Sophos UTM 9 with AWS Site-to-Site VPC: Tunnels up, but no ping

Are you trying these pings & traceroutes from a desktop on the UTM LAN or directly from the UTM Webadmin via diagnostic tools?  Also, do you have a MASQ rule or an SNAT rule to source the traffic from your LAN?  

Tim

I've tried pinging from the Webadmin diagnostics tools to a test EC2, and also from the test EC2 to the internal IPs of the Sophos EC2.

I have MASQ rules set up to allow traffic from the internal networks to the internet and a NAT rule that forwards RADIUS traffic to our single sign on service provider (onelogin).

Thanks for your help!

Martin

Martin, when the UTM initiates traffic, it will use the inside tunnel interface IP address as the source IP.  This of course is a 169.x.x.x address, which your VPC or Subnet's route table on AWS likely does not have an entry for and thus the traffic, icmp in your case, will not return to the UTM. 

Create a SNAT rule that says Any source, using any service, going to the VPC subnet, change the source IP address to the green internal interface address object for your LAN network.  This will source the traffic from a network which AWS has a route to.  You can leave automatic firewall rules disabled for this rule if you control access to/from the VPC through user created firewall rules.  Then try to ping from the UTM.  

This however wouldn't account for why you wouldn't be able to ping from an EC2 instance to the UTM's interface IP address, but 1 thing at a time.  

Tim

Oh and get rid of that static route, it shouldn't be required for this configuration.  The issue can be resolved without it.  

OK, adding that SNAT helped - but I still can't ping from the Web Admin UI. I can, however, now ping my EC2 if I open a tunnel from my laptop to Sophos using OpenVPN. That's great because it means I can remove my internet gateway and start telling everyone to use the VPN. I don't understand why the ping isn't working from Sophos though?

I've also tested pinging from the EC2 back to the Sophos and that seems to work too now.

So, I'm basically there - just a little confused why ping from the Web Admin doesn't work.

Thanks a lot for your help!

Martin

Hmmm, usually pinging from the Webadmin is fixed with the SNAT.  If you can ping from EC2 to the UTM, I don't think it's a route problem.  Possibly it's something security related, i.e. a security group issue on the instance you're trying to ping to?  You could always try to enable VPC flow logs and then use that to confirm that the VPC is receiving the pings.  

Humor me by running the following commands in a SSH session (replace 1.2.3.4 with the IP address you're trying to ping from the webadmin):

ip route get 1.2.3.4 

ping 1.2.3.4

conntrack -L | grep icmp.*1.2.3.4

Tim

loginuser@utm-01:/home/login > ip route get 10.93.1.4
10.93.1.4 via 169.254.46.85 dev vpc3.1  src 169.254.46.86
    cache

loginuser@utm-01:/home/login > ping 10.93.1.4
PING 10.93.1.4 (10.93.1.4) 56(84) bytes of data.
64 bytes from 10.93.1.4: icmp_seq=1 ttl=254 time=1.97 ms
64 bytes from 10.93.1.4: icmp_seq=2 ttl=254 time=1.81 ms
64 bytes from 10.93.1.4: icmp_seq=3 ttl=254 time=1.79 ms
64 bytes from 10.93.1.4: icmp_seq=4 ttl=254 time=1.83 ms
64 bytes from 10.93.1.4: icmp_seq=5 ttl=254 time=1.81 ms
64 bytes from 10.93.1.4: icmp_seq=6 ttl=254 time=1.74 ms
64 bytes from 10.93.1.4: icmp_seq=7 ttl=254 time=1.83 ms

loginuser@utm-01:/home/login > sudo /usr/sbin/conntrack -L | grep icmp.10.93.1.4
conntrack v1.4.2 (conntrack-tools): 57 flow entries have been shown.

Hope that helps!

Thanks,

Martin

Wait, you're getting a reply to the icmp requests though.  If ping isn't working from the UTM, shouldn't that go unanswered?  

P.S. in the conntrack -L command, make sure to put 'grep icmp.*1.2.3.4', not 'grep icmp.1.2.3.4'.  You get different results if you exclude the *.  

Tim

I should have mentioned in my last post - ping is working in both directions now - I can ping the UTM from the internal network, and from the external network through the tunnel - just not the web admin UI. I agree - this is a bit strange!

 

loginuser@utm-01:/home/login > sudo /usr/sbin/conntrack -L | grep icmp.*10.93.1.4
conntrack v1.4.2 (conntrack-tools): 37 flow entries have been shown.
icmp     1 2 src=169.254.46.86 dst=10.93.1.4 type=8 code=0 id=46866 packets=5 bytes=420 src=10.93.1.4 dst=10.91.3.254 type=0 code=0 id=46866 packets=5 bytes=420 mark=528384 delta-time=32 use=1

I had to run ping again from the web admin to get this log - and this time it worked. I'm a little confused why its working now but not before, possibly because of a bad security group configuration? The good news is that everything is now working as expected - including the web admin ping.

Thanks for your continued assistance,

Martin

Possibly a bad security group, possibly something with the UTM, possibly the gravity from the moon, who knows :P   What's important is that it's working for you now. 

Feel free to post here again if it suddenly stops working again, otherwise good luck Martin!

Tim 

Possibly a bad security group, possibly something with the UTM, possibly the gravity from the moon, who knows :P   What's important is that it's working for you now. 

Feel free to post here again if it suddenly stops working again, otherwise good luck Martin!

Tim