
L2 Connection Between XGS2100

I am having issues configuring a connection between two Sophos firewalls and I am hoping someone can help.

The firewalls are installed in two datacenters which are operated by the same provider. Both sites are currently configured with a WAN/internet connection and traffic is routed via an IPsec VPN.

A new 1GB service has been installed to connect both sites. This service is an MPLS connection managed by the data center and will provide Layer 2 connectivity between both locations. The service is delivered by a primary and a backup MPLS circuit; the provider has also referred to the circuit as a Pseudowire.

I believe there are two options with regard to the configuration: connect the service to a switch at either site so that one or many VLANs could then span both locations, or connect the service to a firewall at each site and configure routing. I plan to configure the connection on the firewall.

Each site already has a Sophos XGS 2100 Active/Passive HA pair; monitoring will be configured via PING, with failover in the event of an issue.

The primary circuit has been connected to the active firewall at both sites at PORT 6. Port 6 has been configured as a LAN port: SITE A (DERBY) 10.110.255.1/24, SITE B (WAKE) 10.110.255.2/24. The ports are up and negotiated at 1000 Mbps FULL duplex, but I am unable to complete a ping test using the firewall diagnostics.

Below is the port configuration at both sites.

And the packet captures when completing a PING from either site.



WAKE does appear to be receiving traffic from DERBY.

The ARP table from both sites.


From my tests, and with assistance from SOPHOS Support, it appears that the connection is not functioning correctly, but the service provider assures me their tests have been successful.

Is any additional configuration required other than the port? Does anyone have any suggestions for tests that I can complete? I am trying to escalate this issue with the supplier.



  • I have identified the cause of the issue: each site has been configured with the same HA cluster ID, which has caused duplicate MAC addresses.

    I have created a MAC override, but I have asked Sophos support for advice on best practices, as I would like to avoid reconfiguring HA. Alternatively, I could avoid using Port6 at both sites.

    Does anyone have any experience with duplicate MAC addresses and HA clusters?

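The root cause above (two HA pairs with the same cluster ID presenting the same virtual MAC on the directly connected ports) shows up as one MAC answering for two different IPs once the ARP tables from both sites are read together. The script below is an added example, not part of the original thread or of any Sophos tooling: it parses ARP entries in a simplified, constructed `IP MAC interface` layout (not SFOS's exact ARP output), merges the entries from both sites, and flags any MAC claimed by more than one IP. The MAC values and the second "after MAC override" table are constructed for illustration.

```python
# Added example (not from the original thread or from Sophos): detect MAC
# collisions across the ARP tables of two sites joined by an L2 link.
import re
from collections import defaultdict

# Constructed sample ARP tables in a simplified "IP MAC interface" layout.
# Both HA pairs share a cluster ID, so Port6 at DERBY and at WAKE present the
# same (made-up) virtual MAC 00:aa:bb:cc:dd:06.
DERBY_ARP = """\
10.110.255.2   00:aa:bb:cc:dd:06   Port6
192.168.10.5   00:11:22:33:44:55   Port1
"""

WAKE_ARP = """\
10.110.255.1   00:aa:bb:cc:dd:06   Port6
192.168.20.9   66:77:88:99:aa:bb   Port1
"""

# Constructed: the same tables after a MAC override on WAKE's Port6.
WAKE_ARP_AFTER_OVERRIDE = """\
10.110.255.1   00:aa:bb:cc:dd:06   Port6
192.168.20.9   66:77:88:99:aa:bb   Port1
"""
DERBY_ARP_AFTER_OVERRIDE = """\
10.110.255.2   02:00:00:00:00:02   Port6
192.168.10.5   00:11:22:33:44:55   Port1
"""

# One ARP line: IP, colon-separated MAC, interface name.
ARP_LINE = re.compile(
    r"^(\S+)\s+([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s+(\S+)\s*$"
)


def parse_arp(text, site):
    """Return (site, ip, mac, iface) tuples; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            ip, mac, iface = m.groups()
            entries.append((site, ip, mac.lower(), iface))
    return entries


def find_mac_collisions(entries):
    """Map each MAC to the sorted list of distinct IPs claiming it, keeping only
    MACs seen for more than one IP. Across an L2 link this is the signature of
    the duplicate-cluster-ID problem: each side learns the peer's IP with the
    very MAC its own port is using, so replies never leave the local box."""
    ips_by_mac = defaultdict(set)
    for _site, ip, mac, _iface in entries:
        ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


def collisions_between(site_a_text, site_b_text):
    """Convenience wrapper: merge two sites' ARP tables and report collisions."""
    entries = parse_arp(site_a_text, "DERBY") + parse_arp(site_b_text, "WAKE")
    return find_mac_collisions(entries)


if __name__ == "__main__":
    print("before override:", collisions_between(DERBY_ARP, WAKE_ARP))
    print("after override: ",
          collisions_between(DERBY_ARP_AFTER_OVERRIDE, WAKE_ARP_AFTER_OVERRIDE))
```

Running it on the constructed tables reports the shared MAC with both 10.110.255.x addresses before the override and an empty result afterwards; on real firewalls the same check can be run on the ARP tables exported from each site's diagnostics page.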