Sophos XG Home - Hyper-V no internet connection

Hi All,

 

I am facing a weird issue with the latest XG firmware 16_05_8320.

 

First things first, here is the description of my environment:

 

The Hyper-V host is acting as DNS and has 3 physical NICs - all Realtek chipset (8168B/8111B) PCIe GBE Family Controller, drivers updated to the latest version available (8.53.323.2017). (1 integrated on board and 2 PCIe TP-LINK cards: http://www.tp-link.com/us/products/details/cat-5519_TG-3468.html)

The integrated card is plugged into a Zyxel NBG-6515 device which acts as a wireless AP and uses switch mode. (It can operate in Router, Switch and Bridge mode.)

The other two NICs are dedicated to Sophos XG Home (LAN and WAN) - I am not using the Virtual Switch mode for Hyper-V - they are purely dedicated to the Sophos XG Home VM.

I used the MAC address of the switch for the WAN side to get the same IP address I used to have from my ISP. I have a Thomson THG571 cable modem from the ISP which operates in Bridge mode I guess (when I reboot, first I get the IP range 192.168.100.x and after a while it gets me my public IP).

The firewall operates also as DHCP for my internal LAN 192.168.1.x

 

The ISSUE:

 

1. I just got my WAN IP updated once I restarted the cable modem.

2. Everything looks fine, I've got my public IP and have an internet connection and the interface icon is green.

3. After around 2 minutes the interface icon turns red - PortB or Port2 shows Connected status and active, but it is not active because no internet sites can be reached. And if I restart the VM then I just get a 128.0.0.0 IP address on the WAN side.

- I tried tracert, nslookup, and all sorts of techniques to sort out what the problem is, but I have no more ideas

- the logs basically show nothing (System log: GW down; Firewall log: Some Local ACL Denied for ports 67 to 68 and IP 255.255.255.255)

- I have enabled an any-to-any firewall rule from LAN to WAN with no matching user, and also MASQ enabled on WAN

4. When I connect the WAN interface to the Zyxel NBG-6515 in router mode then it is working without any issues (of course I have changed the internal LAN IP range to be on 172.x.x.x), so therefore it cannot be related to the VM or physical interface.

 

Everywhere I am using CAT5 straight cables. NO cross-overs in use!

 

Could anybody explain to me what the difference in the connection is when the XG WAN port is connected to the modem versus the router? What communication should go on and on what layer, because I am suspecting that the modem's connection directly to the NIC is the issue.

 

Some other background info:

I also installed the Firewall image on custom HW which has two integrated Intel 10/100/1000T NICs, an 80GB Samsung SATA HDD, an i3 4-core CPU, 4GB ECC RAM and a SUPERMICRO board - this setup worked without any issue even after I upgraded to the latest firmware.

  • Tibor,

    here the issue can be with "not using virtual switches on Hyper-V" or some issue related to the Hyper-V XG image.

    Did you use the Hyper-V image or did you create a blank VM and install the XG SW version?

    Thanks

  • In reply to lferrara:

    Hi,

     

    thanks for your reply. I tried both - the virtual image and a blank VM installed from scratch using the software installer. Both results were the same.

     

    What I noticed as the only difference is that in the virtual image the ports are called PortA/PortB and when I installed it myself they are called Port1/Port2.

     

    Without virtual switches it is not possible to dedicate the physical NIC to the VM. This info was a bit confusing in my previous post - sorry (I meant by that that the NICs are not shared between the host and the XG VM, but dedicated only to the VM). Please see the screenshot regarding the virtual switch configuration.

    Any other troubleshooting technique is welcome.

     

    Thanks

     

  • In reply to Tibor Soós:

    Tibor,

    connect to XG advanced shell and type:

    cd /log

    tail -f dgd.log

    check if there are some useful logs about the gateway status (up and down). You can even share them here. Thanks

  • In reply to lferrara:

    So I did the logging, and the results are here:

    Oct 12 09:53:24 [3216]: Main, entities count: 1
    DEBUG Oct 12 09:53:24 [3216]: Initiating Ping : 109.61.120.1
    DEBUG Oct 12 09:53:24 [3216]: GW (DHCP%5fPortB%5fGW,PortB) : Waiting for reply
    DEBUG Oct 12 09:53:24 [3216]: Success, Retrying(1) Ping : 109.61.120.1
    DEBUG Oct 12 09:53:24 [3216]: GW (DHCP%5fPortB%5fGW,PortB) : Waiting for reply
    DEBUG Oct 12 09:53:24 [3216]: Current Status : Live
    DEBUG Oct 12 09:53:24 [3216]: Ping Result for : 109.61.120.1
    DEBUG Oct 12 09:53:24 [3216]: Ping : S
    DEBUG Oct 12 09:53:24 [3216]: Current Status [GW(DHCP%5fPortB%5fGW,PortB)] : Live
    DEBUG Oct 12 09:53:24 [3216]: Sleep for 60 Seconds
    NOTICE Oct 12 09:53:24 [3216]: Actiontree, executing: Dead_To_Live @DHCP%5fPortB%5fGW
    DEBUG Oct 12 09:53:24 [3217]: Executing Service : <gateway:gw_dead_to_live> args : <{"param":"@DHCP%5fPortB%5fGW"}>

    DEBUG Oct 12 09:54:24 [3216]: Initiating Ping : 109.61.120.1
    DEBUG Oct 12 09:54:24 [3216]: GW (DHCP%5fPortB%5fGW,PortB) : Waiting for reply
    DEBUG Oct 12 09:54:26 [3216]: Failed, Retrying(1) Ping : 109.61.120.1
    DEBUG Oct 12 09:54:26 [3216]: GW (DHCP%5fPortB%5fGW,PortB) : Waiting for reply
    DEBUG Oct 12 09:54:26 [3216]: Current Status : Live
    DEBUG Oct 12 09:54:28 [3216]: Failed, Retrying(2) Ping : 109.61.120.1
    DEBUG Oct 12 09:54:28 [3216]: GW (DHCP%5fPortB%5fGW,PortB) : Waiting for reply
    DEBUG Oct 12 09:54:28 [3216]: Current Status : Live
    DEBUG Oct 12 09:54:30 [3216]: Failed, Retrying(3) Ping : 109.61.120.1
    DEBUG Oct 12 09:54:30 [3216]: GW (DHCP%5fPortB%5fGW,PortB) : Waiting for reply
    DEBUG Oct 12 09:54:30 [3216]: Current Status : Live
    DEBUG Oct 12 09:54:32 [3216]: Failed, Retrying(4) Ping : 109.61.120.1
    DEBUG Oct 12 09:54:32 [3216]: GW (DHCP%5fPortB%5fGW,PortB) : Waiting for reply
    DEBUG Oct 12 09:54:32 [3216]: Current Status : Live
    DEBUG Oct 12 09:54:34 [3216]: Failed, Retrying(5) Ping : 109.61.120.1
    DEBUG Oct 12 09:54:34 [3216]: GW (DHCP%5fPortB%5fGW,PortB) : Waiting for reply
    DEBUG Oct 12 09:54:34 [3216]: Current Status : Live
    DEBUG Oct 12 09:54:36 [3216]: Ping Result for : 109.61.120.1
    DEBUG Oct 12 09:54:36 [3216]: Ping : F
    DEBUG Oct 12 09:54:36 [3216]: Current Status [GW(DHCP%5fPortB%5fGW,PortB)] : Dead
    DEBUG Oct 12 09:54:36 [3216]: Sleep for 60 Seconds
    NOTICE Oct 12 09:54:36 [3216]: Actiontree, Live to Dead
    NOTICE Oct 12 09:54:36 [3216]: Actiontree, executing: Live_To_Dead @DHCP%5fPortB%5fGW
    DEBUG Oct 12 09:54:36 [3456]: Executing Service : <gateway:gw_live_to_dead> args : <{"param":"@DHCP%5fPortB%5fGW"}>

     

    It was working for 12 minutes once I plugged the WAN into the modem and restarted the modem - there was also a need to refresh the WAN interface to get the IP from the ISP, then after a few minutes the GW went down and if I refreshed the WAN interface through the GUI I got the 128.0.0.1 IP. Then I restarted the modem again and got the IP again, but after 2 minutes it was down again.
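The dgd.log excerpt above is the gateway monitor's own record of the flap. As an added example (not from this thread or from Sophos), here is a small Python parser that reduces such lines to probe cycles and Live/Dead transitions, so a longer capture can be summarised as "when did the gateway go down, and after how many failed pings". The sample lines are copied from the excerpt above; the regular expressions are my own assumptions about the line format, derived only from those lines.

```python
import re
from urllib.parse import unquote

# Sample lines copied from the dgd.log excerpt posted in this thread (only the
# lines that carry state; the "Waiting for reply" / "Sleep" lines are dropped).
SAMPLE_LOG = """\
DEBUG Oct 12 09:53:24 [3216]: Initiating Ping : 109.61.120.1
DEBUG Oct 12 09:53:24 [3216]: Success, Retrying(1) Ping : 109.61.120.1
DEBUG Oct 12 09:53:24 [3216]: Ping : S
NOTICE Oct 12 09:53:24 [3216]: Actiontree, executing: Dead_To_Live @DHCP%5fPortB%5fGW
DEBUG Oct 12 09:54:24 [3216]: Initiating Ping : 109.61.120.1
DEBUG Oct 12 09:54:26 [3216]: Failed, Retrying(1) Ping : 109.61.120.1
DEBUG Oct 12 09:54:28 [3216]: Failed, Retrying(2) Ping : 109.61.120.1
DEBUG Oct 12 09:54:30 [3216]: Failed, Retrying(3) Ping : 109.61.120.1
DEBUG Oct 12 09:54:32 [3216]: Failed, Retrying(4) Ping : 109.61.120.1
DEBUG Oct 12 09:54:34 [3216]: Failed, Retrying(5) Ping : 109.61.120.1
DEBUG Oct 12 09:54:36 [3216]: Ping : F
NOTICE Oct 12 09:54:36 [3216]: Actiontree, executing: Live_To_Dead @DHCP%5fPortB%5fGW
"""

# Assumed format: "<LEVEL> <Mon> <day> <hh:mm:ss> [<pid>]: <message>"; the level is
# optional because the first line of the posted excerpt lacks it.
LINE_RE = re.compile(r"^(?:[A-Z]+\s+)?(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \[\d+\]: (?P<msg>.*)$")
PING_RE = re.compile(r"^(Success|Failed), Retrying\((\d+)\) Ping : (\S+)$")
TRANS_RE = re.compile(r"^Actiontree, executing: (Dead_To_Live|Live_To_Dead) @(\S+)$")

def parse_dgd(text):
    """Return (probe cycles, transitions) from dgd.log text.

    Each cycle is a dict: started, target, attempts, failures, verdict ("S"/"F").
    Each transition is a tuple: (timestamp, gateway name, transition).
    """
    cycles, transitions, cur = [], [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped continuation line or unrelated text
        ts, msg = m["ts"], m["msg"]
        if msg.startswith("Initiating Ping : "):
            cur = {"started": ts, "target": msg.split(" : ", 1)[1],
                   "attempts": 0, "failures": 0, "verdict": ""}
            cycles.append(cur)
        elif (p := PING_RE.match(msg)) and cur:
            cur["attempts"] += 1
            cur["failures"] += p[1] == "Failed"
        elif msg.startswith("Ping : ") and cur:
            cur["verdict"] = msg.split(" : ", 1)[1]  # S = gateway live, F = dead
        elif t := TRANS_RE.match(msg):
            # %5f is the URL-encoded underscore: DHCP%5fPortB%5fGW -> DHCP_PortB_GW
            transitions.append((ts, unquote(t[2]), t[1]))
    return cycles, transitions
```

On the excerpt this yields one cycle that succeeds on the first ping and one that fails all 5 retries before the Live_To_Dead action fires, which is the 60-second window the poster observed as "fine, then red".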

  • In reply to Tibor Soós:

    Tibor,

    change the cable, set the WAN port to a fixed speed and try again.

    It does not seem to be a MAC address issue because on the physical appliance it works.

    Regards

  • In reply to lferrara:

    Hi Luk,

     

    The cable is tested and working without issue. The same cable was working with the HW appliance. The speed for the interface was set to 1.0Gbps full duplex already.

     

    BR, T

  • In reply to Tibor Soós:

    Tibor,

    enable HTTPS even on WAN and try to swap the 2 physical NICs on Hyper-V and try again.

    Regards

  • In reply to lferrara:

    Hi Luk,

     

    thanks for the tip. I was thinking about the same, to switch the NICs. At least I switched the WAN NIC to the integrated one on my MB and now it seems to be working.

     

    I can only guess why the other NIC did not keep the IP address from the modem. All NICs are on the PCIe bus and use the same chipset and drivers. I would say it has something to do with the way my modem handles the integrated NICs and PCI card NICs. No other idea why it should not work.

     

    Anyway, thanks for your help. I am running now on v17 beta2 and awaiting the full release. I just noticed that access to community.sophos.com is really slow if the Firewall is in use; all other sites' response is fine as far as I noticed.

     

    BR, T

  • In reply to Tibor Soós:

    Hi,

    I just wanted to update the thread with my findings. The issue was with the physical NIC - it seems that it is not working properly. The upstream capabilities are affected, therefore it also dropped the modem's connection.

    I changed the config as follows:

    - I connected the Hyper-V host machine to the Sophos LAN virtual switch - so basically I allowed the management system to share the NIC of the Sophos LAN

    Now everything is working perfectly and I will probably return the other PCIe card to the seller because it's not working 100%.

     

    I am running now on firmware v17 RC1 and no issues so far. AD authentication/VPN and forwarding are working as expected. The webpages are loading fast and smooth and Outlook behaves normally.

     

    Thanks again for the help.

     

    Conclusion: HW failure is always an option :)