
UTM 9 can't reach servers in local net

Hello!

So, UTM 9 can't reach servers in the local network from the UTM itself, as I said.

The UTM has a local interface 10.255.200.10. The server is 10.255.197.108. The firewall on the server is turned off.

I can ping the UTM local interface, but I cannot ping the server IP.

Traceroute from UTM:

traceroute to 10.255.197.108 (10.255.197.108), 30 hops max, 40 byte packets using UDP
 1  astaro.domain.com (UTM outside interface)(H!)  2997.048 ms (H!)  2995.811 ms (H!)  2994.614 ms

The UTM is trying to reach this server using the outside interface.

Routing table:

astaro:/root # ip route show table all
default via "ISP gateway" dev eth0  table 200  proto kernel onlink
local default dev lo  table 252  scope host
default via "ISP gateway" dev eth0  table default  proto kernel  metric 20 onlink
10.255.0.0/16 via 10.255.200.9 dev eth1  proto static  metric 5
10.255.200.8/29 dev eth1  proto kernel  scope link  src 10.255.200.10
"ISP network" dev eth0  proto kernel  scope link  src "UTM outside interface"
127.0.0.0/8 dev lo  scope link
broadcast 10.255.200.8 dev eth1  table local  proto kernel  scope link  src 10.255.200.10
local 10.255.200.10 dev eth1  table local  proto kernel  scope host  src 10.255.200.10
broadcast 10.255.200.15 dev eth1  table local  proto kernel  scope link  src 10.255.200.10
broadcast *.*.*.* dev eth0  table local  proto kernel  scope link  src "UTM outside interface"
local "UTM outside interface" dev eth0  table local  proto kernel  scope host  src "UTM outside interface"
broadcast *.*.*.* dev eth0  table local  proto kernel  scope link  src "UTM outside interface"
broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1
local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1
unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101
unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101
local ::1 dev lo  table local  proto none  metric 0
unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101

  • Added another server (10.255.200.13)

    Ping from 10.255.200.13 to 10.255.200.12:

    >ping 10.255.200.12

    Pinging 10.255.200.12 with 32 bytes of data:
    Reply from 10.255.200.12: bytes=32 time<1ms TTL=128
    Reply from 10.255.200.12: bytes=32 time<1ms TTL=128

    Ping statistics for 10.255.200.12:
        Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms

    Traceroute from 10.255.200.13 to 10.255.200.12:


    >tracert -d 10.255.200.12

    Tracing route to 10.255.200.12 over a maximum of 30 hops

      1    <1 ms    <1 ms    <1 ms  10.255.200.12

    Trace complete.


    Ping from 10.255.200.13 to 10.255.200.10

    >ping 10.255.200.10

    Pinging 10.255.200.10 with 32 bytes of data:
    Reply from 10.255.200.10: bytes=32 time<1ms TTL=64
    Reply from 10.255.200.10: bytes=32 time<1ms TTL=64

    Ping statistics for 10.255.200.10:
        Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms

    Traceroute 10.255.200.13 to 10.255.200.10
    >tracert -d 10.255.200.10

    Tracing route to 10.255.200.10 over a maximum of 30 hops

      1    <1 ms    <1 ms    <1 ms  10.255.200.10

    Trace complete.

    At the moment both servers have 2 interfaces:

    Server 1 - 10.255.197.108 (VLAN100) and 10.255.200.12 (VLAN101)

    Server 2 - 10.255.197.109 (VLAN100) and 10.255.200.13 (VLAN101)

    And I don't really need traffic between 10.255.197.108 and 10.255.200.13.

    Traffic goes the wrong direction inside the UTM itself, and I can't understand why...

  • You don't have any "forgotten about" static routes?

    Try to ping from server 10.255.200.12 to 10.255.197.109 and/or vice-versa and also do a traceroute for this. The traceroutes you did now stayed in the same subnet and will never be delivered to a default gateway. What we are trying to determine is where (and why) things go wrong and how traffic gets routed the way it does.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • The servers don't use any routes, except the default route.

    The routing table from the UTM I have already shown.


    Ping from Server 1 to server 2

    >ping 10.255.197.109

    Pinging 10.255.197.109 with 32 bytes of data:
    Reply from 10.255.197.109: bytes=32 time<1ms TTL=128
    Reply from 10.255.197.109: bytes=32 time<1ms TTL=128

    Ping statistics for 10.255.197.109:
        Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms
    Control-C
    ^C
    >tracert -d 10.255.197.109

    Tracing route to 10.255.197.109 over a maximum of 30 hops

      1    <1 ms    <1 ms    <1 ms  10.255.197.109

    Trace complete.


    Ping from Server 1 with -S 10.255.200.12  to Server 2

    >ping 10.255.197.109 -S 10.255.200.12

    Pinging 10.255.197.109 from 10.255.200.12 with 32 bytes of data:
    PING: transmit failed. General failure.
    PING: transmit failed. General failure.
    PING: transmit failed. General failure.
    PING: transmit failed. General failure.

    Ping statistics for 10.255.197.109:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

    Seems like traceroute on Windows can't use -S with IPv4.

  • Getting hard to further diagnose this, but I suppose you have all your default gateways set correctly? All devices have the respective UTM IP address configured as default gateway?

    I kind of suspect your 10.255.0.0/16 adds routing issues, since the router (10.255.200.9) falls in the 10.255.200.8/29 network. I suspect you also have a route like: 10.255.0.0/16 => 10.255.200.9.

    But as said before, 10.255.0.0/16 overlaps both 10.255.200.8/29 and 10.255.197.0/24.

    If you have any possibility (a small timeframe) where you could either disable the route to/from 10.255.0.0/16 or rename 10.255.0.0/16 to something that doesn't overlap with the other subnets, you could confirm or rule out whether or not this is the culprit.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
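The overlap question raised in this thread can be checked on paper by replaying the kernel's destination lookup over the main-table routes from the original post's `ip route show table all` output. The script below is an added example, not code from the thread or from Sophos: it parses those route lines, performs longest-prefix-match (then lowest metric) for a few destinations, and lists which prefixes nest inside others. The poster's redacted values ("ISP gateway", "ISP network", "UTM outside interface") are replaced with constructed placeholders from the 203.0.113.0/24 documentation range.

```python
"""Longest-prefix-match walk over the main-table routes posted in the thread.

Added example; the 203.0.113.x values stand in for the redacted ISP side and
are an assumption, everything else is copied from the posted `ip route` output.
"""
import ipaddress

# Main-table routes as posted, with the quoted redactions substituted (assumption).
UTM_MAIN_TABLE = """\
default via 203.0.113.1 dev eth0  table default  proto kernel  metric 20 onlink
10.255.0.0/16 via 10.255.200.9 dev eth1  proto static  metric 5
10.255.200.8/29 dev eth1  proto kernel  scope link  src 10.255.200.10
203.0.113.0/24 dev eth0  proto kernel  scope link  src 203.0.113.10
"""


def parse_routes(text):
    """Turn `ip route` lines into dicts with net, via (next hop), dev and metric."""
    routes = []
    for line in text.strip().splitlines():
        toks = line.split()
        dst = "0.0.0.0/0" if toks[0] == "default" else toks[0]
        route = {"net": ipaddress.ip_network(dst, strict=False),
                 "via": None, "dev": None, "metric": 0}
        # Walk the remaining tokens as key/value pairs; unknown keywords
        # such as "proto", "scope", "src" or "onlink" are simply skipped.
        for key, value in zip(toks[1:], toks[2:]):
            if key == "via":
                route["via"] = value
            elif key == "dev":
                route["dev"] = value
            elif key == "metric":
                route["metric"] = int(value)
        routes.append(route)
    return routes


def lookup(routes, dst):
    """Pick the route the kernel would use: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def describe(routes, dst):
    """One-line summary of the selected route for a destination."""
    r = lookup(routes, dst)
    if r is None:
        return f"{dst} -> no route"
    via = f" via {r['via']}" if r["via"] else ""
    return f"{dst} -> {r['net']}{via} dev {r['dev']}"


def nested_prefixes(routes):
    """Return (supernet, subnet) pairs where one non-default route contains another."""
    nets = [r["net"] for r in routes if r["net"].prefixlen > 0]
    return [(big, small) for big in nets for small in nets
            if big != small and small.subnet_of(big)]


if __name__ == "__main__":
    table = parse_routes(UTM_MAIN_TABLE)
    for target in ("10.255.197.108", "10.255.200.12", "10.255.200.9", "8.8.8.8"):
        print(describe(table, target))
    for big, small in nested_prefixes(table):
        print(f"overlap: {small} is inside {big}")
```

Against the posted main table, 10.255.197.108 selects 10.255.0.0/16 via 10.255.200.9 on eth1 and 10.255.200.12 selects the connected 10.255.200.8/29 on eth1; the only nesting is 10.255.200.8/29 inside 10.255.0.0/16, which is exactly the overlap the last reply points at. The script models the main table only: the posted output also contains table 200 with its own default via the ISP gateway, and `ip rule show` decides which table a packet is looked up in, so `ip route get 10.255.197.108` on the UTM itself is the authoritative check of where a packet actually leaves.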