
Routing Problem on XG19.0.0

I have a problem where I am unable to ping Google, and it somehow seems as if the firewall is missing a route back to my client. My client is inside a VLAN (172.16.87.99), and from the traffic below I can see that it correctly routes to the gateway address on port2 (192.168.1.2) and that Google responds to this IP on port2. But now it is not routing back to port8 and my VLAN. Has anybody any clue why? What am I missing?

tcpdump output:

11:33:14.491984 Port8, IN: ethertype IPv4, IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 413, length 40
11:33:14.491984 ITD_LAG01, IN: ethertype IPv4, IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 413, length 40
11:33:14.491984 ITD_LAG01.87, IN: IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 413, length 40
11:33:14.492096 Port2, OUT: IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 413, length 40
11:33:23.431003 Port8, IN: ethertype IPv4, IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 414, length 40
11:33:23.431003 ITD_LAG01, IN: ethertype IPv4, IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 414, length 40
11:33:23.431003 ITD_LAG01.87, IN: IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 414, length 40
11:33:23.431035 Port2, OUT: IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 414, length 40
11:33:27.991979 Port8, IN: ethertype IPv4, IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 415, length 40
11:33:27.991979 ITD_LAG01, IN: ethertype IPv4, IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 415, length 40
11:33:27.991979 ITD_LAG01.87, IN: IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 415, length 40
11:33:27.992031 Port2, OUT: IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 415, length 40
11:33:28.672393 Port2, OUT: IP 192.168.1.2 > dns.google: ICMP echo request, id 12, seq 1, length 192
11:33:28.686232 Port2, IN: IP dns.google > 192.168.1.2: ICMP echo reply, id 12, seq 1, length 76
11:33:28.686325 Port2, OUT: IP 192.168.1.2 > dns.google: ICMP echo request, id 12, seq 2, length 192
11:33:28.694989 Port2, IN: IP dns.google > 192.168.1.2: ICMP echo reply, id 12, seq 2, length 76
11:33:32.985746 Port8, IN: ethertype IPv4, IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 416, length 40
11:33:32.985746 ITD_LAG01, IN: ethertype IPv4, IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 416, length 40
11:33:32.985746 ITD_LAG01.87, IN: IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 416, length 40
11:33:32.985776 Port2, OUT: IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 416, length 40
11:33:37.975972 Port8, IN: ethertype IPv4, IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 417, length 40
11:33:37.975972 ITD_LAG01, IN: ethertype IPv4, IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 417, length 40
11:33:37.975972 ITD_LAG01.87, IN: IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 417, length 40
11:33:37.976000 Port2, OUT: IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 417, length 40

  • Hi Leonardo,

    Thank you for reaching out to Sophos Community.

    Would it be possible to share the FW policy for this one and a packet capture when you do a ping?

    Also, can you create a test policy on the very top, allowing the following VLAN for ICMP.

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • Those ICMP replies are not your replies.

    Actually Google does not reply to your client.

    11:33:28.672393 Port2, OUT: IP 192.168.1.2 > dns.google: ICMP echo request, id 12, seq 1, length 192
    11:33:28.686232 Port2, IN: IP dns.google > 192.168.1.2: ICMP echo reply, id 12, seq 1, length 76
    11:33:28.686325 Port2, OUT: IP 192.168.1.2 > dns.google: ICMP echo request, id 12, seq 2, length 192
    11:33:28.694989 Port2, IN: IP dns.google > 192.168.1.2: ICMP echo reply, id 12, seq 2, length 76

    Those are likely the interface monitoring ICMP packets. See the seq number.

    My guess is: you do not have a MASQ rule enabled? Because you are sending ICMP requests with your internal IP, which Google does not know.

    11:33:14.491984 Port8, IN: ethertype IPv4, IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 413, length 40
    11:33:14.491984 ITD_LAG01, IN: ethertype IPv4, IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 413, length 40
    11:33:14.491984 ITD_LAG01.87, IN: IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 413, length 40
    11:33:14.492096 Port2, OUT: IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 413, length 40

    This should be 192.168.1.2, as in the working one above.

    Check your NAT (SNAT). 


  • 192.168.1.2 is the IP of the interface that is connected to the router, which has IP 192.168.1.1. I have a NAT that does MASQ on any traffic with the outgoing interface WAN (Default SNAT IPv4). Somehow only on the second ping request does it translate the IP of my client to the gateway IP.

    11:33:27.991979 Port8, IN: ethertype IPv4, IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 415, length 40
    11:33:27.991979 ITD_LAG01, IN: ethertype IPv4, IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 415, length 40
    11:33:27.991979 ITD_LAG01.87, IN: IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 415, length 40
    11:33:27.992031 Port2, OUT: IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 415, length 40
    11:33:28.672393 Port2, OUT: IP 192.168.1.2 > dns.google: ICMP echo request, id 12, seq 1, length 192
    11:33:28.686232 Port2, IN: IP dns.google > 192.168.1.2: ICMP echo reply, id 12, seq 1, length 76

  • See the connection: it is not the same connection, it is a different one (likely the interface itself and the interface monitoring).

    Your connection is seq 415. And it is not translated.

    So the problem is MASQ / NAT. Somehow your SNAT is not applied.

    Look at the packet capture in the WebAdmin. Then check which NAT rule is applied; you see it there.

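The reasoning in the two replies above (the echo with id 12 is a separate flow from the client's id 1 flow, and the client's request leaves Port2 with its untranslated 172.16.87.99 source) can be turned into a quick check over the tcpdump text. The script below is an added example, not code from the thread or from Sophos: it parses tcpdump's ICMP echo lines, groups them by ICMP id, and for each id reports whether any request left the WAN interface with a source other than the interface's own address and whether a reply ever came back. The interface name `Port2`, the post-SNAT address `192.168.1.2` and the embedded sample lines (a subset of the capture posted above) are assumptions taken from this thread; adapt them to your own WAN port.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the tcpdump lines posted in the thread.
SAMPLE_CAPTURE = """\
11:33:27.991979 Port8, IN: ethertype IPv4, IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 415, length 40
11:33:27.991979 ITD_LAG01, IN: ethertype IPv4, IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 415, length 40
11:33:27.991979 ITD_LAG01.87, IN: IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 415, length 40
11:33:27.992031 Port2, OUT: IP 172.16.87.99 > dns.google: ICMP echo request, id 1, seq 415, length 40
11:33:28.672393 Port2, OUT: IP 192.168.1.2 > dns.google: ICMP echo request, id 12, seq 1, length 192
11:33:28.686232 Port2, IN: IP dns.google > 192.168.1.2: ICMP echo reply, id 12, seq 1, length 76
"""

# Matches the per-interface tcpdump format seen on the XG: timestamp, interface,
# direction, optional "ethertype IPv4," prefix, then the ICMP echo summary.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>[^,]+), (?P<dir>IN|OUT): (?:ethertype IPv4, )?"
    r"IP (?P<src>\S+) > (?P<dst>[^:]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)$"
)


def parse_capture(text):
    """Parse tcpdump ICMP echo lines into dicts; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["id"] = int(rec["id"])
            rec["seq"] = int(rec["seq"])
            records.append(rec)
    return records


def audit_snat(records, wan_iface="Port2", wan_addr="192.168.1.2"):
    """One finding per ICMP id, judged only from packets that crossed wan_iface.

    wan_iface and wan_addr are assumptions from the thread: the WAN port and the
    address every egress request should carry once the MASQ/SNAT rule applied.
    """
    flows = defaultdict(lambda: {"egress_src": set(), "seqs": set(), "reply": False})
    for r in records:
        if r["iface"] != wan_iface:
            continue  # LAN/VLAN legs show the pre-NAT source by design
        f = flows[r["id"]]
        if r["dir"] == "OUT" and r["kind"] == "request":
            f["egress_src"].add(r["src"])
            f["seqs"].add(r["seq"])
        elif r["dir"] == "IN" and r["kind"] == "reply":
            f["reply"] = True

    findings = {}
    for icmp_id, f in flows.items():
        leaked = sorted(s for s in f["egress_src"] if s != wan_addr)
        findings[icmp_id] = {
            "untranslated": bool(leaked),   # a request left WAN without SNAT
            "leaked_sources": leaked,
            "seq_range": (min(f["seqs"]), max(f["seqs"])) if f["seqs"] else None,
            "reply_seen": f["reply"],
        }
    return findings


if __name__ == "__main__":
    for icmp_id, finding in sorted(audit_snat(parse_capture(SAMPLE_CAPTURE)).items()):
        print(f"icmp id {icmp_id}: {finding}")
```

Run it against the full capture from the first post (`tcpdump -ni any icmp` on the XG console produces the same line shape) and the client's id 1 flow shows up as untranslated with no reply, while id 12 (the firewall's own probe) is translated and answered. A flow flagged untranslated is exactly the symptom of a SNAT rule that did not match, which is what the NAT ID 0 in the WebAdmin packet capture later confirmed.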

  • In the packet capture it showed NAT ID 0, which I guess means that no NAT rule was applied. I then moved the Default NAT rule to the top and now I am able to ping successfully. I am not sure why the NAT did not get applied before, but I guess it works now. Thanks for your help.