Asymmetric behavior of tunnel based interface

Hello,

I want to set up a tunnel-based internet connection with SD-WAN rules. Tunnel is up and running but behaving asymmetrically.

From Remote - Central everything is working as expected.

The other direction Central - Remote is only working if I put a static route there that is going through the interface of the tunnel.
If this is not set the traffic is sent to the internet.

Current precedence for routing: Static route, VPN route, SD-WAN policy route. (Central site; 18.5 MR-3 - can not be updated at the moment)

Current precedence for routing: Static route, VPN route, SD-WAN route. (Remote site;  19.0 GA)


Working (static route):


Not working (SD-WAN Route to gateway):




Gateway is up and running. And health checked.





How can this be set up with SD-WAN Routes on both sides?

(Main goal is to use groups in the tunnel and policy config in order to simplify configuration AND to be able to do changes on the tunnel / routing without the need to restart the tunnel ...)

Regards,
BeEf



This thread was automatically locked due to age.
  • Try to setup the IP of the other XFRM Interface in Gateways and not only use Interface. 

    __________________________________________________________________________________________________________________

  • Hello, I don't understand.

    Maybe I mixed up / conflicted with naming a little bit but:

    - I defined the IPSec in Tunnel interface on both sides
    - which gave me an xfrm interface on the WAN interface of the firewall
    - I assigned the two addresses of a /30 network on the xfrm interfaces on both firewalls
    - for each of these interfaces I created a gateway 

    Gateway is used in SD-WAN Route (no interface selectable)
    Interface is used in static route (no gateway selectable)

    So I'd expect that Gateway/SD-WAN or Interface/Static route would be usable interchangeably.

    Regards,
    BeEf

  • I am talking about the screenshot of your Gateway. You can define a gateway by using the interface or a gateway. I would prefer you use the gateway and retry. Choose the IP of your peer XFRM Interface.

    So use Gateway IP 10.23.254.2

    __________________________________________________________________________________________________________________
