Can't access Synology server once Sophos XG Firewall is connected to Cisco switch

As I've worked through some (not all) setup issues, one that continues to stump me is the fact that when my NAS is connected to the switch along with all other LAN devices and incoming internet from the router, life is good. I can access my NAS no problem.

The minute I connect my router to the Sophos XG V19 WAN (through a bridge interface, with one LAN port connected to an open port on the switch), I can connect to other LAN devices, the exception being my NAS server. I can't ping the IP address either. Something is blocking access but I'm just not sure what it could be.

I also connected the NAS directly to the Sophos XG device and that didn't make a difference. I've tried a couple of firewall rules and that didn't solve the issue. This same phenomenon happened on another firewall device, the exception being that I could connect the NAS directly to the firewall device and access it, but when I connected the NAS to my switch (my preferred connection method), I couldn't access or ping it.

So there has to be some setting within the NAS that is being blocked by XG that is unique from a PC, tablet or smart phone. I've scoured the internet and haven't found a solution.

ISP-->Router-->switch-->LAN devices (current state where NAS is accessible)

ISP-->Router-->Sophos XG-->switch-->LAN devices (future state where NAS is not accessible)

Also keep in mind, I'm learning as I go with Sophos XG so I may not completely understand suggested fixes so please bear with me.

Any help is definitely appreciated.



  • The only scenario I can see giving you this problem is if the NAS IP is duplicated on the XG somewhere. We've used a Synology NAS with Cisco switches and I can't think of anything that is special about the network interface on the NAS. Have you looked at the ARP table on the switch in each scenario ("show ip arp" from the command line)?
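    JasP's suggestion above (compare the switch ARP table with and without the XG in line) as an added example that is not from the thread: a small Python helper that parses constructed "show ip arp" output for both topologies and flags any IP whose MAC changed between them, plus any MAC answering for more than one IP. 172.16.0.3 stands in for the NAS and every address and MAC below is made up.

```python
import re
from collections import defaultdict

# Constructed "show ip arp" output for the two topologies in the thread.
# Addresses and MACs are made up for this example (172.16.0.3 stands in
# for the NAS, as in the BPF filter quoted later in the thread).
ARP_WITHOUT_XG = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.0.1              -   0011.2233.0001  ARPA   Vlan1
Internet  172.16.0.3              2   0011.2233.0003  ARPA   Vlan1
Internet  172.16.0.20             5   0011.2233.0020  ARPA   Vlan1
"""
ARP_WITH_XG = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.0.1              -   0011.2233.0001  ARPA   Vlan1
Internet  172.16.0.3              0   00aa.bbcc.0099  ARPA   Vlan1
Internet  172.16.0.20             5   0011.2233.0020  ARPA   Vlan1
Internet  172.16.0.254            0   00aa.bbcc.0099  ARPA   Vlan1
"""

# IP and dotted-hex MAC; the Age column may be a number or "-".
ARP_LINE = re.compile(
    r"^Internet\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.IGNORECASE)

def parse_arp(text):
    """Return {ip: mac} from Cisco-style 'show ip arp' output; the header
    and incomplete entries (no MAC yet) are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def find_conflicts(before, after):
    """IPs whose MAC differs between the two captures: another device is
    now answering ARP for that address, i.e. a duplicate IP."""
    return {ip: (before[ip], after[ip])
            for ip in before.keys() & after.keys() if before[ip] != after[ip]}

def find_shared_macs(table):
    """MACs that answer for more than one IP; a firewall that holds a LAN
    host's address shows up here next to its own interface IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
```

    Run find_conflicts(parse_arp(ARP_WITHOUT_XG), parse_arp(ARP_WITH_XG)) on real output pasted into the two strings; a hit on the NAS address with the XG's MAC is the duplicate JasP describes.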

  • Hey JasP,

    Thanks for the reply.

    As I've looked at the Cisco config, NAS config and XG config, nothing jumps out at me. I don't see any duplication of IPs. I don't know CLI console commands, so I'm a bit hesitant to try that. All 3 have static IPs.

    I get this message: ERR_CONNECTION_TIMED_OUT

    Multiple scanners see it and it shows up in the router as attached.

    Just scratching my head on this one.

  • By the way, how do you stop it without quitting the console? I tried ESC key, CTRL-ESC?

    CTRL + C. The logs are not enough to investigate; try again with SSH access.

    Please share the packet flow from the GUI as well: MONITOR & ANALYZE-->Diagnostics-->Packet Capture, click on Configure and enter the BPF string host 172.16.0.3 and proto ICMP.

    Regards

  • I have over 200 pages and growing of this: MONITOR & ANALYZE-->Diagnostics-->Packet Capture, click on Configure Enter BPF string host 172.16.0.3 and proto ICMP. Keep going or stop and how do I share?

    Putty just gives me the same error over and over again... but how do you enter this info?

    The 10.5.5.1 and Default RSA? I've tried to enter that info but can't seem to figure it out.


  • Keep going or stop and how do I share?

    Install the snipping tool and share a snapshot of the packet flow you are able to see. To stop the packet capture, click on Off.

    To get CLI access, follow the link below; you have to enter the Sophos IP.

    https://support.sophos.com/support/s/article/KB-000038697?language=en_US 

    Regards

  • That's the link I've already tried and I continue to get the above error. I asked you how to add this:

    How do you add the 10.5.5.1 and Default RSA? I can't add that in the box.

    Here's a snippet from the packet capture.

  • I have re-read your original post and still believe that something is happening on the switch.

    Everything works fine without the XG.

    When you have the XG attached, can you confirm that everything works as expected except you can no longer access the NAS? Internet access from your workstations is fine?

    When you say you can no longer access the NAS, does that include from the workstations?

    Can you confirm you are using a single subnet for all your LAN equipment and no VLANs?

    Can you confirm you are making a single connection from the switch to the XG?

    Have you had a look at the error logs on the switch?

  • Hi JasP

    Everything works fine without XG---YES

    XG Attached--Can no longer access NAS as well as a ReadyShare drive connected to R8000. Internet access from stations like the one I'm typing on is fine.

    Access NAS/does that include workstations--YES, I can no longer access the NAS from this workstation I'm typing on.

    Single Subnet for all LAN equipment...NO VLANs

    YES, there is only one connection from XG to Switch

    Switch error logs: gi12 is the port where the XG connects to the switch. This is very strange as I read this. In all honesty, this is the first time I've looked at this RAM log. What exactly does it mean when gi12 is 'Forwarding'? What's even more puzzling is why the port is up and then down. Guess I could try another port, but I've already done that before (still no NAS connection); I didn't look at the logs when I did that, though.

  • In all honesty, I never thought I would have so many problems like this and am certainly no expert when it comes to configuring a firewall of this complexity. I just appreciate everyone's help on this.

  • Please go to System -->Administration -->Licensing and share a snapshot of the license status.

    Regards

  • I also continue to get this when trying to update my network...it's a miracle I got it to save in the first place.

    Item 1 doesn't make sense when I'm actually connected to the device, so I don't know what is going on with this, but it concerns me.

    Could this be a registration issue?
