
Can I ping over a specific interface without using the UTM Tools?

Hello everyone,


I have already looked up everything I could for this particular problem, and in earlier firmware versions this seems possible.

Background: 
I have a customer that wants to perma-ping some IPs in the public web for diagnostic reasons. The customer has two WAN interfaces and one of these is reserved for connections to those public IPs he wants to ping.

Now normally I would simply say "use the UTM's tools", but he wants a continuous ping for likely hours, which the UTM does not provide in the GUI.
So I tried to configure it in the multipathing and I get this:

Please note that this is a recreation on my firewall, not the customer's. Both use 9.510 as firmware and are the same model.

I have 0 ideas how to get around this.

Can anyone shoot me some ideas on how to get this config working? I need to get one specific desktop to ping stuff on the internet over one interface of the UTM.


Thanks in advance!


Regards
~ Chris



  • Hallo Chris and welcome to the UTM Community!

    We don't really know the problem your customer is trying to solve, only the solution that he's imagined.  Will Uplink Monitoring give them what they need?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob,

    thanks for the answer and suggestion.

    I don't think it will though. Uplink monitoring just checks if there is something reachable through the uplink interface, correct?

    The customer basically has some latency issues that he tries to make sense of. The public IPs he is trying to reach are rented and the provider is not acknowledging the issues.

    Thus our customer is trying to get at least reproducible proof about what is happening, ideally with a timestamp.
    You can do that via scripted ping. At least this way you get the response times and timeouts with a time and date that he can hit the provider with.
    The only issue with that plan is that the ping would currently be sent over the default WAN, and he has another WAN that is reserved for the connections to those webservers, so we need to check over this specific second WAN interface.

    We already know that the WAN interface should not be the root of these issues as I have checked from different sources towards that WAN interface of our customer and the interface itself seems to work perfectly.

    Best regards,

    Chris
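A scripted ping of the kind described in the post above, as an added example that is not part of the thread: it probes several targets in a loop, stamps each result with a UTC time and writes the round-trip time or a TIMEOUT marker to a log file that can later be handed to the provider. It assumes a Linux host with iputils ping (where `-W` is a timeout in seconds); the target addresses are constructed placeholders from the RFC 5737 documentation range. Behind the UTM the policy route on the firewall chooses the WAN interface, so the host needs no interface option; on a Linux host with its own second uplink, `PING_OPTS` can carry `-I <interface>`.

```shell
#!/bin/sh
# Added example (not from the thread): timestamped continuous ping to several
# targets, logging RTT or TIMEOUT per probe so the log can be handed to a provider.
# Start with:  sh pinglog.sh run
# Target addresses are constructed placeholders (RFC 5737 documentation range).

TARGETS="${TARGETS:-192.0.2.10 192.0.2.11 192.0.2.12}"
INTERVAL="${INTERVAL:-5}"            # seconds between probe rounds
LOGFILE="${LOGFILE:-ping_log.txt}"
# Optional extra ping options, e.g. "-I eth1" on a Linux host with its own second
# uplink. Behind the UTM the policy route selects the WAN, so leave this empty.
PING_OPTS="${PING_OPTS:-}"

# Turn one ping run's output into a single log line:
#   "<ts> <target> rtt_ms=<n>" when a reply came back, "<ts> <target> TIMEOUT" otherwise.
# Pure text processing, so it can be exercised without network access.
format_line() {
    ts=$1; target=$2; output=$3
    rtt=$(printf '%s\n' "$output" | sed -n 's/.*time=\([0-9.][0-9.]*\) *ms.*/\1/p' | head -n 1)
    if [ -n "$rtt" ]; then
        printf '%s %s rtt_ms=%s\n' "$ts" "$target" "$rtt"
    else
        printf '%s %s TIMEOUT\n' "$ts" "$target"
    fi
}

# Send one echo request (2 s reply wait, iputils semantics) and emit the log line.
probe() {
    target=$1
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # PING_OPTS is intentionally unquoted so that "-I eth1" is split into two words.
    output=$(ping -c 1 -W 2 $PING_OPTS "$target" 2>/dev/null)
    format_line "$ts" "$target" "$output"
}

# Count TIMEOUT lines in a log file, for a quick summary before sending it on.
timeout_count() {
    grep -c ' TIMEOUT$' "$1" || true
}

# Probe every target once per round, forever, appending to the log.
main_loop() {
    while :; do
        for t in $TARGETS; do
            probe "$t" >> "$LOGFILE"
        done
        sleep "$INTERVAL"
    done
}

if [ "${1:-}" = "run" ]; then
    main_loop
fi
```

Each probe is a separate one-packet ping rather than one long-running `ping` process, so a lost reply produces its own timestamped TIMEOUT line instead of a gap in a sequence number, and the log keeps working across a link flap.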

  • Hi Chris,

    I can confirm that you can't use ICMP in Multipath rules in 9.6 either.

    You could try using Policy Routes like this:


    If you have static routes configured, please use "Internet v4" instead of "Any" in "Destination Network"; otherwise you'll break your ICMP communication in those networks.

    If you know the destination IPs you can insert them as Network group object in "Destination Network" Field.

    Yours Lukas

    lna@cema

    SCA (utm+xg), SCSE, SCT

    Sophos Platinum Partner

  • Hey Lukas,

    thanks, I have not thought about policy routes in this constellation.

    This should work as I can either put in the whole network or probably single IPs too for the source.


    I will have our customer try this ASAP.


    Thanks again!


    Best regards

    Chris

  • In fact, Chris, Uplink Monitoring can do precisely that and the Notification system can send an immediate email and SNMP alert.  See the second exception in #3 in Rulz.

    Latency issues?  As a mod, I see that you're in Germany.   There have been problems there with some ISPs handing out an MTU of 576 with their DHCP.  You might check the Interface definition to confirm that this isn't a problem.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob, 

    thanks again for the help and information.

    Apparently it is not only a problem with one IP, but the others are used less and the problems have just not been apparent to the users yet.
    I will have our customer set up the uplink monitoring after we have recorded a few days of pings to the servers (simultaneous ping to 3 IPs).

    We want to see first if the response times will diverge and if so, how big the stretch is. 

    In parallel we will ping some neutral hosts like Google and our datacenter in Frankfurt. This should give us some overview of whether there is any issue with the WAN from the ISP. We don't expect there to be, but you never know.


    I think we can consider this issue closed.


    Cheers

    Chris