SD-RED 60 (WLAN) and APX-320 - wireless & routing problem (2 problems)

Basic info: SG125w (FullGuard) with 4 APs locally, 1x RED15w (works), 1x SD-RED 60 (does not work), 1x APX-320 behind the SD-RED 60 (does not work either)

The base firewall has been running for 3 years without problems and has been extended again and again with RED devices and access points.
I recently got an SD-RED 60 in VLAN mode including the WiFi module. This one is causing problems.

The following problem exists:

When I restart the SD-RED 60 (power cycle, reboot, or switching it off and on through the GUI, it doesn't matter), the SG firewall "forgets" to set the routes for the networks connected there. As a result, all communication to/from that site is completely interrupted. (empty routes)

Workaround:

I have to manually deactivate and reactivate the interface once in the GUI of the SG firewall. Then the routes are set. Communication then works until the next reconnect. (screen interface on/off)

The problem with that:

At the remote site, a switch (Aruba 2930F) hangs behind the RED. It accepts 3 VLANs (661, 662, 663) from my RED appliance over one interface (LAN1). All VLAN tags are set. DHCP is enabled for VLAN 661 (remote-mgmt-vlan) in the SG firewall GUI (no relay). Further away, an APX-320 is connected to this switch.

This APX-320 registers cleanly as an access point in the SG firewall (as long as the routes are set).

However, the access point inside the SD-RED 60 device is not shown as Pending. Therefore I cannot add it either.

Suggestions from you are welcome ;)

  • here is the RED config as well

    I still owed you that ;-)

    Sophos Certified Architect - UTM
    using Sophos UTM since Astaro ASG v7 ;-)

    PDV-Systeme GmbH est. 1985 is
    Gold Solution Partner since 2009

  • Hallo,

    (Sorry, my German-speaking brain isn't creating thoughts at the moment.)

    You're right, that all looks like it should work all the time.  Are you seeing any related blocks in the firewall log?  1.2.3.4? Ports 3400 or 3410?  What about the wireless log?

    Regards - Bob (Please continue in German.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    I partially solved this problem, working till around 3am in the morning (tested 4 different RED devices on 3 different UTM firewalls)


    Thanks for the tip: I've checked the firewall log for anything. I didn't find any blocked packets in the traces :-(

    There are 5 more RED devices connected to this firewall. I even moved/provisioned this particular RED device to/at another UTM and compared the different behavior. Still no change in any tried option.

    FUN FACT - I found out how to make the internal WiFi access point usable:

    One thing I found out about those new RED devices (in comparison to other RED devices - I have a RED15, RED15w and a RED50 for testing here):

    - You can use the internal AP by having an Ethernet interface (no VLAN) on the redsXX interface enabled
      (with internal DHCP and AP registration allowed)
      Then the AP appears and you can provision it as usual

    My workaround for the customer now is very crude, but the RED device has to ship today :-(

    1. I have an Ethernet interface (untagged) on the reds5 interface in UTM (NOT in the RED config itself - just for the internal AP)
    2. I have 3 VLAN interfaces (tagged) on the reds5 interface in UTM (also in the RED provisioning config)
    3. I use an Aruba switch to make use of those VLANs (on a single uplink interface)
    4. The external APX-320 now runs connected to one port of the Aruba switch (DHCP & registration allowed on the VLAN interface)
    5. After a reconnect I manually disable the VLAN interfaces and reactivate them to create the connected routes on the reds5 interface


    Still one problem remains with me:

    ==> UTM does not create "connected" routes for the RED device after a reconnect happens

    ==> Hell: I even created static routes for those VLAN interfaces on the RED device, but it does not help, as those do not start to work when the RED device reconnects :-(


    I even tried using all interfaces as VLANs in SD-RED switch mode (not VLAN mode) like you could do on a RED10 or RED15(w) device, but then NO packet runs over the RED tunnel to the SD-RED! There seems to be something like a VLAN tag filter...

    - Is this now a software bug in the RED devices or a problem with the UTM firmware (being incompatible with the SD-RED devices)?
    - Is this happening on SD-RED 20 devices as well?

    I hope someone can clear some things up for me.
    BTW: a Sophos case is opened (03****88) through the new Support Portal, but no one has contacted me about it for more than 2 days. (not even a first contact, only the email .... thank you for contacting Sophos bla bla bla ...) The case is on its 3rd day now.

    Sophos Certified Architect - UTM
    using Sophos UTM since Astaro ASG v7 ;-)

    PDV-Systeme GmbH est. 1985 is
    Gold Solution Partner since 2009

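An added check for the symptom described in this thread (not code from the thread or from Sophos): it parses standard iproute2 output from the UTM shell and lists reds interfaces that carry an IPv4 address but have no connected (proto kernel) route, which is exactly what is left after the RED reconnect. The reds5.66x interface names and 10.66.x.0/24 addresses are constructed sample values, and the script assumes the UTM's `ip` command prints the usual Linux format.

```python
import ipaddress
import re

# Constructed sample of `ip -o -4 addr show` on the UTM shell (assumed names
# and addresses for the reds5 VLAN sub-interfaces; not taken from the thread).
SAMPLE_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
12: reds5.661    inet 10.66.1.1/24 brd 10.66.1.255 scope global reds5.661
13: reds5.662    inet 10.66.2.1/24 brd 10.66.2.255 scope global reds5.662
14: reds5.663    inet 10.66.3.1/24 brd 10.66.3.255 scope global reds5.663
"""

# Constructed sample of `ip -4 route show` after a RED reconnect: only one of
# the three VLAN subnets still has its connected (proto kernel) route.
SAMPLE_ROUTE = """\
default via 192.0.2.1 dev eth1
10.66.1.0/24 dev reds5.661 proto kernel scope link src 10.66.1.1
192.0.2.0/24 dev eth1 proto kernel scope link src 192.0.2.10
"""


def parse_addrs(addr_output):
    """Map interface name -> list of IPv4 subnets configured on it."""
    nets = {}
    for line in addr_output.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+inet\s+(\S+)", line)
        if m:
            net = ipaddress.ip_interface(m.group(2)).network
            nets.setdefault(m.group(1), []).append(net)
    return nets


def parse_connected_routes(route_output):
    """Return {(subnet, ifname)} for every 'proto kernel scope link' route."""
    routes = set()
    for line in route_output.splitlines():
        m = re.match(r"(\S+)\s+dev\s+(\S+)\s+proto kernel scope link", line)
        if m:
            routes.add((ipaddress.ip_network(m.group(1)), m.group(2)))
    return routes


def missing_connected_routes(addr_output, route_output, prefix="reds"):
    """'ifname subnet' for RED interfaces with an address but no connected route."""
    have = parse_connected_routes(route_output)
    missing = []
    for ifname, subnets in sorted(parse_addrs(addr_output).items()):
        if ifname.startswith(prefix):
            missing += [f"{ifname} {n}" for n in subnets if (n, ifname) not in have]
    return missing
```

On a live UTM, feed the real `ip -o -4 addr show` and `ip -4 route show` output into `missing_connected_routes`; a non-empty result after a RED reconnect is the moment the VLAN interfaces need to be bounced.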
  • Still nothing heard from Sophos?

    MfG - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yes, about 2 hours ago "they" woke up.

    I replied to support that I'll be in the office tomorrow morning from 8:00 and that they should call me.
    I'm waiting and ready ;-)

    Sophos Certified Architect - UTM
    using Sophos UTM since Astaro ASG v7 ;-)

    PDV-Systeme GmbH est. 1985 is
    Gold Solution Partner since 2009

  • Hi Bob,

    I haven't heard anything from Sophos Support in 6 days now. So I called in in Germany. They directly redirect you to global support in India.

    I sent them a list of things that I had already tried.

    1. attempt: I was kicked off the line
    2. attempt: I was able to pinch that guy to look at the customer's firewall himself (Did you know they now use 123remote.com for remote sessions?)

    That session took around 1 hour and the only thing was that I had to show everything I did.

    At the end they didn't know what I did at the beginning of the session :-(

    Weirdest thing now is:
    I now know why I heard nothing from them. I initially created a support token (for 7 days - just in case) and submitted the access code with the initial case. That token expired 5 days ago, so they decided to do nothing!?!?!?!?
    (maybe write a mail: please recreate the token so we/Sophos can analyze...???)

    Sophos is really turning to madness in the last months. I actually forwarded the whole case to our sales department. I received the strangest answer: >> We already heard from other guys/technicians. We (our company) plan to move to Fortinet...

    Sad... Sophos.... Very sad....

    Sophos Certified Architect - UTM
    using Sophos UTM since Astaro ASG v7 ;-)

    PDV-Systeme GmbH est. 1985 is
    Gold Solution Partner since 2009

  • Since my 1 hour call today at around 9:30 am, the support token of the customer's firewall hasn't been used at any time.
    I exported the whole log, just to check again (couldn't believe it)

    So no person at Sophos took a look at the customer's problem.

    What is wrong with Sophos?
    This is really killing my weekend.

    Today I reactivated an old RED50 (it was bricked, so I re-flashed it)
    Tested the whole construct here in my home office (connected to the customer's firewall over the internet)

    IT FREAKIN WORKS!!!!

    This is messed up coding of the new SD-RED firmware!
    I can't believe it. This problem is killing me.

    PLZ Sophos fix that immediately.
    It can't be the solution to use old hardware and software to make VLANs work... WHY

    Greetings, Franz

    Sophos Certified Architect - UTM
    using Sophos UTM since Astaro ASG v7 ;-)

    PDV-Systeme GmbH est. 1985 is
    Gold Solution Partner since 2009

  • So guys, my problem still isn't solved. (11 weeks in the case with Sophos)

    I now had my remote session AFTER 10 WEEKS of waiting. (only through help by the Sophos sales team!!!)
    "They" (Sophos Support - India) wanted me to activate 4 untagged (Ethernet) interfaces on interface "reds5"

    Told them that is not possible. So I granted access to the WebAdmin and watched (popcorn out).
    They didn't believe me until the WebAdmin GUI told them it's not possible. Then they believed me.

    What would be possible is having 4 VLAN interfaces on interface "redsX" and sending all 4 of them as untagged (PVID set) over the RED switch. But what happens if more VLANs are needed...
    AND
    this does not activate the kernel routes either...

    So no solution at all

    Still waiting for another "great" idea.

    Franz

    Sophos Certified Architect - UTM
    using Sophos UTM since Astaro ASG v7 ;-)

    PDV-Systeme GmbH est. 1985 is
    Gold Solution Partner since 2009

  • Have you requested escalation of this case, Franz?  Maybe you can get it moved to the Vancouver Canada office.  They open at 17:00 your time, so you would need to be available in the evening if it's possible to move the case there.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Is there still somebody somewhere else than global support from India?
    I only got calls from +1 xxx xxx xxxx numbers. (not +91 xxxx xxx xxxxx)
    I assumed nobody else was left.

    The case has been escalated twice (once by me, and a second time by the German sales head office after a major fight)

    So I'm happy if this is possible.
    I will try that shortly. (after the weekend)

    Thanks for the heads-up.

    Merci - Franz

    Sophos Certified Architect - UTM
    using Sophos UTM since Astaro ASG v7 ;-)

    PDV-Systeme GmbH est. 1985 is
    Gold Solution Partner since 2009