
utm to utm RED no longer working after rebuild

Hi all,

I have three personal UTMs that have been doing red tunnels for a couple of years, no issues.  All devices are behind NAT, and two of the devices are servers and the 3rd connects to each one as a client (the two "servers" do not communicate).

I rebuilt the one at my home with v17 XG and (eventually) got it to play nice with the client UTM.

The other server device stopped working recently after my mother-in-law moved (not a device issue as much as pebkac I think).  So I brought it home and figured I'd go ahead and also rebuild it with XG while I was at it (planning to rebuild the client device later this year).

No matter what I did post-rebuild, although the red tunnel would immediately connect and go green, I could not ping the red interfaces from one another.  Tried a number of things including another rebuild now that v18 XG is out but no dice.

Finally gave up and decided to revert to UTM, but I now get the same behavior there as well - RED tunnel goes green right away but interfaces cannot ping each other.  If I delete the port 3400 port forward pointing to the problem device and point 3400 back to my other server device things work just fine.

Can't for the life of me figure it out, unless there's some kind of weird incompatibility between the zotac hardware in the problem server box and my google fiber internet (mtu or something)?

Thanks!

  • Hi There,

    Would you post logs from red.log? Also, check the note on this KBA: https://community.sophos.com/kb/en-us/125101

    Regards

    Jaydeep

  • red.txt


    Hi, log attached.  Not sure what the KB is supposed to tell me?  I have a functional xg to sg tunnel on my other hardware configured exactly the same way as the problem one.  The problem one is exhibiting the issue on both XG and SG software...  thanks!

  • That log is too long.  Please just show the client and server logs from the moment you enable the client to the failure - probably less than 100 lines each.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob, what exactly are we looking for?  The red tunnel connects successfully so not sure what we expect to see in the red log. Can you help narrow down what I’m looking for?  The problem isn’t something that has a point of failure per se - I simply can’t ping the red interfaces in either direction so I’m not sure if the issue is some kind of strange routing thing or what... thanks!

  • Is this as simple as 3. in Rule #2 in Rulz (last updated 2019-04-17)?  Or, is other traffic also not passing?

    Cheers - Bob

  • Howdy Bob, none of that appears to apply.

    Again, this exact configuration is working on my other hardware.  This exact configuration was working on this hardware previously too.

    So it seems that something has either happened with later revs of the software, or the hardware somehow has some weird bug that wasn't apparent in earlier versions of UTM, or I am so boneheaded that I'm making the same weird mistake over multiple rebuilds in both XG and SG such that I'm smart enough to get the RED tunnel to connect but too stupid to get the two interfaces to ping each other like the hundreds of other RED tunnels I manage do :-)  But I can't figure out what it is!

  • Hey neighbor,

    Do the firewall logs on the two sides show any related blocks?

    Cheers - Bob

  • No, I couldn't find any evidence of traffic being blocked.  Firewall rules are wide open.

  • In your first post, you said, "If I delete the port 3400 port forward pointing to the problem device and point 3400 back to my other server device things work just fine."  Maybe we should look at the Edit of that NAT rule...  Also, I get lost on what's where, what works, what doesn't and what "doesn't work" means.

    Cheers - Bob

  • Sure, sorry for the confusion.


    Basically, since I am doing this work at home and have two devices here currently (my normal one I use at home and the problem one), and I have a typical residential ISP, I can only have one device in use at a time with a basic NAT rule that passes port 3400 straight through.

    So when I have the NAT rule point to my own normal home device now running XG, things work just fine (just as they did previously when it was running SG).

    When I point the NAT rule to the problem device, the tunnel connects just fine but the red interfaces won't ping.