SG 310 (firmware 9.355-1) between a Cisco 2960 switch (VLAN 801) and a Cisco 2911 router (2911 connected to 2960 on WAN connection). No internet, nothing works

SG 310 (firmware 9.355-1) appliance, when installed between a Cisco 2960 (VLAN 801) and a Cisco 2911 router as default gateway (2911 connected to 2960 on WAN connection). The SG310 blocks the internet and cannot even ping the DG, which is the Cisco 2911.
Here is the net config: my subnet is 10.10.11.0/24; the Cisco 2960 (VLAN 801) is connected to the Cisco 2911 router, which is connected via the internet WAN connection, and everything works great. The moment the SG 310 (in a bridge) is introduced between the 2960 switch and the 2911 router it blocks all protocols; internally I can see the flowing firewall logs and mostly it is blocking external traffic, dropping packets, TCP etc. Eth1, the WAN port on the SG310, is connected to the internet connection (WAN from the internet to my router 2911), and Eth0, the LAN port on the SG310, goes into my Cisco 2960 switch. This does not work. Sophos techs have checked all the internal config on the SG310 like firewall etc. and cannot detect any running logs, as the connection drops the moment the SG310 is introduced. Need help.

Cisco 2960 (VLAN 801, subnet 10.10.11.0/24)  >>>>  LAN [ SG310 UTM, bridge ] WAN  >>>>  Cloud + ISP  >>>>  Cisco 2911 (all routing here)
                                                   STOPS ALL TRAFFIC



  • Hi, and welcome to the UTM Community!

    Agreed with Dlabun.  Then again, to which "Sophos techs" are you referring?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson,

    I am referring to Sophos UTM support: https://doc.sophos.com/support/help/en-us/contact/index.html 

    I have been working with Sophos UTM for a long time now. At our location 1 we have no issues with the SG 310.
    This brand new install at location 2 is causing issues.
  • As long and complex as this thread had become, I hesitated to do anything other than scan it.  A quick glance showed that VLAN 1 is in use.  VLAN 1 is reserved for Wireless Protection in the UTM.  Does changing that VLAN setting make any difference?

    Cheers - Bob

     
  • Bob,

    Our UTM has no licenses for Wireless. If that is still in effect I will try disabling it on the UTM. The escalations team found one interesting thing. They say my layer 2 switch 2960 is not responding to ARP requests. So I checked my router 2911 and there was the ARP entry. I do not know why they want a layer 2 switch to respond to an ARP request. So I took another switch and it did the same thing, 'no reply to ARP'. What does this prove?

    Under the whole above scenario the WAN works fine and I am able to ping 8.8.8.8 and my DG i.e my cisco router 2911.

    The other frustrating thing about this UTM is that if I remove the DG from the bridge and put the DG on, say, VLAN 801, the UTM freezes and loses connectivity to the switch. Maybe escalations kept on checking while the switch had no connectivity to the UTM. In such a case the UTM has to be factory reset and restored from a new backup. I will check it tomorrow.

    Also I am destined to check this set up using a layer 3 switch and see if that makes the UTM happy. 

    Thanks
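
An added example, not code from the thread or from Sophos or Cisco, that models the ARP behaviour the escalation comment above touches on: an ARP request is a broadcast, a switch floods it, and the only device that answers is the one that owns the target IP. A 2960 with an SVI in VLAN 801 (10.10.11.252 here, as stated later in the thread) answers for that one address and for nothing else; a pure layer 2 port with no IP in the VLAN never answers. MAC addresses and the unused target 10.10.11.77 are constructed for the example.

```python
"""ARP request/reply model: who answers an ARP 'who-has' on a flat L2 segment."""
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an RFC 826 ARP packet (Ethernet/IPv4)."""
    eth_dst = BROADCAST_MAC if op == ARP_REQUEST else mac_bytes(target_mac)
    eth = eth_dst + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": str(IPv4Address(frame[28:32])),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": str(IPv4Address(frame[38:42])),
    }


class Endpoint:
    """Something with a MAC on the segment. It answers ARP only for IPs it owns;
    a switch with no SVI in the VLAN owns none and therefore never answers."""

    def __init__(self, name, mac, ips=()):
        self.name, self.mac, self.ips = name, mac, set(ips)
        self.arp_cache = {}

    def receive(self, frame):
        pkt = parse_arp(frame)
        if pkt is None:
            return None
        self.arp_cache[pkt["sender_ip"]] = pkt["sender_mac"]  # learn the asker
        if pkt["op"] != ARP_REQUEST or pkt["target_ip"] not in self.ips:
            return None
        return build_arp(ARP_REPLY, self.mac, pkt["target_ip"],
                         pkt["sender_mac"], pkt["sender_ip"])


def who_answers(endpoints, frame):
    """Flood the broadcast to every endpoint (what an L2 switch does with an ARP
    request) and return the names of those that reply."""
    return [e.name for e in endpoints if e.receive(frame) is not None]


def demo():
    """Constructed segment: the UTM bridge IP asking for the 2960 SVI and for an unused IP."""
    utm = Endpoint("utm-br0", "02:00:00:00:00:04", ["10.10.11.4"])
    svi = Endpoint("2960-vlan801-svi", "02:00:00:00:00:fc", ["10.10.11.252"])
    pure_l2 = Endpoint("2960-no-svi", "02:00:00:00:00:ff")  # no IP in this VLAN
    segment = [svi, pure_l2]
    results = {}
    for target in ("10.10.11.252", "10.10.11.77"):
        req = build_arp(ARP_REQUEST, utm.mac, "10.10.11.4", mac_str(ZERO_MAC), target)
        results[target] = who_answers(segment, req)
    return results


if __name__ == "__main__":
    print(demo())
```

The takeaway for a troubleshooting session like this one: an ARP probe from the UTM tells you whether the address you asked for is owned by something reachable in that VLAN; "the switch does not reply" is only meaningful if the target was the switch's own SVI address.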

  • Adman, I don't doubt that you're a very knowledgeable guy, but the UTM is a bit of a different beast.  WebAdmin is used to maintain databases of settings and objects.  The config daemon consults these and then writes the 1000s of lines of code that actually perform the functions.  As a result, a single change in WebAdmin might result in 100s of new/changed lines of code.

    Does disabling Wireless Protection allow the use of VLAN 1?  Maybe. Probably mostly.  You still should change to a different VLAN just as a way of eliminating the possibility that this is at the root of your unusual problem.

    Cheers - Bob

     
  • I think you have to start from scratch here. The 2960 obviously has an IP address on VLAN ? If you plug that into the UTM, can it be pinged?

    I've got 6 2960s plugged into 2 UTMs and they work. The ports on the switches are set to trunk mode.

  • Bob,

    Thanks

    Not sure how to disable the wireless protection when I do not have the license for it. Do I need to go into the shell and do it? What is the command for that?

    Well, this whole site works under VLAN 801; if I switch VLANs then the switch 2960 loses connection to my Cisco router 2911.

    Any other suggestion is welcome.

  • Louis-M,

    This is funny, believe me, I have started many times from scratch.

    The 2960 has the IP on VLAN 801, which is 10.10.11.252. The switch only pings the UTM if the bridge br0 has an IP, so I assign an IP on the bridge, 10.10.11.4, to make the switch 2960 ping this UTM at 10.10.11.4. Then I assign on the UTM the IP for VLAN 801 as 10.10.11.5. Then I put the WAN into the UTM and the LAN to my switch............No internet.

    If I remove the IP from the bridge and make it 0.0.0.0/0, then there is no more pinging from the switch to the UTM. Though it should ping the VLAN 801 IP 10.10.11.5, but no luck.

    Well here is my config from port 48 which is in trunk on the switch:

    Bur_Camp_Cisco2960#show interfaces trunk

    Port        Mode             Encapsulation  Status        Native vlan
    Gi0/48      auto             802.1q         trunking      1

    Port        Vlans allowed on trunk
    Gi0/48      1-4094

    Port        Vlans allowed and active in management domain
    Gi0/48      1,92,420,425,801

    Port        Vlans in spanning tree forwarding state and not pruned
    Gi0/48      1,92,420,425,801

    I will try one more time, but I am sure I have already tested this connection as well.

    I have checked with a BRAND NEW Cisco Catalyst 2940 switch and the UTM did the same thing, 'NO internet'. Either some routing path needs to be set on the UTM or the UTM itself has some hardware/protocol adjustment. Not sure.

    I am going to try now with a layer 3 switch. Just in the process of getting one, as these switches cost a fortune. We have already spent a fortune buying this UTM at around $10K and now to make it happy we need to topple the whole network infrastructure by buying more devices......Funny.

  • How precious are you about the lan subnet on the right hand side?

    Just as a test, set the UTM up without bridging so the 801 VLAN becomes the WAN of the UTM. Have a totally different LAN subnet and use NATing etc., i.e. a bog standard setup for the UTM. Test a ping from the UTM WAN to the Cisco from there to see if that works. Then test from the LAN to see if you can reach the Cisco 2911.

    I have:

    LAN >>> 2x 3750 >>> 2x UTM SG310 >>> 2x 2960s >>> Internet so they do work. I can only think it's something to do with the bridging on the UTM as I've never set this up.

    But where 802.1q VLANs are involved on the UTM, the interfaces must be configured with the Ethernet VLAN type (not just Ethernet) and the Ciscos must have trunk set on the interfaces that connect to the UTM.

    If you are just using Ethernet on the UTM, then it is sufficient to have switchport mode access on the Ciscos.

  • OK, here is what I can try:

    - On my UTM I will assign Ethernet VLAN 801 to the eth1 WAN port, assign it IP 10.10.11.4 (not sure whether to assign Proxy ARP or enable spanning tree protocol?) and connect it to the internet cable coming from my Cisco 2911 router.

    - On my UTM I will assign Ethernet VLAN 801 to the eth0 LAN port, assign it IP 192.168.0.5 (not sure whether to assign Proxy ARP or enable spanning tree protocol?), and connect it to port 48 on my Cisco 2960, which is in trunk and allowing all VLANs. Here I also have to add 192.168.0.0/24 to my DHCP scope. I am sure I have to change the IP of VLAN 801 on my Cisco 2960? Is this what you want me to check?

    Thanks

  • Yes, give that a shot. Make a different VLAN for the LAN side, e.g. VLAN 899 or something, and then find a free port on the 2960 and do a switchport mode access and switchport access vlan 899. Plug a laptop/PC into that and, if all's well, you should get an IP from the DHCP server you have configured for that VLAN 899, i.e. a LAN IP address, e.g. 192.168.0.100/24.

    You can configure this yourself or do a reset and I think the UTM might go through a wizard

    So:

    UTM:

    WAN = VLAN 801 (select VLAN Ethernet type). Don't forget the gateway here, which is your Cisco 2911 IP.
    LAN = VLAN 899 (select VLAN Ethernet type)   >>> leave in port 48 of the 2960. You will need to configure DHCP, firewall rules to let traffic through etc.

    2960:

    Leave the UTM connected to port 48. Create another VLAN 899 and another port with that VLAN assigned in access mode to VLAN 899.
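
An added example, not code from the thread or from Sophos or Cisco, that checks the trunk output posted earlier in the thread against the routed WAN/LAN plan proposed above (WAN on VLAN 801 in 10.10.11.0/24, LAN on VLAN 899 in 192.168.0.0/24). It parses `show interfaces trunk`, confirms each planned VLAN is allowed, defined and STP-forwarding on the UTM-facing port, flags VLAN 1 because of the Wireless Protection reservation Bob raised, and rejects overlapping WAN/LAN subnets (the variant where the LAN was also put on VLAN 801). The 2911 gateway address 10.10.11.1 is an assumption; the thread never states it.

```python
"""Check a Cisco trunk against the UTM interface plan proposed in this thread."""
import ipaddress

# Constructed copy of the `show interfaces trunk` output posted earlier in the thread.
SHOW_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/48      auto             802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/48      1-4094

Port        Vlans allowed and active in management domain
Gi0/48      1,92,420,425,801

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/48      1,92,420,425,801
"""

# Bob's point in the thread: the UTM reserves VLAN 1 for Wireless Protection.
UTM_RESERVED_VLANS = {1}


def expand_vlans(spec):
    """'1,92,420-425' -> {1, 92, 420, ..., 425}; IOS prints 'none' for an empty list."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part or part.lower() == "none":
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_trunk(text):
    """Return {port: {mode, encap, status, native, allowed, active, forwarding}}."""
    ports, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Port"):  # each header line names the section that follows
            header = line.lower()
            section = ("status" if "native" in header else
                       "allowed" if "allowed on trunk" in header else
                       "active" if "active" in header else
                       "forwarding" if "forwarding" in header else None)
            continue
        fields = line.split()
        rec = ports.setdefault(fields[0], {})
        if section == "status":
            rec.update(mode=fields[1], encap=fields[2], status=fields[3],
                       native=int(fields[4]))
        elif section is not None:
            rec[section] = expand_vlans(fields[1] if len(fields) > 1 else "none")
    return ports


def check_plan(trunk, port, wan, lan):
    """Return findings for a plan of {'vlan', 'addr'} dicts (WAN also has 'gateway').
    An empty list means the trunk can carry the plan as described."""
    findings = []
    t = trunk.get(port)
    if t is None or t.get("status") != "trunking":
        return [f"{port}: not trunking"]
    wan_if = ipaddress.ip_interface(wan["addr"])
    lan_if = ipaddress.ip_interface(lan["addr"])
    for name, side in (("WAN", wan), ("LAN", lan)):
        v = side["vlan"]
        if v in UTM_RESERVED_VLANS:
            findings.append(f"{name}: VLAN {v} is reserved by the UTM (Wireless Protection)")
        if v not in t["allowed"]:
            findings.append(f"{name}: VLAN {v} not allowed on {port}")
        elif v not in t["active"]:
            findings.append(f"{name}: VLAN {v} allowed but not defined/active on the switch")
        elif v not in t["forwarding"]:
            findings.append(f"{name}: VLAN {v} not in STP forwarding state on {port}")
    if wan_if.network.overlaps(lan_if.network):
        findings.append("WAN and LAN subnets overlap; the routed/NAT setup needs distinct subnets")
    if ipaddress.ip_address(wan["gateway"]) not in wan_if.network:
        findings.append("default gateway is not inside the WAN subnet")
    return findings


if __name__ == "__main__":
    trunk = parse_show_trunk(SHOW_TRUNK)
    # Gateway address is an assumption; the 2911's LAN IP is not given in the thread.
    wan = {"vlan": 801, "addr": "10.10.11.5/24", "gateway": "10.10.11.1"}
    for finding in check_plan(trunk, "Gi0/48", wan, {"vlan": 899, "addr": "192.168.0.5/24"}):
        print(finding)
```

Run against the posted output, the only finding for the VLAN 801/899 plan is that VLAN 899 is allowed on the trunk but not yet defined on the switch, which is exactly the `vlan 899` the post above tells you to create before the access port will carry anything.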

  • - Ran the default setup with WAN under VLAN 801, 10.10.11.5/24............no luck; LAN 10.10.12.0/24, no luck on internet. Tried putting the LAN as well under 801, still no luck. Made a management interface; from the tools I was able to ping my Cisco router and outside to 8.8.8.8,
    but not internally to any of my domain controllers. So no internet.

    -Kept on checking the firewall logs and it simply DROPs TCP, ICMP, SMTP etc.

    I give up on this UTM. 

    Also now I have no assurance that it will work once I have a layer 3 switch.

  • Ok, we have a start.

    You have a successful WAN as you can ping the Cisco router.

    You now need to concentrate on the LAN side. If you configured the LAN as we mentioned above, can you get a ping from the laptop or pc connected to the vlan that the LAN is on? Once we've confirmed that, we can start on the next step ie routing, nat & firewall rules.

  • Louis,

    You seem like a warrior, not giving up on this as yet?

    The same behavior this UTM offered under the bridge: the WAN connection exists but there is no connection between the UTM and the Cisco 2960 switch.

    In any case I was driving myself too deep into it, and changed something. I guess I have to start all over again. One thing I observed on the LAN connection: unless the LAN has an IP from the same subnet under which the switch operates (10.10.11.0/24) the UTM loses connection, and also if simple Ethernet is used it loses connection. I guess I was at a stage where it started to ping the router from the WAN like:

    UTM has 10.10.11.5/24 with DG set (this interface is VLAN 801 Ethernet).

    UTM has 10.10.12.4/24 with no DG set (this interface is VLAN 801 Ethernet?).

    With Continuous disconnections on the internet and testing so many times the users are getting frustrated.  I guess I leave testing till Monday.  Will start fresh again.

  • Gentlemen,

    Finally, after approx. 3 months. Today I got a test layer 3 switch, a Brocade ICX 6610. The moment the switch was installed with the same config as the Cisco 2960, things started to work without any trouble. The network got the internet once this switch was installed behind the SG 310. Sophos did not suggest that under my scenario we would require a layer 3 switch, though the case went all the way to global support.

    I am pretty happy on all the things working after such a long time, but still we have to pay extra on top of buying SG310 and that is the layer 3 switch. :)

  • Sorry, I'd forgotten all about this. I'm not sure why a L3 switch with the same config as a L2 Switch (2960) would have any effect.

    Although you can get a 2960 with lite Layer 3 options, although most would use this and get a full Layer 3 switch, e.g. 3750 etc.

    Glad you've got it going but I'm still at a loss as to how it works