This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM SG 135 problem with internetconnection / DHCP

Hi there,

I have a strange problem with an internet connection on an SG 135 with the current firmware version.

Two identical cable connections from Vodafone Kabel Deutschland with 1 Gbit each on ETH1 and ETH2 are configured identically on the UTM. Both lines have a static IP that is assigned by the provider via DHCP. Line one has been running smoothly for almost two years. Now a second line has been added, it always runs for about 30 minutes, then it is gone for about 30 minutes. In the log file I see that after the lease has expired, the UTM tries to re-establish the connection. She tries that for about 30 minutes, after which it works again. The uplink balancing is also correctly switched on. Both interfaces are configured as standard gateways.

I have already swapped different Internet interfaces on the UTM, no improvement. In the log file I see the following:

reverseproxy/usr/dehydrated/bin/renew_certificate.pl > /dev/null)

2020:12:22-19:29:09 gw dhclient: DHCPREQUEST for 24.134.237.101 on eth2 to 88.134.230.2 port 67

2020:12:22-19:29:30 gw dhclient: DHCPREQUEST for 24.134.237.101 on eth2 to 88.134.230.2 port 67

2020:12:22-19:29:41 gw dhclient: DHCPREQUEST for 24.134.237.101 on eth2 to 88.134.230.2 port 67

2020:12:22-19:30:00 gw dhclient: DHCPREQUEST for 24.134.237.101 on eth2 to 88.134.230.2 port 67

2020:12:22-19:30:01 gw /usr/sbin/cron[23544]: (dehydrated) CMD (/var/chroot-reverseproxy/usr/dehydrated/bin/renew_certificate.pl > /dev/null)

2020:12:22-19:30:01 gw /usr/sbin/cron[23545]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)

2020:12:22-19:30:01 gw /usr/sbin/cron[23546]: (root) CMD (/var/mdw/scripts/pmx-blocklist-update)

2020:12:22-19:30:01 gw /usr/sbin/cron[23547]: (root) CMD ( /usr/local/bin/rpmdb_backup )

2020:12:22-19:30:17 gw dhclient: DHCPREQUEST for 24.134.237.101 on eth2 to 88.134.230.2 port 67

2020:12:22-19:30:30 gw dhclient: DHCPREQUEST for 24.134.237.101 on eth2 to 88.134.230.2 port 67

2020:12:22-19:30:44 gw dhclient: DHCPREQUEST for 24.134.237.101 on eth2 to 88.134.230.2 port 67

2020:12:22-19:31:01 gw /usr/sbin/cron[24101]: (dehydrated) CMD (/var/chroot-reverseproxy/usr/dehydrated/bin/renew_certificate.pl > /dev/null)

2020:12:22-19:31:02 gw dhclient: DHCPREQUEST for 24.134.237.101 on eth2 to 88.134.230.2 port 67

2020:12:22-19:31:19 gw dhclient: DHCPREQUEST for 24.134.237.101 on eth2 to 88.134.230.2 port 67

2020:12:22-19:31:27 gw dhclient: DHCPREQUEST for 24.134.237.101 on eth2 to 88.134.230.2 port 67

2020:12:22-19:31:35 gw dhclient: DHCPREQUEST for 24.134.237.101 on eth2 to 88.134.230.2 port 67

2020:12:22-19:31:47 gw dhclient: DHCPREQUEST for 24.134.237.101 on eth2 to 88.134.230.2 port 67

2020:12:22-19:32:01 gw /usr/sbin/cron[24563]: (root) CMD ( nice -n19 /usr/local/bin/gen_inline_reporting_data.plx)

2020:12:22-19:32:01 gw /usr/sbin/cron[24564]: (dehydrated) CMD (/var/chroot-reverseproxy/usr/dehydrated/bin/renew_certificate.pl > /dev/null)

2020:12:22-19:32:06 gw dhclient: DHCPREQUEST for 24.134.237.101 on eth2 to 88.134.230.2 port 67

2020:12:22-19:32:14 gw dhclient: DHCPREQUEST for 24.134.237.101 on eth2 to 88.134.230.2 port 67

2020:12:22-19:32:34 gw dhclient: DHCPREQUEST for 24.134.237.101 on eth2 to 88.134.230.2 port 67

2020:12:22-19:32:43 gw dhclient: DHCPREQUEST for 24.134.95.205 on eth1 to 88.134.230.2 port 67

2020:12:22-19:32:43 gw dhclient: DHCPACK of 24.134.95.205 from 88.134.230.2

2020:12:22-19:32:43 gw dhclient: bound to 24.134.95.205 -- renewal in 1228 seconds.

2020:12:22-19:32:48 gw dhclient: DHCPREQUEST for 24.134.237.101 on eth2 to 88.134.230.2 port 67

2020:12:22-19:33:01 gw /usr/sbin/cron[25076]: (dehydrated) CMD (/var/chroot-reverseproxy/usr/dehydrated/bin/renew_certificate.pl > /dev/null)

2020:12:22-19:33:08 gw dhclient: DHCPREQUEST for 24.134.237.101 on eth2 to 255.255.255.255 port 67

2020:12:22-19:33:17 gw dhclient: DHCPREQUEST for 24.134.237.101 on eth2 to 255.255.255.255 port 67

2020:12:22-19:33:26 gw dhclient: DHCPREQUEST for 24.134.237.101 on eth2 to 255.255.255.255 port 67

2020:12:22-19:33:26 gw dhclient: DHCPACK of 24.134.237.101 from 88.134.230.2

2020:12:22-19:33:26 gw dhclient: bound to 24.134.237.101 -- renewal in 1554 seconds.

Then after a while this comes up:

19:32:06 gw dhclient: DHCPREQUEST for 24.134.237.101 on eth2 to 88.134.230.2 port 67

2020:12:22-19:32:14 gw dhclient: DHCPREQUEST for 24.134.237.101 on eth2 to 88.134.230.2 port 67

2020:12:22-19:32:34 gw dhclient: DHCPREQUEST for 24.134.237.101 on eth2 to 88.134.230.2 port 67

2020:12:22-19:32:43 gw dhclient: DHCPREQUEST for 24.134.95.205 on eth1 to 88.134.230.2 port 67

2020:12:22-19:32:43 gw dhclient: DHCPACK of 24.134.95.205 from 88.134.230.2

2020:12:22-19:32:43 gw dhclient: bound to 24.134.95.205 -- renewal in 1228 seconds.

2020:12:22-19:32:48 gw dhclient: DHCPREQUEST for 24.134.237.101 on eth2 to 88.134.230.2 port 67

2020:12:22-19:33:01 gw /usr/sbin/cron[25076]: (dehydrated) CMD (/var/chroot-reverseproxy/usr/dehydrated/bin/renew_certificate.pl > /dev/null)

2020:12:22-19:33:08 gw dhclient: DHCPREQUEST for 24.134.237.101 on eth2 to 255.255.255.255 port 67

2020:12:22-19:33:17 gw dhclient: DHCPREQUEST for 24.134.237.101 on eth2 to 255.255.255.255 port 67

2020:12:22-19:33:26 gw dhclient: DHCPREQUEST for 24.134.237.101 on eth2 to 255.255.255.255 port 67

2020:12:22-19:33:26 gw dhclient: DHCPACK of 24.134.237.101 from 88.134.230.2

2020:12:22-19:33:26 gw dhclient: bound to 24.134.237.101 -- renewal in 1554 seconds.

2020:12:22-19:34:01 gw /usr/sbin/cron[25630]: (dehydrated) CMD (/var/chroot-reverseproxy/usr/dehydrated/bin/renew_certificate.pl > /dev/n


I have no idea what else to try.

Any help is very welcome.

Cheers,

Horst



This thread was automatically locked due to age.
Parents
  • Hi  ,

    thanks for the answer.

    Here are my ansers:

    What is the firmware version on your firewall? 

    Firmware is 9.705-3

    Did you define the gateway for the new WAN interface on the UTM? 

    Yes, see attachments. WAN1 & WAN2 are from the same Provider and are identical configured. WAN2 ist the one who disconnect ever 30 minutes.

    If UTM is sending DHCP requests and does not get DHCP Ack from the server, it needs to be looked at at the upstream device.

    I opend several tickets at the provider. He told me everthing is OK on his side :-(

    Thanks for helping me.

    Horst

    WAN1:

    WAN2

  • Hello Horst,

    why don‘t  you just use a static definition, if you know your static ip settings?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • I tried to shutdown Line 1 wich runs all the time perfect and use only line two. After 30 minutes everything works as expectet, no disconnect. Then I start the other line . After 30 Minutes Line 2 (the bad one)got the problem again. Starting to get angry....

  • I looked at your logs again:

    eth1 immediately gets an answer "DHCPACK" to the DHPQREQUEST.

    eth2 has to ask again and again and after lots of retries finally gets its DHCPACK, too. I suspect the upstream system has a problem here.

    Did you test using Vodafone line2 with eth2 alone?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Philipp,

    yes I did. When ETH2 is the only Internetconnection it runs normally, Means no connection lost. As soon i put ETH1 online, after 30 minutes the game starts again, ETH2 disconnect again...

  • I suggest the Vodafone system gets confused by two "systems" coming to the same gateway (88.134.230.2) over the same coaxial hub. This is almost certainly a problem on the Vodafone side.

    Tell Vodafone support that you have two lines with the same config to the same location.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • I allready did that. I told them 5 times that I have 2 indentical liles, but nobody cares about that.

  • Is this "Business support" or "private"?

    Welches Bundesland?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • There are 2

    Red Business Internet 1000 Cable connection with static Ips and ordered as business with 8 hour service. We are located in Saarland.

  • OK, I see a footnote in Vodafone product descrition:

    Gilt in Nordrhein-Westfalen, Hessen und Baden-Württemberg. In allen anderen Bundesländern ist eine feste IP-Adresse verfügbar.

    In Saarland there is a different way to access the backbone, than with us here in Hessen.... hmmm.

    Maybe you should tell them, that you move to Deutsche Telekom?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • I allready told the that i switch, they don`t care about that :-( 

  • Hallo Horst,

    I think we all agree that this is a problem on the Vodafone side that you cannot solve. 

    You don't seem like the kind of guy that would have done anything to make the Vodafone guy so obstinate.  I would ask the Vodafone technician for his name and if he's willing to bet his job that he's right and we're all wrong.  I would then call Vodafone sales and tell them you're not getting acceptable support from the guy and that you will switch to DT if they don't get a smarter, more diligent technician on your case.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • Hallo Horst,

    I think we all agree that this is a problem on the Vodafone side that you cannot solve. 

    You don't seem like the kind of guy that would have done anything to make the Vodafone guy so obstinate.  I would ask the Vodafone technician for his name and if he's willing to bet his job that he's right and we're all wrong.  I would then call Vodafone sales and tell them you're not getting acceptable support from the guy and that you will switch to DT if they don't get a smarter, more diligent technician on your case.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children