
Sophos UTM 9 with AWS Site-to-Site VPC: Tunnels up, but no ping

I've got an installation of Sophos UTM 9 connected to four AWS VPCs with Site-to-Site. I created Customer Gateways, Virtual Private Gateways and a Site-to-Site connection in each of the private VPCs. I then exported the configuration from AWS and imported it into Sophos. So far so good - the tunnels are up. I've set the route tables to propagate routes and the route tables seem to be OK.

However, when I try to ping an EC2 in one of the private VPCs, I get 100% packet loss:

PING 10.93.1.4 (10.93.1.4) 56(84) bytes of data.

--- 10.93.1.4 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4032ms

If I try traceroute, I get the following:

traceroute to 10.93.1.4 (10.93.1.4), 30 hops max, 40 byte packets using UDP
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *

I set up a static route to the VPC, using the internal network card as the gateway, and I get the following response from traceroute:

1 10.93.1.4 (10.93.1.4) 2.209 ms 1.688 ms 1.850 ms
2 10.93.1.4 (10.93.1.4) 4.789 ms 4.688 ms 4.018 ms
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 10.93.1.4 (10.93.1.4) 9.051 ms 8.660 ms 8.439 ms
10 10.93.1.4 (10.93.1.4) 9.112 ms 8.900 ms *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 10.93.1.4 (10.93.1.4) 14.498 ms * *
17 10.93.1.4 (10.93.1.4) 15.581 ms * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 10.93.1.4 (10.93.1.4) 19.517 ms * *

This looks like I'm getting intermittent pings back.

What is going on? Am I on the right path with the static route?

Thanks for any help!



  • Are you trying these pings & traceroutes from a desktop on the UTM LAN or directly from the UTM Webadmin via diagnostic tools?  Also, do you have a MASQ rule or an SNAT rule to source the traffic from your LAN?

    Tim

  • I've tried pinging from the Webadmin diagnostics tools to a test EC2, and also from the test EC2 to the internal IPs of the Sophos EC2.

    I have MASQ rules set up to allow traffic from the internal networks to the internet and a NAT rule that forwards RADIUS traffic to our single sign-on service provider (OneLogin).

    Thanks for your help!

    Martin

  • Oh and get rid of that static route, it shouldn't be required for this configuration.  The issue can be resolved without it.  

  • OK, adding that SNAT helped - but I still can't ping from the Web Admin UI. I can, however, now ping my EC2 if I open a tunnel from my laptop to Sophos using OpenVPN. That's great because it means I can remove my internet gateway and start telling everyone to use the VPN. I don't understand why the ping isn't working from Sophos though?

    I've also tested pinging from the EC2 back to the Sophos and that seems to work too now.

    So, I'm basically there - just a little confused why ping from the Web Admin doesn't work.

    Thanks a lot for your help!

    Martin

  • Hmmm, usually pinging from the Webadmin is fixed with the SNAT.  If you can ping from EC2 to the UTM, I don't think it's a route problem.  Possibly it's something security related, i.e. a security group issue on the instance you're trying to ping to?  You could always try to enable VPC flow logs and then use that to confirm that the VPC is receiving the pings.  

    Humor me by running the following commands in an SSH session (replace 1.2.3.4 with the IP address you're trying to ping from the webadmin):

    ip route get 1.2.3.4 

    ping 1.2.3.4

    conntrack -L | grep icmp.*1.2.3.4

    Tim

  • loginuser@utm-01:/home/login > ip route get 10.93.1.4
    10.93.1.4 via 169.254.46.85 dev vpc3.1  src 169.254.46.86
        cache

    loginuser@utm-01:/home/login > ping 10.93.1.4
    PING 10.93.1.4 (10.93.1.4) 56(84) bytes of data.
    64 bytes from 10.93.1.4: icmp_seq=1 ttl=254 time=1.97 ms
    64 bytes from 10.93.1.4: icmp_seq=2 ttl=254 time=1.81 ms
    64 bytes from 10.93.1.4: icmp_seq=3 ttl=254 time=1.79 ms
    64 bytes from 10.93.1.4: icmp_seq=4 ttl=254 time=1.83 ms
    64 bytes from 10.93.1.4: icmp_seq=5 ttl=254 time=1.81 ms
    64 bytes from 10.93.1.4: icmp_seq=6 ttl=254 time=1.74 ms
    64 bytes from 10.93.1.4: icmp_seq=7 ttl=254 time=1.83 ms

    loginuser@utm-01:/home/login > sudo /usr/sbin/conntrack -L | grep icmp.10.93.1.4
    conntrack v1.4.2 (conntrack-tools): 57 flow entries have been shown.

    Hope that helps!

    Thanks,

    Martin

  • Wait, you're getting a reply to the icmp requests though.  If ping isn't working from the UTM, shouldn't that go unanswered?  

    P.S. in the conntrack -L command, make sure to put 'grep icmp.*1.2.3.4', not 'grep icmp.1.2.3.4'.  You get different results if you exclude the *.  

    Tim

  • I should have mentioned in my last post - ping is working in both directions now - I can ping the UTM from the internal network, and from the external network through the tunnel - just not the web admin UI. I agree - this is a bit strange!

    loginuser@utm-01:/home/login > sudo /usr/sbin/conntrack -L | grep icmp.*10.93.1.4
    conntrack v1.4.2 (conntrack-tools): 37 flow entries have been shown.
    icmp     1 2 src=169.254.46.86 dst=10.93.1.4 type=8 code=0 id=46866 packets=5 bytes=420 src=10.93.1.4 dst=10.91.3.254 type=0 code=0 id=46866 packets=5 bytes=420 mark=528384 delta-time=32 use=1

    I had to run ping again from the web admin to get this log - and this time it worked. I'm a little confused why it's working now but not before, possibly because of a bad security group configuration? The good news is that everything is now working as expected - including the web admin ping.

    Thanks for your continued assistance,

    Martin
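A small script, added here as an example and not part of Tim's or Martin's posts, that reads a `conntrack -L` icmp entry the way Tim's check intends. It splits the line into the original and reply tuples (conntrack prints the original direction as the packet entered the stack, before NAT, then the expected reply direction after NAT), reports whether the peer answered, and flags a source rewrite: a reply destination that differs from the original source is what an applied SNAT looks like in conntrack. The first entry is the one Martin pasted above; the second is constructed to show the unanswered, un-NATed shape of the same ping. The function names and the structured-search helper are my own, not a Sophos or conntrack-tools feature.

```python
import re

# Conntrack entry exactly as pasted in the thread (one `conntrack -L` line,
# a ping from the WebAdmin that got answered).
THREAD_ENTRY = (
    "icmp     1 2 src=169.254.46.86 dst=10.93.1.4 type=8 code=0 id=46866 "
    "packets=5 bytes=420 src=10.93.1.4 dst=10.91.3.254 type=0 code=0 "
    "id=46866 packets=5 bytes=420 mark=528384 delta-time=32 use=1"
)

# Constructed entry (NOT from the thread): the same ping with no SNAT and no
# answer, the shape conntrack prints while a flow is still unanswered.
UNANSWERED_ENTRY = (
    "icmp     1 29 src=169.254.46.86 dst=10.93.1.4 type=8 code=0 id=1 "
    "packets=5 bytes=420 [UNREPLIED] src=10.93.1.4 dst=169.254.46.86 "
    "type=0 code=0 id=1 packets=0 bytes=0 mark=0 use=1"
)

KV_RE = re.compile(r"([A-Za-z-]+)=(\S+)")


def parse_conntrack_icmp(line):
    """Split one icmp line of `conntrack -L` into its original and reply tuples.

    Bracketed tokens such as [UNREPLIED] or [ASSURED] are flow flags, not
    key=value fields. Returns None for non-icmp or malformed lines.
    """
    parts = line.split()
    if len(parts) < 4 or parts[0] != "icmp":
        return None
    tuples, flags, current = [], set(), {}
    for tok in parts[3:]:  # skip: protocol name, protocol number, timeout
        m = KV_RE.fullmatch(tok)
        if m is None:
            flags.add(tok.strip("[]"))
            continue
        key, value = m.groups()
        if key == "src" and "src" in current:  # second src= starts the reply tuple
            tuples.append(current)
            current = {}
        current[key] = value
    tuples.append(current)
    if len(tuples) != 2:
        return None
    return {"orig": tuples[0], "reply": tuples[1], "flags": flags}


def diagnose(line):
    """Answer the two questions the thread asks of a conntrack entry:
    did the reply come back, and was the source address rewritten (SNAT)?"""
    entry = parse_conntrack_icmp(line)
    if entry is None:
        return None
    orig, reply = entry["orig"], entry["reply"]
    return {
        "target": orig["dst"],
        "request_src": orig["src"],
        # The reply's dst is the address the peer answered to, i.e. the
        # post-NAT source; it differs from the original src only when SNAT applied.
        "reply_dst": reply["dst"],
        "snat_applied": orig["src"] != reply["dst"],
        "replied": "UNREPLIED" not in entry["flags"]
        and int(reply.get("packets", "0")) > 0,
    }


def find_icmp_flows(conntrack_output, target):
    """Structured equivalent of `conntrack -L | grep 'icmp.*<target>'`."""
    results = []
    for line in conntrack_output.splitlines():
        d = diagnose(line)
        if d is not None and d["target"] == target:
            results.append(d)
    return results


if __name__ == "__main__":
    for name, entry in (("thread", THREAD_ENTRY), ("constructed", UNANSWERED_ENTRY)):
        print(name, diagnose(entry))
```

On the thread's entry the request left as 169.254.46.86 (the tunnel-side address that `ip route get` reported as src) and the answer came back to 10.91.3.254, so the SNAT rule did apply to that ping; the constructed entry shows what the check reports when it did not.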

  • Possibly a bad security group, possibly something with the UTM, possibly the gravity from the moon, who knows :P   What's important is that it's working for you now.

    Feel free to post here again if it suddenly stops working again, otherwise good luck Martin!

    Tim

  • Hello Tim,

    I've done exactly as you wrote but am still facing the issue. All AWS networks are available from behind the UTM but not directly from the WebAdmin.

    Even if I'm using VLANs, it shouldn't make a difference ....

    Every help would be appreciated!

    Thanks in advance.

    Greets

  • Hoi Rene and welcome to the UTM Community!

    See #2 in Rulz (last updated 2019-04-17), especially 3.  What did you change that made pinging work?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

    Thanks for your quick reply. I just got it working by enabling "Rule applies to IPSec packets" in the SNAT configuration.

    Greets from Munich.

    Rene
