
Sophos XG Second Gateway

Dear All,

I'm looking for help as I can't configure a second gateway on my XG.

My Scenario:

I have one Sophos UTM and one Sophos XG which both Uplink via WAN/NAT to the same ISP Router.

Both protect local LANs with their firewalls and are interconnected. Everything works fine. I can reach all subnets with corresponding rules.

As the XG has a WAN interface towards the ISP Router, it can route the Guest LAN Traffic directly to the Uplink router.

 

Now to my Problem:

I want to route the traffic from LAN2 via the UTM towards the ISP Router, in order to have only one set of firewall rules for "friendly" traffic.

To my understanding this should be possible via Policy Based Routing.

In order to Setup the Policy based routing I need to add a second Gateway (192.168.10.1 via 192.168.10.2).

But this fails with "Gateway Host xxx can not be added".

I have no clue why.

 

A hint would be greatly appreciated.

Best wishes & you all stay healthy 

Mike



  • Could you change the name of the gateway a bit? Maybe "LAN" is too generic for the gateway, because the configuration looks fine to me.

     

    if not, go to the Advanced shell (Option 5 / 3) and check the applog while adding the Gateway.

    less /log/applog.log   

    Go to the bottom and recreate the gateway. 


  • Thank you for your quick Reply.

     

    I tried naming it "Mike" (just for the fun of it), but unfortunately no change.

    from applog.log:

    Apr 08 09:50:14 Request type = 1
    Apr 08 09:50:14 apiInterface:versionsupported: true.
    Apr 08 09:50:14 apiInterface:request mode -> 4301.
    Apr 08 09:50:14 apiInterface:Current ver :::'1702.1'
    Apr 08 09:50:14 apiInterface:entityjson::::::::network::gatewayobject=HASH(0xab73b00)
    Apr 08 09:50:14 Info:: Transaction will not be rolled back for opcode add_gateway_object. If any operation fails, request is part of multiple request :
    Apr 08 09:50:15 add_gateway_config failed
    Apr 08 09:50:15 add_gateway_object Failed

  • You have to look at the more expanded view of this log.

    Your part is only the "It does not work, so I will revert it" part.

    Look at the entries above this one. 


  • Dear Toni,

    please excuse if I'm on the slow side here. But there is nothing in the log above relating to this.

    I just performed the action twice for you to see:

    Apr 08 19:11:59 Request type = 1
    Apr 08 19:11:59 apiInterface:versionsupported: true.
    Apr 08 19:11:59 apiInterface:request mode -> 4301.
    Apr 08 19:11:59 apiInterface:Current ver :::'1702.1'
    Apr 08 19:11:59 apiInterface:entityjson::::::::network::gatewayobject=HASH(0xab737e8)
    Apr 08 19:11:59 Info:: Transaction will not be rolled back for opcode add_gateway_object. If any operation fails, request is part of multiple request :
    Apr 08 19:11:59 add_gateway_config failed
    Apr 08 19:11:59 add_gateway_object Failed
    Apr 08 19:12:57 Request type = 1
    Apr 08 19:12:57 apiInterface:versionsupported: true.
    Apr 08 19:12:57 apiInterface:request mode -> 4301.
    Apr 08 19:12:57 apiInterface:Current ver :::'1702.1'
    Apr 08 19:12:57 apiInterface:entityjson::::::::network::gatewayobject=HASH(0xab737c8)
    Apr 08 19:12:57 Info:: Transaction will not be rolled back for opcode add_gateway_object. If any operation fails, request is part of multiple request :
    Apr 08 19:12:57 add_gateway_config failed
    Apr 08 19:12:57 add_gateway_object Failed

    Hope I'm not missing anything stupid.

    Any way to increase the log level?

  • You could take a look at the csc.log. There is plenty of information about the object called in your applog.log.

    Maybe you will find something there? 


  • from csc.log:

    ERROR     Apr 10 15:10:40  [listener:1093]: worker 14062 killed
    ERROR     Apr 10 15:10:40  [listener:1093]: csc_waitpid: pid(14062) exited with signal 9
    ERROR     Apr 10 15:10:40  [listener:1093]: worker 14147 killed
    CRITICAL  Apr 10 15:10:40  [worker:14147]: read_packet: read error 'Interrupted system call'
    ERROR     Apr 10 15:10:40  [listener:1093]: csc_waitpid: pid(14147) exited with signal 9
    ERROR     Apr 10 15:10:40  [listener:1093]: ln_recvfrom: fd '97.TCP.INET.auxilary': peer connection closed'Success'

     PAckage ::::network::gatewayobjectERROR     Apr 10 15:10:40  [listener:1093]: worker 14154 killed
    CRITICAL  Apr 10 15:10:40  [worker:14154]: read_packet: read error 'Interrupted system call'
    ERROR     Apr 10 15:10:40  [listener:1093]: csc_waitpid: pid(14154) exited with signal 9

    No clue what this could tell me.

  • You need to expand the view.

    Try to look at this one with a wider time frame.

     

    If you do a tailf applog.log,

    then create the object. Watch PuTTY at the same time you press create.

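The correlation Toni describes (watch the log while you press Create, then read the whole request rather than only the last two lines) can be scripted. The following is an added example written for this page; it is not Sophos code and not something Mike or Toni posted. It groups applog.log lines into API requests using only the line shapes visible in the excerpts in this thread: the "Mon DD HH:MM:SS" prefix, "Request type =", "request mode ->", "entityjson...=HASH", "for opcode ..." and the trailing "<step> failed/Failed" lines. Every other line shape, and the rule that a request is closed once its own opcode reports a result, are assumptions of the script. The embedded sample is a copy of the lines posted above; run it on a copy of /log/applog.log pulled off the appliance.

```python
"""Group SFOS applog.log lines into API requests and report which step failed.

Added example, not Sophos code.  Line shapes are taken from the excerpts
posted in this thread (SFOS 17.5); anything else is an assumption.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# "Apr 10 22:06:12 <message>"; continuation lines carry no timestamp.
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2})\s?(?P<msg>.*)$")
MODE_RE = re.compile(r"request mode -> (\d+)")
ENTITY_RE = re.compile(r"entityjson::+(?P<entity>[\w:]+?)=HASH")
OPCODE_RE = re.compile(r"for opcode (\w+)")
FAIL_RE = re.compile(r"^(\w+) [Ff]ailed$")


@dataclass
class ApiRequest:
    started: str                      # timestamp of the "Request type" line
    request_type: str
    mode: Optional[str] = None        # apiInterface request mode (4301 in the thread)
    entity: Optional[str] = None      # e.g. network::gatewayobject
    opcode: Optional[str] = None      # e.g. add_gateway_object
    failed_steps: List[str] = field(default_factory=list)
    lines: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.failed_steps


def parse_applog(lines: Iterable[str]) -> List[ApiRequest]:
    """Split a log into requests; each one starts at a 'Request type =' line."""
    requests: List[ApiRequest] = []
    current: Optional[ApiRequest] = None
    for raw in lines:
        line = raw.rstrip("\n")
        m = LINE_RE.match(line)
        if not m:                               # continuation line without timestamp
            if current is not None:
                current.lines.append(line)
            continue
        ts, msg = m.group("ts"), m.group("msg").strip()
        if msg.startswith("Request type ="):
            current = ApiRequest(started=ts, request_type=msg.split("=", 1)[1].strip())
            current.lines.append(line)
            requests.append(current)
            continue
        if current is None:                     # noise outside any request (report graphs etc.)
            continue
        current.lines.append(line)
        mm, em, om, fm = (MODE_RE.search(msg), ENTITY_RE.search(msg),
                          OPCODE_RE.search(msg), FAIL_RE.match(msg))
        if mm:
            current.mode = mm.group(1)
        elif em:
            current.entity = em.group("entity")
        elif om:
            current.opcode = om.group(1)
        elif fm:
            current.failed_steps.append(fm.group(1))
            # Assumption: the request is finished once its own opcode reports a result.
            if fm.group(1) == current.opcode:
                current = None
    return requests


def summarize(requests: List[ApiRequest]) -> List[str]:
    """One line per request: when, what object/opcode, and which step broke."""
    out = []
    for r in requests:
        status = "OK" if r.ok else "FAILED at " + ", ".join(r.failed_steps)
        out.append(f"{r.started} type={r.request_type} mode={r.mode} "
                   f"entity={r.entity} opcode={r.opcode} {status}")
    return out


# Sample input: the applog.log lines posted in this thread (two attempts and
# the unrelated report-graph lines that sit between them).
SAMPLE_LOG = """\
Apr 08 19:12:57 Request type = 1
Apr 08 19:12:57 apiInterface:versionsupported: true.
Apr 08 19:12:57 apiInterface:request mode -> 4301.
Apr 08 19:12:57 apiInterface:Current ver :::'1702.1'
Apr 08 19:12:57 apiInterface:entityjson::::::::network::gatewayobject=HASH(0xab737c8)
Apr 08 19:12:57 Info:: Transaction will not be rolled back for opcode add_gateway_object. If any operation fails, request is part of multiple request :
Apr 08 19:12:57 add_gateway_config failed
Apr 08 19:12:57 add_gateway_object Failed
Apr 10 22:05:18
Graph[0]= policyconn , time[0]= hourly , Substrs[0]=NA
Apr 10 22:05:18
->input_string=policyconn,hourly,NA
Apr 10 22:06:12 Request type = 1
Apr 10 22:06:12 apiInterface:versionsupported: true.
Apr 10 22:06:12 apiInterface:request mode -> 4301.
Apr 10 22:06:12 apiInterface:Current ver :::'1702.1'
Apr 10 22:06:12 apiInterface:entityjson::::::::network::gatewayobject=HASH(0xa267988)
Apr 10 22:06:12 Info:: Transaction will not be rolled back for opcode add_gateway_object. If any operation fails, request is part of multiple request :
Apr 10 22:06:12 add_gateway_config failed
Apr 10 22:06:12 add_gateway_object Failed
"""

if __name__ == "__main__":
    # Usage: python applog_requests.py [/path/to/copied/applog.log]
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for row in summarize(parse_applog(src)):
        print(row)
```

On the posted sample this reports two requests, both mode 4301 on network::gatewayobject, both failing at add_gateway_config before add_gateway_object; the report-graph lines are dropped because they fall outside any request. That is the same conclusion Mike reached by eye, but on a full day's log the summary makes it quick to see whether any earlier gateway request ever succeeded and what differed in it.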

  • I copied some more from applog.log.

    Apr 10 22:05:18
    Graph[0]= policyconn , time[0]= hourly , Substrs[0]=NA
    Apr 10 22:05:18
    ->input_string=policyconn,hourly,NA
    Apr 10 22:06:12 Request type = 1
    Apr 10 22:06:12 apiInterface:versionsupported: true.
    Apr 10 22:06:12 apiInterface:request mode -> 4301.
    Apr 10 22:06:12 apiInterface:Current ver :::'1702.1'
    Apr 10 22:06:12 apiInterface:entityjson::::::::network::gatewayobject=HASH(0xa267988)
    Apr 10 22:06:12 Info:: Transaction will not be rolled back for opcode add_gateway_object. If any operation fails, request is part of multiple request :
    Apr 10 22:06:12 add_gateway_config failed
    Apr 10 22:06:12 add_gateway_object Failed

    From my point of view only the 22:06 lines relate to my "Create Gateway" Action.

    Unfortunately I can't get any reason why the create fails.

    Btw, upgraded to SFOS 17.5.11 MR-11, but it makes no difference.

  • After upgrading to SFOS 17.5.11 MR-11, the Web Management can no longer display the Configuration/Network page: "Check your network connection".

    Downgrading to SFOS 17.5.11 MR-10 the page is displayed again.

  • Hi Mike72,

    did you try clearing the cache after the upgrade?

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA


  • Hi rfcat_vk,

    thanks for the hint.

    Back on (SFOS 17.5.11 MR-11).

     

    P.S.: For everybody moving back and forth, make sure to upload the new firmware again. Otherwise the config won't get migrated from the previous version.

    Might cause some nasty surprises if you changed config on the old image in the meantime.

  • Hi Guys, somehow I managed to solve it by accident.

    I was able to create the Gateway by supplying a NAT Rule (MASQ).

    Once the Gateway was created I was able to switch it to no NAT Rule.

    Works now. Thanks for your help.

    Have a great Easter holiday & stay safe