Cannot ping specific subnet Gateway on new LAN

Hello all,

We are in the process of migrating to a new LAN installed in our building, moving from a Ubiquiti UniFi network to a FULL HPE Aruba network.

For now we would like the old equipment to contact the new equipment on the NEW LAN, before we migrate our PABX and servers to the new LAN.


We have the connections as the diagram below shows.

From the network 192.168.16.x, we are able to ping Port 5 on the Sophos with the IP 192.168.10.1, but we cannot reach the 192.168.10.254 core switch on the new LAN.

All the routings are created in the correct way:

The XG125 knows that the IP 192.168.10.254 is behind port 5:

Even so, I cannot ping it, even from the firewall:

The zone configured for port 5 allows PING:

And port 5 is configured properly:

Firewall rules are allowing traffic between the old and new LAN.

Firewall rule:

Can someone please help us? Could it be a misconfiguration on the Aruba (new LAN) side?

Thank you in advance!

Rui Jácome



  • Oops... My mistyping... What should I see under normal conditions? What should the correct output be? Any example? Sorry for all the effort answering me...

  • Hello Rui,

    For example, when it is not working but you are seeing the XG sending the packets out the correct interface, you would see this (of course the IPs are different in my lab):

    XG125_XN03_SFOS 18.0.4 MR-4# tcpdump -eni Port3 host 172.16.15.100 and proto ICMP
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on Port3, link-type EN10MB (Ethernet), capture size 262144 bytes
    16:12:26.584305 Port3, OUT: 7c:5a:1c:79:37:99 > 7c:5a:1c:79:b5:fc, ethertype IPv4 (0x0800), length 74: 172.16.15.100 > 192.168.15.100: ICMP echo request, id 1, seq 93, length 40

    You will not see a reply.

    When it works properly you should see the following:

    XG125_XN03_SFOS 18.0.4 MR-4# tcpdump -eni Port3 host 172.16.15.100 and proto ICMP
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on Port3, link-type EN10MB (Ethernet), capture size 262144 bytes
    16:20:29.509072 Port3, OUT: 7c:5a:1c:79:37:99 > 7c:5a:1c:79:b5:fc, ethertype IPv4 (0x0800), length 74: 172.16.15.100 > 192.168.15.10: ICMP echo request, id 1, seq 117, length 40
    16:20:29.509840 Port3, IN: 7c:5a:1c:79:b5:fc > 7c:5a:1c:79:37:99, ethertype IPv4 (0x0800), length 74: 192.168.15.10 > 172.16.15.100: ICMP echo reply, id 1, seq 117, length 40
    16:20:30.521917 Port3, OUT: 7c:5a:1c:79:37:99 > 7c:5a:1c:79:b5:fc, ethertype IPv4 (0x0800), length 74: 172.16.15.100 > 192.168.15.10: ICMP echo request, id 1, seq 118, length 40
    16:20:30.522791 Port3, IN: 7c:5a:1c:79:b5:fc > 7c:5a:1c:79:37:99, ethertype IPv4 (0x0800), length 74: 192.168.15.10 > 172.16.15.100: ICMP echo reply, id 1, seq 118, length 40

    Basically, the requests and replies.

    If you see in the XG the requests leaving the interface, it means the issue might be with the downstream device.

    Regards,
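
The comparison described in the reply above, as an added example (not part of the original post, and not Sophos code): a small Python parser that pairs each ICMP echo request in `tcpdump -eni` output with its reply by id and seq, and reports the requests that went unanswered together with the interface they were seen on. The function name `analyze` and the verdict strings are assumptions made for this illustration; the sample captures are copied from this thread.

```python
import re

# One ICMP line as printed by `tcpdump -eni <interface> host <ip> and proto ICMP`.
LINE_RE = re.compile(
    r"^\s*\d\d:\d\d:\d\d\.\d+ (?P<iface>\S+), (?P<dir>IN|OUT): .*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def analyze(capture):
    """Pair echo requests with replies; return (verdict, unanswered requests)."""
    requests = {}     # (src, dst, id, seq) -> ["Port3 OUT", ...] where it was seen
    answered = set()  # request keys for which a matching reply was captured
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # prompt, banner, "0 packets captured", ...
        if m["kind"] == "request":
            key = (m["src"], m["dst"], m["id"], m["seq"])
            requests.setdefault(key, []).append(f"{m['iface']} {m['dir']}")
        else:
            # A reply carries the same id/seq with source and destination swapped.
            answered.add((m["dst"], m["src"], m["id"], m["seq"]))
    unanswered = {k: v for k, v in requests.items() if k not in answered}
    if not requests:
        verdict = "no request seen on the interface"
    elif unanswered:
        verdict = "request sent, no reply"
    else:
        verdict = "request and reply both seen"
    return verdict, unanswered

# Sample input: capture lines copied from the posts in this thread.
NOT_WORKING = """\
listening on Port3, link-type EN10MB (Ethernet), capture size 262144 bytes
16:12:26.584305 Port3, OUT: 7c:5a:1c:79:37:99 > 7c:5a:1c:79:b5:fc, ethertype IPv4 (0x0800), length 74: 172.16.15.100 > 192.168.15.100: ICMP echo request, id 1, seq 93, length 40
"""
WORKING = """\
16:20:29.509072 Port3, OUT: 7c:5a:1c:79:37:99 > 7c:5a:1c:79:b5:fc, ethertype IPv4 (0x0800), length 74: 172.16.15.100 > 192.168.15.10: ICMP echo request, id 1, seq 117, length 40
16:20:29.509840 Port3, IN: 7c:5a:1c:79:b5:fc > 7c:5a:1c:79:37:99, ethertype IPv4 (0x0800), length 74: 192.168.15.10 > 172.16.15.100: ICMP echo reply, id 1, seq 117, length 40
"""
EMPTY = """\
listening on Port5, link-type EN10MB (Ethernet), capture size 262144 bytes
0 packets captured
"""

if __name__ == "__main__":
    for name, cap in [("not working", NOT_WORKING), ("working", WORKING), ("empty", EMPTY)]:
        print(name, "->", *analyze(cap))
```

An empty capture is reported separately from an unanswered request because in that case no echo request was seen on the captured interface at all.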

  • So, on the command:

    "tcpdump -eni Port5 host XXX.XXX.XX.XXX and proto ICMP" I should change the XXX to the IP I'm trying to reach behind port5, right?

    In this case it's IP 192.168.10.254, so it should be:

    "tcpdump -eni Port5 host 192.168.10.254 and proto ICMP" correct? And if so, I should see some traffic. Correct?

    If so, I will try it tomorrow, and give you the feedback by the evening (due to the timezone difference from Portugal)

    Tks in advance!

    Rui

  • Hello Rui,

    Correct. 

    Regards,

  • Hello!

    Tried to use the tcpdump command:

    XG125_XN02_SFOS 18.0.1 MR-1-Build396# tcpdump -eni Port5 host 192.168.10.254 and proto ICMP
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on Port5, link-type EN10MB (Ethernet), capture size 262144 bytes
    ^C
    0 packets captured
    0 packets received by filter
    0 packets dropped by kernel

    On my computer, on the old LAN, I tried to ping the IP 192.168.10.254:

    C:\Users\rjacome>ping 192.168.10.254

    Pinging 192.168.10.254 with 32 bytes of data:
    Reply from 192.168.16.254: Destination host unreachable.
    Reply from 192.168.16.254: Destination host unreachable.
    Reply from 192.168.16.254: Destination host unreachable.
    Reply from 192.168.16.254: Destination host unreachable.

    Ping statistics for 192.168.10.254:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

    IP 192.168.16.254 is the Sophos XG125

    But I can ping the IP of Port5:

    C:\Users\rjacome>ping 192.168.10.1

    Pinging 192.168.10.1 with 32 bytes of data:
    Reply from 192.168.10.1: bytes=32 time<1ms TTL=64
    Reply from 192.168.10.1: bytes=32 time<1ms TTL=64
    Reply from 192.168.10.1: bytes=32 time<1ms TTL=64
    Reply from 192.168.10.1: bytes=32 time<1ms TTL=64

    The packet trace on the XG GUI shows the following:

  • Hello Rui,

    Actually, can you remove the static route that you have for 192.168.10.0? You don't need this one.

    Regards,

  • Hello!

    Still not working... 

  • Hello Rui,

    What about the output of XG125_XN02_SFOS 18.0.1 MR-1-Build396# tcpdump -eni Port5 host 192.168.10.254 and proto ICMP after you removed the Static Route?

    Regards,

  • Still the same

    XG125_XN02_SFOS 18.0.1 MR-1-Build396# tcpdump -eni Port5 host 192.168.10.254 and proto ICMP
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on Port5, link-type EN10MB (Ethernet), capture size 262144 bytes
    ^C
    0 packets captured
    0 packets received by filter
    0 packets dropped by kernel

  • Hello Rui,

    Can you run it like this and start a ping:

    #tcpdump -eni any host 192.168.10.254 and proto ICMP

    Make a note of the output, then run the command below and run the ping again:

    #tcpdump -eni any host x.x.x.x and proto ICMP (x.x.x.x is the IP originating the Ping)

    Regards,