Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Table of Content
Overview:
To avoid conflicting routing issues resulting in malfunctioning of RED connection problems between Sophos Firewall or UTM, we recommend always avoiding having the RED uplink network overlap with any split network part of the configuration.
E.g: the RED uplink router has the network range 192.168.1.0/24, and then one of the internals split network has the same network.
It is very common that some ISPs provide the routes/modem preset DHCP configuration to their devices on the range 192.168.1.0/24, which means that the RED WAN link will pull one IP of this range.
Scenario:
In a scenario where the conflict is existent, is possible to see on the syslog.log pulled out from the RED log some fallback calls, which are used whenever there might be a configuration/setup problem with the RED.
2019:08:01-11:40:10 hq-1 red_server[6922]: A3501F4A4555555: command '\{"data":
{"message":"Received device configuration from UTM using network fallback mode successfully"},"type":"DISCONNECT"}'
NOTE: In some circumstances having the RED uplink network overlapping with one of the split networks,
will not affect the tunnel connectivity, but those events having this configuration will not be guaranteed since this is not a supported setup.
What are the options or recommended approaches?
- Change the internal network of that split network being advertised
- Change the modem's private IP range to not be in the split network range (easiest and recommended)
- Change to full tunnel
- Put the ISP modem into bridge mode and have the public IP on the WAN interface of the RED. This won’t work if it's a PPPoE connection (most difficult, and not many modems and ISPs support this)
Horizontal Line, Grammar
[edited by: emmosophos at 10:52 PM (GMT -8) on 14 Nov 2023]