
WebAdmin Inaccessible: Needs to Be Fixed via CLI through CC

I've lost the content of this post twice after a window resize, so it has the bare minimum

UTM 9.605-1 is run within a VM on ESXi 6.7.

  • WebAdmin is accessible via a new install [of Sophos], but upon restoring a known good [Sophos] backup config, WebAdmin is no longer accessible, even though UTM is being correctly assigned an IP. 

The issue either resides within the allowed networks for WebAdmin and/or the default internal network, or some other network setting having to do with br0, as I've had this issue before, but lost the bookmark with the correct cc commands to fix.

sophos-utm:/var/log # cc get webadmin allowed_networks
[
'REF_NetworkAny',
'REF_NetNetAnyInterna'
]

sophos-utm:/var/log # cc get_object 'REF_DefaultInternalNetwork'
0
  • EDIT:
    • I've added REF_NetworkAny & REF_NetNetAnyInterna to allowed_networks via cc, removing all others
     
    • After further troubleshooting, I'm able to replicate on a new install of Sophos by doing the following:
      1. VM created with eth0 - eth3, with only eth0 set up as an interface within Sophos (LAN DHCP: 192.168.2.45/26)
      2. Edit eth0, changing it to a bridge and adding eth1, saving changes
        • Waited 5min to allow UTM to fully set up the new bridge and restart services on the backend
        • WebAdmin still accessible
      3. Edit the newly created bridge, unticking eth1 from the bridge, saving changes
        • This results in the WebAdmin becoming inaccessible on 192.168.2.45/26, even after a reboot.

 VM Switches: eth0 - eth3

  • eth0 & eth1: bridged into br0
    • Assigned a static IP via OpenWrt, 192.168.2.1/26
  • eth2 & eth3: irrelevant to this issue
  • All Interfaces: br0, eth0 - eth3, ifb0 - ifb4, lo, tun0

WebAdmin: 192.168.2.1:443 on br0



  • With ~235 views thus far and not a single reply, the only fix I can think of is to boot up a second VM and manually transfer over each network definition one by one to a new install of UTM... Clearly Sophos' forum is still suffering from the same issue that's hounded this forum since Sophos shut down the Astaro forum... there's simply a lack of knowledgeable users on this forum due to losing those voices years ago when the switch occurred, and it's abundantly clear those users never bothered coming back (it's why I left after all).

    • I don't have some weird, one-off setup that's outside the norm... what's occurring should not be occurring on a simple 4 switch setup (3 LAN, 1 WAN)



    The issue did end up being the bridge of eth0 & eth1, coupled with the hardware MACs of the 4 ethernet ports, as the previous server board's hardware MACs were still attached to the 4 interfaces within the old Sophos config.  Manually assigning the old hardware MACs in the VM's settings, then removing all interfaces except eth0, allowed me to manually assign the WebAdmin IP to eth0 via ifconfig, restoring temporary access.

    •  It should also be noted that even though I regained WebAdmin access, it's now impossible to utilize any of the backup configs I have because UTM is incorrectly modifying the hardware switch layout, switching eth1 <-> eth3, where eth1 is a LAN port and eth3 is the WAN port.  I've tried deleting all interfaces, adding them back one by one in chronological order (eth0, eth1, eth2, then eth3), shutting down UTM before adding the next, and as soon as eth3 is added, UTM replaces eth1 with eth3 and eth3 with eth1, regardless of the hardware MACs.
      • To provide a visual, prior to eth3 being added, ifconfig and WebAdmin will show eth0 with a MAC ending in 00, eth1 ending in 01, eth2 ending in 02, and eth3 ending in 03, yet as soon as eth3 is added, eth0 ends in 00, eth1 ends in 03, eth2 in 02, and eth3 in 01.

    • I deleted all interfaces and switches from ESXi, except for vSwitch0 (eth0, as it houses the kernel management switch), re-creating all interfaces on both ESXi and Sophos, yet I am unable to get Sophos to stop switching eth1 <-> eth3.
      • I've modified the hardware switches themselves under cc OBJS (yes, I did write the changes before exiting), swapping eth1's and eth3's hardware MACs to the correct ones, yet as soon as a reboot occurs, UTM switches them back... WTF
        (changes in the OBJS database are supposed to survive reboots).

    SilverStone DS380 | AsRock C2750D4I | Alienware 18 In Win Chopin | SuperMicro A1SRi-2758F
    2.4gHz 8C C2750 ; 32GB ECC | 2.5gHz 4C i7 4710MQ ; 32GB 2.4gHz 8C C2758 ; 32GB ECC
    Vantec 4C USB3 PCIe UGT-PCE430-4C | 8GB AMD SLI R9 M290x |
    SSD  | 850 EVO: 120GB | 1TB ; mSATA: 1TB (2) | 850 Pro: 128GB ; 850 EVO: 1TB
    HDD | Seagate: { ST4000VN000 (8) } Z2 ; { HGST HTS721010A (3) } Z2 |
    FreeNAS 11.2 | { PNY Turbo USB3 32GB (2) } Mirror | Win 10 Pro | ESXi 6.7: Sophos UTM 9.6

    Various Wikis, Scripts, & Configs | Prebuilt OpenSSL Config

  • JW, in order to promote more participation, I won't read any thread that has a post newer than yesterday - I suspect others do something similar.  In this case, I would try editing /etc/udev/rules.d/70-persistent-net.rules to change the NIC order to what existed in your prior VM.  Don't forget to reboot after you save the changed file.  Any luck with that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
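
Bob's suggestion above, as an added example that is not part of the thread and is not Sophos code: shell helpers that list the MAC-to-name pins in a copy of 70-persistent-net.rules, flag a name claimed twice, and re-pin a name to a MAC. The rule layout is the usual udev persistent-net form and is assumed here rather than taken from a UTM system; the MACs and function names are constructed for the example.

```shell
#!/bin/sh
# Added example: audit and re-pin interface names in a copy of
# /etc/udev/rules.d/70-persistent-net.rules (rule layout is assumed).

# Print "mac name" for every rule in file $1.
nic_map() {
    awk 'match($0, /ATTR[{]address[}]=="[^"]+"/) {
             mac = tolower(substr($0, RSTART + 16, RLENGTH - 17))
             if (match($0, /NAME="[^"]+"/))
                 print mac, substr($0, RSTART + 6, RLENGTH - 7)
         }' "$1"
}

# Print every interface name that more than one rule claims.
dup_names() {
    nic_map "$1" | awk '{ n[$2]++ } END { for (k in n) if (n[k] > 1) print k }'
}

# In file $1, set NAME= to $3 on the rule whose MAC is $2.
pin_nic() {
    mac=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    awk -v mac="$mac" -v name="$3" '
        index(tolower($0), "attr{address}==\"" mac "\"") {
            sub(/NAME="[^"]+"/, "NAME=\"" name "\"")
        }
        { print }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Constructed sample: eth1 and eth3 swapped, MACs are placeholders.
write_sample() {
    for pair in 00:eth0 03:eth1 02:eth2 01:eth3; do
        printf 'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:00:00:%s", ATTR{type}=="1", KERNEL=="eth*", NAME="%s"\n' \
            "${pair%%:*}" "${pair#*:}"
    done > "$1"
}

rules=$(mktemp)
write_sample "$rules"
pin_nic "$rules" 00:0C:29:00:00:01 eth1
pin_nic "$rules" 00:0C:29:00:00:03 eth3
nic_map "$rules"     # MAC ...:01 is eth1 again, ...:03 is eth3
dup_names "$rules"   # prints nothing when every name is unique
rm -f "$rules"
```

A swap needs both pins changed; after only the first `pin_nic` call, `dup_names` reports eth1 because two rules claim it.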
  • Bob, thanks a bunch! That worked =]

     

    TL;DR: nothing below has to do with OP issue

    My frustration wasn't directed towards you, any moderator, or any other knowledgeable member who contributes to this forum.  Technical knowledge with Sophos comes from experience using it, and by essentially ostracizing the veteran Astaro forum users when the abrupt switch was made to this current forum years ago, it severely damaged the knowledge base of users to pull from.  My frustration doesn't come from not receiving an answer right away (I expect not to get answers on forums for a few days), but from the amount of views this had without a single response, which shows this forum has still not recovered from the damage Sophos inflicted upon it years ago... that's what's frustrating.

    It's frustrating to me that while Sophos' forum is a better layout, the "I don't care about current users' experience" rollout by Sophos years ago, with the abrupt shutdown of the Astaro phpBB-based forum, resulted in a large number of knowledgeable users of UTM simply throwing up their hands to community involvement because this forum looks and operates nothing like the phpBB-based forum Astaro was; this made navigating this new forum a massive, frustrating inconvenience.  So when a technical issue gets hundreds of views and no responses, it's frustrating that Sophos pushed out a lot of previous Astaro forum members who would have been able to chime in. I understand and agree with your point about not responding for a day to encourage community participation, as Sophos expecting yourself and a handful of others to always respond with technical advice isn't sustainable, let alone practical.
