CONNECTION HQ-BRANCH

Question

Hi, 
 I have two sites (HQ and branch), and I have VPN site to site between this sites.In brance site found Mikrotiok after xg firewall. 
 I can access from server in HQ site to Branch site, but i cant access from server in brach site to HQ site. 
 
 two firewalls in site SOPHOS XG. 
 
 Rule: 
 in HQ Firewall -- LAN (192.168.1.0/24) to VPN (20.20.20.0/24) Accept && VPN (20.20.20.0/24) to LAN (192.168.1.0/24) Accept 
 in Branch Firewall -- LAN (20.20.20.0/24) to VPN (192.168.1.0/24) Accept && VPN (192.168.1.0/24) to LAN (20.20.20.0/24) Accept 
 in Branch firewall I have static route to reach 192.168.2.0/24 network. 
 
 PROBLEM: server (192.168.1.200) can reach to server (192.168.2.200),,,, but server(192.168.2.200) CAN'T reach to server (192.168.1.200) 
 
 Regards,

Bharat J · Answer

Fadi_Hamamdeh said: PROBLEM: server (192.168.1.200) can reach to server (192.168.2.200),,,, but server(192.168.2.200) CAN'T reach to server (192.168.1.200) 
 1. Please share packet flow from 192.168.1.200 to 192.168.2.200 under MONITOR & ANALYZE-->Diagnostics-->Packet Capture Click on configure Enter BPF string host 192.168.2.200 and proto ICMP 
 Share the screenshot 
 From SSH with option 4 check tcpdump 
 console>tcpdump 'host 192.168.2.200 and proto ICMP 
 console>dr 'host 192.168.2.200 and proto ICMP 
 2. Please share packet flow from 192.168.2.200 to 192.168.1.200 under MONITOR & ANALYZE-->Diagnostics-->Packet Capture Click on configure Enter BPF string host 192.168.1.200 and proto ICMP 
 From SSH with option 4 check tcpdump 
 console>tcpdump 'host 192.168.1.200 and proto ICMP 
 console>dr 'host 192.168.1.200 and proto ICMP 
 Please check the packet flow from the Head office and Branch office 
 Share the output with a screenshot 
 the issue is with routing your Microtik router 
 Thanks and Regards

Vivek Jagad · Answer

Hello Fadi_Hamamdeh , Thank you for reaching out to the community, you may refer the KBA for the config check: https://support.sophos.com/support/s/article/KB-000036746?language=en_US Please also ensure that MIKROTIK has a allowed rule for the IPsec traffic coming from the HQ to be forwarded to the respective LAN servers !!

CONNECTION HQ-BRANCH

Top Replies