This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SG 310(firmware 9.355-1) between a cisco switch 2960(vlan801) and cisco router 2911 (2911 connected to 2960 on WAN connection). No internet - nothing works

SG 310(firmware 9.355-1) appliance when installed between a cisco 2960(vlan801) and cisco router 2911 Default gateway (2911 connected to 2960 on WAN connection). SG310 blocks the internet and cannot even ping the DG which is cisco 2911.  
Here is the net config:  My subnet is 10.10.11.0/24 cisco 2960 (vlan 801) is connected to router cisco 2911 connected via internet WAN connection, everything works great.  The moment SG 310 (in a bridge) is introduced between the switch 2960 and the router 2911 it blocks all protocols, internally i can see the flowing firewall logs and mostly it is blocking external traffic, drop packets TCP etc.  Eth1 WAN port on SG310 is connected to the internet connection (WAN from the internet to  my router 2911), and Eth0 LAN port on SG310 goes into my cisco switch 2960.  This does not work.  Sophos techs have checked all the internal config on the SG310 like firewall etc and cannot detect any running logs as the connection drops the mement SG310 is introduced.  Need help

Cisco 2960     ............................> >>>>  LAN   SG310 UTM    WAN port<<<<<.........Cloud + ISP....................>>>>>Router Cisco 2911

Vlan 801                                                             STOPS ALL TRAFFIC                                                                                                                                                                                              All routing here at 2911

subnet 10.10.11.0/24



This thread was automatically locked due to age.
Parents
  • Hi, and welcome to the UTM Community!

    Agreed with Dlabun.  Then again, to which "Sophos techs" are you referring?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • Hi, and welcome to the UTM Community!

    Agreed with Dlabun.  Then again, to which "Sophos techs" are you referring?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • BALfson;

    I am referring to Sophos UTM support: https://doc.sophos.com/support/help/en-us/contact/index.html 

    I have been working with Sophos UTM for a long time now.  As at our one location 1 we have no issues with SG 310. 
    This brand new install at location 2 is causing issues.
  • Did Sophos have actual remote access to your box or did they just check the configuration over the phone?

  • Firstly, how are your ports configured on your Cisco's? Are they in trunk or access mode?

    Might be wrong, but I suspect they are in trunk mode which will allow traffic between them but putting something in between with the incorrect configuration will block the traffic. If the Cisco's are set to trunk mode & 802.1q, the UTM needs set accordingly with appropriate vlans.

    If they are in access mode, then a straight forward ethernet connection will work.

    In the UTM, are the ports showing as up and is there any traffic flowing (on the dashboard?)
    They can show as up but the tell tale sign is "0" in the traffic meter on the dashboard

    In the UTM, under tools, you should be able to ping the Cisco's. If not, you have a config error on the ports.

    If you can ping etc, you have connectivity and now you're getting down to routing and firewall issues.
    But first things first, check the ports and config on the Cisco's to see how they are connected. I had this very issue this week but am so use to it with Cisco's, it's second nature to me.

  • Louis,
    You are getting there. 
    So on my Cisco switch 2960 the port connecting to the router is 48:

    interface GigabitEthernet0/48
     description source port
     switchport access vlan 801
     speed 1000
     duplex full
     no cdp enable
    !

    Also I checked my notes all vlans are accepted on the switch.

    show vlans: shows all vlans (1, 92, 425,1002, 1003, 1005 etc and 801) active while all ports working under 801
    Also I checked on the switch

    ***************************************************************************************
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Gi0/49, Gi0/50
    92   VLAN0092                         active
    420  VLAN0420                         active
    425  VLAN0425                         active
    801  VLAN0801                         active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                    Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                                    Gi0/9, Gi0/10, Gi0/11, Gi0/12
                                                    Gi0/13, Gi0/14, Gi0/15, Gi0/16
                                                    Gi0/17, Gi0/18, Gi0/19, Gi0/20
                                                    Gi0/21, Gi0/22, Gi0/23, Gi0/24
                                                    Gi0/25, Gi0/26, Gi0/27, Gi0/28
                                                    Gi0/29, Gi0/30, Gi0/31, Gi0/32
                                                    Gi0/33, Gi0/34, Gi0/35, Gi0/36
                                                    Gi0/37, Gi0/38, Gi0/39, Gi0/40
                                                    Gi0/41, Gi0/42, Gi0/43, Gi0/44
                                                    Gi0/45, Gi0/46
    1002 fddi-default                     act/unsup
    1003 token-ring-default               act/unsup
    1004 fddinet-default                  act/unsup
    1005 trnet-default                    act/unsup
     --More--

    *********************************************************************************************


    On my router cisco 2911:
    show vlans:  shows

    ****************************************************

    Virtual LAN ID:  801 (IEEE 802.1Q Encapsulation)  
    vLAN Trunk Interface:   GigabitEthernet0/1.801

       Protocols Configured:   Address:              Received:        Transmitted:
               IP              10.10.11.254         490489943           830098312
            Other                                           0             8656227

       490764661 packets, 121537268411 bytes input
       838754539 packets, 962388065417 bytes output

    Virtual LAN ID:  420 (IEEE 802.1Q Encapsulation)

       vLAN Trunk Interface:   GigabitEthernet0/1.420

       Protocols Configured:   Address:              Received:        Transmitted:
               IP              x.x.x.x(externalIP)       1997976881          2003216681
            Other                                           0                5459

       1997976881 packets, 1597877139735 bytes input
       2003222140 packets, 1917789082769 bytes output


    *********************************************************************************
    NOTE:  I have already tried creating all vlans as 801, 1, 92, 425 etc on the UTM and connecting them to the bridge br0 comprising of eth0 and eth1 and I connect WAN to eth1 and Lan port 48 on Cisci to eth0 on UTM, still no internet.  You are right about the config on the UTM.  Do I need to remove my switch from 'switch port access vlan 801'? or the whole switch out of vlan 801 after I put all vlans on the UTM?
    On the UTM after I put it in between the router and the switch I can see only OUT traffic moving slowly, and some traffic on other vlans but NO IN traffic.  In such a state I cannot ping out (8.8.8.8) or to cisco router (10.10.11.254).

    What am I missing here?  Need help please

  • Dlabun,

    Sophos had remote + phone past 4 days almost 3-4 hrs per day.  The fall point is its the only internet we have and the moment I connect UTM internet goes down.  So they ask me to get them a secondary internet (from where?) so I borrowed someone's phone and gave them internet, after an hour they said its too slow.  To me they had enough time to gather logs and they did and found nothing (they say).

  • It's really hard to understand what you are trying to accomplish here. Are you trying to replace the Cisco 2911 with the UTM? Does your ISP require the use of the Cisco 2911 or can you connect your internet service directly into the UTM for testing purposes?

  • I've never done a bridge with the UTM but from what I understand of your post, it looks as though you need to change the port on the switch to trunk mode:

    no switchport mode access
    no switchport access vlan 801 
    switchport mode trunk
    switchport trunk allowed vlan 801,425    <<<< this is optional to restrict what vlans are allowed on the trunk interface. I'd apply this after its up and running

    UTM: The UTM will have to have ethernet vlan on both interfaces (In & out) with the relevant vlans (801 & 425).
    ROUTER: The router doesn't need touched

    The post is slightly confusing but I think you are trying:

    CISCO 2911 > g0/1.801 >> WAN of UTM >> LAN OF UTM >> 2960 g0/48

    If the above is correct, as a minimum, the WAN of the UTM has to have an 802.1q (vlan interface) to talk to the router. A normal ethernet interface won't work here.

    As a start, try putting the WAN of the UTM into Ethernet vlan with v801 and then ping the router from the support tools on the UTM
    Concentrate on the one side first and make sure you have full connectivity befor moving onto the next interface.

  • Louis

    You are 100% correct in what I am trying to achieve here. (simply want UTM in between the router 2911 and the switch 2960). 

    Please look at the Cisco 2960 port already in trunk and all VLANS are allowed to connect to my router Cisco 2911.  Also please look at the UTM pic all the Vlans (1, 92, 425 801 etc etc)  are setup on br0 bridge.  Once I put the WAN from Cisco 2911 to the WAN on UTM and the LAN from UTM to the CIsco switch 2960 port 48 at this stage (here I need to remove all the Vlans, all the trunks from the switch to make it just the switch as now the UTM will be connected to my router 2911 with all the VLans?

    This is the only setup I did not try where I get a simple switch with no vlans and trunk and try connecting UTM to it. 

    As you are suggesting trying one port (side) at a time,

    1) If I only connect LAN to my switch 2960 on any port other than 48, UTM can happily ping my router (10.10.11.254), also can ping 8.8.8.8, also can ping my servers.

    2)If I only connect WAN from UTM to my switch 2960 on any port, I lose the connectivity on the UTM, have to use management port on UTM,  cannot ping anywhere.

  • Dlabun,

    I am not trying to replace any device.  Just want to make this UTM SG310 to work in between the router 2911 and the switch 2960.  At this site where I am installing the UTM does require to be connected to the router 2911 to get the internet(all routing is done by cisco 2911 at the other location). 

  • Can you confirm:

    OTHER NETWORK eg internet  >>> WAN 2911 >>> LAN 2911 >>> WAN UTM >>> LAN UTM >>> 2960?

    Normally a WAN never goes to another WAN but you have specified the WAN of the Cisco 2911 to the WAN of the UTM

    Maybe somebody on here can offer advice on the bridging side of the UTM as I've never done one.

    But in your setup:

    Cisco Router:
    this looks fine and you can leave alone as it is 802.1q.
    What is the WAN port on this? You've only shown interface g0/1 details which we assume to be the LAN. Can you show the config for the interfaces?
    I don't believe the issue is here but just need to clarify what is your lan and wan as your post isn't clear.

    UTM:
    The WAN (br0) should be set as a ethernet vlan.
    The LAN (br1) should also be set as ethernet vlan

    Cisco 2960:
    Port 48 should be set to trunk

    The above should work. I'm not sure about the UTM in bridge mode as I've never done it but I know about the Cisco's and the UTM as a router.
    Is the UTM firewall logs showing traffic?