This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WebAdmin Inaccessible: Needs to Be Fixed via CLI throuch CC

I've lost the content of this post twice after a window resize, so it has the bare minimum

UTM 9.605-1 is ran within a VM on ESXi 6.7. 

  • WebAdmin is accessible via a new install [of Sophos], but upon restoring a known good [Sophos] backup config, WebAdmin is no longer accessible, even though UTM is being correctly assigned an IP. 

The issue either resides within the allowed networks for WebAdmin and/or the default internal network, or some other network setting having to do with br0, as I've had this issue before, but lost the bookmark with the correct cc commands to fix.

sophos-utm:/var/log # cc get webadmin allowed_networks
[
'REF_NetworkAny',
'REF_NetNetAnyInterna'
]

sophos-utm:/var/log # cc get_object 'REF_DefaultInternalNetwork'
0
  • EDIT:
    • I've added REF_NetworkAny & REF_NetNetAnyInterna to allowed_networks via cc, removing all others
     
    • After further troubleshooting, I'm able to replicate on a new install of Sophos by doing the following:
      1. VM created with eth0 - eth3, with only eth0 set up as an interface within Sophos (LAN DHCP: 192.168.2.45/26)
      2. Edit eth0, changing it to a bridge and adding eth1, saving changes
        • Waited 5min to allow UTM to fully set up the new bridge and restart services on the backend
        • WebAdmin still accessible
      3. Edit the newly created bridge, unticking eth1 from the bridge, saving changes
        • This results in the WebAdmin becoming inaccessible on 192.168.2.45/26, even after a reboot.

 VM Switches: eth0 - eth3

  • eth0 & eth1: bridged into br0
    • Assigned a static IP via OpenWrt, 192.168.2.1/26
  • eth2 & eth3: irrelevant to this issue
  • All Interfaces: br0, eth0 - eth3, ifb0 - ifb4, lo, tun0

WebAdmin192.168.2.1:443 on br0



This thread was automatically locked due to age.
Parents
  • With ~235 views thus far and not a single reply, the only fix I can think of is to boot up a second VM and manually transfer over each network definition one by one to a new install of UTM... Clearly Sophos' forum is still suffering from the same issue that's hounded this forum since Sophos shut down the Astaro forum... there's simply a lack of knowledgeable users on this forum due to losing those voices years ago when the switch occurred, and it's abundantly clear those users never bothered coming back (it's why I left after all).

    • I don't have some weird, one-off setup that's outside the norm... what's occurring should not be occurring on a simple 4 switch setup (3 LAN, 1 WAN)



    The issue did end up being the bridge of eth0 & eth1, coupled with the hardware MACs of the 4 ethernet ports, as the previous server board's hardware MACs were still attached to the 4 interfaces within the old Sophos config.  After manually assigning the old hardware MACs in the VM's settings, then removing all interfaces except eth0, allowed me to manually assign the WebAdmin IP to eth0 via ifconfig, restoring temporary access.

    •  It should also be notated that even though I re-gained WebAdmin access, it's now impossible to utilize any of the backup configs I have because UTM is incorrectly modifying the hardware switch layout, switching eth1 <-> eth3, where eth1 is a LAN port and eth3 is the WAN port.  I've tried deleting all interfaces, adding them back one by one in chronological order (eth0, eth1, eth2, then eth3), shutting down UTM before adding the next, and as soon as eth3 is added, UTM replaces eth1 with eth3 and eth3 with eth1, regardless of the hardware MACs.
      • To provide a visual, prior to eth3 being added, ifconfig and WebAdmin will show eth0 with a MAC ending in 00, eth1 ending in 01, eth2 ending in 02eth3's MAC ends in 03, yet as soon as eth3 is added, eth0 ends in 00, eth1 ends in 03, eth2 in 02, and eth3 in 01.

    • I deleted all interfaces and switches from ESXi, except for vSwitch0 (eth0, as it houses the kernel management switch), re-creating all interfaces on both ESXi and Sophos, yet I am unable to get Sophos to stop switching eth1 <-> eth3.
      • I've modified the hardware switches themselves under cc OBJS (yes, I did write the changes before exiting), swapping eth1's and eth3's hardware MACs to the correct ones, yet as soon as a reboot occurs, UTM switches them back... WTF
        (changes in the OBJS database are supposed to survive reboots).

    SilverStone DS380 | AsRock C2750D4I | Alienware 18 In Win Chopin | SuperMicro A1SRi-2758F
    2.4gHz 8C C2750 ; 32GB ECC | 2.5gHz 4C i7 4710MQ ; 32GB 2.4gHz 8C C2758 ; 32GB ECC
    Vantec 4C USB3 PCIe UGT-PCE430-4C | 8GB AMD SLI R9 M290x |
    SSD  | 850 EVO: 120GB | 1TB ; mSATA: 1TB (2) | 850 Pro: 128GB ; 850 EVO: 1TB
    HDD | Seagate: { ST4000VN000 (8) } Z2 ; { HGST HTS721010A (3) } Z2 |
    FreeNAS 11.2 | { PNY Turbo USB3 32GB (2) } Mirror | Win 10 Pro | ESXi 6.7: Sophos UTM 9.6

    Various Wikis, Scripts, & Configs | Prebuilt OpenSSL Config

  • JW, in order to promote more participation, I won't read any thread that has a post newer than yesterday - I suspect others do something similar.  In this case, I would try editing /etc/udev/rules.d/70-persistent-net.rules to change the NIC order to what existed in your prior VM.  Don't forget to reboot after you save the changed file.  Any luck with that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • JW, in order to promote more participation, I won't read any thread that has a post newer than yesterday - I suspect others do something similar.  In this case, I would try editing /etc/udev/rules.d/70-persistent-net.rules to change the NIC order to what existed in your prior VM.  Don't forget to reboot after you save the changed file.  Any luck with that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • Bob, thanks a bunch! that worked =]

     

    TL;DR: nothing below has to do with OP issue

    My frustration wasn't directed towards you, any moderator, or any other knowledgeable member who contributes to this forum.  Technical knowledge with Sophos comes from experience using it, and by essentially ostracizing the veteran Astaro forum users when the abrupt switch was made to this current forum years ago, it severely damaged the knowledge base of users to pull from.  My frustration doesn't come from not receiving an answer right away (I expect not to get answers on forums for a few days), but from the amount of views this had without a single response, which shows this forum has still not recovered from the damage Sophos inflicted upon it years ago... that's what's frustrating.

    It's frustrating to me that while Sophos' forum is a better layout, the "I don't care about current users' experience" rollout by Sophos years ago, with the abrupt shutdown of the Astaro phpBB-based forum, resulted with a large number of knowledgeable users of UTM simply throwing up their hands to community involvement because this forum looks and operates nothing like the phpBB-based forum Astaro was; this made navigating this new forum a massive, frustrating inconvenience.  So when a technical issue gets hundreds of views and no responses, it's frustrating that Sophos pushed out a lot of previous Astaro forum members who would have been able to chime in. I understand and agree with your point about not responding for a day to encourage community participation, as Sophos expecting yourself and a handful of others to always respond with technical advice isn't sustainable, let alone practical. 

    SilverStone DS380 | AsRock C2750D4I | Alienware 18 In Win Chopin | SuperMicro A1SRi-2758F
    2.4gHz 8C C2750 ; 32GB ECC | 2.5gHz 4C i7 4710MQ ; 32GB 2.4gHz 8C C2758 ; 32GB ECC
    Vantec 4C USB3 PCIe UGT-PCE430-4C | 8GB AMD SLI R9 M290x |
    SSD  | 850 EVO: 120GB | 1TB ; mSATA: 1TB (2) | 850 Pro: 128GB ; 850 EVO: 1TB
    HDD | Seagate: { ST4000VN000 (8) } Z2 ; { HGST HTS721010A (3) } Z2 |
    FreeNAS 11.2 | { PNY Turbo USB3 32GB (2) } Mirror | Win 10 Pro | ESXi 6.7: Sophos UTM 9.6

    Various Wikis, Scripts, & Configs | Prebuilt OpenSSL Config