Sophos UTM 9 with AWS Site-to-Site VPC: Tunnels up, but no ping

I've got an installation of Sophos UTM 9 connected to four AWS VPCs with Site-to-Site. I created Customer Gateways, Virtual Private Gateways and a Site-To-Site connection in each of the private VPCs. I then exported the configuration from AWS and imported into Sophos. So far so good - the tunnels are up. I've set the route tables to propagate routes and the route tables seem to be OK.

However, when I try to ping an EC2 in one of the private VPCs, I get 100% packet loss:

PING 10.93.1.4 (10.93.1.4) 56(84) bytes of data.

5 packets transmitted, 0 received, 100% packet loss, time 4032ms

If I try traceroute, I get the following:

traceroute to 10.93.1.4 (10.93.1.4), 30 hops max, 40 byte packets using UDP
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *

I set up a static route to the VPC, using the internal network card as the gateway, and I get the following response from traceroute:

1 10.93.1.4 (10.93.1.4) 2.209 ms 1.688 ms 1.850 ms
2 10.93.1.4 (10.93.1.4) 4.789 ms 4.688 ms 4.018 ms
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 10.93.1.4 (10.93.1.4) 9.051 ms 8.660 ms 8.439 ms
10 10.93.1.4 (10.93.1.4) 9.112 ms 8.900 ms *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 10.93.1.4 (10.93.1.4) 14.498 ms * *
17 10.93.1.4 (10.93.1.4) 15.581 ms * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 10.93.1.4 (10.93.1.4) 19.517 ms * *

This looks like I'm getting intermittent pings back.

What is going on? Am I on the right path with the static route?

Thanks for any help!



  • Are you trying these pings & traceroutes from a desktop on the UTM LAN or directly from the UTM Webadmin via diagnostic tools? Also, do you have a MASQ rule or an SNAT rule to source the traffic from your LAN?

    Tim

  • I've tried pinging from the Webadmin diagnostics tools to a test EC2, and also from the test EC2 to the internal IPs of the Sophos EC2.

    I have MASQ rules set up to allow traffic from the internal networks to the internet and a NAT rule that forwards RADIUS traffic to our single sign on service provider (onelogin).

    Thanks for your help!

    Martin

  • Martin, when the UTM initiates traffic, it will use the inside tunnel interface IP address as the source IP.  This of course is a 169.x.x.x address, which your VPC or Subnet's route table on AWS likely does not have an entry for and thus the traffic, icmp in your case, will not return to the UTM. 

    Create a SNAT rule that says Any source, using any service, going to the VPC subnet, change the source IP address to the green internal interface address object for your LAN network.  This will source the traffic from a network which AWS has a route to.  You can leave automatic firewall rules disabled for this rule if you control access to/from the VPC through user created firewall rules.  Then try to ping from the UTM.  

    This however wouldn't account for why you wouldn't be able to ping from an EC2 instance to the UTM's interface IP address, but 1 thing at a time.  

    Tim
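To make the return-path argument in Tim's reply concrete, here is a small added example (not from this thread, Sophos or AWS) that models the private VPC's route table with a longest-prefix match and shows what happens to the echo reply. All addresses, the route target name `vgw-EXAMPLE` and the SNAT rule are constructed sample values; the VPC only has a propagated route for the UTM's LAN network, so a reply addressed to the 169.254.x.x inside tunnel address has no route, while the same request SNAT'd to the green interface address is routed back over the tunnel.

```python
"""
Added example: why an echo request sourced from the UTM's inside tunnel
address gets no reply from a private VPC, and how an SNAT rule fixes it.
Not code from the thread, Sophos or AWS; all values below are constructed.
"""
import ipaddress
from typing import Optional

# Constructed private-VPC route table: the local VPC CIDR plus the route
# propagated from the Virtual Private Gateway. No default route, because
# the thread describes private VPCs.
VPC_ROUTE_TABLE = [
    ("10.93.0.0/16", "local"),
    ("192.168.10.0/24", "vgw-EXAMPLE"),  # UTM LAN, learned over the tunnel
]

UTM_TUNNEL_INSIDE_IP = "169.254.12.34"  # constructed inside tunnel address
UTM_GREEN_IP = "192.168.10.1"           # constructed green/internal interface IP
EC2_IP = "10.93.1.4"                    # the test instance from the thread

# Constructed SNAT rule in the shape Tim suggests: traffic to the VPC subnet
# is re-sourced from the green interface address.
SNAT_TO_VPC = [("10.93.0.0/16", UTM_GREEN_IP)]


def lookup(route_table, dst: str) -> Optional[str]:
    """Longest-prefix match over (cidr, target) pairs, as a VPC route table does."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and net.prefixlen > best_len:
            best, best_len = target, net.prefixlen
    return best


def apply_snat(src: str, dst: str, rules) -> str:
    """First matching (dst_cidr, new_src) rule rewrites the packet's source."""
    for dst_cidr, new_src in rules:
        if ipaddress.ip_address(dst) in ipaddress.ip_network(dst_cidr):
            return new_src
    return src


def echo_reply_path(route_table, src: str, dst: str, snat_rules=()) -> str:
    """Send an echo request from src to dst; report what the VPC does with the reply."""
    effective_src = apply_snat(src, dst, snat_rules)
    # The reply is addressed to our source, so that is what the VPC looks up.
    target = lookup(route_table, effective_src)
    if target is None:
        return f"reply to {effective_src}: no route, dropped in the VPC"
    if target.startswith("vgw-"):
        return f"reply to {effective_src}: routed back over the tunnel via {target}"
    return f"reply to {effective_src}: {target} delivery"


if __name__ == "__main__":
    # Without SNAT the reply has nowhere to go; with SNAT it comes back over the VPN.
    print(echo_reply_path(VPC_ROUTE_TABLE, UTM_TUNNEL_INSIDE_IP, EC2_IP))
    print(echo_reply_path(VPC_ROUTE_TABLE, UTM_TUNNEL_INSIDE_IP, EC2_IP, SNAT_TO_VPC))
```

The check this encodes is the one worth doing before touching static routes: for every source address the UTM can use toward the VPC, confirm that the VPC route table (after propagation from the VGW) has an entry covering it.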

  • Oh, and get rid of that static route; it shouldn't be required for this configuration. The issue can be resolved without it.
