
SG 310(firmware 9.355-1) between a cisco switch 2960(vlan801) and cisco router 2911 (2911 connected to 2960 on WAN connection). No internet - nothing works

An SG 310 (firmware 9.355-1) appliance, when installed between a Cisco 2960 (VLAN 801) and a Cisco 2911 router that is the default gateway (the 2911 is connected to the 2960 over a WAN connection), blocks the internet; it cannot even ping the DG, which is the Cisco 2911.  
Here is the network config: my subnet is 10.10.11.0/24; the Cisco 2960 (VLAN 801) is connected to the Cisco 2911 router via the internet WAN connection, and everything works great. The moment the SG 310 (in a bridge) is introduced between the 2960 switch and the 2911 router, it blocks all protocols; internally I can see the firewall logs flowing, and mostly it is blocking external traffic, dropping TCP packets etc. Eth1, the WAN port on the SG310, is connected to the internet connection (the WAN from the internet to my 2911 router), and Eth0, the LAN port on the SG310, goes into my Cisco 2960 switch. This does not work. Sophos techs have checked all the internal config on the SG310 (firewall etc.) and cannot detect anything in the running logs, as the connection drops the moment the SG310 is introduced. Need help.

Cisco 2960 (VLAN 801, subnet 10.10.11.0/24) ---> LAN port (eth0) | SG310 UTM bridge | WAN port (eth1) <---> Cloud + ISP <---> Router Cisco 2911 (all routing here)
                                                                  STOPS ALL TRAFFIC



  • Hi, and welcome to the UTM Community!

    Agreed with Dlabun.  Then again, to which "Sophos techs" are you referring?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson,

    I am referring to Sophos UTM support: https://doc.sophos.com/support/help/en-us/contact/index.html 

    I have been working with Sophos UTM for a long time now. At our location 1 we have no issues with the SG 310.
    This brand new install at location 2 is causing issues.
  • Did Sophos have actual remote access to your box or did they just check the configuration over the phone?

  • Firstly, how are your ports configured on your Ciscos? Are they in trunk or access mode?

    I might be wrong, but I suspect they are in trunk mode, which will allow traffic between them, but putting something in between with an incorrect configuration will block the traffic. If the Ciscos are set to trunk mode with 802.1Q, the UTM needs to be set accordingly with the appropriate VLANs.

    If they are in access mode, then a straightforward Ethernet connection will work.

    In the UTM, are the ports showing as up, and is there any traffic flowing (on the dashboard)?
    They can show as up, but the telltale sign is "0" in the traffic meter on the dashboard.

    In the UTM, under Tools, you should be able to ping the Ciscos. If not, you have a config error on the ports.

    If you can ping etc., you have connectivity, and now you're getting down to routing and firewall issues.
    But first things first: check the ports and config on the Ciscos to see how they are connected. I had this very issue this week, but I am so used to it with Ciscos that it's second nature to me.

  • Louis,
    You are getting there. 
    So on my Cisco switch 2960 the port connecting to the router is 48:

    interface GigabitEthernet0/48
     description source port
     switchport access vlan 801
     speed 1000
     duplex full
     no cdp enable
    !

    Also, I checked my notes: all VLANs are accepted on the switch.

    show vlans shows all VLANs (1, 92, 425, 1002, 1003, 1005 etc. and 801) active, while all ports are working under 801.
    Also I checked on the switch:

    ***************************************************************************************
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Gi0/49, Gi0/50
    92   VLAN0092                         active
    420  VLAN0420                         active
    425  VLAN0425                         active
    801  VLAN0801                         active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                    Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                                    Gi0/9, Gi0/10, Gi0/11, Gi0/12
                                                    Gi0/13, Gi0/14, Gi0/15, Gi0/16
                                                    Gi0/17, Gi0/18, Gi0/19, Gi0/20
                                                    Gi0/21, Gi0/22, Gi0/23, Gi0/24
                                                    Gi0/25, Gi0/26, Gi0/27, Gi0/28
                                                    Gi0/29, Gi0/30, Gi0/31, Gi0/32
                                                    Gi0/33, Gi0/34, Gi0/35, Gi0/36
                                                    Gi0/37, Gi0/38, Gi0/39, Gi0/40
                                                    Gi0/41, Gi0/42, Gi0/43, Gi0/44
                                                    Gi0/45, Gi0/46
    1002 fddi-default                     act/unsup
    1003 token-ring-default               act/unsup
    1004 fddinet-default                  act/unsup
    1005 trnet-default                    act/unsup
     --More--

    *********************************************************************************************


    On my router cisco 2911:
    show vlans:  shows

    ****************************************************

    Virtual LAN ID:  801 (IEEE 802.1Q Encapsulation)  
    vLAN Trunk Interface:   GigabitEthernet0/1.801

       Protocols Configured:   Address:              Received:        Transmitted:
               IP              10.10.11.254         490489943           830098312
            Other                                           0             8656227

       490764661 packets, 121537268411 bytes input
       838754539 packets, 962388065417 bytes output

    Virtual LAN ID:  420 (IEEE 802.1Q Encapsulation)

       vLAN Trunk Interface:   GigabitEthernet0/1.420

       Protocols Configured:   Address:              Received:        Transmitted:
               IP              x.x.x.x(externalIP)       1997976881          2003216681
            Other                                           0                5459

       1997976881 packets, 1597877139735 bytes input
       2003222140 packets, 1917789082769 bytes output


    *********************************************************************************
    NOTE: I have already tried creating all VLANs (801, 1, 92, 425 etc.) on the UTM and connecting them to the bridge br0 comprising eth0 and eth1, and I connect the WAN to eth1 and LAN port 48 on the Cisco to eth0 on the UTM; still no internet. You are right about the config on the UTM. Do I need to remove my switch from 'switchport access vlan 801', or take the whole switch out of VLAN 801 after I put all VLANs on the UTM?
    On the UTM after I put it in between the router and the switch I can see only OUT traffic moving slowly, and some traffic on other vlans but NO IN traffic.  In such a state I cannot ping out (8.8.8.8) or to cisco router (10.10.11.254).

    What am I missing here?  Need help please

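As an added example, not code from this thread or from Sophos or Cisco, here is a Python script that parses the two outputs quoted above (the switch's interface config and the router's `show vlans` output) and reports what a transparent bridge placed between them has to carry: whether the switch port hands frames over tagged or untagged, and which VLAN IDs the router expects 802.1Q tags for. That is the access-versus-trunk question Louis raises. The function names, the sample inputs (copied in shape from the posts, counters trimmed, external IP left masked) and the note about the Catalyst 2960 "dynamic auto" default are my assumptions; the script describes what the two ends expect and does not claim to diagnose this particular installation.

```python
import re

# Constructed sample input, modelled on the `show run` and `show vlans`
# excerpts quoted in this thread (counters trimmed, external IP masked).
SWITCH_PORT_CONFIG = """\
interface GigabitEthernet0/48
 description source port
 switchport access vlan 801
 speed 1000
 duplex full
 no cdp enable
!
"""

ROUTER_SHOW_VLANS = """\
Virtual LAN ID:  801 (IEEE 802.1Q Encapsulation)
vLAN Trunk Interface:   GigabitEthernet0/1.801

   Protocols Configured:   Address:              Received:        Transmitted:
           IP              10.10.11.254         490489943           830098312

Virtual LAN ID:  420 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interface:   GigabitEthernet0/1.420
"""


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,92,801-803' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_switchport(config):
    """Summarise how a Catalyst port will hand frames to the next hop."""
    info = {"mode": None, "access_vlan": 1, "native_vlan": 1, "allowed": None}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"switchport mode (access|trunk|dynamic \w+)", line):
            info["mode"] = m.group(1)
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            info["access_vlan"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            info["native_vlan"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk allowed vlan (?:add )?([\d,-]+)", line):
            info["allowed"] = expand_vlan_list(m.group(1))
    # Assumption: with no explicit "switchport mode", a Catalyst 2960 port is
    # "dynamic auto", so DTP negotiation (not the config) decides access vs trunk.
    if info["mode"] is None:
        info["mode"] = "dynamic auto (default)"
    return info


def parse_router_vlans(output):
    """Map each VLAN ID in `show vlans` output to its 802.1Q subinterface."""
    tagged, current = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"Virtual LAN ID:\s+(\d+) \(IEEE 802\.1Q Encapsulation\)", line)
        if m:
            current = int(m.group(1))
            continue
        m = re.match(r"vLAN Trunk Interface:\s+(\S+)", line)
        if m and current is not None:
            tagged[current] = m.group(1)
            current = None
    return tagged


def bridge_requirements(switch_cfg, router_output):
    """Report what a transparent bridge between the two devices must carry."""
    sw = parse_switchport(switch_cfg)
    rt = parse_router_vlans(router_output)
    trunk = sw["mode"] == "trunk"
    report = {
        "switch_mode": sw["mode"],
        # An access port (or a dynamic port that settles as access) sends its
        # access VLAN untagged; a trunk sends only its native VLAN untagged.
        "switch_untagged_vlan": sw["native_vlan"] if trunk else sw["access_vlan"],
        "switch_tagged_vlans": (sorted(sw["allowed"]) if sw["allowed"] is not None else "all") if trunk else [],
        "router_tagged_vlans": sorted(rt),
        "warnings": [],
    }
    if sw["mode"].startswith("dynamic"):
        report["warnings"].append("switch port has no explicit 'switchport mode'; DTP decides access vs trunk, so pin it explicitly")
    if not trunk and rt:
        report["warnings"].append(f"switch sends VLAN {sw['access_vlan']} untagged but the router expects 802.1Q tags for {sorted(rt)}; confirm what adds the tag on the path and that the bridge passes it unchanged")
    if trunk:
        report["warnings"].append("switch port is a trunk: the bridge needs a VLAN interface for every allowed VLAN ID plus the untagged native VLAN")
    return report


if __name__ == "__main__":
    for key, value in bridge_requirements(SWITCH_PORT_CONFIG, ROUTER_SHOW_VLANS).items():
        print(f"{key}: {value}")
```

Run against the thread's own excerpts, the report shows the switch side handing VLAN 801 over untagged (and, with no `switchport mode` line, negotiated via DTP), while the router side terminates 420 and 801 on dot1q subinterfaces. Swap in a trunk-port config and the report instead lists the allowed VLAN IDs the bridge must pass tagged plus the native VLAN, which is the case Louis describes where the UTM needs a VLAN definition for each ID.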