

Static route from CLI being removed

Hey there,

My DHCP IP address from my carrier is 203.xx.xx.xx/16 but the gateway is in a different subnet 100.xx.xx.01.. wacky system, but not one I was really expecting..

The issue I'm running in to is that I'm trying to establish a backup IPSec tunnel for this service and so I want the remote site to be specifically routed out of this interface.. I've attempted to set this in the GUI as follows but the traffic just doesn't head out that interface.. I've tried SD-WAN routes too.. but again, it stubbornly refuses to go out this gateway..

What does work however is setting a static route via the CLI..

XG115_XN02_SFOS 19.0.1 MR-1-Build365# ip route add 202.xxx.xxx.xxx/32 dev Port2

XG115_XN02_SFOS 19.0.1 MR-1-Build365#

This works really well and the failover configuration is fantastic.. until at midnight a day or two later the static route is removed..

Any help would be greatly appreciated..



  • Hi Josh,

    Thank you for reaching out to Sophos Community.

    Any findings from Log viewer, events under Admin, or you can try to check the zebra.log?

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • ip route commands on advanced shell are not officially supported and will be replaced after a while (or reboot). 

    You should configure the route via Webadmin. If you do it via Webadmin, the route should work - If not, you should look into the packet capture and check the route precedence. 


  • Ok, but what about IPSec? What if I wanna add a static route to IPSec via GUI? I can't select the next hop as the IPsec interface. Or I'm missing something. In the GUI I can choose it only in multicast routing, where the interface is called "ipsec connections".

    __________SETUP___________

    HP Small Form Factor:  i5 4Cores, 8Gb of RAM.
    Intel Network Card 5x Eth
    SSD: 256Gb

  • Generally speaking, IPsec will set its own routes via policy-based VPN. So there are routes between the local and remote subnets.

    You can manually set a route as well: support.sophos.com/.../KB-000035839


  • Thanks for your response.. while it SHOULD work, unfortunately it just doesn't.. 

    My route precedence has statics as numero uno..

    console> system route_precedence show
    Routing Precedence:
    1. Static routes
    2. SD-WAN policy routes
    3. VPN routes

    I've deleted and re-added the route via Webadmin.. zebra.log shows that it's been applied..

    2022/12/21 22:24:06Z ZEBRA: Calling static_delete_ipv4

    2022/12/21 22:24:06Z ZEBRA: Calling static_uninstall_ipv4

    2022/12/21 22:24:07Z ZEBRA: ####Applied static route successfully
    2022/12/21 22:24:38Z ZEBRA: ####Applied static route successfully

    The traffic stubbornly chooses to follow default and heads out the wrong port.. the static tells it to use Port2, but it keeps going out Port3.. I've even tried using a more general /29 to see if it improves but no change..

    XG115_XN02_SFOS 19.0.1 MR-1-Build365# tcpdump -ni any host 202.xxx.xxx.218
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
    09:29:12.906663 Port3, OUT: IP 203.xxx.xxx.15.500 > 202.xxx.xxx.218.500: isakmp: parent_sa ikev2_init[I]
    09:29:54.897073 Port3, OUT: IP 203.xxx.xxx.15.500 > 202.xxx.xxx.218.500: isakmp: parent_sa ikev2_init[I]
    09:31:10.481287 Port3, OUT: IP 203.xxx.xxx.15.500 > 202.xxx.xxx.218.500: isakmp: parent_sa ikev2_init[I]
    09:31:14.481522 Port3, OUT: IP 203.xxx.xxx.15.500 > 202.xxx.xxx.218.500: isakmp: parent_sa ikev2_init[I]
    09:31:21.681874 Port3, OUT: IP 203.xxx.xxx.15.500 > 202.xxx.xxx.218.500: isakmp: parent_sa ikev2_init[I]
    09:31:34.642293 Port3, OUT: IP 203.xxx.xxx.15.500 > 202.xxx.xxx.218.500: isakmp: parent_sa ikev2_init[I]
    09:31:57.970626 Port3, OUT: IP 203.xxx.xxx.15.500 > 202.xxx.xxx.218.500: isakmp: parent_sa ikev2_init[I]

    Put the route in via CLI.. 

    XG115_XN02_SFOS 19.0.1 MR-1-Build365# ip route add 202.xxx.xxx.216/29 dev Port2
    XG115_XN02_SFOS 19.0.1 MR-1-Build365# tcpdump -ni any host 202.xxx.xxx.218
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
    09:50:20.800267 Port2, OUT: ARP, Request who-has 202.xxx.xxx.218 tell 203.xxx.xxx.15, length 28
    09:50:21.408599 Port2, IN: ARP, Reply 202.xxx.xxx.218 is-at a8:d0:e5:52:18:01, length 46
    09:50:21.408630 Port2, OUT: IP 203.xxx.xxx.15.500 > 202.xxx.xxx.218.500: isakmp: parent_sa ikev2_init[I]
    09:50:23.177610 Port2, IN: IP 202.xxx.xxx.218.500 > 203.xxx.xxx.15.500: isakmp: parent_sa ikev2_init[R]
    09:50:23.187419 Port2, OUT: IP 203.xxx.xxx.15.500 > 202.xxx.xxx.218.500: isakmp: child_sa ikev2_auth[I]
    09:50:23.909241 Port2, IN: IP 202.xxx.xxx.218.500 > 203.xxx.xxx.15.500: isakmp: child_sa ikev2_auth[R]

    Unfortunately, the route removal certainly appears to be by design.. it happens bang on 12:00 every couple of days, which is a bit of a shame because the solution is being actively removed by Sophos...
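Added example, not part of the thread and not Sophos code: a small Python checker for the `tcpdump -ni any` output format shown above, where each line carries the interface and direction (`Port3, OUT:`). It confirms which port outbound IKE packets to the peer actually leave on, whether the peer answers at all, and flags any interface other than the one the operator intended, which is the same check the poster did by eye before and after adding the route. The addresses and capture lines below are constructed using RFC 5737 documentation ranges.

```python
"""Check which interface IKE traffic to a VPN peer actually egresses on.

Parses the `tcpdump -ni any` line format seen on SFOS, where every packet
line starts with a timestamp, the interface and the direction (IN/OUT).
Capture lines and addresses below are constructed for the example.
"""
import re
from collections import Counter

# Generic packet line: timestamp, interface, direction, then IP or ARP payload.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<iface>\S+),\s+(?P<dir>IN|OUT):\s+"
    r"(?P<proto>IP|ARP),?\s+(?P<rest>.*)$"
)
# For IP lines: "src.sport > dst.dport:" as tcpdump prints it with -n.
IP_FLOW_RE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

PEER = "198.51.100.218"          # constructed: the remote IPsec gateway
EXPECTED_IFACE = "Port2"         # the port the backup tunnel should use

# Constructed capture before the route existed: IKE leaves Port3, no reply.
CAPTURE_BEFORE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
09:29:12.906663 Port3, OUT: IP 203.0.113.15.500 > 198.51.100.218.500: isakmp: parent_sa ikev2_init[I]
09:29:54.897073 Port3, OUT: IP 203.0.113.15.500 > 198.51.100.218.500: isakmp: parent_sa ikev2_init[I]
"""

# Constructed capture after the route: ARP on Port2, then IKE_SA_INIT and
# IKE_AUTH exchanges complete in both directions.
CAPTURE_AFTER = """\
09:50:20.800267 Port2, OUT: ARP, Request who-has 198.51.100.218 tell 203.0.113.15, length 28
09:50:21.408599 Port2, IN: ARP, Reply 198.51.100.218 is-at 02:00:00:00:00:01, length 46
09:50:21.408630 Port2, OUT: IP 203.0.113.15.500 > 198.51.100.218.500: isakmp: parent_sa ikev2_init[I]
09:50:23.177610 Port2, IN: IP 198.51.100.218.500 > 203.0.113.15.500: isakmp: parent_sa ikev2_init[R]
09:50:23.187419 Port2, OUT: IP 203.0.113.15.500 > 198.51.100.218.500: isakmp: child_sa ikev2_auth[I]
09:50:23.909241 Port2, IN: IP 198.51.100.218.500 > 203.0.113.15.500: isakmp: child_sa ikev2_auth[R]
"""


def parse_capture(text):
    """Return one dict per packet line; banner lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        if rec["proto"] == "IP":
            flow = IP_FLOW_RE.match(rec["rest"])
            if flow:
                rec.update(flow.groupdict())
        records.append(rec)
    return records


def egress_interfaces(records, peer):
    """Count outbound IP packets addressed to `peer`, keyed by egress interface."""
    return Counter(
        r["iface"] for r in records
        if r["dir"] == "OUT" and r["proto"] == "IP" and r.get("dst") == peer
    )


def peer_replied(records, peer):
    """True if at least one inbound IP packet from `peer` was captured."""
    return any(
        r["dir"] == "IN" and r["proto"] == "IP" and r.get("src") == peer
        for r in records
    )


def check_egress(records, peer, expected_iface):
    """Return a sorted list of interfaces (other than the expected one) that
    carried outbound traffic to `peer`; an empty list means the route held."""
    seen = egress_interfaces(records, peer)
    return sorted(i for i in seen if i != expected_iface)


if __name__ == "__main__":
    for label, cap in (("before", CAPTURE_BEFORE), ("after", CAPTURE_AFTER)):
        recs = parse_capture(cap)
        print(label, "egress:", dict(egress_interfaces(recs, PEER)),
              "peer replied:", peer_replied(recs, PEER),
              "unexpected:", check_egress(recs, PEER, EXPECTED_IFACE))
```

Feeding a live capture into `parse_capture` (for example, output of `tcpdump -ni any host <peer>` saved to a file) makes the "wrong port" symptom in the thread a one-line check rather than something read off a scrolling terminal, and running it periodically is a cheap way to notice when a route that was holding has been silently removed.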

  • So you want to control which interface / route is being used for IPsec, is this your goal?

    Static routing is likely not the correct approach here.

    Try the following: 

    Add an SD-WAN route for your traffic (your destination for example).

    https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/SDWANRoutes/RoutingSDWANRoutesAdd/index.html

    Then check if the SD-WAN Routes are applied for System generated traffic: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/SDWANRoutes/RoutingSDWANRoutesBehavior/index.html#reply-packets


  • That's it!.. SD-WAN policy route with the console command to ensure that system generated traffic goes out the correct port..

    Thanks very much for your assistance and sharing your knowledge..