
SG 310 (firmware 9.355-1) between a Cisco 2960 switch (VLAN 801) and a Cisco 2911 router (2911 connected to the 2960 over the WAN connection). No internet - nothing works

SG 310 (firmware 9.355-1) appliance, when installed between a Cisco 2960 (VLAN 801) and the Cisco 2911 router that is the default gateway (the 2911 is connected to the 2960 over the WAN connection): the SG 310 blocks the internet and cannot even ping the DG, which is the Cisco 2911.
Here is the net config: my subnet is 10.10.11.0/24. The Cisco 2960 (VLAN 801) is connected to the Cisco 2911 router via the internet WAN connection, and everything works great. The moment the SG 310 (in a bridge) is introduced between the 2960 switch and the 2911 router, it blocks all protocols; internally I can see the firewall logs flowing, and mostly it is blocking external traffic, dropping TCP packets, etc. Eth1, the WAN port on the SG 310, is connected to the internet connection (the WAN from the internet to my 2911 router), and Eth0, the LAN port on the SG 310, goes into my Cisco 2960 switch. This does not work. Sophos techs have checked all the internal config on the SG 310 (firewall, etc.) and cannot find any logs, as the connection drops the moment the SG 310 is introduced. Need help.

Cisco 2960 (VLAN 801, subnet 10.10.11.0/24) ---> [LAN] SG310 UTM [WAN] ---> Cloud + ISP ---> Router Cisco 2911 (all routing here)
                                                    ^ stops all traffic



  • Hi, and welcome to the UTM Community!

    Agreed with Dlabun.  Then again, to which "Sophos techs" are you referring?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BALfson;

    I am referring to Sophos UTM support: https://doc.sophos.com/support/help/en-us/contact/index.html 

    I have been working with Sophos UTM for a long time now. At our location 1 we have no issues with the SG 310.
    This brand new install at location 2 is causing issues.
  • Dlabun,

    Now, that will be too much work for the ISP to change their existing layout, and they will charge us more money.

    There are many reasons why this internet line was used between the two locations:

    1) To keep one routing device.

    2) To keep the 2 physical locations as separate sites in AD, for ease of manageability of users/hardware, etc.

    3) Not to load each other's subnet with loads of traffic.

    4) Though our locations are different, they are similar in many, many ways.

    In fact this type of connection has existed between our locations for more than 20 years. I will contact my reseller and find out what can be done to get the internet via the UTM.

    Thanks guys I really appreciate your time in this.

  • Hi Adman,

    Dlabun is right. Now that we know more about your setup, it is indeed a private circuit and the UTM may not be necessary. That said, it sounds as though you want to change the topology of the network and break it down further into different subnets?

    If that is the case, I would place a UTM or router on the right hand side and then use a different subnet to break up the network/collision domain. This would then mean that all traffic after the UTM or router would be on an entirely different subnet and would need configuring as such.

    The appropriate routing would also have to be entered on the Cisco on the left hand side?

    Is this what you want? Both sides can still belong to the same domain in AD, but they would be in totally different subnets?

    Please ignore my previous post about NATting etc. (unless you want the above), as I wasn't sure of your setup and it's becoming clearer as we speak.

  • Hi Dlabun,

    Both of our physical sites already have different subnets; no issue there.

    ******************

    If that is the case, I would place a UTM or router on the right hand side and then use a different subnet to break up the network/collision domain. This would then mean that all traffic after the UTM or router would be on an entirely different subnet and would need configuring as such.

    *********************************

    That's what I am trying to do: putting the UTM in on the right hand side. I guess the UTM here has to act as my 2960 switch (how to convert the UTM into a switch like the Cisco 2960 I do not know?); it's already an entirely different subnet, so the UTM should not have any trouble.

    **************************

    Is this what you want? Both sides can still belong to the same domain in AD but they would be in totally different subnets?

    *********************************

    Both sides are in the same domain and have totally different subnets. The right side is 10.10.11.0/24 and the left 10.10.10.0/24; routing for both subnets is done by the Cisco 2911.

    Gentlemen,

    This might help you. Back in 2011/2012 I was testing an Astaro 220 appliance on the same site, subnet 10.10.11.0/24 (right hand side), and I vaguely remember using port monitoring on my Cisco 2960 switch; things worked great at that time. Since that was a test unit, I had to send the Astaro back, as it was loaned to me for testing. I cannot even find the backup file; otherwise I could restore it.

    If the above setup does not work, can the SG 310 simply be set up to see the traffic via port monitoring/mirroring on the switch?

    I'm still not sure whether it would work out as a bridge.

    I think in the above case I would put the UTM in with a WAN address of 10.10.11.1/24 and then an entirely different subnet behind it, e.g. 10.1.1.0/24 or 172.16.x.x/24, etc.

    The above would work, as the UTM would have a WAN address of, say, 10.10.11.1/24 and the Cisco 2911 would know how to get to that. Obviously, if you put another subnet on the LAN of the UTM, say 172.16.1.0/24, you would have to put the static route into the 2911, i.e. route 172.16.1.0 255.255.255.0 10.10.11.1

    That will work, but you have to have WAN connectivity first, and that's if you want to go this way.

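Before committing to the addressing plan in the post above, a practitioner would check it on paper: that the UTM's proposed WAN address actually sits in a subnet the 2911 already routes, that it does not collide with the 2911's own address on that subnet, that the new LAN subnet behind the UTM overlaps nothing already in use at either site, and that the UTM-facing VLAN is not VLAN 1 (which Bob notes later in the thread is reserved for Wireless Protection). The script below is an added example, not code from the thread or from Sophos; the thread never states the 2911's own address on 10.10.11.0/24, so `gateway_ip` is an assumed parameter, and the two site subnets are taken from the poster's description. It uses only the Python standard library and also prints the IOS static route the 2911 would need for return traffic.

```python
"""Paper check of the 'UTM with its own LAN subnet behind 10.10.11.0/24' plan.
Added example, not from the thread. Standard library only."""
import ipaddress

# Constructed from the thread: the two site subnets the 2911 routes today.
EXISTING_SUBNETS = {
    "left site": ipaddress.ip_network("10.10.10.0/24"),
    "right site (VLAN 801)": ipaddress.ip_network("10.10.11.0/24"),
}
RESERVED_VLAN = 1  # per Bob's post: VLAN 1 is reserved for Wireless Protection on the UTM


def check_plan(utm_wan: str, utm_lan: str, vlan_id: int, gateway_ip: str) -> list[str]:
    """Return the list of problems found; an empty list means the plan is consistent.

    utm_wan    - UTM WAN interface, e.g. "10.10.11.1/24"
    utm_lan    - new subnet behind the UTM, e.g. "172.16.1.0/24"
    vlan_id    - VLAN the UTM's switch-facing port sits in
    gateway_ip - the 2911's address on the WAN-side subnet (ASSUMED; not given in the thread)
    """
    problems = []
    wan_if = ipaddress.ip_interface(utm_wan)
    lan_net = ipaddress.ip_network(utm_lan, strict=True)
    gw = ipaddress.ip_address(gateway_ip)

    # 1. The 2911 can only use the UTM as a next hop if the UTM's WAN address is
    #    inside a subnet the 2911 is directly connected to / already routes.
    if not any(wan_if.ip in net for net in EXISTING_SUBNETS.values()):
        problems.append(f"WAN address {wan_if.ip} is not in any subnet the 2911 routes")

    # 2. The UTM must not steal the router's own address, and the router must
    #    actually be on the UTM's WAN subnet for the static route to resolve.
    if wan_if.ip == gw:
        problems.append(f"WAN address {wan_if.ip} is the 2911's own address")
    if gw not in wan_if.network:
        problems.append(f"gateway {gw} is not on the UTM WAN subnet {wan_if.network}")

    # 3. The new LAN subnet must overlap nothing in use (sites plus the WAN subnet).
    in_use = set(EXISTING_SUBNETS.values()) | {wan_if.network}
    for net in sorted(in_use):
        if lan_net.overlaps(net):
            problems.append(f"LAN subnet {lan_net} overlaps existing subnet {net}")

    # 4. Keep the UTM off VLAN 1.
    if vlan_id == RESERVED_VLAN:
        problems.append(f"VLAN {vlan_id} is reserved on the UTM; pick another VLAN")
    return problems


def ios_static_route(utm_wan: str, utm_lan: str) -> str:
    """The IOS line the 2911 needs so traffic for the new LAN is sent to the UTM."""
    wan_if = ipaddress.ip_interface(utm_wan)
    lan_net = ipaddress.ip_network(utm_lan)
    return f"ip route {lan_net.network_address} {lan_net.netmask} {wan_if.ip}"


if __name__ == "__main__":
    plan = ("10.10.11.1/24", "172.16.1.0/24", 801, "10.10.11.254")  # gateway_ip assumed
    issues = check_plan(*plan)
    print("problems:", issues or "none")
    if not issues:
        print("2911 config:", ios_static_route(plan[0], plan[1]))
```

Run it once with the real 2911 address substituted for the assumed `10.10.11.254`; if the plan comes back clean, the printed `ip route` line is the only change the 2911 needs for the new subnet, and any remaining breakage is then on the UTM side (interfaces, firewall rules, or masquerading) rather than in the addressing.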
  • Thanks Louis,

    Tomorrow I am scheduled with the Sophos escalations team on UTM.  I will keep you posted on the results.

    Thanks

    As long and complex as this thread has become, I hesitated to do anything other than scan it. A quick glance showed that VLAN 1 is in use. VLAN 1 is reserved for Wireless Protection in the UTM. Does changing that VLAN setting make any difference?

    Cheers - Bob

  • Bob,

    Our UTM has no license for Wireless. If that is still in effect, I will try disabling it on the UTM. The escalations team found one interesting thing. They say my layer 2 switch, the 2960, is not responding to ARP requests. So I checked my 2911 router and the ARP entry was there. I do not know why they want a layer 2 switch to respond to an ARP request. So I took another switch and it did the same thing: no reply to ARP. What does this prove?

    Under the whole above scenario the WAN works fine and I am able to ping 8.8.8.8 and my DG, i.e. my Cisco 2911 router.

    The other frustrating thing about this UTM is that if I remove the DG from the bridge and put the DG on, say, VLAN 801, the UTM freezes and loses connectivity to the switch. Maybe escalations kept on checking while the switch had no connectivity to the UTM. In such a case the UTM has to be factory defaulted and restored from a new backup. I will check it tomorrow.

    I also intend to check this setup using a layer 3 switch and see if that makes the UTM happy.

    Thanks

    Adman, I don't doubt that you're a very knowledgeable guy, but the UTM is a bit of a different beast. WebAdmin is used to maintain databases of settings and objects. The config daemon consults these and then writes the thousands of lines of code that actually perform the functions. As a result, a single change in WebAdmin might result in hundreds of new/changed lines of code.

    Does disabling Wireless Protection allow the use of VLAN 1? Maybe. Probably, mostly. You should still change to a different VLAN, just as a way of eliminating the possibility that this is at the root of your unusual problem.

    Cheers - Bob

    I think you have to start from scratch here. The 2960 obviously has an IP address on VLAN ? If you plug that into the UTM, can it be pinged?

    I've got 6 2960s plugged into 2 UTMs and they work. The ports on the switches are set to trunk mode.

  • Bob,

    Thanks

    Not sure how to disable Wireless Protection when I do not have the license for it. Do I need to go into the shell and do it? What is the command for that?

    Well, this whole site works under VLAN 801; if I switch VLANs, then the 2960 switch loses connection to my Cisco 2911 router.

    Any other suggestion is welcome.
