
Strange routing behaviour

Hi,

I have a very strange behaviour with our UTM and one of our customers' UTMs. Historically we have more than one gateway in our LAN (yes... I know, we are working on a better network design). One gateway (.101) is responsible for the VPN connections to our customers (Cisco ASA 5510), the other one (.100, Sophos SG230) is our default gateway and has static routes for the remote networks to be redirected to the ASA.

We have a monitoring system in our LAN that - amongst other things - checks the UTM management ports of our customers' WAN interfaces. There are no static or dynamic routes for 4444, so the traffic normally goes over our UTM and its VDSL modem and everything is fine. The default gateway of the monitoring system is the .100 and no route entries exist.

So, after 2 or 3 weeks the UTM management port goes down for only one customer. If I check his WebAdmin I can see 4444 connections coming from our ASA. Since the checks normally go out over our UTM, only that WAN IP address is allowed to connect to the customer's WebAdmin.

If I traceroute the IP from our monitoring system the traffic is leaving our network over the 2nd gateway. If I traceroute the same from our UTM, it leaves the network over the normal VDSL connection.

I know, asynchronous routing is a bit... but how can something like this happen? The VPN gateway uses different IPs for NAT (that one hits the customer's UTM when my "problem" happens) and VPN. Our UTM is only routing the remote networks, not the external IPs to the second gateway.

  • Doesn't the routing problem have to be in the ASA 5510, Kevin?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    the ASA shouldn't be involved in the traffic anyway, but it is. Client -> UTM -> Internet -> Other UTM. The more I dive into this, the more it seems to be an issue with our monitoring system.

    If I traceroute the connection from my PC it goes the above way (the SG is involved as 1st hop) - everything fine.
    If I traceroute the same IP from our monitoring system the 1st hop is the outside router of the ASA. That our ASAs don't appear in traceroutes is OK; I enabled it on both involved UTMs temporarily...

    I simply don't get why the monitoring server goes the ASA way. I must confess, I'm no Linux expert, but I thought that ifconfig and ip route should give me the same information on this system as on my UTMs. On the monitoring system I only find a default route pointing to the UTM, and on the UTM I find only a few public IPs routed to the ASA, plus all the private networks that are connected via VPN.

    The external address of the second UTM (or subnet) has no explicit route anywhere.

    Edit: I added an explicit route for the address on the monitoring system and now it takes the right way, but what causes that "taking the wrong default gateway" isn't clear to me...

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

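One way to check, on the Linux monitoring host, which gateway the kernel actually picks for a given destination instead of reading the main table alone (an added example, not from the thread or from Sophos; the 192.168.0.x and 203.0.113.x addresses are constructed example values):

```shell
#!/bin/sh
# Added example. `ip route get` performs the kernel's real lookup for one
# destination, including policy rules (`ip rule`) and tables other than
# "main", which a plain `ip route` listing does not show.

# Print the "via" next hop from one line of `ip route get` output,
# or "direct" when the destination is on-link (no "via" keyword).
next_hop_of() {
    set -- $1              # split the line into words (intended)
    while [ "$#" -gt 1 ]; do
        if [ "$1" = "via" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    printf 'direct\n'
}

# Compare the kernel's choice for $1 against the gateway you expect ($2).
# Returns 0 on a match; on a mismatch, dumps what else can steer the choice.
check_next_hop() {
    dst=$1
    expected=$2
    line=$(ip route get "$dst" 2>/dev/null | head -n 1)
    [ -n "$line" ] || { echo "ip route get $dst failed"; return 2; }
    hop=$(next_hop_of "$line")
    if [ "$hop" = "$expected" ]; then
        echo "OK: $dst leaves via $hop ($line)"
        return 0
    fi
    echo "MISMATCH: $dst leaves via $hop, expected $expected"
    echo "--- policy rules: a table listed before 'main' wins ---"
    ip rule show
    echo "--- routes in every table, not just main ---"
    ip route show table all
    echo "--- whether this host accepts ICMP redirects from its gateway ---"
    sysctl net.ipv4.conf.all.accept_redirects 2>/dev/null
    return 1
}

# Constructed usage: the customer's WAN address and our expected default
# gateway (.100) are placeholders; run on the monitoring host as root.
# check_next_hop 203.0.113.10 192.168.0.100
```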