
SG 310(firmware 9.355-1) between a cisco switch 2960(vlan801) and cisco router 2911 (2911 connected to 2960 on WAN connection). No internet - nothing works

SG 310 (firmware 9.355-1) appliance, when installed between a Cisco 2960 (VLAN 801) and a Cisco 2911 router acting as default gateway (2911 connected to the 2960 over the WAN connection), blocks the internet; it cannot even ping the DG, which is the Cisco 2911.  
Here is the net config: my subnet is 10.10.11.0/24. The Cisco 2960 (VLAN 801) is connected to the Cisco 2911 router via the internet WAN connection, and everything works great. The moment the SG 310 (in a bridge) is introduced between the 2960 switch and the 2911 router it blocks all protocols; internally I can see the following firewall logs, and mostly it is blocking external traffic, dropping TCP packets etc. Eth1, the WAN port on the SG310, is connected to the internet connection (the WAN from the internet to my 2911 router), and Eth0, the LAN port on the SG310, goes into my Cisco 2960 switch. This does not work. Sophos techs have checked all the internal config on the SG310 (firewall etc.) and cannot detect any running logs, as the connection drops the moment the SG310 is introduced. Need help.

Cisco 2960 (VLAN 801, subnet 10.10.11.0/24) >>>> LAN [ SG310 UTM ] WAN >>>> Cloud + ISP >>>> Router Cisco 2911 (all routing here)
                                                    ^ STOPS ALL TRAFFIC



  • Hi, and welcome to the UTM Community!

    Agreed with Dlabun.  Then again, to which "Sophos techs" are you referring?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BALfson;

    I am referring to Sophos UTM support: https://doc.sophos.com/support/help/en-us/contact/index.html 

    I have been working with Sophos UTM for a long time now. At our location 1 we have no issues with the SG 310. 
    This brand new install at location 2 is causing issues.
  • Gentlemen,

    Louise:

    -Correct, the moment UTM is introduced nothing works.

    -There is a Cisco 2960 switch which is trunked to the Cisco 2911; nothing is replaced.

    As a note I am also sharing the message from my ISP:

    ***************************************************************************************

    Hi AdMan, received your message regarding you are unable to get your firewall working at your Bur campus. 
     
    VLAN 801 is your TLS circuit and we are just layer 2 and we do not have to make any changes on our side to accommodate your firewall
     
    The port in Burlington facing you is set up as 1000  Full the encapsulation is dot1q and all the vlans are tagged 92,422,425,801
     
    Please feel free to give me a call – contact info in my signature
     
    Thank you
    David
    Datacom IP
    Cogeco
    ****************************************************************************************************************************
     
  • Louis, I got a different message in my email where you mention not to use the bridge on the UTM and to start the NAT function on the UTM? If that is correct, I can remove the bridge and use WAN and LAN as separate ports with NAT enabled?

    ************************************************************************************************************************************************************************

    The setup on the left hand side is fine, as the Cisco is doing the natting/routing etc. and the UTM is inline.
    On the right hand side, it's not the same. You need the UTM to mimic the Cisco router on the left hand side.
    So it needs to do NAT etc. I'd wipe your config and start from scratch for the UTM on the right hand side. It's a straightforward setup.
    ************************************************************************************************************************************************************************
  • If you're using a TLS circuit there may be no need for a second UTM, as you essentially have a really long private ethernet cable running between your two locations. A UTM at both locations would be an ideal solution if you didn't have a TLS connection. I deal with TLS and microwave circuits running from Canada into Vermont... We don't use UTMs at the satellite locations as they don't have a real internet connection, just the TLS line back to the home office where our internet service is.

    You really need to have a conversation with Cogeco and your Sophos reseller on the right way to line up all of this equipment. The second UTM may very well be unnecessary unless you're trying to provide a way to switch to a backup internet connection should the TLS circuit go down.

  • Dlabun,

    Now that will be too much work for ISP to change their existing layout and charge us more money.

    There are many reasons for which this internet line was used between two locations. 

    1) To keep one routing device.

    2) To keep 2 physical locations in AD as separate sites, for ease of manageability for users/hardware etc.

    3) Not to load each other's subnet with loads of traffic.

    4) Though our locations are different, they are similar in many, many ways.

    In fact this type of connection has existed between our locations for more than 20 years. I will contact my reseller and find out what can be done to get the internet via UTM.

    Thanks guys I really appreciate your time in this.

  • Hi Adman,

    Dlabun is right. Now we know more about your setup, it is indeed a private circuit and the UTM may not be necessary. That said, it sounds as though you want to change the topology of the network and break it further down into different subnets?

    If that is the case, I would place a UTM or router on the right hand side and then use a different subnet to break up the network/collision domain. This would then mean that all traffic after the UTM or router would be on an entirely different subnet and would need configuring as such.

    The appropriate routing would also have to be entered on the Cisco on the left hand side?

    Is this what you want? Both sides can still belong to the same domain in AD but they would be in totally different subnets?

    Please ignore my previous post about natting etc. (unless you want the above), as I wasn't sure of your setup and it's becoming clearer as we speak.

  • Hi Dlabun,

    Both of our physical sites have already different subnets, no issue there. 

    ******************

    If that is the case, I would place a UTM or router on the right hand side and then use a different subnet to break up the network/collision domain. This would then mean that all traffic after the UTM or router would be on an entirely different subnet and would need configuring as such.

    *********************************

    That's what I am trying to do by putting in the UTM on the right hand side. I guess here the UTM has to act as my 2960 switch (how to convert the UTM into a switch like the Cisco 2960 I do not know?); it's already an entirely different subnet, so the UTM should not have any trouble. 

    **************************

    Is this what you want? Both sides can still belong to the same domain in AD but they would be in totally different subnets?

    *********************************************************************************

    Both sides are in the same domain and have totally different subnets.  Right side is 10.10.11.0/24  and left 10.10.10.0/24, routing is done by Cisco 2911 for both subnets.

    Gentlemen,

    This might help you.  Back in 2011/2012 I was testing Astaro 220 appliance on the same site with subnet 10.10.11.0/24 (right hand side) and I could vaguely remember using the port monitoring on my switch cisco 2960 and things worked great at that time.  Since that was a test unit I had to send Astaro back as it was loaned to me for testing.  I cannot even find the backup file otherwise I could restore the same backup.

    If the above setup does not work, can SG 310 be simply setup to see the traffic via port monitoring/mirroring through switch?

  • I'm still not sure whether it would work out as a bridge.

    I think in the above case, I would put the UTM in with a WAN address of 10.10.11.1/24 and then an entirely different subnet behind that, eg 10.1.1.0/24 or 172.16.x.x/24 etc.

    The above would work as the UTM would have a WAN address of, say, 10.10.11.1/24 and the Cisco 2911 would know how to get to that. Obviously, if you put another subnet on the LAN of the UTM, say 172.16.1.0/24, you would have to put the static route into the 2911, ie route 172.16.1.0 255.255.255.0 10.10.11.1

    That will work, but you have to have WAN connectivity first, and that's if you want to go this way.

  • Thanks Louis,

    Tomorrow I am scheduled with the Sophos escalations team on UTM.  I will keep you posted on the results.

    Thanks

  • As long and complex as this thread had become, I hesitated to do anything other than scan it.  A quick glance showed that VLAN 1 is in use.  VLAN 1 is reserved for Wireless Protection in the UTM.  Does changing that VLAN setting make any difference?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    Our UTM has no licenses for Wireless. If that is still in effect I will try disabling it on the UTM. The escalations team found one interesting thing. They say my layer 2 switch 2960 is not responding to ARP requests. So I checked my router 2911 and there was the ARP entry. Do not know why they want a layer 2 switch to respond to an ARP request. So I took another switch and it did the same thing, 'no reply to ARP'. What does this prove? 

    Under the whole above scenario the WAN works fine and I am able to ping 8.8.8.8 and my DG, i.e. my Cisco router 2911.

    The other frustrating thing about this UTM is that if I remove the DG from the bridge and put the DG on, say, VLAN 801, the UTM freezes and loses connectivity to the switch. Maybe escalations kept on checking while the switch had no connectivity to the UTM. In such a case the UTM has to be reset to factory default and restored from a new backup. I will check it tomorrow.

    Also I am destined to check this set up using a layer 3 switch and see if that makes the UTM happy. 

    Thanks

  • Adman, I don't doubt that you're a very knowledgeable guy, but the UTM is a bit of a different beast.  WebAdmin is used to maintain databases of settings and objects.  The config daemon consults these and then writes the 1000s of lines of code that actually perform the functions.  As a result, a single change in WebAdmin might result in 100s of new/changed lines of code.

    Does disabling Wireless Protection allow the use of VLAN 1?  Maybe. Probably mostly.  You still should change to a different VLAN just as a way of eliminating the possibility that this is at the root of your unusual problem.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I think you have to start from scratch here. The 2960 obviously has an ip address on vlan ? If you plug that into the UTM, can it be pinged?

    I've got 6 2960's plugged into 2 UTM's and they work. The ports on the switches are set to trunk mode.

  • Bob,

    Thanks

    Not sure how to disable the wireless protection when I do not have the license for it. Do I need to go into the shell and do it? What is the command for that?

    Well, this whole site works under VLAN 801; if I switch VLANs then the 2960 switch loses connection to my Cisco 2911 router.

    Any other suggestion is welcome.

  • Louis-M,

    This is funny, believe me I have started many times from scratch. 

    The 2960 has the IP on VLAN 801, which is 10.10.11.252. The switch only pings the UTM if the bridge br0 has an IP, so I assign an IP on the bridge, 10.10.11.4, to make the 2960 switch ping this UTM at 10.10.11.4. Then I assign on the UTM the IP for VLAN 801 as 10.10.11.5. Then I put the WAN into the UTM and the LAN to my switch............ No internet. 

    If I remove the IP from the bridge and make it 0.0.0.0/0, then there is no more pinging from the switch to the UTM. Though it should ping the VLAN 801 IP 10.10.11.5, no luck.

    Well here is my config from port 48 which is in trunk on the switch:

    Bur_Camp_Cisco2960#show interfaces trunk

    Port        Mode             Encapsulation  Status        Native vlan
    Gi0/48      auto             802.1q         trunking      1

    Port        Vlans allowed on trunk
    Gi0/48      1-4094

    Port        Vlans allowed and active in management domain
    Gi0/48      1,92,420,425,801

    Port        Vlans in spanning tree forwarding state and not pruned
    Gi0/48      1,92,420,425,801

    I will try one more time, but I am sure I have already tested this connection as well.

    I have checked with a BRAND NEW Cisco Catalyst 2940 switch and the UTM did the same thing, 'NO internet'. Either some routing path needs to be set on the UTM or the UTM itself has some hardware/protocol adjustment. Not sure.

    I am going to try now with a layer 3 switch. Just in the process of getting one, as these switches cost a fortune. We have already spent a fortune buying this UTM at around $10K and now, to make it happy, need to topple the whole network infrastructure by buying more devices...... Funny.

  • How precious are you about the lan subnet on the right hand side?

    Just as a test, set the UTM up without bridging so the 801 VLAN becomes the WAN of the UTM. Have a totally different LAN subnet and use natting etc, ie bog standard setup for the UTM. Test a ping from the UTM WAN to the Cisco from there to see if that works. Then test from the LAN to see if you can reach the Cisco 2911.

    I have:

    LAN >>> 2x 3750 >>> 2x UTM SG310 >>> 2x 2960s >>> Internet so they do work. I can only think it's something to do with the bridging on the UTM as I've never set this up.

    But where 802.1q VLANs are involved on the UTM, the interfaces must be configured with the Ethernet VLAN type (not just Ethernet) and the Ciscos must have trunk set on the interfaces that connect to the UTM.

    If you are just using Ethernet on the UTM, then it is sufficient to have switchport mode access on the Ciscos.

  • Ok, here is what I can try:

    - On my UTM I will assign Ethernet VLAN 801 to the eth1 WAN port, assign it IP 10.10.11.4 (not sure whether to assign Proxy ARP or enable spanning tree protocol?) and connect it to the internet cable coming from my Cisco 2911 router.

    - On my UTM I will assign Ethernet VLAN 801 to the eth0 LAN port, assign it IP 192.168.0.5 (not sure whether to assign Proxy ARP or enable spanning tree protocol?), and connect it to port 48 on my Cisco 2960, which is in trunk mode and allowing all VLANs. Here I also have to add 192.168.0.0/24 to my DHCP scope. I am sure I have to change the IP of VLAN 801 on my Cisco 2960? Is this what you want me to check?

    Thanks

  • Yes, give that a shot. Make a different VLAN for the LAN side, eg vlan 899 or something, and then find a free port on the 2960s and do a switchport mode access and switchport access vlan 899. Plug a laptop/PC into that and, if all's well, you should get an IP from the DHCP server you have configured for that vlan 899, ie a LAN IP address eg 192.168.0.100/24

    You can configure this yourself or do a reset and I think the UTM might go through a wizard

    So:

    UTM:

    WAN = vlan 801 (select vlan ethernet type). Don't forget gateway here which is your Cisco 2911 ip
    LAN = vlan 899 (select vlan ethernet type)   >>> leave in port 48 2960s. You will need to configure DHCP, firewall rules to let traffic through etc

    2960:

    leave UTM connected to port 48. create another vlan 899 and another port with that vlan assigned in access mode to vlan 899
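The switch-side and router-side pieces of the test setup Louis lays out above, together with the static route he mentioned earlier for a subnet placed behind the UTM's WAN address, as an added Cisco IOS configuration example. It is not from the original thread or from Sophos, and it assumes the addresses proposed in the thread (UTM WAN 10.10.11.4/24 on VLAN 801, UTM LAN 192.168.0.0/24 on VLAN 899, UTM LAN port in Gi0/48 of the 2960); the test-PC port Gi0/10 and the 2911's VLAN 801 address are assumptions or placeholders. The UTM itself is configured in WebAdmin, so its side is shown only as notes. One check worth making first: the `show interfaces trunk` output earlier in the thread lists Gi0/48 with Mode `auto` (dynamic auto), which only stays a trunk if the far end negotiates DTP; a firewall appliance does not, so the port would fall back to access mode and drop tagged frames, which is why the example sets the mode to trunk explicitly, as Louis recommends.

```cisco
! ===== Cisco 2960 (layer 2 only) =====
! Added example; VLAN 899 and port Gi0/10 are assumptions, not thread values.
vlan 899
 name UTM-LAN
!
! Port 48 carries the UTM LAN. Force trunk mode and disable DTP so the port does
! not fall back to access mode against a device that never negotiates.
! Restrict the trunk to the VLANs the UTM actually needs (adjust as required).
interface GigabitEthernet0/48
 description Trunk to SG310 eth0 (VLAN 899 LAN)
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 801,899
!
! Untagged test port for the laptop/PC on the UTM LAN VLAN.
interface GigabitEthernet0/10
 description Test PC on UTM LAN (VLAN 899)
 switchport mode access
 switchport access vlan 899
 spanning-tree portfast
!
! Verification on the 2960 (exec mode):
!   show interfaces trunk            -> Gi0/48 Mode "on", Status "trunking"
!   show vlan brief                  -> VLAN 899 present, Gi0/10 assigned
!   show mac address-table vlan 899  -> UTM eth0 and PC MACs learned
!
! ===== Cisco 2911 (routes both sites) =====
! Needed only when left-side hosts must reach 192.168.0.0/24 directly rather
! than via the UTM's masqueraded WAN address. Next hop is the UTM WAN IP on
! VLAN 801; the 2911's own VLAN 801 address is not given in the thread.
ip route 192.168.0.0 255.255.255.0 10.10.11.4
!
! Verification on the 2911:
!   show ip route static   -> 192.168.0.0/24 via 10.10.11.4
!   show arp | include 10.10.11.4   -> UTM WAN MAC resolved (WAN reachable)
!
! ===== SG310 (configured in WebAdmin; notes only) =====
! eth1 WAN: type "Ethernet VLAN", tag 801, 10.10.11.4/24,
!           default gateway = <2911 VLAN 801 address, placeholder>
! eth0 LAN: type "Ethernet VLAN", tag 899, 192.168.0.5/24,
!           DHCP server scope on this interface (eg 192.168.0.100-200)
! Then: firewall rule Internal (Network) -> Any, and a Masquerading rule
! Internal -> External, before the PC on Gi0/10 can reach the 2911 or 8.8.8.8.
```

Test in the order the thread suggests: first ping the 2911 from the UTM's WAN interface, then ping the UTM LAN address 192.168.0.5 from the PC on Gi0/10, and only then look at routing and firewall rules; if the trunk status on Gi0/48 is not "trunking", nothing further will work regardless of the UTM configuration.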

  • - Ran the default setup with WAN under VLAN 801, 10.10.11.5/24 ............ no luck. LAN 10.10.12.0/24, no luck on internet. Tried putting the LAN under 801 as well, still no luck. Made a management interface; from Tools I was able to ping my Cisco router and outside to 8.8.8.8,
    but not internally to any of my domain controllers. So no internet.

    - Kept on checking the firewall logs and it simply DROPs TCP, ICMP, SMTP etc.

    I give up on this UTM. 

    Also now I have no assurance that it will work once I have a layer 3 switch.

  • Ok, we have a start.

    You have a successful WAN as you can ping the Cisco router.

    You now need to concentrate on the LAN side. If you configured the LAN as we mentioned above, can you get a ping from the laptop or pc connected to the vlan that the LAN is on? Once we've confirmed that, we can start on the next step ie routing, nat & firewall rules.

  • Louis,

    You seem like a warrior, not giving up on this as yet?

    The same behavior this UTM offered under the bridge: a WAN connection exists but no connection between the UTM and the Cisco 2960 switch.

    In any case I was driving myself too deep into it, and changed something. I guess I have to start all over again. One thing I observed on the LAN connection: unless the LAN has an IP from the same subnet under which the switch operates (10.10.11.0/24), the UTM loses connection, and if simple Ethernet is used it also loses connection. I guess I was at a stage where it started to ping the router from the WAN, like:

    UTM has 10.10.11.5/24 with DG set (this interface is VLAN 801 Ethernet).

    UTM has 10.10.12.4/24 with no DG set (this interface is VLAN 801 Ethernet?).

    With Continuous disconnections on the internet and testing so many times the users are getting frustrated.  I guess I leave testing till Monday.  Will start fresh again.