Site to site and a red

I have an environment with two sites running XG210 (SFOS 15.01.0). One of the sites has a RED connected to it. We will call it site A. Site B is able to talk to site A just fine. The issue is when site B tries to communicate to the RED that is connected to site A. They are not able to. I have tried adding the remote network on the RED. From site B I have added a policy for source and destination. Do any of you out there have this setup?

  • I have a similar setup, and am having a similar issue.  To clarify my setup, I have a RED 50 connecting to an XG 210 using Standard/Split mode.  In the RED configuration, I have configured "Split Network" to include the network at my primary site, which is on the XG 210.  Devices connected to the RED 50 are able to connect to devices on the XG 210, but devices on the XG 210 are not able to connect to devices on the RED 50.

    Both interfaces are set to the LAN zone, and I configured a LAN to LAN firewall policy.  I'm assuming that I essentially need to create the same "Split Network" configuration on the XG 210 side, but it isn't clear to me which settings are needed for this.  Route?  Gateway?  Both?

  • Tim007,

    can you share your RED config screenshots?

    Thanks.

  • The link is established okay, so I'm just posting the RED Network Settings portion of the config.  The split network is the range of internal IPs belonging to our primary site.  Also worth noting that I am running the current beta version of SFOS 16.01.0.

  • The RED link is now working as expected for me, without needing to add any additional routes.  Long story short, I think this issue was related to the fact that on my XG firewall I had two physical ports configured with IP addresses in the same range (don't ask).  This resulted in some other issues, and in the process of troubleshooting some other changes I was making, I discovered that traffic was routing both directions as expected through the RED link.  While I can only note correlation, I suspect that the IP assignments on the XG were the cause of my issue.  Unfortunately, it is tough to revert the changes to prove causation because I believe I had the XG in a state that should not be allowed, and was causing other weird issues.

  • Good to know.

    Giving the same IP/subnet to multiple interfaces is possible, and this is always a big mistake because traffic does not know where to go.

    https://community.sophos.com/products/xg-firewall/v16beta/f/177/t/78357

    Have a look at the thread above. A warning/error should appear. Hope they will implement it soon, as this is error-prone.

  • I note that I ran into a similar issue where the XG allowed me to have two physical ports with IP addresses on the same subnet.  It did not throw a warning, but things also did not work as expected.  Interestingly, while trying to fix the issues it was causing, I went through the setup wizard again, and it did catch that they were on the same subnet, and prevented me from completing the wizard using the (incorrect) existing values.  Agreed, that this check and corresponding warning should also be present in the regular interface as well.
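The check the posters above say the interface should perform, as an added example that is not from the thread or from Sophos: a short Python script that flags firewall interfaces sharing a subnet, and also tests whether a remote site's LAN is covered by the RED split-network list (the other gap discussed in this thread). All interface names, addresses and networks below are constructed sample values.

```python
import ipaddress

# Constructed sample interface table for an XG-style firewall: name -> CIDR.
# Port1 and Port2 share a subnet, the misconfiguration described in the thread.
XG_INTERFACES = {
    "Port1": "192.168.10.1/24",
    "Port2": "192.168.10.2/24",
    "Port3": "10.0.0.1/24",
}

# Constructed: what the RED's "Split Network" list covers, and the far site's LAN
# that needs to reach hosts behind the RED.
RED_SPLIT_NETWORKS = ["192.168.10.0/24"]
SITE_B_LAN = "10.20.0.0/24"


def find_overlapping_interfaces(interfaces):
    """Return (name_a, name_b) pairs whose configured subnets overlap.

    Two interfaces on the same subnet leave the firewall with an ambiguous
    choice of egress interface, which is the symptom reported above.
    """
    nets = {name: ipaddress.ip_interface(cidr).network
            for name, cidr in interfaces.items()}
    names = sorted(nets)
    return [(a, b)
            for i, a in enumerate(names)
            for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def missing_from_split(split_networks, remote_lan):
    """True if remote_lan is not inside any split network.

    In split mode the RED only forwards traffic for the listed networks, so a
    remote site's LAN that is absent here has no path through the tunnel.
    """
    remote = ipaddress.ip_network(remote_lan)
    return not any(remote.subnet_of(ipaddress.ip_network(s))
                   for s in split_networks)


if __name__ == "__main__":
    for a, b in find_overlapping_interfaces(XG_INTERFACES):
        print(f"WARNING: {a} and {b} are on the same subnet")
    if missing_from_split(RED_SPLIT_NETWORKS, SITE_B_LAN):
        print(f"WARNING: {SITE_B_LAN} is not in the RED split-network list")
```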

  • I am having the issue of no traffic from Red to XG1 or reverse, I have single hops working.  Can you let me know what you actually did as far as 'route' or ???

    XG1--- S2S(IPSEC VPN) --- XG2  -- (LAN) -- RED15

    your help would be appreciated!

    -DonV