Sophos XG ExpressRoute to Azure

Hello,

I lodged a case with Sophos over the phone [7462215] a few days ago and called each day, with the response of "the engineer assigned to the case is unavailable, and there is no one else who can take the job, we will call you back" followed by "the engineer / team is unavailable and the shift is switching over, we will escalate this to the escalation team, there is no ETA of when you will get a call back". This was lodged as an urgent issue for immediate response, so I'm a bit disappointed that there has been no contact at all from Sophos' end; not sure if there is an SLA or OLA...

Rant over - problem time:

Currently running a Sophos XG virtual appliance hosted on ESXi 6.5 infrastructure, with a virtual interface passed through to the Sophos as a trunk port to facilitate the ExpressRoute (provided by Megaport). When we communicate directly from our datacentre infrastructure we can reach the Azure infrastructure with no problem, so the ExpressRoute is provisioned correctly on the Azure/Megaport/DC side.

I cannot find any guides or guidance in the Sophos KBs on how to configure an ExpressRoute on the XG, specifically in relation to the Dot1Q and QinQ interface requirements to terminate the eBGP connection.

The first problem found was that we cannot add an interface with a VLAN inside a VLAN, so I had to do this through the CLI (as below):

```sh
# Outer (S-tag) sub-interface: 802.1ad, VLAN 3087 on the trunk port PortC
ip link add link PortC PortC.3087 type vlan proto 802.1ad id 3087
ifconfig PortC.3087 up
# Inner (C-tag) sub-interface: 802.1Q, VLAN 10 stacked on the outer one
ip link add link PortC.3087 PortC.3087.10 type vlan proto 802.1Q id 10
ifconfig PortC.3087.10 up
# Address the inner interface (/30 point-to-point for the eBGP peering)
ifconfig PortC.3087.10 10.50.50.1 netmask 255.255.255.252 up
```

I was able to add these interfaces correctly; however, the configuration is wiped on reboot (I expected this, as I cannot find the CLI command to write the changes).

The next point is that when the interfaces are added the zone type is set to UNBOUND, so the XG drops all packets on these interfaces and we cannot communicate through to Azure either. I'm unable to find the appropriate variables to change the zone type to anything else (LAN/WAN, whatever), and the VLAN interfaces are not showing in the GUI, so we cannot change the zones manually (running the network configuration CLI wizard over SSH doesn't allow you to change the zones for the VLAN interfaces :( :( ).

As you can imagine, we are currently paying for the Megaport ExpressRoute and cannot deliver it to our client because of these issues, so any assistance would be great.

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-config-samples-routing
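The `ip link` sequence from the post, rewritten as a small re-runnable shell script with VLAN ID validation, a dry-run mode and a check that the outer tag really is 802.1ad (an outer tag created as plain 802.1Q looks identical in `ip link show` without `-d` and is an easy mistake). This is an added example, not Sophos code and not a supported XG procedure: the interface name PortC, the VLAN IDs 3087/10 and the address 10.50.50.1/30 are taken from the post, the function names are mine, and it assumes a Linux host with iproute2 (it uses `ip addr replace` instead of `ifconfig` so re-running does not fail on an existing address). Like the post's own commands, it does nothing about persistence across an XG reboot or the UNBOUND zone assignment.

```shell
#!/bin/sh
# Added example: build a QinQ (802.1ad outer / 802.1Q inner) sub-interface
# stack with iproute2. Set DRY_RUN=1 to print the commands instead of running
# them (needs root otherwise).
set -u

# Run a command, or just echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# VLAN IDs are 12 bits; 0 and 4095 are reserved by 802.1Q.
vlan_id_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# qinq_up PARENT OUTER_ID INNER_ID ADDR/PREFIX
# Creates PARENT.OUTER (S-tag, 802.1ad) and PARENT.OUTER.INNER (C-tag, 802.1Q),
# brings both up and puts ADDR on the inner interface. Interfaces that already
# exist are skipped, so the function can be re-run after a partial failure.
qinq_up() {
    parent=$1; outer=$2; inner=$3; addr=$4
    vlan_id_ok "$outer" || { echo "bad outer VLAN id: $outer" >&2; return 1; }
    vlan_id_ok "$inner" || { echo "bad inner VLAN id: $inner" >&2; return 1; }
    s_if="$parent.$outer"
    c_if="$s_if.$inner"

    if [ "${DRY_RUN:-0}" = 1 ] || ! ip link show dev "$s_if" >/dev/null 2>&1; then
        run ip link add link "$parent" name "$s_if" type vlan proto 802.1ad id "$outer"
    fi
    run ip link set dev "$s_if" up

    if [ "${DRY_RUN:-0}" = 1 ] || ! ip link show dev "$c_if" >/dev/null 2>&1; then
        run ip link add link "$s_if" name "$c_if" type vlan proto 802.1Q id "$inner"
    fi
    run ip link set dev "$c_if" up
    run ip addr replace "$addr" dev "$c_if"
}

# qinq_check PARENT OUTER_ID INNER_ID
# Verifies the stack after creation: `ip -d link` prints the VLAN protocol, so
# this catches an outer tag that was accidentally created as 802.1Q.
qinq_check() {
    ip -d link show dev "$1.$2"    | grep -q "vlan protocol 802.1ad id $2 " &&
    ip -d link show dev "$1.$2.$3" | grep -q "vlan protocol 802.1Q id $3 "
}

# Usage (values from the post):
#   DRY_RUN=1 sh qinq.sh            # print the commands only
#   sh qinq.sh                      # create the interfaces (as root)
if [ "${QINQ_APPLY:-0}" = 1 ]; then
    qinq_up PortC 3087 10 10.50.50.1/30 && qinq_check PortC 3087 10
fi
```

Run it with `QINQ_APPLY=1 DRY_RUN=1 sh qinq.sh` first to see exactly what will be executed; `qinq_check` only passes when the outer interface reports `vlan protocol 802.1ad`, which is the part of the stack the GUI cannot express.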