
RED Client-Tunnel shows "online", but stays yellow and no traffic passes through the tunnel.

Hi all,

I built an SG-to-SG connection via RED tunnel.

I use a direct cable from SG1 to SG2 (while preconfiguring).

I am able to reach the physical interface from SG2.

But the tunnel stays yellow, and the interfaces built on reds1 and redc1 don't pass traffic.

The log shows the ping-pong between the interfaces:

2021:02:24-16:32:21 wstohlfw01-1 red_server[8647]: SELF: New connection from 10.10.10.2 with ID 082ac63b9280c9e (cipher AES256-GCM-SHA384), rev1
<30>Feb 24 16:32:21 red_server[8647]: 082ac63b9280c9e: connected OK, pushing config
2021:02:24-16:32:21 wstohlfw01-1 red_server[8647]: 082ac63b9280c9e: command 'PING 0'
2021:02:24-16:32:21 wstohlfw01-1 red_server[8647]: id="4201" severity="info" sys="System" sub="RED" name="RED Tunnel Up" red_id="082ac63b9280c9e" forced="0"
2021:02:24-16:32:21 wstohlfw01-1 red_server[8647]: 082ac63b9280c9e: PING remote_tx=0 local_rx=0 diff=0
2021:02:24-16:32:21 wstohlfw01-1 red_server[8647]: 082ac63b9280c9e: PONG local_tx=0
2021:02:24-16:32:36 wstohlfw01-1 red_server[8647]: 082ac63b9280c9e: command 'PING 0'
2021:02:24-16:32:36 wstohlfw01-1 red_server[8647]: 082ac63b9280c9e: PING remote_tx=0 local_rx=0 diff=0
2021:02:24-16:32:36 wstohlfw01-1 red_server[8647]: 082ac63b9280c9e: PONG local_tx=0
2021:02:24-16:32:51 wstohlfw01-1 red_server[8647]: 082ac63b9280c9e: command 'PING 0'
2021:02:24-16:32:51 wstohlfw01-1 red_server[8647]: 082ac63b9280c9e: PING remote_tx=0 local_rx=0 diff=0
2021:02:24-16:32:51 wstohlfw01-1 red_server[8647]: 082ac63b9280c9e: PONG local_tx=0
2021:02:24-16:33:06 wstohlfw01-1 red_server[8647]: 082ac63b9280c9e: command 'PING 0'
2021:02:24-16:33:06 wstohlfw01-1 red_server[8647]: 082ac63b9280c9e: PING remote_tx=0 local_rx=0 diff=0
2021:02:24-16:33:06 wstohlfw01-1 red_server[8647]: 082ac63b9280c9e: PONG local_tx=0
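
The keepalive lines above carry the diagnostic signal of this thread: the control channel answers every PING, yet remote_tx, local_rx and local_tx never leave 0, so nothing is being forwarded. The following is an added example, not part of the original post or of Sophos' tooling: it parses red_server log lines in the format quoted above and flags per RED id whether a tunnel is "Up but carrying no payload". The constructed sample reuses the thread's id plus a hypothetical second id; the reading of diff as remote_tx minus local_rx (frames the peer sent that were not seen locally) is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the red_server format quoted above. The first id shows the
# thread's symptom (Up, all counters stuck at 0); the second id is hypothetical.
SAMPLE_LOG = """\
2021:02:24-16:32:21 wstohlfw01-1 red_server[8647]: id="4201" severity="info" sys="System" sub="RED" name="RED Tunnel Up" red_id="082ac63b9280c9e" forced="0"
2021:02:24-16:32:21 wstohlfw01-1 red_server[8647]: 082ac63b9280c9e: PING remote_tx=0 local_rx=0 diff=0
2021:02:24-16:32:21 wstohlfw01-1 red_server[8647]: 082ac63b9280c9e: PONG local_tx=0
2021:02:24-16:32:36 wstohlfw01-1 red_server[8647]: 082ac63b9280c9e: PING remote_tx=0 local_rx=0 diff=0
2021:02:24-16:32:36 wstohlfw01-1 red_server[8647]: 082ac63b9280c9e: PONG local_tx=0
2021:02:24-16:32:51 wstohlfw01-1 red_server[8647]: 082ac63b9280c9e: PING remote_tx=0 local_rx=0 diff=0
2021:02:24-16:32:51 wstohlfw01-1 red_server[8647]: 082ac63b9280c9e: PONG local_tx=0
2021:02:24-16:32:21 wstohlfw01-1 red_server[8647]: id="4201" severity="info" sys="System" sub="RED" name="RED Tunnel Up" red_id="aaaa0000bbbb111" forced="0"
2021:02:24-16:32:21 wstohlfw01-1 red_server[8647]: aaaa0000bbbb111: PING remote_tx=120 local_rx=118 diff=2
2021:02:24-16:32:21 wstohlfw01-1 red_server[8647]: aaaa0000bbbb111: PONG local_tx=97
"""

UP_RE = re.compile(r'name="RED Tunnel Up" red_id="(?P<id>[0-9a-f]+)"')
PING_RE = re.compile(r"\]: (?P<id>[0-9a-f]+): PING remote_tx=(?P<rtx>\d+) local_rx=(?P<lrx>\d+) diff=(?P<diff>-?\d+)")
PONG_RE = re.compile(r"\]: (?P<id>[0-9a-f]+): PONG local_tx=(?P<ltx>\d+)")


def parse_red_log(text):
    """Group 'RED Tunnel Up' events and keepalive counters by RED id."""
    tunnels = defaultdict(lambda: {"up": False, "pings": [], "pongs": []})
    for line in text.splitlines():
        if m := UP_RE.search(line):
            tunnels[m["id"]]["up"] = True
        elif m := PING_RE.search(line):
            tunnels[m["id"]]["pings"].append((int(m["rtx"]), int(m["lrx"]), int(m["diff"])))
        elif m := PONG_RE.search(line):
            tunnels[m["id"]]["pongs"].append(int(m["ltx"]))
    return dict(tunnels)


def assess_tunnels(tunnels, rounds=3):
    """'no_payload': Up, but the last `rounds` PING/PONG rounds report only zeros
    (control channel alive, no frames either way). 'counter_mismatch': some PING has
    diff > 0 (assumed remote_tx - local_rx). 'not_up': no Up event. Otherwise 'ok'."""
    verdicts = {}
    for rid, t in tunnels.items():
        pings, pongs = t["pings"][-rounds:], t["pongs"][-rounds:]
        if not t["up"]:
            verdicts[rid] = "not_up"
        elif len(pings) >= rounds and set(pings) == {(0, 0, 0)} and set(pongs) == {0}:
            verdicts[rid] = "no_payload"
        elif any(diff > 0 for _, _, diff in t["pings"]):
            verdicts[rid] = "counter_mismatch"
        else:
            verdicts[rid] = "ok"
    return verdicts
```

Feed the output of /var/log/red.log (or whichever file carries the red_server lines on your UTM) into assess_tunnels(parse_red_log(text)); a persistent "no_payload" verdict on a tunnel the WebAdmin shows as online is exactly the yellow-but-idle state described here.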



  • You're right Dirk - there's no information in the Help or KnowledgeBase about this and this is the first time anyone has asked here about that being yellow.  Are you sure your Static Routes are set correctly and active?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi all,

    thanks for the answers.

    The RED link is created using a direct cable (2 m). It will be a radio link later (as built multiple times...).

    The RED tunnel should be green even without a connected IP interface, so I need no routes.

    ... otherwise: yes, the RED tunnel is the default GW for the branch, and I build static routes from headquarters to the branch for the networks behind the 2nd FW.

    Workaround: using RED Server (legacy) and RED Client (legacy), it works immediately.
    Where are the differences?
    (Calls with Sophos support are not helpful.)


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hello Dirk,

    We are also having problems with some of our S2S REDv2 tunnels. We have several connections between different UTMs at a customer, and support has investigated the problem almost since the release of the v2 tunnels for UTM, but so far without result. Most tunnels work, but one behaves just like your tunnel (online, but with a yellow exclamation point; the other side shows the green icon), and another is green on both sides but passes no traffic through the tunnel. The only workaround is to use the legacy tunnels, as you mentioned.

  • Dirk, I don't know how to make a RED tunnel between two UTMs without using static routes or Multipath rules.  How do you do that?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • First you need the tunnel.

    Every partner within this tunnel has a RED interface. That's Layer 1-2. The tunnel should be green now.

    Now you create the L3 interface on every side. The 2 tunnel partners have an interface within this virtual "L2 connection".

    Now every SG should be able to ping the other side's RED tunnel interface.

    That's the point that is not working for me.

    Now the admin may create routes pointing to the networks "behind" the tunnel. But that's not my problem.

    ...

    Funny, the support engineer didn't understand this. Am I thinking wrong here?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.