
Sophos UTM 9 with AWS Site-to-Site VPC: Tunnels up, but no ping

I've got an installation of Sophos UTM 9 connected to four AWS VPCs with Site-to-Site. I created Customer Gateways, Virtual Private Gateways and a Site-to-Site connection in each of the private VPCs. I then exported the configuration from AWS and imported into Sophos. So far so good - the tunnels are up. I've set the route tables to propagate routes and the route tables seem to be OK.

However, when I try to ping an EC2 in one of the private VPCs, I get 100% packet loss:

PING 10.93.1.4 (10.93.1.4) 56(84) bytes of data.

--- 10.93.1.4 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4032ms

If I try traceroute, I get the following:

traceroute to 10.93.1.4 (10.93.1.4), 30 hops max, 40 byte packets using UDP
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *

I set up a static route to the VPC, using the internal network card as the gateway, and I get the following response from traceroute:

1 10.93.1.4 (10.93.1.4) 2.209 ms 1.688 ms 1.850 ms
2 10.93.1.4 (10.93.1.4) 4.789 ms 4.688 ms 4.018 ms
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 10.93.1.4 (10.93.1.4) 9.051 ms 8.660 ms 8.439 ms
10 10.93.1.4 (10.93.1.4) 9.112 ms 8.900 ms *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 10.93.1.4 (10.93.1.4) 14.498 ms * *
17 10.93.1.4 (10.93.1.4) 15.581 ms * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 10.93.1.4 (10.93.1.4) 19.517 ms * *

This looks like I'm getting intermittent pings back.

What is going on? Am I on the right path with the static route?

Thanks for any help!



  • Hallo Martin and welcome to the UTM Community!

    What do you learn from doing #1 in Rulz?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I looked in the following logs for errors, and found either nothing or nothing that looked remotely like it was related:

    • SSL VPN
      2019:01:07-10:37:17 gw1-us-east-1 openvpn[4551]: TCP connection established with [AF_INET]154.47.32.66:64458 (via [AF_INET]10.91.1.66:443)
      2019:01:07-10:37:17 gw1-us-east-1 openvpn[4551]: 154.47.32.66:64458 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1563 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
      2019:01:07-10:37:17 gw1-us-east-1 openvpn[4551]: 154.47.32.66:64458 Connection reset, restarting [0]
      2019:01:07-10:37:17 gw1-us-east-1 openvpn[4551]: 154.47.32.66:64458 SIGUSR1[soft,connection-reset] received, client-instance restarting
      2019:01:07-12:13:17 gw1-us-east-1 openvpn[4551]: MANAGEMENT: Client connected from /var/run/openvpn_mgmt
      2019:01:07-12:13:17 gw1-us-east-1 openvpn[4551]: MANAGEMENT: CMD 'status -1'
      2019:01:07-12:13:27 gw1-us-east-1 openvpn[4551]: MANAGEMENT: Client disconnected
      2019:01:07-15:13:18 gw1-us-east-1 openvpn[4551]: MANAGEMENT: Client connected from /var/run/openvpn_mgmt
      2019:01:07-15:13:18 gw1-us-east-1 openvpn[4551]: MANAGEMENT: CMD 'status -1'
      2019:01:07-15:13:28 gw1-us-east-1 openvpn[4551]: MANAGEMENT: Client disconnected
    • kernel messages (Nothing)
    • Web Application Firewall (Nothing)
    • Web Filtering (Nothing)
    • IPSec VPC (Nothing)
    • Fallback messages -
      • Could this be relevant: "2019:01:07-16:59:04 gw1-us-east-1 [daemon:info] nwd[4112]: Waiting for MDW cycle to end"?
    • Firewall. A few messages, but they just look like people 'knocking on the door' - some random external IP trying various well known (but not Sophos) ports, e.g. 8088. These are getting dropped - the desired behaviour.
    • Dynamic Routing - There are the following messages - a bit confusing because I can't tie up the 169.254.43.201 address with any tunnels or networks
      2019:01:07-02:34:44 gw1-us-east-1 bgpd[13212]: %NOTIFICATION: sent to neighbor 169.254.43.201 4/0 (Hold Timer Expired) 0 bytes
      2019:01:07-02:34:44 gw1-us-east-1 bgpd[13212]: Notification sent to neighbor 169.254.43.201: type 4/0
      2019:01:07-02:34:44 gw1-us-east-1 bgpd[13212]: %ADJCHANGE: neighbor 169.254.43.201 Down BGP Notification send
      2019:01:07-02:38:51 gw1-us-east-1 bgpd[13212]: %ADJCHANGE: neighbor 169.254.43.201 Up

    I am not sure which other logs to check.

    Thanks for your help,

    Martin
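An added example (not code from the thread, Sophos or AWS): a small Python parser for the bgpd %ADJCHANGE lines in the UTM log format quoted in the Dynamic Routing bullet, reporting each BGP neighbor flap with how long the session was down, which is the first thing worth quantifying when a tunnel is "up" but traffic is unreliable. The 169.254.x.x peer addresses are the inside-tunnel addresses AWS assigns for BGP peering over a Site-to-Site VPN, so a Hold Timer Expired against one of them is that tunnel's BGP session dropping; the sample log is the four quoted lines plus one constructed line for a second, hypothetical peer (169.254.43.205) that never comes back up.

```python
import re
from datetime import datetime

# Sophos UTM log timestamps look like 2019:01:07-02:34:44 (local time, no zone).
_ADJCHANGE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ bgpd\[\d+\]: "
    r"%ADJCHANGE: neighbor (?P<peer>\S+) (?P<state>Up|Down)(?P<reason>.*)$"
)

def parse_ts(ts):
    return datetime.strptime(ts, "%Y:%m:%d-%H:%M:%S")

def find_flaps(lines, min_down_seconds=0):
    """Return (peer, down_ts, up_ts, seconds_down, reason) tuples.

    A flap is a Down event followed by the next Up event for the same peer.
    A Down with no later Up is reported with up_ts=None and seconds_down=None
    so that a neighbor that is still down is never silently dropped.
    """
    pending = {}  # peer -> (down_ts, reason) for sessions currently down
    flaps = []
    for line in lines:
        m = _ADJCHANGE.match(line.strip())
        if not m:
            continue  # %NOTIFICATION and other bgpd chatter is not a state change
        peer, when = m["peer"], parse_ts(m["ts"])
        if m["state"] == "Down":
            pending[peer] = (when, m["reason"].strip())
        elif peer in pending:
            down_ts, reason = pending.pop(peer)
            secs = (when - down_ts).total_seconds()
            if secs >= min_down_seconds:
                flaps.append((peer, down_ts, when, secs, reason))
    for peer, (down_ts, reason) in pending.items():
        flaps.append((peer, down_ts, None, None, reason))
    return flaps

# Sample input: the four lines quoted in the thread plus one constructed line
# for a hypothetical second peer (169.254.43.205) that stays down.
SAMPLE_LOG = [
    "2019:01:07-02:34:44 gw1-us-east-1 bgpd[13212]: %NOTIFICATION: sent to neighbor 169.254.43.201 4/0 (Hold Timer Expired) 0 bytes",
    "2019:01:07-02:34:44 gw1-us-east-1 bgpd[13212]: Notification sent to neighbor 169.254.43.201: type 4/0",
    "2019:01:07-02:34:44 gw1-us-east-1 bgpd[13212]: %ADJCHANGE: neighbor 169.254.43.201 Down BGP Notification send",
    "2019:01:07-02:38:51 gw1-us-east-1 bgpd[13212]: %ADJCHANGE: neighbor 169.254.43.201 Up",
    "2019:01:07-03:10:00 gw1-us-east-1 bgpd[13212]: %ADJCHANGE: neighbor 169.254.43.205 Down Hold Timer Expired",
]

if __name__ == "__main__":
    for peer, down, up, secs, reason in find_flaps(SAMPLE_LOG):
        print(f"{peer}: down {down}, up {up}, {secs}s ({reason})")
```

With the quoted lines this reports the 169.254.43.201 session down for 247 seconds; on a real box, feed it the Dynamic Routing log and raise `min_down_seconds` to hide blips you are willing to tolerate.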