
Site-to-site VPN configurations for Amazon VPC -- Unreachable inside UTM

Hi guys,

I have appliance Sophos UTM SG135 v9.

I have followed this knowledge base guide - Site-to-site VPN configurations for Amazon VPC at https://community.sophos.com/kb/en-us/120922 - which works great and is straightforward. From behind the UTM network, I can ping all EC2 instances and telnet successfully to running port services.

However, from inside my Sophos UTM itself, pinging and telnetting were unsuccessful. It seems the UTM has a route issue going to the AWS VPN.

utm:/root # ip route get 172.18.2.225
172.18.2.225 via 169.xxx.xxx.85 dev vpc0.0 src 169.xxx.xxx.86
cache

utm:/root # ping 172.18.2.225
PING 172.18.2.225 (172.18.2.225) 56(84) bytes of data.
^C
--- 172.18.2.225 ping statistics ---
22 packets transmitted, 0 received, 100% packet loss, time 21160ms

utm:/root # ping -I vpc0.0 172.18.2.225
PING 172.18.2.225 (172.18.2.225) from 169.xxx.xxx.86 vpc0.0: 56(84) bytes of data.
^C
--- 172.18.2.225 ping statistics ---
57 packets transmitted, 0 received, 100% packet loss, time 56389ms


utm:/root # ping -s 10.0.16.1 172.18.2.225 -c 2
PING 172.18.2.225 (172.18.2.225) 10(38) bytes of data.

--- 172.18.2.225 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms


utm:/root # traceroute 172.18.2.225
traceroute to 172.18.2.225 (172.18.2.225), 30 hops max, 40 byte packets using UDP
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

Also, I've opened the firewall for the two AWS tunnels (Outside IP Addresses) with "ANY" and still no luck. I also added a 0.0.0.0/0 allow rule on the AWS VPC Network ACL.

Any advice on what I am missing is deeply appreciated. Thanks!

  • FormerMember (over 1 year ago)

    Hi,

    Thank you for reaching out to the Community!

    Do you have ping settings configured to allow ping from the gateway under Firewall > ICMP > Ping Settings?

    If it is already allowed, check the packetfilter.log file for this traffic and provide the logs.

    Thanks,

  • Hi FormerMember,

    Thanks for your reply. This has been resolved now.

    You just need to specify the network interface IP address and you should be good to go.

    ping -I <utm's ip address> 172.18.2.225
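The `ip route get` output in the original post shows the likely cause: for a locally originated packet, the kernel picks the tunnel's own inside address (169.xxx.xxx.86 on vpc0.0) as source, not an address from the on-premises LAN. That inside address is, in a typical VPC setup, neither in the prefixes the VPN advertises nor in the VPC route table, so the EC2 reply has no way back, and forcing the LAN address with `ping -I` makes the probe look like traffic from any ordinary on-premises host. The following shell diagnostic is an added example, not code from the thread or from Sophos: it parses an `ip route get` line, extracts the `src` address the kernel would use, and reports whether that address falls inside the on-premises prefixes carried by the VPN. The route line and the 10.0.16.0/24 prefix below are constructed sample values; the 169.254.10.x tunnel addresses are assumed placeholders.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): decide whether the source address the
# kernel would pick for a VPC destination is one the far side can route back to.
# Sample values in this file are constructed; 169.254.10.x stands in for the
# masked tunnel addresses in the original post.

# ip2int DOTTED-QUAD -> 32-bit integer on stdout.
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDRESS PREFIX/LEN -> exit 0 if ADDRESS lies inside PREFIX/LEN.
in_cidr() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    len=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# src_of_route "IP ROUTE GET LINE" -> the address after the "src" keyword.
src_of_route() {
    set -- $1
    while [ $# -gt 1 ]; do
        if [ "$1" = src ]; then
            echo "$2"
            return 0
        fi
        shift
    done
    return 1
}

# check_source "IP ROUTE GET LINE" PREFIX... -> 0 if the chosen source address is
# inside one of the on-premises prefixes the VPN carries, 1 if it is not
# (the case where "ping -I <LAN address>" is needed), 2 if no src was found.
check_source() {
    line=$1
    shift
    src=$(src_of_route "$line") || { echo "no src address in route line"; return 2; }
    for cidr in "$@"; do
        if in_cidr "$src" "$cidr"; then
            echo "src $src is inside $cidr: replies can return over the VPN"
            return 0
        fi
    done
    echo "src $src is outside the VPN-carried prefixes: use ping -I <LAN address>"
    return 1
}

# Constructed sample: the kernel chose the tunnel's inside address as source,
# which is what the original poster saw before adding -I.
ROUTE_LINE='172.18.2.225 via 169.254.10.85 dev vpc0.0 src 169.254.10.86'
LOCAL_NETS='10.0.16.0/24'
check_source "$ROUTE_LINE" $LOCAL_NETS || true

# On the appliance itself, feed the live lookup instead (assumed LAN prefix):
#   check_source "$(ip route get 172.18.2.225 | head -n 1)" 10.0.16.0/24
```

The check is deliberately independent of firewall and ACL rules: if the source address has no return path, widening those rules (as the original post tried) cannot help, and the packetfilter.log check suggested in the reply will show the echo request leaving but never a reply arriving.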