
RED between UTM - routing works, but UTM on both sides can't access the network

Hello guys,

I have a problem concerning a RED connection between two UTMs.

The connection is established and works fine. Routing as well.

The only problem is, the UTMs can't access the networks on the other side, PING isn't working either.

Devices within these networks are able to access the other networks.

Any ideas? I am a bit stuck at the moment and need it to work, because the UTM needs to access the Active Directory server on the other side of the tunnel, which isn't working.

PING tests were made with the UTM tools.

Thanks in advance.

  • "The only problem is, the UTMs can't access the networks on the other side, PING isn't working either.

    Devices within these networks are able to access the other networks."

    Sorry, you lost me.  What can access what where?  What can't access what where?  What items are selected on the 'ICMP' tab of 'Firewall' on both sides?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    • Site 1 is a UTM with 10.30.0.0/23
    • Site 2 is XG with 10.20.0.0/23

    Devices within 10.20.0.0/23 can access everything within 10.30.0.0/23, except the XG.

    Devices within 10.30.0.0/23 can access everything within 10.20.0.0/23, except the UTM. The UTM should connect to the domain controller at 10.20.0.10 for user authentication.

    The UTM gets a connection timeout while testing the settings, and the UTM can't ping the server either.

    Traceroute shows that there is a hop to the RED interface IP of the UTM, but nothing further.

  • The IPs are 10.20.0.1 and 10.30.0.1 and they are included in my rules...

    10.20.0.0/23 and 10.30.0.0/23

  • OK, I'm having a really hard time understanding your setup. Here is the article on how to configure Site-to-Site RED tunnels: https://community.sophos.com/kb/en-us/120157

    As shown in the article, RED interfaces have their own network on which they communicate and where you route traffic between the UTMs. I have dozens of setups like this and all of them have a separate network for RED communication. I don't see how your RED interfaces could have an IP from your internal network AND still route traffic to the other side, unless you are not using RED at all. So, to make things clear, please replace the diagram below with your current settings:

    UTM1 LAN Network/Subnet -> UTM 1 LAN IP -> UTM 1 RED IP -> UTM 2 RED IP -> UTM 2 LAN IP -> UTM 2 LAN Network/Subnet.

    Regards,

    Giovani

  • Your current settings don't allow for trace routes or pings to transit the UTM nor do they allow the UTM to respond to trace routes or pings.  The "Any" service is TCP and UDP only - none of the other IP protocols are included.  Specifically, ping and trace route are not included in the "Any" service.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Sorry for the poor description. But as mentioned initially, the routing between the networks is set and works. With my MacBook in Net 1 I can access my Domain Controller in Net 2. That is not the problem. My problem is, and that is what I don't understand, why the UTM from Net 1 can't connect to the Active Directory for user authentication; there is a connection timeout.

  • What, if anything, do you learn from doing #1 in Rulz on both sides?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • On the UTM
    2018:01:22-12:06:46 central aua[28519]: id="3006" severity="info" sys="System" sub="auth" name="Spawned child for authentication test"
    2018:01:22-12:06:46 central aua[28519]: id="3006" severity="info" sys="System" sub="auth" name="Bind test request: adirectory"
    2018:01:22-12:06:49 central aua[28519]: id="3006" severity="info" sys="System" sub="auth" name="Bind test failed. Method: adirectory, error: DENIED
    2018:01:22-12:06:49 central aua[28519]: Connection to ldap://10.20.10.10:389 failed"
     
    On the XG with the server, nothing. But I can connect to RDP from the UTM network.
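As an added example (not from the thread and not Sophos code), here is a small Python parser for aua log lines in the format quoted above: it stitches the two-line "Bind test failed" record back together and pulls out the method, error and LDAP target, which is what you want to check first when an authentication test fails. The sample lines are constructed from the ones quoted in the post; no field semantics beyond what is visible there are assumed.

```python
import re
# Constructed sample, modelled on the aua lines quoted in the thread: the
# "Bind test failed" event is split over two syslog lines, and only the
# second line carries the closing quote of the name="..." value.
SAMPLE_LOG = """\
2018:01:22-12:06:46 central aua[28519]: id="3006" severity="info" sys="System" sub="auth" name="Spawned child for authentication test"
2018:01:22-12:06:46 central aua[28519]: id="3006" severity="info" sys="System" sub="auth" name="Bind test request: adirectory"
2018:01:22-12:06:49 central aua[28519]: id="3006" severity="info" sys="System" sub="auth" name="Bind test failed. Method: adirectory, error: DENIED
2018:01:22-12:06:49 central aua[28519]: Connection to ldap://10.20.10.10:389 failed"
"""

HEADER_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')  # key="value" pairs in the payload

def join_continuations(lines):
    """Merge a line whose last quoted value is still open with the line after it."""
    merged = []
    for line in lines:
        if merged and merged[-1].count('"') % 2 == 1:
            # previous record is unterminated: append this line's payload only
            m = HEADER_RE.match(line)
            merged[-1] += " " + (m.group("rest") if m else line)
        else:
            merged.append(line)
    return merged

def parse_aua(text):
    """Return one dict per aua record: header fields plus its key="value" pairs."""
    records = []
    for line in join_continuations(text.splitlines()):
        m = HEADER_RE.match(line)
        if m:
            rec = {"ts": m.group("ts"), "host": m.group("host"), "pid": m.group("pid")}
            rec.update(dict(KV_RE.findall(m.group("rest"))))
            records.append(rec)
    return records

def failed_binds(records):
    """Extract method, error code and LDAP target from every failed bind test."""
    out = []
    for r in records:
        name = r.get("name", "")
        if name.startswith("Bind test failed"):
            method = re.search(r"Method: (\w+)", name)
            err = re.search(r"error: (\w+)", name)
            url = re.search(r'ldaps?://[^\s"]+', name)
            out.append({"ts": r["ts"], "method": method and method.group(1),
                        "error": err and err.group(1), "target": url and url.group(0)})
    return out
```

The target the parser recovers from the quoted lines, ldap://10.20.10.10:389, is not the 10.20.0.10 given for the domain controller earlier in the thread; that mismatch is worth resolving before spending more time on routing or firewall rules.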
  • Hey open.

    I still think your RED interfaces have a different IP than what you are telling us. Some screenshots of your interfaces and static routing would really be helpful.

    Bob, what I'm seeing is that his site-to-site communication is working, although I cannot for the life of me understand how, if what he's saying is correct and his RED interfaces are in the same subnet as his LAN interfaces. What he needs is for his UTM to communicate with remote servers. Every time I had such a need it came down to allowing RED's interface IP address into the remote network by adding it to the firewall rules. But open claims his RED interfaces have IPs in the same network as his internal network and that those are covered by his current firewall rules. I truly cannot understand how this would be possible. Maybe you can have better luck figuring this out.

    Regards,

    Giovani

  • It sounds like you will need to have Sophos Support take a look at this.  Please let us know what they discover and the fix.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob,

    I think that too...

    And I am going to hate XG. Since this morning I can't access the XG from the UTM, but the UTM from XG. There was no change to any setting on any appliance. In the meantime I have connected a third UTM appliance via RED, which can be accessed from and to any network.