
Additional Address stops responding

Posting this question again on the new forum..  Here is the link to the old: https://www.astaro.org/gateway-products/network-protection-firewall-nat-qos-ips/59993-additional-address-stops-responding.html


Still battling this problem.  Wondering if it is MAC/arp related.  I can't seem to find anywhere in the firewall interface that the arp cache can be cleared as a troubleshooting step....  I have since installed UTM 9 on a desktop computer and imported my config.  SAME ISSUE!!  so it doesn't appear to be related to the VMware environment.

old post details

~~~

Hello Sophos forum.. I have a strange problem with an additional address on my Sophos VM here in my home lab. Hoping someone can provide some insight. First some details on my environment.

VMware vSphere 5.5 U3
Procurve 2810-24G switch
Each ESXi host is connected to the network with 3 Network cards, Intel based server grade hardware.


What Changed:
Issue began after moving from vSwitch to Distributed Virtual Switch. Moved from LACP/IP-Hash load balancing to LBT with no LACP.. (Load based on physical NIC)


Problem description:
I have one WAN interface connected to an ISP that provides two static IP addresses in the same subnet. The primary IP is assigned to the WAN interface in the traditional manner and there are a handful of NAT policies for services forward to internal hosts. This primary address seems to function reliably. Only one masquerading NAT policy exists and all internal hosts access the internet out this IP.

The second address is configured on the same interface as an "additional address". One or two services are forwarded to an internal host, otherwise the IP isn't used for anything else.

The issue is that after about 24 hours of runtime the second address appears to stop functioning.. The only way I have found to work around the problem is to restart the firewall. After a restart the second address inbound services function as expected.


Attempted to troubleshoot issue:
1. Re-create VM and import settings, same problem.
2. Attempt VMware hardware version 8 and 10, same problem.
3. Clear arp cache from switch while the issue is occurring, same problem.
4. Change mask of "additional address" from ISP recommendation to /32, same problem.
5. Disable spanning-tree and loop protect on switch. same problem.

I thought maybe creating a policy based route so that the internal hosts using 2nd address NAT'd services would be forced to respond using the 2nd WAN IP, but I am grabbing at straws here. And why would it work at all if this needed to be done..... Hmm.. Scratching head....
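Since the post suspects an ARP/MAC problem and mentions that the firewall GUI offers no way to inspect or clear the ARP cache, here is an added example (not from the original post, and not Sophos code) that parses the Linux neighbour table as printed by `ip -4 neigh show` and flags watched addresses that are missing or not resolving. It assumes shell access to the UTM (which is Linux-based) so the command can be run; the interface name `eth1`, the addresses and the sample output are constructed placeholders, not values from the post.

```python
"""Added example: spot ARP neighbours that have stopped resolving.

Assumptions (not from the forum post): the firewall exposes a shell where
`ip -4 neigh show` works, and `eth1` is the WAN interface.  All addresses and
MACs below are constructed sample data.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample of `ip -4 neigh show` output.  The FAILED line has no
# lladdr field, which is how the kernel prints an unresolved entry.
SAMPLE_NEIGH = """\
203.0.113.1 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE
203.0.113.7 dev eth1 lladdr 00:11:22:33:44:66 STALE
192.168.10.20 dev eth0 lladdr 52:54:00:aa:bb:cc REACHABLE
203.0.113.9 dev eth1  FAILED
"""

# One neighbour line: "<ip> dev <if> [lladdr <mac>] <STATE>"
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>[0-9a-f:]+))?\s+(?P<state>[A-Z]+)$"
)

# Entries in these states cannot carry traffic; STALE is normal and is
# re-probed on next use, so it is deliberately not treated as a fault.
UNRESOLVED = {"FAILED", "INCOMPLETE"}


@dataclass
class Neighbour:
    ip: str
    dev: str
    mac: Optional[str]
    state: str


def parse_ip_neigh(text: str) -> Dict[str, Neighbour]:
    """Parse `ip -4 neigh show` output into a map of address -> Neighbour."""
    entries: Dict[str, Neighbour] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = NEIGH_RE.match(line)
        if not m:  # skip anything that is not a neighbour line
            continue
        entries[m["ip"]] = Neighbour(m["ip"], m["dev"], m["mac"], m["state"])
    return entries


def unhealthy_neighbours(entries: Dict[str, Neighbour], watch_ips) -> Dict[str, str]:
    """Return the watched addresses that are absent or in an unresolved state."""
    problems: Dict[str, str] = {}
    for ip in watch_ips:
        n = entries.get(ip)
        if n is None:
            problems[ip] = "no entry"
        elif n.state in UNRESOLVED:
            problems[ip] = n.state
    return problems


def live_check(watch_ips) -> Dict[str, str]:
    """Run the real command on the firewall and report problems (needs shell access)."""
    out = subprocess.run(
        ["ip", "-4", "neigh", "show"], capture_output=True, text=True, check=True
    ).stdout
    return unhealthy_neighbours(parse_ip_neigh(out), watch_ips)


if __name__ == "__main__":
    # Offline demo on the constructed sample: watch the ISP gateway and a peer.
    demo = parse_ip_neigh(SAMPLE_NEIGH)
    print(unhealthy_neighbours(demo, ["203.0.113.1", "203.0.113.9"]))
```

Running `live_check([...])` from cron every few minutes and logging the result gives a timeline that can be lined up against the roughly 24-hour failure window described above; if the ISP gateway entry shows as FAILED when the additional address stops answering, that points at ARP rather than at NAT rules. On a shell, `ip -4 neigh flush dev eth1` clears the cache for one interface, which covers the "clear the ARP cache as a troubleshooting step" that the GUI does not offer.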


