
ICMP/Ping not working for Additional Interface IPs

Hi Sophos Experts,

I have two LAG (Link Aggregation Groups) configured on Sophos UTM.

LAG 0 Ports: eth0 and eth1 (not connected/configured/disabled)

LAG 1 Ports: eth2 and eth3 (connected/configured) 192.168.X.1 VIP and two additional IPs assigned to each device in HA cluster (192.166.X.2 for UTM1 and 192.166.X.3 for UTM2).

eth5: HA

LAG1 Ports: eth2 and eth3 are connected to two redundant switches.

I can ping the VIP (192.168.X.1) but can't ping additional IPs (192.166.X.2 for UTM1 and 192.166.X.3 for UTM2). I have enabled/disabled the "Global ICMP and ping" settings under Firewall --> ICMP tab and also added corresponding firewall rules to allow ICMP/Ping but I am not able to ping the additional IPs.

Any idea why ICMP/Ping is not working?



Thanks in advance.



  • Hallo,

    I've not seen a cluster where there are different IPs assigned to the same interface of the clustered devices.  In my experience, they must be identical.  If you've managed to assign different IPs in WebAdmin on different machines, I suspect that the config daemon was confused and wrote code giving you the result you're getting.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob for your quick reply. It's an Active/Standby HA configuration. I have always done this.

    Interfaces & Routing -> Interfaces -> Interfaces Tab: VIP is configured under Interfaces Tab

    Interfaces & Routing -> Interfaces -> Additional Addresses Tab: Individual (Alias) IPs in the same network mapped to each device

    These individual IPs are used for device monitoring (SNMP) from a software. I have always configured it like this and we were able to access all three IPs. One VIP which is always present on Active device, and the other two for each device. All IPs are in same subnet e.g. 192.168.10.1 (VIP), 192.168.10.2 (Sophos UTM1), 192.168.10.3 (Sophos UTM2).

    The only difference is that this time I have used LAG1 (Ports eth2 and eth3) instead of earlier scenarios where I always used LAG0 (Ports eth0 and eth1) and it always worked without any issue. Maybe somehow this port difference is causing this issue?

    Thanks.
