Layer 3 switch and ipsec problem: connections denied and UNREPLIED from remote site but ping work

Hello,

I have this nasty problem and I don't know where to bang my head anymore. I cannot reach a device on a remote site from the HQ site and from another remote site via IPsec.

Topology:

Introduction: I have 4 XGs in 4 locations and a hub-and-spoke IPsec VPN setup between HQ and the remote branch sites.

At HQ I have an XG210 connected via a trunk to an HP layer 3 switch that does all the routing for the VLANs at the HQ site. On the XG I have a dedicated port (Port5) to the switch, and they are in a private subnet (10.0.200.0/28).

On the branch sites the XGs do all the inter-VLAN routing themselves.

The problem is: from the HQ site (Site 01) and from Site 02 I cannot reach a biometric sensor (on a LAN at Site 04) with its proprietary program. The strange thing is that I can ping the device, and it seems that the routing and firewall rules are correct.

If I use the packet capture on the XG210 (the hub) with the BPF string host 10.3.10.218 (that is the remote biometric sensor) I get a lot of connections in ASSURED and UNREPLIED state.

10.0.10.154 is my PC, 10.3.10.218 is the bio sensor.

The proprietary program tells me that it can ping the device but it cannot receive any data.

On the 04-XG appliance I get almost the same ASSURED and UNREPLIED connections.

In the firewall log on the Site 01 XG210 I sometimes get invalid TCP denials, as the firewall cannot identify the connection (like an asymmetric path). BTW, since yesterday I haven't received any errors in the firewall log anymore; I don't know which of the 1000 rule modifications made these errors go away...

Routing rules at HQ:

On the XG210 I have rules that point to the layer 3 switch for its VLANs:

On the switch I have the rules for inter-VLAN routing, and everything that is not known is sent back to the XG210.

Firewall Rules:

At HQ I have rules to allow traffic from and to any VPN network (routing between the remote sites so that each site can in theory reach the other sites; I've followed the Sophos KB with the NY, Dallas, Houston example). Then I have 2 rules for each remote site (in and out traffic) that allow communication with the HQ VLANs from the VPN sites.

On the branch sites I have standard rules that allow everything from the VPN interface (any network) to the LAN interfaces (any network).

The system has been up and running for a year.

At HQ we have multiple services (Exchange, webapp, etc.) and this is the first time I have had a routing problem. Any hint or anything else to help me identify the problem? Maybe the layer 3 switch implementation is wrong? This is a screenshot from the Network tab on the XG210 of the port that is connected to the switch.



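The post's symptom (ICMP echo gets a reply, TCP flows to the sensor sit in UNREPLIED on the hub and later packets are denied as invalid) is what a connection tracker records when the return path for TCP never crosses the firewall that saw the SYN, or when the far end never answers at all. The script below is an added example, not code from the thread or from Sophos: it parses connection-tracking lines in the text format of Linux `conntrack -L`, summarizes per peer which protocols ever got a reply, and flags the "ICMP replied, every TCP flow UNREPLIED" pattern. The sample lines are constructed; the hosts are the ones named in the post, but TCP port 4370 for the sensor's protocol is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the text format of Linux `conntrack -L` (not a capture
# from the thread). 10.0.10.154 is the PC and 10.3.10.218 the biometric sensor,
# as in the post; dport 4370 for the sensor protocol is an assumption.
# The 10.0.10.20 flow is an unrelated, healthy HTTPS connection for contrast.
SAMPLE = """\
icmp     1 29 src=10.0.10.154 dst=10.3.10.218 type=8 code=0 id=1 src=10.3.10.218 dst=10.0.10.154 type=0 code=0 id=1 mark=0 use=1
tcp      6 118 SYN_SENT src=10.0.10.154 dst=10.3.10.218 sport=52344 dport=4370 [UNREPLIED] src=10.3.10.218 dst=10.0.10.154 sport=4370 dport=52344 mark=0 use=1
tcp      6 117 SYN_SENT src=10.0.10.154 dst=10.3.10.218 sport=52345 dport=4370 [UNREPLIED] src=10.3.10.218 dst=10.0.10.154 sport=4370 dport=52345 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.10.154 dst=10.0.10.20 sport=50001 dport=443 src=10.0.10.20 dst=10.0.10.154 sport=443 dport=50001 [ASSURED] mark=0 use=1
"""

# First src=/dst= pair on a line is the original (request) direction.
ORIG_TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+)")
DPORT_RE = re.compile(r"dport=(\d+)")


def parse_conntrack(text):
    """Return one dict per conntrack entry: protocol, original src/dst,
    original-direction dport (None for ICMP) and the UNREPLIED/ASSURED flags."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        m = ORIG_TUPLE_RE.search(line)
        if not m:
            continue
        src, dst = m.groups()
        dm = DPORT_RE.search(line)
        flows.append({
            "proto": fields[0],
            "src": src,
            "dst": dst,
            "dport": int(dm.group(1)) if dm else None,
            # No [UNREPLIED] flag means the tracker saw at least one reply packet.
            "unreplied": "[UNREPLIED]" in line,
            "assured": "[ASSURED]" in line,
        })
    return flows


def diagnose(flows, host):
    """For one peer, count replied vs. unreplied entries per protocol
    (TCP keyed by destination port, e.g. 'tcp/4370')."""
    summary = defaultdict(lambda: {"replied": 0, "unreplied": 0})
    for f in flows:
        if host not in (f["src"], f["dst"]):
            continue
        key = f"tcp/{f['dport']}" if f["proto"] == "tcp" else f["proto"]
        summary[key]["unreplied" if f["unreplied"] else "replied"] += 1
    return dict(summary)


def likely_return_path_problem(summary):
    """Heuristic: ICMP replies do traverse this firewall, but no TCP flow to the
    peer ever got a reply here. That points at the TCP return path (asymmetric
    routing past this box) or at the peer dropping TCP, not at the forward rule."""
    icmp_ok = summary.get("icmp", {}).get("replied", 0) > 0
    tcp = [v for k, v in summary.items() if k.startswith("tcp/")]
    tcp_all_unreplied = bool(tcp) and all(
        v["replied"] == 0 and v["unreplied"] > 0 for v in tcp
    )
    return icmp_ok and tcp_all_unreplied


if __name__ == "__main__":
    flows = parse_conntrack(SAMPLE)
    for peer in ("10.3.10.218", "10.0.10.20"):
        s = diagnose(flows, peer)
        print(peer, s, "suspect return path" if likely_return_path_problem(s) else "ok")
```

Run the same parser against the real table on the hub and on the Site 04 XG: if the hub shows TCP UNREPLIED while Site 04 shows the same flows as replied/ASSURED, the SYN-ACK is taking a route that bypasses the hub, which also explains the "invalid TCP" denials; if Site 04 shows them UNREPLIED too, the sensor itself is not answering on that port.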
  • Hi,

    your diagram shows a VLAN terminating on the XG, but you do not appear to have a VLAN configured on the interface?

    Ian

  • If you're referring to the XG210 at the HQ site, no, I don't have one in the topology diagram.

    I called the trunk VLAN888 because that's its name on the layer 3 switch. I have another switch with a port connected to VLAN888 and that port is untagged; then it goes into XG210 Port5.

    Isn't it enough to specify a static route from the XG to the layer 3 switch for each VLAN I have inter-VLAN routing enabled for on the layer 3 switch?


    For reference, this is the network diagram of the connection between the XG and the layer 3 switch, and the switch configuration for VLAN888:


    If you meant instead that I haven't said whether I have VLANs configured on the remote sites: on the remote sites' XGs I have VLANs configured on each port (for example: VLAN 10 & 20 on Port1, 30 & 40 on Port2, and so on; then I use the switch to connect the VLANs on the XG to the clients).

  • Hi,

    thank you for the very detailed update. Please post the rule that allows the specific internal traffic and the service configuration.

    Ian

  • First of all, on the 01-XG210 I have a rule that allows traffic in/out from LAN/VPN to LAN/VPN on Port5 (the port I use to connect to the switch/XG trunk).

    Then the specific firewall rules for the remote sites 02 (where I have the client for the proprietary program that reads the biometric device) and 04 (where the biometric device is):

