I have a UTM 9 SG210 model and since the latest updates it seems that the static allocation of IPs has become a real pain, because the UTM gives the same IP to other clients also.
I opened a support case but they didn't find any issue in my configuration; I also sent them the log on clients.
The first issue came with the IP 10.2.2.1, which wasn't allocated to any of the static clients and still was offered to IPsec clients which had another IP allocated.
Recently, after I made a static allocation of the IP 10.2.2.1, I found out that now the UTM gives the IP 10.2.2.6, which is also reserved, to other clients also. Also, on that IP class I don't have any DHCP; it's only a simple pool.
Has anyone had this issue?
Thank you in advance.
Hi Gabriel Georgescu
If your static assignment IPs are included in the DHCP scope as well, it will cause a conflict. Would you please be specific about what the static assignments are and how your DHCP scope is configured?
It worked for a few years in this config without any problems.
Salut Gabriel and welcome to the UTM Community!
That won't work. Since 10.2.2.7 is in the 10.2.2.0/25 subnet, the IPsec server will assign it to clients not assigned a static IP. The IPsec server doesn't see "reservations" as occurs in Windows Server DHCP.
Cheers - Bob
Thank you very much for the response. How can it be explained that this configuration worked without any issues for many years before, and why did Sophos support tell me that they can't find any issue in my configuration?
Also, what do you suggest? Should I change the range using the mask? Because I don't wanna use dynamic addresses, only static; is it possible not to define any pool?
It sounds like you don't have that many Remote Access users, so I would try expanding "VPN Pool (IPsec)" to .0/24 and then assign fixed IPs in .128/25. Odds are that that would not cause any conflicts. If that "trick" doesn't work, you'll need to craft manual Firewall rules instead of using automatic. Let us know.
The entire 10.2.2 network is split into many subnets because I also have RED15 devices. So the actual split is:
If I understand well, I should decrease 10.2.2.0/25 for pool allocation and the rest should remain the actual static VPN clients?
I made the changes as you suggested and now I'm hoping for the best. Also, I had to create a new masquerade rule for the stations that need outside access on protocols other than web browsing.
Thank you for your help; if in two weeks I do not experience the issue again, I will suggest the post as an answer.