
XG Core RED Server - UTM can't connect (only for 10 seconds) and then gets Uplink IP 10.254.254.254

Hey folks,

 

We have a problem with our XG and some UTMs in combination with RED tunnels. We designed a star topology for all our managed devices (as MSP) with RED tunnels.

Let's say:

Head office with (today) 23 RED tunnels

23 branch offices, or branch firewalls (UTM and XG mixed)

We connect from our work via VPN to the head office XG on firmware 17.1.2-MR2. From there, we can reach each correctly connected RED device via a firewall rule. This is working pretty well! All XG firewalls are available and stable. The UTM ones lose the connection after like 30 seconds and try to reconnect, but they only come online with the Uplink IP: 10.254.254.254 (all UTMs have a dedicated internet connection without any other routing in between).

Maybe it should be in the UTM forum, sorry about that.

 

 

Logs of UTM (looping):

2018:09:05-12:17:51 suk-MASKED-fw1-1 red_client[8668]: Tunnel 16: Forking client handler
2018:09:05-12:18:38 suk-MASKED-fw1-1 red_client[6621]: CHILD Tunnel 16: performing initial keying.
2018:09:05-12:18:38 suk-MASKED-fw1-1 redctl[6691]: key length: 32
2018:09:05-12:18:38 suk-MASKED-fw1-1 redctl[6692]: key length: 32
2018:09:05-12:18:38 suk-MASKED-fw1-1 redctl[6694]: 80.MAS.KED.145 =
2018:09:05-12:18:38 suk-MASKED-fw1-1 redctl[6694]: 80.MAS.KED.145
2018:09:05-12:19:47 suk-MASKED-fw1-1 red_client[6621]: CHILD Tunnel 16: Socket was closed
2018:09:05-12:19:47 suk-MASKED-fw1-1 red_client[6621]: CHILD Tunnel 16: Unable to read PING response
2018:09:05-12:19:47 suk-MASKED-fw1-1 red_client[6621]: Tunnel 16: disconnected
2018:09:05-12:19:51 suk-MASKED-fw1-1 red_client[8668]: Tunnel 16: Forking client handler
2018:09:05-12:20:37 suk-MASKED-fw1-1 red_client[6793]: CHILD Tunnel 16: performing initial keying.
2018:09:05-12:20:37 suk-MASKED-fw1-1 redctl[7054]: key length: 32
2018:09:05-12:20:37 suk-MASKED-fw1-1 redctl[7055]: key length: 32
2018:09:05-12:20:37 suk-MASKED-fw1-1 redctl[7057]: 80.MAS.KED.145 =
2018:09:05-12:20:37 suk-MASKED-fw1-1 redctl[7057]: 80.MAS.KED.145

Firmware version on each UTM: 9.510-5

 

It worked great but suddenly it changed and we don't know why. 

XG Tunnel: Firewall RED Server Legacy

UTM Tunnel: normal Client

CAUTION: it's not about routing issues! It's about the RED tunnel connection from all branch office UTMs -> one head office XG.

 

 

Can anyone explain this or does anyone have information about it?

 

Thanks in advance, 

Chris



This thread was automatically locked due to age.
  • Hi Christopher, 

    Show us the configurations done for the RED on both sides. Is the external IP of the RED the expected IP?

    Please DM me red.log, csc.log, system.log and the RED_ID for an affected tunnel.

    You can check how many disconnections the RED had by executing the following command:

    grep -i <RED-ID> /log/red.log | grep -i "disconnect"

    Check the timestamps of the disconnects and then verify whether there was an ISP reconnect or router issue in relation.

    Thanks,
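
Added example (not part of the thread and not Sophos tooling): the grep above only lists the disconnect lines, so this sh/awk sketch reads the same red.log format and reports, per disconnect, how long the session lasted after initial keying and what the client handler logged. The function names `red_sessions` and `sample_log` are hypothetical, and the sample input is the first loop iteration copied from the log in the opening post.

```sh
#!/bin/sh
# Added example, not Sophos tooling. Summarises each RED tunnel disconnect in a
# UTM red.log stream: when it happened, how long the session lasted after
# "performing initial keying", and what the client handler reported.

red_sessions() {
    awk '
    function secs(ts,   p) {          # 2018:09:05-12:18:38 -> seconds of day
        split(ts, p, /[:-]/)
        return p[4] * 3600 + p[5] * 60 + p[6]
    }
    $3 !~ /^red_client\[/ { next }    # skip redctl and other daemons
    {
        for (i = 4; i <= NF; i++) if ($i == "Tunnel") break
        if (i >= NF) next             # no "Tunnel <id>:" in this line
        id = $(i + 1); sub(/:$/, "", id)
        msg = ""
        for (j = i + 2; j <= NF; j++) msg = msg (msg == "" ? "" : " ") $j
    }
    msg == "performing initial keying." { start[id] = secs($1); why[id] = ""; next }
    $4 == "CHILD" { why[id] = why[id] (why[id] == "" ? "" : "; ") msg; next }
    msg == "disconnected" {
        up = "?"                      # unknown if keying was not in the input
        if (id in start) {
            up = secs($1) - start[id]
            if (up < 0) up += 86400   # session crossed midnight (assumes < 24h)
            delete start[id]
        }
        printf "%s tunnel=%s up=%ss reason=\"%s\"\n", $1, id, up, why[id]
        why[id] = ""
    }'
}

# Sample input: the first loop iteration from the log in the opening post.
sample_log() {
    cat <<'EOF'
2018:09:05-12:17:51 suk-MASKED-fw1-1 red_client[8668]: Tunnel 16: Forking client handler
2018:09:05-12:18:38 suk-MASKED-fw1-1 red_client[6621]: CHILD Tunnel 16: performing initial keying.
2018:09:05-12:18:38 suk-MASKED-fw1-1 redctl[6691]: key length: 32
2018:09:05-12:18:38 suk-MASKED-fw1-1 redctl[6694]: 80.MAS.KED.145
2018:09:05-12:19:47 suk-MASKED-fw1-1 red_client[6621]: CHILD Tunnel 16: Socket was closed
2018:09:05-12:19:47 suk-MASKED-fw1-1 red_client[6621]: CHILD Tunnel 16: Unable to read PING response
2018:09:05-12:19:47 suk-MASKED-fw1-1 red_client[6621]: Tunnel 16: disconnected
EOF
}

sample_log | red_sessions
```

On a UTM the same function can be fed the live file, for example `red_sessions < /var/log/red.log`, and the `up=` values compared against the ISP or router event times mentioned above.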

  • Hey Sachingurung,

     

    The external IP is not the expected IP. It should be a normal public IPv4 address.

    I'll dm you the logs in a second. 

     

    The disconnects had nothing to do with an ISP reconnect or router issues (Sophos firewalls are directly connected through a modem, which works fine).

     

    Thanks in advance.

     

    Edit: unfortunately I can't find any system.log in the /log directory. Can you specify? Do you mean the diagnostics logs for Sophos technical support?

  • I would also like to see the red.log from one of the affected UTM devices and another log file from the XG device. I will try to verify the information on both ends.

    Is it possible to share the remote support access ID for an affected UTM and the XG? I need to check the configurations on both ends. Also, is there a DHCP server that serves an IP on the RED interface for the RED tunnel? That would be the reason why the IP on the RED interface is not the expected IP address.

    The method for an XG Firewall to Sophos UTM tunnel is similar to the one mentioned in the KBA here, but you must select Firewall RED Client Legacy or Firewall RED Server Legacy when creating the interfaces on the XG. Can you also verify these settings on priority and update me?

    Thanks

    P.S. system.log will be found in the Sophos UTM /var/log directory, I think you checked it in the XG firewall.