Sophos XG Internet for only a few minutes

I configured a new XG 135 to be the main router of our network.  On boot up, it works very well, but a few minutes later all clients suddenly can no longer access the Internet.  The box itself continues to be connected to the Internet and is able to ping/traceroute/resolve on the Internet.  It seems it's just not forwarding traffic to the outside.

Here's a rough network diagram.

Summary of configuration:

Firewall:

  • LAN to WAN, from MENA Network to Any, Allow, Apply MASQ and Traffic Shaping
  • LAN to WAN, from MMC Network to Any, Allow, Apply MASQ and Traffic Shaping
  • LAN to WAN, from MEU Network to Any, Allow, Apply MASQ and Traffic Shaping
  • LAN to LAN, from Any to Any, Allow

Static Routes:

  • 0.0.0.0/0.0.0.0 213.175.179.201 WAN 0
  • 192.168.11.0/255.255.255.0 192.168.44.2 LAN 0
  • 192.168.22.0/255.255.255.0 192.168.44.2 LAN 0
  • 192.168.33.0/255.255.255.0 192.168.44.2 LAN 0

As I said, it would work for a few minutes but will suddenly stop without any changes in configuration.  What am I missing?

  • Ryan,

    Did you check the firewall logs? What are they saying?

    Ping and tcpdump from affected machine to Internet?

    Thanks

  • Did some more testing today.  Here's what I know so far:


    1. It is not a firewall problem
      • I created an Allow All rule right at the top (from “Any” to “Any” Allow).
      • Log confirms the traffic is allowed through.
    2. It is not a problem with the HP core switch
      • I connected my laptop straight to the Sophos and pretended to be a LAN computer.  Still traffic isn’t going through.
      • Traceroute to any external IP stops at Sophos.  This means the Procurve was able to route the traffic to Sophos.  It just can’t get out of there.
    3. It is not an authentication or quota problem
      • I created a user with unlimited quota and without any limitations whatsoever and authenticated my laptop with that user.
      • Sophos detects correctly that my laptop is authenticated.  Still no traffic going through.
    4. It’s not a firmware problem.
      • Both SFOS v15 and SFOS v16 had the same problem.
    5. During all this, Sophos is able to ping any address on the LAN or on the Internet.

    Any other ideas?

  • What are your masquerade settings?

  • What's up with the "transparent dmz gateway" function?  Can XG combine routing and transparent mode?
    Seems to me like you just end up with 2 interfaces in the same public subnet.  Try with the DMZ interface disconnected.

  • Each internal network is using a masq IP that is different from the WAN interface IP but on the same subnet. I have checked, and they are indeed going out through the correct IP as specified.

    But one thing I just realized now is that these masq IPs are not set up as Alias IPs on the WAN interface. I'm coming from a Sonicwall where this is not required. Is this required for XG?

  • I followed the KB on community.sophos.com/.../123524 because we do need to set up a server completely exposed to the internet. Anyways, I did try to remove the DMZ and set it up normally but it did not make a difference.

  • I think I just answered my own question.  After assigning all IPs to the WAN interface as an Alias, Internet connectivity has been stable for about 2 hours now.  It looks like the problem is now solved.  Thanks to Billybob for giving me a hint.
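The fix above amounts to a rule that can be checked before deployment: every masquerade (SNAT) address a NAT rule uses must be an address the firewall actually owns on its WAN interface, not merely one in the WAN subnet. The following Python check is an added example, not code from the thread or from Sophos; the interface and rule dictionaries are a hypothetical representation, and all addresses are constructed placeholders rather than the poster's real ones.

```python
import ipaddress

# Constructed sample: three LAN networks, each masqueraded behind its own
# public IP, as in the thread. Addresses are documentation-range placeholders.
WAN_INTERFACE = {
    "name": "Port2",
    "primary": "203.0.113.10/29",
    "aliases": [],                      # failing state: masq IPs not yet assigned
    "gateway": "203.0.113.9",
}

NAT_RULES = [
    {"name": "MENA to WAN", "source": "192.168.11.0/24", "snat": "203.0.113.11"},
    {"name": "MMC to WAN",  "source": "192.168.22.0/24", "snat": "203.0.113.12"},
    {"name": "MEU to WAN",  "source": "192.168.33.0/24", "snat": "203.0.113.13"},
]

# The corrected state: each SNAT address added as an alias on the WAN port.
FIXED_WAN = {**WAN_INTERFACE,
             "aliases": ["203.0.113.11/29", "203.0.113.12/29", "203.0.113.13/29"]}


def owned_addresses(iface):
    """Every IP the firewall answers for on this interface: primary plus aliases."""
    return {ipaddress.ip_interface(a).ip for a in [iface["primary"], *iface["aliases"]]}


def check_snat_rules(iface, rules):
    """Return (rule name, problem) pairs for SNAT addresses that are outside the
    WAN subnet or that the interface does not own. An empty list means clean."""
    wan_net = ipaddress.ip_interface(iface["primary"]).network
    owned = owned_addresses(iface)
    problems = []
    for rule in rules:
        snat = ipaddress.ip_address(rule["snat"])
        if snat not in wan_net:
            problems.append((rule["name"], f"{snat} is outside WAN subnet {wan_net}"))
        elif snat not in owned:
            problems.append((rule["name"],
                             f"{snat} is not assigned to {iface['name']}; add it as an alias"))
    return problems


def gateway_reachable(iface):
    """The default-route gateway must sit in the WAN subnet to be directly reachable."""
    wan_net = ipaddress.ip_interface(iface["primary"]).network
    return ipaddress.ip_address(iface["gateway"]) in wan_net


if __name__ == "__main__":
    for name, msg in check_snat_rules(WAN_INTERFACE, NAT_RULES):
        print(f"{name}: {msg}")
    print("fixed config problems:", check_snat_rules(FIXED_WAN, NAT_RULES))
```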
