
Can't access Synology server once Sophos XG Firewall is connected to Cisco switch

As I've worked through some (not all) setup issues, one that continues to stump me is the fact that when my NAS is connected to switch along with all other LAN devices and incoming internet from router, life is good. I can access my NAS no problem.

The minute I connect my router to Sophos XG V19 WAN (through bridge interface and one LAN port is connected to an open port on switch), I can connect to other LAN devices with exception being my NAS server. I can't ping the IP address either. Something is blocking access but I'm just not sure what it could be.

I also connected NAS directly to the Sophos XG device and that didn't make a difference. I've tried a couple of firewall rules and that didn't solve the issue. This same phenomenon happened on another firewall device with exception being I could connect NAS directly to the firewall device and access it but when I connected the NAS to my switch (my preferred connection method), I couldn't access or ping it.

So there has to be some setting within the NAS that is being blocked by XG that is unique from a PC, tablet or smart phone. I've scoured the internet and haven't found a solution.

ISP-->Router-->switch-->LAN devices (current state where NAS is accessible)

ISP-->Router-->Sophos XG-->switch-->LAN devices (future state where NAS is not accessible)

Also keep in mind, I'm learning as I go with Sophos XG so I may not completely understand suggested fixes so please bear with me.

Any help is definitely appreciated.



This thread was automatically locked due to age.
  • The only scenario I can see giving you this problem is if the NAS IP is duplicated on the XG somewhere. We've used a Synology NAS with Cisco switches and I can't think of anything that is special about the network interface on the NAS. Have you looked at the ARP table on the switch in each scenario ("show ip arp" from the command line)?

  • Hey JasP,

    Thanks for the reply.

    As I've looked at the Cisco config, NAS config and XG config, nothing jumps out at me. I don't see any duplication of IPs. I don't know CLI console commands, so I'm a bit hesitant to try that. All 3 have static IPs.

    I get this message: ERR_CONNECTION_TIMED_OUT

    Multiple scanners see it and it shows up in router as attached. 

    Just scratching my head on this one.

  • Hi Chevyavalanche,

    May I know whether the switch is in L2 or L3 mode? As it works when you connect the NAS directly to the Sophos XG, that means configuration might be missing at your switch level when you place the switch in between.

    You can also check whether traffic is hitting the Sophos XG with and without the switch in place:

    console> tcpdump 'host <destination IP address> and proto ICMP'

    console> dr 'host <destination IP address> and proto ICMP'

    If you are not getting any hits, that means again you have to look into the switch configuration.

    Thanks and Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Bharat,

    Thanks for the reply.

    I have a Cisco SG200-26 L2 switch. Connecting NAS directly to Sophos XG does not work either but I can check that again. I will try and do the console commands as best as I can.

    If I have a switch issue, how is it possible that everything works without Sophos XG? I would suspect that I would have some of the same problems I'm having now with Sophos XG but everything works without Sophos XG.

  • When we had some Cisco Small Business switches, I hated them. I think they were the series before these. You had to set the port 'type' through the GUI and we found that even when selecting the correct type (e.g. router), the switch wouldn't connect. You had to try other types to get it to work. Not sure if your Cisco is the same, but if it is, it may be worth experimenting with changing the port type of the NAS and/or XG to see if you can get it to work. Better still would be to get your hands on a 'dumb' switch, hook up the NAS, XG and a workstation and see if they can see each other. At least that way you can confirm whether the switch is the cause of your problems.

    Not sure how you will get on with console access. Don't think there was any with the switches we had. I've done a quick search and apparently the SG200 doesn't have any CLI interface. These Small Business switches aren't what I would describe as 'proper' Cisco switches. I can't remember the name of the company, but Cisco bought a budget switch manufacturer and they have a separate division that makes these Small Business switches. They have nothing in common with the Cisco enterprise switches. People buy them because they have the Cisco name on them, but you would be better off getting a Netgear or D-Link switch. They may not be as good as enterprise Cisco switches, but they are a lot better than the Small Business switches.

  • Hi Chevyavalanche,

    Please share the current configuration status on the Sophos XG firewall, to check again whether the NAS is working with the Sophos XG connected directly without the switch.

    Please log in to Sophos, go to CONFIGURE-->Network-->Interfaces and share a snapshot of the configuration done till now; also go to System-->Administration-->Device access and share the firewall rule currently configured.

    What is the status of the tcpdump?

    Regards


  • As far as the tcpdump host command, I keep getting %error: Unknown parameter 172.16.x.x (leaving out the last 2 octets of the IP). Not a console command expert.

    I didn't see an area for a firewall rule under Administration-->Device access, so I provided the ACL, as maybe that is what you wanted.

  • Hi Chevyavalanche,

    Click on the R8000 Bridge LAN interface; it will expand the bridge pair. Share a snapshot of the settings applied.

    To check firewall rules, please go to PROTECT-->Rules and policies and share the firewall rule created; a LAN-to-LAN firewall rule is required.

    Also, share the logs from SSH to assist you:

    console> tcpdump 'host 172.16.0.3 and proto ICMP'

    and initiate the ping from the PC or NAS.

    console> dr 'host 172.16.0.3 and proto ICMP'

    Regards


  • As far as the logs, I can't get them to work. I just get a spinning wheel and it shows Status: session expired, which I know isn't true as I'm using the XG to take these shots.

    I'll keep trying the tcpdump commands.

  • Hi Chevyavalanche,

    Please go to PROTECT-->Rules and Policies and add a firewall rule as below:


  • Yes, I had a rule like this a couple of days ago and it didn't fix my issue. It also caused my VPN router to lose connection (which is connected to a LAN port on XG).

  • Hi Chevyavalanche,

    Log in to SSH with the device console as per the link.

    On the Sophos XG, execute the below commands and initiate a ping from the NAS:

    console> tcpdump 'host 172.16.0.3 and proto ICMP'

    console> dr 'host 172.16.0.3 and proto ICMP'

    Also, check MONITOR & ANALYZE-->Diagnostics-->Packet Capture, click on Configure, enter the BPF string host 172.16.0.3 and proto ICMP, hit Save, turn on packet capture and share the status of the packet flow.
    Make sure to run a continuous ping to the destination IP.

    Regards

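    Reading a long ICMP capture by eye is hard, so here is an added helper (not from the thread or from Sophos) that pairs echo requests with echo replies by id/seq per target host and reports which hosts never answered. It assumes the XG console tcpdump line shape with an interface/direction prefix; the sample lines, the PC address 172.16.0.5 and the interface names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape the XG console tcpdump prints (interface and
# direction prefix, then the standard tcpdump ICMP summary). Not real output.
SAMPLE_CAPTURE = """\
10:01:01.000101 Port1, IN: IP 172.16.0.5 > 172.16.1.24: ICMP echo request, id 7, seq 1, length 64
10:01:01.000202 br0, OUT: IP 172.16.0.5 > 172.16.1.24: ICMP echo request, id 7, seq 1, length 64
10:01:02.000101 Port1, IN: IP 172.16.0.5 > 172.16.1.24: ICMP echo request, id 7, seq 2, length 64
10:01:02.000202 br0, OUT: IP 172.16.0.5 > 172.16.1.24: ICMP echo request, id 7, seq 2, length 64
10:01:03.000101 Port1, IN: IP 172.16.0.5 > 172.16.0.3: ICMP echo request, id 9, seq 1, length 64
10:01:03.000150 Port1, OUT: IP 172.16.0.3 > 172.16.0.5: ICMP echo reply, id 9, seq 1, length 64
"""

ICMP_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def summarize_icmp(capture):
    """Return {target: {"requests": n, "replies": n, "unanswered": [seq, ...]}}.

    A request is keyed by (target, id, seq); the same packet seen on several
    interfaces (IN on one port, OUT on the bridge) counts once. A reply from
    the target with the same id/seq answers that request."""
    requests = set()
    replies = set()
    for line in capture.splitlines():
        m = ICMP_RE.search(line)
        if not m:
            continue
        key = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "request":
            requests.add((m["dst"],) + key)
        else:
            replies.add((m["src"],) + key)
    result = defaultdict(lambda: {"requests": 0, "replies": 0, "unanswered": []})
    for target, icmp_id, seq in sorted(requests):
        stats = result[target]
        stats["requests"] += 1
        if (target, icmp_id, seq) in replies:
            stats["replies"] += 1
        else:
            stats["unanswered"].append(seq)
    return dict(result)


if __name__ == "__main__":
    for target, stats in summarize_icmp(SAMPLE_CAPTURE).items():
        verdict = "replies seen" if stats["replies"] else "no replies: host silent or reply path not captured"
        print(f"{target}: {stats['requests']} requests, {stats['replies']} replies -> {verdict}")
```

    Requests that leave the XG on the bridge but never come back as replies point at the switch or the NAS rather than a firewall rule drop; requests never seen at all point at the rule set (check the dr capture).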

  • I did the console> tcpdump 'host 172.16.0.3 and proto ICMP' and the MONITOR & ANALYZE-->Diagnostics-->Packet Capture, click on Configure, enter BPF string host 172.16.0.3 and proto ICMP. The tcpdump continues to run. What or how do I provide you with info?

  • Hi Chevyavalanche, from the GUI packet flow, take a snapshot and share it (use Greenshot or the Snipping Tool); for the logs you got from PuTTY, select the logs, copy and paste them here.

    Regards


  • PuTTY just gave me this error:

    I was doing the commands in the console from the Sophos XG.

    I don't do this kind of stuff every day, so you need to be very specific on how to do things. My setup before Sophos XG has been stable and running for years with little to no issues. I accessed everything easily. As soon as I add this firewall, all heck breaks loose. I am thankful you are taking the time to help a neophyte like me.

    The script from the XG console is still running. Do you want a snapshot of that? By the way, how do you stop it without quitting the console? I tried the ESC key, CTRL-ESC?

    Here's a snippet from the XG console:

    172.16.1.24 is the NAS.

  • > By the way, how do you stop it without quitting the console? I tried the ESC key, CTRL-ESC?

    CTRL + C. And the logs are not enough to investigate; try again with SSH access.

    Please share the packet flow from the GUI as well: MONITOR & ANALYZE-->Diagnostics-->Packet Capture, click on Configure, enter BPF string host 172.16.0.3 and proto ICMP.

    Regards


  • I have over 200 pages and growing of this: MONITOR & ANALYZE-->Diagnostics-->Packet Capture, click on Configure, enter BPF string host 172.16.0.3 and proto ICMP. Keep going or stop, and how do I share?

    PuTTY just gives me the same error over and over again... but how do you enter this info?

    The 10.5.5.1 and Default RSA? I've tried to enter that info but can't seem to figure it out.

  • > Keep going or stop, and how do I share?

    Install the Snipping Tool and share a snapshot of the packet flow you are able to see; to stop the packet capture, click on Off.

    To get CLI access, follow the below link; you have to enter the Sophos IP.

    https://support.sophos.com/support/s/article/KB-000038697?language=en_US 

    Regards
