
RED between UTM - routing works, but UTM on both sides can't access the network

Hello guys,

 

I have a problem concerning a RED connection between two UTMs.

The connection is established and works fine. Routing as well.

 

The only problem is, the UTMs can't access the networks on the other side, PING isn't working either.

Devices within these networks are able to access the other networks.

 

Any ideas? I am a bit stuck at the moment and need it to work, because the UTM needs to access the Active Directory server at the other side of the tunnel, which isn't working.

PING tests were made with the UTM tools.

 

Thanks in advance.

 



  • "The only problem is, the UTMs can't access the networks on the other side, PING isn't working either.

    Devices within these networks are able to access the other networks."

    Sorry, you lost me.  What can access what where?  What can't access what where?  What items are selected on the 'ICMP' tab of 'Firewall' on both sides?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    • Site 1 is a UTM with 10.30.0.0/23
    • Site 2 is XG with 10.20.0.0/23

    Devices within 10.20.0.0/23 can access everything within 10.30.0.0/23, except the XG.

    Devices within 10.30.0.0/23 can access everything within 10.20.0.0/23, except the UTM. The UTM should connect to the domain controller at 10.20.0.10 for user authentication.

    The UTM gets a connection timeout while testing the settings, and the UTM can't ping the server either.

    Traceroute shows that there is a hop at the RED interface IP of the UTM, but nothing further.

  • What selections have you made on the 'ICMP' tab of 'Firewall' in the UTM?  What about the corresponding ones in the XG?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Your RED interfaces have IP addresses, right? What are they? Include THOSE IP addresses in your firewall rules. Example:

    10.20.0.0/23 AND RED IP from UTM 1 -> Any -> 10.30.0.0/23 AND RED IP from UTM 2.

    And vice-versa.

    Regards,

    Giovani

  • The IPs are 10.20.0.1 and 10.30.0.1 and they are included in my rules...

    10.20.0.0/23 and 10.30.0.0/23

  • OK, I'm having a really hard time understanding your setup. Here is the article on how to configure Site-to-Site RED tunnels: https://community.sophos.com/kb/en-us/120157

    As shown in the article, RED interfaces have their own network on which they communicate and where you route traffic between the UTMs. I have dozens of setups like this and all of them have a separate network for RED communication. I don't see how your RED interfaces could have an IP from your internal network AND still route traffic to the other side, unless you are not using RED at all. So, to make things clear, please replace the diagram below with your current settings:

     

    UTM1 LAN Network/Subnet -> UTM 1 LAN IP -> UTM 1 RED IP -> UTM 2 RED IP -> UTM 2 LAN IP -> UTM 2 LAN Network/Subnet.

     

    Regards,

    Giovani

  • Your current settings don't allow for trace routes or pings to transit the UTM nor do they allow the UTM to respond to trace routes or pings.  The "Any" service is TCP and UDP only - none of the other IP protocols are included.  Specifically, ping and trace route are not included in the "Any" service.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
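As an added illustration of Bob's point (this is constructed example code, not Sophos code or anything posted in the thread), the small rule matcher below models the rules as described in the thread: both LAN subnets, service "Any", both directions. "Any" is modelled as TCP and UDP only, and the ICMP allowance is modelled as a hypothetical separate rule with protocol "icmp"; the addresses are the ones given above (10.30.0.0/23 and 10.20.0.0/23, RED IPs 10.30.0.1 and 10.20.0.1, domain controller 10.20.0.10).

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of firewall rules, not the UTM's own implementation.
# On the UTM the "Any" service covers TCP and UDP only; ICMP is a
# separate IP protocol and must be allowed explicitly.
ANY_SERVICE = {"tcp", "udp"}


@dataclass
class Rule:
    sources: list        # CIDR strings
    protocols: set       # e.g. ANY_SERVICE or {"icmp"}
    destinations: list   # CIDR strings


def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def matching_rule(rules, src, proto, dst):
    """Index of the first rule allowing (src, proto, dst), or None if dropped."""
    for i, r in enumerate(rules):
        if proto in r.protocols and _in_any(src, r.sources) and _in_any(dst, r.destinations):
            return i
    return None


# Addresses from the thread: the two site LANs, each firewall's RED IP, the DC.
SITE1, SITE2 = "10.30.0.0/23", "10.20.0.0/23"
UTM_RED_IP, XG_RED_IP, DC = "10.30.0.1", "10.20.0.1", "10.20.0.10"

# Rules as posted: LAN <-> LAN with service "Any" in both directions.
POSTED_RULES = [
    Rule([SITE1], ANY_SERVICE, [SITE2]),
    Rule([SITE2], ANY_SERVICE, [SITE1]),
]

# Hypothetical fix in the spirit of Bob's advice: allow ICMP explicitly
# between both sites, in addition to the TCP/UDP rules.
FIXED_RULES = POSTED_RULES + [Rule([SITE1, SITE2], {"icmp"}, [SITE1, SITE2])]

if __name__ == "__main__":
    print("posted, ping UTM->DC :", matching_rule(POSTED_RULES, UTM_RED_IP, "icmp", DC))
    print("posted, tcp  LAN->DC :", matching_rule(POSTED_RULES, "10.30.0.50", "tcp", DC))
    print("fixed,  ping UTM->DC :", matching_rule(FIXED_RULES, UTM_RED_IP, "icmp", DC))
```

With the posted rules a ping from the UTM's RED IP to the DC matches nothing (None) while TCP from a LAN host matches rule 0; only the explicit ICMP rule makes the ping match, which is why a working "Any" rule proves nothing about ping or traceroute.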