UTM does not recognize IP change on uplink interface

Hello,

Recently I installed a second WAN uplink using an LTE router. The router is powered with PoE and is configured in bridge mode. Basically internet access works, including multipath rules and uplink monitoring.

The IPs I get on the LTE link are dynamic and change every time the connection is lost and re-established. I configured the interface on the UTM accordingly. My problem is that the UTM does not recognize if the external IP changes. I have to manually renew the IP (click the button).

In the logs I can see that the UTM gets an IP lease at first connection. If the connection drops, the uplink monitoring recognizes that the connection is not working anymore. After the connection is re-established (with a new IP address), the old lease still seems to be used, but of course no communication is possible this way.

Is this a bug or is there a way to configure the UTM to get the new IP address on reconnection?

Thanks.

  • Hi Tpok, 

    When the interface uses a dynamic address allocation scheme (such as DHCP or remote assignment), these definitions are automatically updated. All settings referring to these definitions, for example firewall and NAT rules, will also automatically be updated with the changed addresses. What is the firmware version of the UTM? Any specific custom settings for Uplink or interface definitions? Is Auto Negotiation enabled for the interface? Check in Interfaces & Routing > Interfaces > Hardware.

    Thanks,

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi Sachin,

    Thanks for your answer, but I think you missed the point in my first post. So please let me try to explain it a little further.

    I know how the dynamic address allocation should work. And it works the first time the LTE router is connected or I manually trigger a renewal of the IP address. But if the connection is lost afterwards, there seems to be no trigger for the UTM to renew the dynamic IP address. The behavior is the following:

    First-time connection (link goes up, WAN interface does not have an address yet), LTE router is connected to the mobile network:

    • UTM sends a DHCPDISCOVER to the LTE router
    • UTM gets the dynamic IP address (DHCPOFFER etc.) with a lease time
    • Uplink Monitoring can now ping the monitoring hosts and recognizes the connection as UP
    • now everything is working

    Now the LTE router loses the connection to the mobile network:

    • Uplink Monitoring cannot ping the monitoring hosts anymore and recognizes the connection as DOWN
    • WAN interface keeps the dynamic IP address (because the lease time is not over)

    Now the LTE router reconnects to the mobile network. If it gets the same IP address from the provider, everything is fine. But let's assume it gets a different IP address:

    • WAN interface still keeps the old dynamic IP address. Nothing triggers the interface to get the new IP address
    • Uplink Monitoring still cannot ping the monitoring hosts because the WAN IP is wrong

    My question is, how is this supposed to work? Nothing seems to trigger the interface to get a new IP address automatically. I can manually push the "renew" button or set the link down and up again, but this is not a solution.

    Does anybody have a working setup here or an idea how this should work?

  • I don't know if I get you right, but what if you specify a manual monitoring target, like 8.8.8.8?

  • Thanks for the detailed explanation. As I mentioned in my previous response, the interfaces will automatically update themselves with a new IP address. Verify one setting in Interfaces > Uplink Balancing > Monitoring Hosts > click on the wrench option: what are the interval and timeout values set for the UTM to do the connectivity check here?

    Interval: Enter a time interval in seconds at which the hosts are checked.

    Timeout: Enter a maximum time span in seconds for the monitoring hosts to send a response. If all monitoring hosts of an interface do not respond during this time, the interface will be regarded as dead.

    Thanks,

    Sachin Gurung

  • TPok, you didn't say which version you're using.  If using custom Monitoring Hosts doesn't fix this, I would guess that the issue is the LTE connection (modem, ISP, etc.).

    Assuming that REF_IntPppsXXXXXX is the REF_ of the Interface, you can do a renew from the command line with:

    cc interface_dhcp_renew_lease REF_IntPppsXXXXXX

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
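A watchdog built around the command Bob posted, added here as an example and not code from this thread or from Sophos. It takes only one thing from the thread, the renew command `cc interface_dhcp_renew_lease REF_...`; `REF_IntPppsXXXXXX` stands for the REF_ of your own LTE uplink and must be replaced, and the probe host, failure threshold, interval and logger tag are constructed assumptions for illustration. It addresses the missing trigger TPok describes: when the probe host stops answering for a run of checks, the script forces a lease renew instead of waiting for the old lease to expire.

```shell
#!/bin/sh
# Added example, not code from this thread or from Sophos. The only thing taken from the
# thread is the renew command Bob posted; REF_IntPppsXXXXXX stands for the REF_ of your
# own LTE uplink interface and must be replaced. Probe host, threshold, interval and the
# logger tag are constructed assumptions for illustration.

IFACE_REF="${IFACE_REF:-REF_IntPppsXXXXXX}"     # REF_ of the LTE uplink (assumption: replace it)
PROBE_HOST="${PROBE_HOST:-8.8.8.8}"             # a host only reachable through a working uplink
FAIL_THRESHOLD="${FAIL_THRESHOLD:-3}"           # consecutive failed probes before forcing a renew
INTERVAL="${INTERVAL:-15}"                      # seconds between probes
RENEW_CMD="${RENEW_CMD:-cc interface_dhcp_renew_lease}"   # renew command from Bob's post

# probe: exit 0 if PROBE_HOST answers a single ICMP echo within 2 s, non-zero otherwise.
probe() {
    ping -c 1 -W 2 "$PROBE_HOST" >/dev/null 2>&1
}

# next_state FAILS OK: given the current consecutive-failure count and the probe result
# (0 = reachable, 1 = unreachable), print "<new count> <action>" where action is "none"
# or "renew". Free of side effects so the policy can be tested without a network.
next_state() {
    fails="$1"
    ok="$2"
    if [ "$ok" -eq 0 ]; then
        printf '0 none\n'                       # reachable again: reset the counter
    elif [ $((fails + 1)) -ge "$FAIL_THRESHOLD" ]; then
        printf '0 renew\n'                      # threshold hit: renew, then count again
    else
        printf '%d none\n' $((fails + 1))
    fi
}

# watchdog: probe forever; after FAIL_THRESHOLD misses in a row, force a DHCP renew on the
# uplink. Resetting the counter after a renew keeps repeated renews FAIL_THRESHOLD*INTERVAL
# seconds apart while the LTE side is still down.
watchdog() {
    fails=0
    while :; do
        if probe; then ok=0; else ok=1; fi
        set -- $(next_state "$fails" "$ok")
        fails="$1"
        action="$2"
        if [ "$action" = "renew" ]; then
            logger -t lte-renew "no answer from $PROBE_HOST for $FAIL_THRESHOLD probes; renewing lease on $IFACE_REF"
            $RENEW_CMD "$IFACE_REF"
        fi
        sleep "$INTERVAL"
    done
}

# Only start the loop when invoked as "sh lte-renew.sh run"; sourcing the file does nothing.
case "${1:-}" in
    run) watchdog ;;
esac
```

Run it as root on the UTM (the `cc` command needs that), for example as a background process started from a boot script. Choose FAIL_THRESHOLD and INTERVAL so that their product is comfortably above the Uplink Monitoring timeout; otherwise an ordinary blip that Uplink Monitoring would ride out triggers a renew. The renew can only help when the LTE router hands out a fresh lease on request, which is exactly the manual step TPok reports as working.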
  • The UTM version is 9.509-3. Uplink Monitoring is set up with custom hosts and timeout values, as suggested.

    As stated above, the problem is not about Uplink Monitoring. This works fine and detects whether the connection is up or down. The problem is about the change of the IP address on one uplink interface, which the UTM does not detect, so it tries to communicate with the old address.

    Triggering the UTM to renew the IP address manually works, no matter if doing this through WebAdmin or the command line. The problem seems to be a missing trigger that tells the UTM to renew the IP address automatically after it changed.

    As I don't know how to explain it in more detail than I did before, I will open a support case. I think I have to show this to someone during a remote presentation. It seems to be too complex to explain it just with words.

  • I think your explanation is very clear TPok, but my guess is that the issue is an incompatibility with the LTE router.  Please let us know what Support has to say.

    Cheers - Bob
