This discussion has been locked.

Problem with multiple aliases on WAN

We have the following issue.

We're migrating from Cisco ASA to XG. The two firewalls are installed side by side and we're moving published services one at a time by removing the public IP addresses from the Cisco ASA and adding them as aliases on the WAN interface of the XG.

We ran into the following issue.

We started by adding one alias to the XG and all worked fine, after we created the rules on the XG for publishing the server behind the alias.

Then we added a new alias to the WAN interface but found that it didn't work.

After some research we found that on the Cisco ASA there was an ARP entry (dynamic) only for the primary WAN interface IP and the first alias we created.

It looks like additional aliases didn't set the ARP.

Adding a static ARP on the Cisco ASA for the additional aliases solved the issue, but it looks to me that it should not be needed.

Thanks



This thread was automatically locked due to age.
  • The Sophos should reply to ARP responses on every alias IP address it has. On the 1st alias it worked.
    The ASA also had that alias previously; double-check that you removed the alias on the Cisco entirely.

    Btw, the best way to troubleshoot is hooking up an extra host on the segment, clearing its ARP table, and pinging the alias while running a sniffer (but it requires a free IP address).

  • It was indeed a problem of ARP caching; still to find out if it's the ISP's router or the switch connecting them.

    Thanks

  • Hi Sixteen

    As per your issue, you lose internet connection after 2-3 days; it seems consistent unless you reboot the appliance. You would need to conduct a simple test.

    Test 1.

    First, check the ARP table for the WAN interface to see if the gateway address is associated with a MAC address. If it is complete, then it is possible the ARP entry on the router is deleted. If it shows "In-complete", you may add a static ARP entry for the same, and the MAC address would be your WAN gateway's MAC address.

    To diagnose this issue, could you run a command in console/SSH:

    console >system diagnostics utilities arp ping interface PortB (Gateway address)

    If you get the reply, you may check again whether the internet connection is restored or not.

    If the connection is restored, then it is possible that the ISP gateway may have rebooted automatically and the ARP table on the router was wiped clean. Now at this stage the XG appliance already has an ARP entry and would not send again.

    You would need to follow two steps if necessary to maintain the ARP on the ISP gateway.

    Connect a common Layer 2 switch in between the WAN interface and the ISP connection. If that does not work, ARP-bind the MAC address with the XG WAN address on the gateway router.

    Hope this would resolve your issue.

  • The WAN switch is a layer 2 device, and has no ARP entries.
    So the problem is the ISP router, having a long ARP time-out and maybe not honoring gratuitous ARP.

  • I mean the customer's switch where the Sophos and Cisco external ports are connected, and it does have the ARP table.

    In any case it might well be the ISP router which is not considering gratuitous ARP.

    Thanks

    Stefano
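The troubleshooting suggested above (ping each alias while a sniffer runs on the WAN segment) and the gratuitous-ARP hypothesis can be checked offline against captured frames. The following is an added example, not code from the thread or from Sophos: it decodes Ethernet/ARP frames, tells requests, replies and gratuitous announcements apart, and reports per alias IP whether anything on the wire ever answered for it. The MACs, the TEST-NET-3 addresses and the `build_arp` encoder exist only to construct the sample capture.

```python
import struct
from typing import Dict, List, Set

ETH_ARP = 0x0806  # EtherType for ARP

def parse_arp(frame: bytes) -> Dict[str, str]:
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        raise ValueError("not an Ethernet/ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    ip = lambda b: ".".join(str(x) for x in b)
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    # RFC 5227: a gratuitous ARP (announcement) names the sender's own IP as target
    kind = "gratuitous" if spa == tpa else {1: "request", 2: "reply"}.get(oper, "other")
    return {"kind": kind, "sender_mac": mac(sha), "sender_ip": ip(spa),
            "target_mac": mac(tha), "target_ip": ip(tpa)}

def alias_coverage(frames: List[bytes], aliases: Set[str]) -> Dict[str, str]:
    """Per alias IP: 'answered' (a reply or gratuitous ARP came from it),
    'unanswered' (it was asked for but nobody replied) or 'not seen'."""
    status = {a: "not seen" for a in aliases}
    for p in map(parse_arp, frames):
        if p["kind"] in ("reply", "gratuitous") and p["sender_ip"] in status:
            status[p["sender_ip"]] = "answered"
        elif p["kind"] == "request" and status.get(p["target_ip"]) == "not seen":
            status[p["target_ip"]] = "unanswered"
    return status

def build_arp(oper: int, sha: bytes, spa: bytes, tha: bytes, tpa: bytes) -> bytes:
    """Encode a frame in memory; used here only to construct the sample capture."""
    dst = tha if oper == 2 else b"\xff" * 6  # replies are unicast, requests broadcast
    return dst + sha + struct.pack("!HHHBBH", ETH_ARP, 1, 0x0800, 6, 4, oper) + sha + spa + tha + tpa

# Constructed sample (TEST-NET-3 addresses, locally administered MACs), not a real capture.
XG, GW, ZERO = bytes.fromhex("021122334455"), bytes.fromhex("02aabbccddee"), bytes(6)
ISP_GW_IP = bytes([203, 0, 113, 1])
A = {n: bytes([203, 0, 113, n]) for n in (10, 11, 12)}
SAMPLE = [
    build_arp(1, GW, ISP_GW_IP, ZERO, A[10]),  # router asks who has alias .10
    build_arp(2, XG, A[10], GW, ISP_GW_IP),    # firewall answers for .10
    build_arp(1, GW, ISP_GW_IP, ZERO, A[11]),  # router asks for .11, nobody answers
    build_arp(1, XG, A[12], ZERO, A[12]),      # firewall announces .12 unprompted
]
ALIASES = {"203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"}
if __name__ == "__main__":
    for ip, state in sorted(alias_coverage(SAMPLE, ALIASES).items()):
        print(ip, state)
```

An alias that stays "unanswered" while the firewall is up points at the firewall not responding for that address; one that is "answered" on the wire yet unreachable points at a stale cache on the router or switch, which is the case the thread ends on.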