-packet
    SD-WAN policy route is turned on for reply packets.
    console> show routing sd-wan-policy-route system-generate-traffic
    SD-WAN policy route is turned on for system-generated traffic.
    console>

  • use conntrack -E and check for the connection

    What do you mean? Is it a console command? If so, I cannot find it.

  • Every Connection in Conntrack reflects the SD-WAN, even if it is not applied.

    [UPDATE] proto=tcp proto-no=6 timeout=10 state=CLOSE orig-src=172.25.235.10 orig-dst=192.168.1.5 orig-sport=57196 orig-dport=389 reply-src=192.168.1.5 reply-dst=172.25.235.10 reply-sport=389 reply-dport=57196 [ASSURED] id=3138929965 masterid=0 devin=xfrm1 devout=PortA nseid=16810139 ips=0 sslvpnid=0 webfltid=0 appfltid=0 icapid=0 policytype=1 fwid=8 natid=0 fw_action=1 bwid=0 appid=2974 appcatid=5 hbappid=0 hbappcatid=0 dpioffload=0x3f sigoffload=0 inzone=5 outzone=1 devinindex=26 devoutindex=6 hb_src=1 hb_dst=8 flags0=0xa0000200008 flags1=0x10106800000 flagvalues=3,21,41,43,87,89,90,96,104 catid=83 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=00:0d:3a:22:87:7e src_mac=12:34:56:78:9a:bc startstamp=1653921030 microflow[0]=INVALID microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0 ipspid=0 diffserv=0 loindex=6 tlsruleid=0 ips_nfqueue=0 sess_verdict=2 gwoff=0 cluster_node=0 current_state[0]=11434 current_state[1]=11434 vlan_id=0 inmark=0x0 brinindex=0 sessionid=464 sessionidrev=12567 session_update_rev=13 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0 nhop_id[0]=65535 nhop_id[1]=65535 nhop_rev[0]=0 nhop_rev[1]=0 saidx[0]=0 saidx[1]=0 saidx_rev[0]=0 saidx_rev[1]=0 atomic_flags=0x0 conn_fp_id=NOT_OFFLOADED

    Those values (pbrid0 and pbrid1) should not be 0. If they are 0, the SD-WAN rule is not applied.

    You can use conntrack -E |grep IP_of_device

    This should give you an overview of all connections. 

    __________________________________________________________________________________________________________________

  • You can use conntrack -E |grep IP_of_device

    console> conntrack -E
    % Error: Unknown Parameter 'conntrack'
    console>

  • Conntrack is an advanced shell command.

    __________________________________________________________________________________________________________________

  • OK

    pbrid0 and pbrid1

    This doesn't show up. I only have these:

    pbrid_dir0=4 pbrid_dir1=0

    [UPDATE] proto=tcp      proto-no=6 timeout=10 state=CLOSE orig-src=10.56.166.5 orig-dst=172.30.3.100 orig-sport=64125 orig-dport=5432 reply-src=172.30.3.100 reply-dst=10.56.166.5 reply-sport=5432 reply-dport=64125 [ASSURED] mark=0x4007 id=2260928384 masterid=0 devin=LANuDMZ.2 devout=xfrm3 nseid=0 ips=0 sslvpnid=0 webfltid=0 appfltid=0 icapid=0 policytype=1 fwid=72 natid=0 fw_action=1 bwid=0 appid=0 appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0 sigoffload=0 inzone=1 outzone=1 devinindex=42 devoutindex=46 hb_src=0 hb_dst=0 flags0=0x400a2800200000 flags1=0x10000000000 flagvalues=21,35,37,41,43,54,104 catid=0 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=00:1a:8c:5f:72:00 src_mac=00:50:56:82:7c:98 startstamp=1653926568 microflow[0]=INVALID microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0 ipspid=0 diffserv=0 loindex=46 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=13245 current_state[1]=13245 vlan_id=0 inmark=0x0 brinindex=43 sessionid=1191 sessionidrev=17158 session_update_rev=0 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=4 pbrid_dir1=0 nhop_id[0]=65535 nhop_id[1]=65535 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=NOT_OFFLOADED


  • This indicates, it will use SD-WAN rule 4. Which rule is 4 in your setup? 

    __________________________________________________________________________________________________________________

  • Source Any
    Destination 172.30.0.0/16
    Service Any
  • This rule is not being used, as you say? 

    __________________________________________________________________________________________________________________

  • As I said, most things work, but not RADIUS or VoIP. If I create a static route it works.

  • Check the Conntrack for this particular traffic and verify. 

    __________________________________________________________________________________________________________________

  • I will test this this weekend.

  • Hi,

    I tested it this morning and you are right: pbrid_dir0=0 and pbrid_dir1=0. So no SD-WAN rule is applied?

    But shouldn't the rule I mentioned above apply to all traffic to the network?

  • Do you have an output of this VoIP traffic from conntrack?

    __________________________________________________________________________________________________________________

  • Site1 to Site2

    Rule:
      Source       Any
      Destination  172.29.0.0/16, 10.56.158.0/25
      Service      Any

    [NEW] proto=udp      proto-no=17 timeout=30 orig-src=172.18.1.102 orig-dst=10.56.158.8 orig-sport=29443 orig-dport=29443 [UNREPLIED] reply-src=10.56.158.8 reply-dst=172.18.1.102 reply-sport=29443 reply-dport=29443 mark=0x4006 id=3776086656 masterid=2053321088 devin=LANuDMZ.1 devout=xfrm1 nseid=0 ips=0 sslvpnid=0 webfltid=0 appfltid=0 icapid=0 policytype=1 fwid=65 natid=0 fw_action=0 bwid=0 appid=0 appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0 sigoffload=0 inzone=1 outzone=5 devinindex=633 devoutindex=45 hb_src=0 hb_dst=0 flags0=0xa0000204000 flags1=0x0 flagvalues=14,21,41,43 catid=0 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=00:1a:8c:5f:72:04 src_mac=00:1a:e8:89:38:51 startstamp=1654595990 microflow[0]=INVALID microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0 ipspid=0 diffserv=0 loindex=45 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=15908 current_state[1]=0 vlan_id=0 inmark=0x0 brinindex=0 sessionid=2647 sessionidrev=65067 session_update_rev=0 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=0 pbrid_dir1=0 nhop_id[0]=65535 nhop_id[1]=65535 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=NOT_OFFLOADED


    Site2 to Site1

    Rule:
      Source       Any
      Destination  172.31.0.0/16, 10.56.166.0/24, 172.18.1.0/24
      Service      Any

    [NEW] proto=udp      proto-no=17 timeout=30 orig-src=10.56.158.8 orig-dst=172.18.1.102 orig-sport=29443 orig-dport=29443 [UNREPLIED] reply-src=172.18.1.102 reply-dst=10.56.158.8 reply-sport=29443 reply-dport=29443 mark=0x8001 id=4239543104 masterid=1264079808 devin=LANuDMZ.2 devout=Port2 nseid=0 ips=0 sslvpnid=0 webfltid=0 appfltid=0 icapid=0 policytype=1 fwid=53 natid=0 fw_action=0 bwid=0 appid=0 appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0xd sigoffload=0 inzone=1 outzone=2 devinindex=27 devoutindex=6 hb_src=0 hb_dst=0 flags0=0xa2000204008 flags1=0x800000 flagvalues=3,14,21,37,41,43,87 catid=0 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=c8:4f:86:01:4c:a2 src_mac=00:1a:e8:89:68:49 startstamp=1654595990 microflow[0]=INVALID microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0 ipspid=0 diffserv=0 loindex=6 tlsruleid=0 ips_nfqueue=1 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=6032 current_state[1]=0 vlan_id=0 inmark=0x0 brinindex=0 sessionid=4300 sessionidrev=43578 session_update_rev=1 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=0 pbrid_dir1=0 nhop_id[0]=65535 nhop_id[1]=65535 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=NOT_OFFLOADED
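To check such conntrack -E output without reading every field by eye, here is an added Python helper (not from this thread, Sophos, or any of the posters): it parses the key=value fields, reads pbrid_dir0/pbrid_dir1 (or pbrid[0]/pbrid[1] on the older output format shown earlier in the thread) and reports, per flow, whether an SD-WAN policy route was applied and whether the flow left on a tunnel (xfrm) interface. The sample lines are constructed from the fields quoted above and trimmed; the tunnel-interface prefix "xfrm" and the host filter are assumptions for the example.

```python
import re

# Constructed sample lines in the shape of the conntrack -E output quoted in this
# thread, trimmed to the fields this check reads (not captured from a live device).
SAMPLE_LINES = [
    "[UPDATE] proto=tcp proto-no=6 state=CLOSE orig-src=10.56.166.5 orig-dst=172.30.3.100 "
    "orig-sport=64125 orig-dport=5432 devin=LANuDMZ.2 devout=xfrm3 fwid=72 pbrid_dir0=4 pbrid_dir1=0",
    "[NEW] proto=udp proto-no=17 orig-src=10.56.158.8 orig-dst=172.18.1.102 "
    "orig-sport=29443 orig-dport=29443 devin=LANuDMZ.2 devout=Port2 fwid=53 pbrid_dir0=0 pbrid_dir1=0",
    "[UPDATE] proto=tcp proto-no=6 orig-src=172.25.235.10 orig-dst=192.168.1.5 "
    "orig-sport=57196 orig-dport=389 devin=xfrm1 devout=PortA fwid=8 pbrid[0]=0 pbrid[1]=0",
]

# One key=value token; keys such as pbrid[0] contain brackets, so \S is used rather than \w.
KV_RE = re.compile(r"(\S+?)=(\S+)")

def parse_conntrack(line):
    """Turn one conntrack -E line into a dict; the leading [NEW]/[UPDATE] tag is stored as 'event'."""
    fields = {"event": line.split(None, 1)[0].strip("[]")}
    fields.update(KV_RE.findall(line))
    return fields

def pbr_ids(fields):
    """(original-direction, reply-direction) SD-WAN policy-route ids.
    Newer output prints pbrid_dir0/pbrid_dir1, older output pbrid[0]/pbrid[1]."""
    return (int(fields.get("pbrid_dir0", fields.get("pbrid[0]", 0))),
            int(fields.get("pbrid_dir1", fields.get("pbrid[1]", 0))))

def audit(lines, host=None, tunnel_prefix="xfrm"):
    """Report, per connection, whether an SD-WAN policy route was applied (pbrid != 0)
    and whether the flow left on a tunnel interface. host narrows the output like
    'conntrack -E | grep IP_of_device' (assumed helper, not a Sophos command)."""
    report = []
    for line in lines:
        f = parse_conntrack(line)
        if host and host not in (f.get("orig-src"), f.get("orig-dst")):
            continue
        orig_pbr, reply_pbr = pbr_ids(f)
        report.append({
            "flow": f"{f['proto']} {f['orig-src']}:{f['orig-sport']} -> {f['orig-dst']}:{f['orig-dport']}",
            "devout": f.get("devout", "?"),
            "pbr_rule": orig_pbr,
            "pbr_applied": orig_pbr != 0 or reply_pbr != 0,
            "via_tunnel": f.get("devout", "").startswith(tunnel_prefix),
        })
    return report
```

A flow with pbr_applied False and via_tunnel False, like the second sample, is the symptom discussed in this thread: no SD-WAN rule matched and the packet left on a WAN port instead of the tunnel.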
