Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 28 subscribers
  • Views 640 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Auxiliary not reachable on peer Management IP due to missing route

Samuel Heinrich

SFOS 18.5.2

We've noticed that the peer mgmt IP is not reachable from certain subnets, if the traffic is routed via l3 switch.

investigation showed, that the auxiliary appliance did not sync all routes from the primary, thus it's not reachable from those subnets.

reload auxiliary did not sync the missing routes.

any ideas?

Below the outputs from the cli

10.2.x.x is synced

10.1.x.x is missing



This thread was automatically locked due to age.
  • 0

    Please open a Support Case for this behavior. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Yes it is. It uses the physical MAC of the interface to be accessible. You should consider to create a Peer Admin IP in each and every Interface, you want to connect. Most likely a access "over" the primary is not possible (So you coming from Port1 and want to access the Port2 of the second appliance). Instead you should create a Peer Admin IP of Port2 and directly access it.

    JCPenneyKiosk

  • 0 in reply to Joe Phillips

    Thank you for your comment!

    I've noticed that as well, that it is not possible to route over the primary, since the auxiliary uses it's own routing table to response, but its only two IP interfaces are "peer admin" and "HA Link". 

    Peer Admin IP is assigned to Lag0, which is directly connected to the transport network where the coreswitch is attached. that should work as traffic is comming from lag0 and is going back to lag0, and no primary is involved.

    It actually works for traffic comming from 10.1.x.x but not for traffic from 10.2.x.x due to the missing route.

    It would make much more sense if sophos would put the mgmt interfaces in separate VRFs, with their own routing table..  or at least have a working HA with full replication.     so many troubles with HA,. puuh

  • 0 in reply to Samuel Heinrich

    update:

    fun fact, i I create two /17 instead of a /16, it does replicate the routes. 

  • 0 in reply to Samuel Heinrich

    I still believe this is a technical issue, not a expected behavior. 

    __________________________________________________________________________________________________________________

Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?