Cannot ping specific subnet Gateway on new LAN

Hello all,

We are in the process of migrating to a new LAN installed in our building, moving from a Ubiquiti Unifi network to a full HPE Aruba network.

For now we would like the old equipment to contact the new equipment on the new LAN, before we migrate our PABX and servers to the new LAN.


We have the connections as the diagram below shows.

From the network 192.168.16.x, we are able to ping Port 5 on the Sophos with the IP 192.168.10.1, but we cannot reach the 192.168.10.254 core switch on the new LAN.

All the routings are created in the correct way:

XG125, knows that the IP 192.168.10.254 is behind port 5:

Even so, I cannot ping it, even from the firewall:

The zone configured for Port 5 allows PING:

And port 5 is configured properly:

Firewall rules are allowing traffic between the old and new LAN:

Firewall rule:

Can someone please help us? Could it be a misconfiguration on the Aruba (new LAN) side?

Thank you in advance!

Rui Jácome



This thread was automatically locked due to age.
  • Hello Rui,

    Thank you for contacting the Sophos Community.

    If your Core switch is a L3 device, make sure it has a route to send the traffic back to the XG.

    You can see whether the XG is forwarding the packet out to the LAN by running a tcpdump:

    tcpdump -eni Port5 host 192.168.16.X and proto ICMP

    If you see the ping going out of the interface Port5, it means the Aruba core switch is misconfigured.

    Regards,

  • Hello,



    I'm getting this error:

    console> tcpdump -eni Port5 host 192.168.16.2 and proto ICMP
    % Error: Unknown Parameter 'Port5'
    console>

    Tks

    Rui

  • So, on the command:

    "tcpdump -eni Port5 host XXX.XXX.XX.XXX and proto ICMP" I should replace the XXX with the IP I'm trying to reach behind Port5, right?

    In this case it's IP 192.168.10.254, so it should be:

    "tcpdump -eni Port5 host 192.168.10.254 and proto ICMP", correct? And if so, I should see some traffic. Correct?

    If so, I will try it tomorrow and give you the feedback by the evening (due to the timezone difference from Portugal).

    Tks in advance!

    Rui

  • Hello Rui,

    Correct. 

    Regards,

  • Hello!

    Tried to use the tcpdump command:

    XG125_XN02_SFOS 18.0.1 MR-1-Build396# tcpdump -eni Port5 host 192.168.10.254 and proto ICMP
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on Port5, link-type EN10MB (Ethernet), capture size 262144 bytes
    ^C
    0 packets captured
    0 packets received by filter
    0 packets dropped by kernel

    On my computer, on the old LAN, I tried to ping the IP 192.168.10.254:

    C:\Users\rjacome>ping 192.168.10.254

    Pinging 192.168.10.254 with 32 bytes of data:
    Reply from 192.168.16.254: Destination host unreachable.
    Reply from 192.168.16.254: Destination host unreachable.
    Reply from 192.168.16.254: Destination host unreachable.
    Reply from 192.168.16.254: Destination host unreachable.

    Ping statistics for 192.168.10.254:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

    IP 192.168.16.254 is the Sophos XG125.

    But I can ping the IP of Port5:

    C:\Users\rjacome>ping 192.168.10.1

    Pinging 192.168.10.1 with 32 bytes of data:
    Reply from 192.168.10.1: bytes=32 time<1ms TTL=64
    Reply from 192.168.10.1: bytes=32 time<1ms TTL=64
    Reply from 192.168.10.1: bytes=32 time<1ms TTL=64
    Reply from 192.168.10.1: bytes=32 time<1ms TTL=64

    The packet trace on the XG GUI shows the following:

  • Hello Rui,

    Actually, can you remove the static route that you have for 192.168.10.0? You don't need this one.

    Regards,

  • Hello!

    Still not working... 

  • Hello Rui,

    What about the output of XG125_XN02_SFOS 18.0.1 MR-1-Build396# tcpdump -eni Port5 host 192.168.10.254 and proto ICMP after you removed the static route?

    Regards,

  • Still the same

    XG125_XN02_SFOS 18.0.1 MR-1-Build396# tcpdump -eni Port5 host 192.168.10.254 and proto ICMP
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on Port5, link-type EN10MB (Ethernet), capture size 262144 bytes
    ^C
    0 packets captured
    0 packets received by filter
    0 packets dropped by kernel

  • Hello Rui,

    Can you run it like this and start a ping:

    #tcpdump -eni any host 192.168.10.254 and proto ICMP

    Make a note of the output, then run the command below and run the ping again:

    #tcpdump -eni any host x.x.x.x and proto ICMP (x.x.x.x is the IP originating the ping)

    Regards,

  • Hello!

    First output: Pinging 192.168.10.254

    XG125_XN02_SFOS 18.0.1 MR-1-Build396# tcpdump -eni any host 192.168.10.254 and proto ICMP
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
    00:50:24.710187 Port1, IN: In 88:51:fb:67:e4:b2 ethertype IPv4 (0x0800), length 76: 192.168.16.88 > 192.168.10.254: ICMP echo request, id 1, seq 41404, length 40
    00:50:27.794049 Port1, IN: In 88:51:fb:67:e4:b2 ethertype IPv4 (0x0800), length 76: 192.168.16.88 > 192.168.10.254: ICMP echo request, id 1, seq 41405, length 40
    00:50:30.855516 Port1, IN: In 88:51:fb:67:e4:b2 ethertype IPv4 (0x0800), length 76: 192.168.16.88 > 192.168.10.254: ICMP echo request, id 1, seq 41406, length 40
    00:50:33.926508 Port1, IN: In 88:51:fb:67:e4:b2 ethertype IPv4 (0x0800), length 76: 192.168.16.88 > 192.168.10.254: ICMP echo request, id 1, seq 41407, length 40
    ^C
    4 packets captured
    4 packets received by filter
    0 packets dropped by kernel

    Second output: Ping origin:

    XG125_XN02_SFOS 18.0.1 MR-1-Build396# tcpdump -eni any host 192.168.16.88 and proto ICMP
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
    00:56:01.600227 Port1, IN: In 88:51:fb:67:e4:b2 ethertype IPv4 (0x0800), length 568: 192.168.16.88 > 192.168.1.253: ICMP 192.168.16.88 udp port 2055 unreachable, length 532
    00:56:01.600372 reds1, OUT: Out 00:2e:a8:b1:73:d0 ethertype IPv4 (0x0800), length 568: 192.168.16.88 > 192.168.1.253: ICMP 192.168.16.88 udp port 2055 unreachable, length 532
    00:56:11.153082 Port1, IN: In 88:51:fb:67:e4:b2 ethertype IPv4 (0x0800), length 392: 192.168.16.88 > 192.168.1.253: ICMP 192.168.16.88 udp port 2055 unreachable, length 356
    00:56:11.153273 reds1, OUT: Out 00:2e:a8:b1:73:d0 ethertype IPv4 (0x0800), length 392: 192.168.16.88 > 192.168.1.253: ICMP 192.168.16.88 udp port 2055 unreachable, length 356
    00:56:11.597278 Port1, IN: In 88:51:fb:67:e4:b2 ethertype IPv4 (0x0800), length 76: 192.168.16.88 > 192.168.10.254: ICMP echo request, id 1, seq 41408, length 40
    00:56:14.660439 Port1, OUT: Out 00:1a:8c:6d:68:f0 ethertype IPv4 (0x0800), length 104: 192.168.16.254 > 192.168.16.88: ICMP host 192.168.10.254 unreachable, length 68
    00:56:14.672841 Port1, IN: In 88:51:fb:67:e4:b2 ethertype IPv4 (0x0800), length 76: 192.168.16.88 > 192.168.10.254: ICMP echo request, id 1, seq 41409, length 40
    00:56:17.732426 Port1, OUT: Out 00:1a:8c:6d:68:f0 ethertype IPv4 (0x0800), length 104: 192.168.16.254 > 192.168.16.88: ICMP host 192.168.10.254 unreachable, length 68
    00:56:17.742805 Port1, IN: In 88:51:fb:67:e4:b2 ethertype IPv4 (0x0800), length 76: 192.168.16.88 > 192.168.10.254: ICMP echo request, id 1, seq 41410, length 40
    00:56:20.800441 Port1, OUT: Out 00:1a:8c:6d:68:f0 ethertype IPv4 (0x0800), length 104: 192.168.16.254 > 192.168.16.88: ICMP host 192.168.10.254 unreachable, length 68
    00:56:20.803924 Port1, IN: In 88:51:fb:67:e4:b2 ethertype IPv4 (0x0800), length 76: 192.168.16.88 > 192.168.10.254: ICMP echo request, id 1, seq 41411, length 40
    00:56:23.872429 Port1, OUT: Out 00:1a:8c:6d:68:f0 ethertype IPv4 (0x0800), length 104: 192.168.16.254 > 192.168.16.88: ICMP host 192.168.10.254 unreachable, length 68
    00:56:25.206517 Port1, IN: In 88:51:fb:67:e4:b2 ethertype IPv4 (0x0800), length 332: 192.168.16.88 > 192.168.1.253: ICMP 192.168.16.88 udp port 2055 unreachable, length 296
    00:56:25.206606 reds1, OUT: Out 00:2e:a8:b1:73:d0 ethertype IPv4 (0x0800), length 332: 192.168.16.88 > 192.168.1.253: ICMP 192.168.16.88 udp port 2055 unreachable, length 296

  • Hello Rui,

    Thank you, I have sent you a PM.

    Regards,
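
The check suggested in the replies above (does the echo request ever leave Port5?) applied to the posted capture, as an added example that is not part of the original thread: the script reads `tcpdump -eni any` lines and reports whether requests to the target arrived, whether they left the chosen egress interface, and which host returned "host unreachable". The name `trace_ping` and the verdict strings are assumptions made for this example; the sample lines are taken from the second capture posted in the thread.

```python
import re

# Sample lines taken from the second capture in the thread; the two
# "udp port 2055 unreachable" lines are unrelated traffic the filter must skip.
SAMPLE = """\
00:56:01.600227 Port1, IN: In 88:51:fb:67:e4:b2 ethertype IPv4 (0x0800), length 568: 192.168.16.88 > 192.168.1.253: ICMP 192.168.16.88 udp port 2055 unreachable, length 532
00:56:01.600372 reds1, OUT: Out 00:2e:a8:b1:73:d0 ethertype IPv4 (0x0800), length 568: 192.168.16.88 > 192.168.1.253: ICMP 192.168.16.88 udp port 2055 unreachable, length 532
00:56:11.597278 Port1, IN: In 88:51:fb:67:e4:b2 ethertype IPv4 (0x0800), length 76: 192.168.16.88 > 192.168.10.254: ICMP echo request, id 1, seq 41408, length 40
00:56:14.660439 Port1, OUT: Out 00:1a:8c:6d:68:f0 ethertype IPv4 (0x0800), length 104: 192.168.16.254 > 192.168.16.88: ICMP host 192.168.10.254 unreachable, length 68
00:56:14.672841 Port1, IN: In 88:51:fb:67:e4:b2 ethertype IPv4 (0x0800), length 76: 192.168.16.88 > 192.168.10.254: ICMP echo request, id 1, seq 41409, length 40
00:56:17.732426 Port1, OUT: Out 00:1a:8c:6d:68:f0 ethertype IPv4 (0x0800), length 104: 192.168.16.254 > 192.168.16.88: ICMP host 192.168.10.254 unreachable, length 68
"""

# timestamp, interface, direction, link-layer header, then "src > dst: ICMP <message>"
LINE = re.compile(
    r"^\S+ (?P<ifc>\S+), (?P<dir>IN|OUT): .*?: "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP (?P<msg>.*)$"
)

def trace_ping(capture, target, egress_if):
    """Summarise what the capture shows for echo requests sent to `target`."""
    seen_in = seen_out = replies = 0
    unreachable_from = set()
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        msg = m["msg"]
        if m["dst"] == target and msg.startswith("echo request"):
            if m["dir"] == "OUT" and m["ifc"] == egress_if:
                seen_out += 1          # request left towards the new LAN
            elif m["dir"] == "IN":
                seen_in += 1           # request arrived from the old LAN
        elif m["src"] == target and msg.startswith("echo reply"):
            replies += 1
        elif msg.startswith(f"host {target} unreachable"):
            unreachable_from.add(m["src"])  # who generated the ICMP error
    verdict = ("reply received" if replies else
               "forwarded, no reply" if seen_out else
               "not forwarded" if seen_in else
               "no matching traffic")
    return {"requests_in": seen_in, "requests_out": seen_out, "replies": replies,
            "unreachable_from": sorted(unreachable_from), "verdict": verdict}

if __name__ == "__main__":
    print(trace_ping(SAMPLE, "192.168.10.254", "Port5"))
```

A "forwarded, no reply" verdict corresponds to the case described in the first reply, where the return path on the switch is the next thing to check; "not forwarded" means the request never appeared on the egress interface at all.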
