[BUG] No data through RED tunnel

Hi,

I don't get any data through the RED tunnel. Tested with a single and both WAN links.

The RED live log shows this:

2012:10:15-16:29:10 fw-1 red_server[9942]: A3400703AB17AB8: command 'PING 0'

2012:10:15-16:29:10 fw-1 red_server[9942]: A3400703AB17AB8: PING remote_tx=0 local_rx=0 diff=0

2012:10:15-16:29:10 fw-1 red_server[9942]: A3400703AB17AB8: PONG local_tx=0

Normally the PING counts up.

And a tcpdump on the RED interface didn't show a single packet.
Connection tested with a pc behind the RED. The pc was configured to request a DHCP address, but nothing happens and with a static IP I couldn't ping the interface either. The firewall is ping visible.

The RED50 config:
Didn't used the deployment helper
UTM Hostname: vpn.company.de
Operation mode: Standard / Unified

UTM
Firmware version: 9.003-15
DHCP on UTM for RED interface
RED network in web proxy

Regards
Daniel

Parents

0 hschaa over 12 years ago

Is your ASG behing a NAT?
Helmut
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 quasar3c279 over 12 years ago in reply to hschaa

No, they can directly reach the astaro. The RED is located in the LAN and DMZ.

Regards, Mario
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 hschaa over 12 years ago in reply to quasar3c279
Please run
red2ctl list
on the ASG and append the output here.

Thanks,
Helmut
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

0 quasar3c279 over 12 years ago in reply to hschaa


fw:/root # red2ctl list

reds1 [1] dstport: 3410 keyid: 0 alg: authenc(hmac(sha1),cbc(aes))

  0 weight: 0 remote: 10.24.5.119 (dev 8) delay: 448601.922 ms

     RX: miss 23/34

     TX: miss 0/56244

  1 weight: 1 remote: 10.24.5.119 (dev 6) delay: 1252.6 ms

     RX: miss 61019/162257

     TX: miss 0/56242

  2 weight: 0 remote: 10.24.5.128 (dev 8) delay: 1252.25 ms

     RX: miss 27/76

     TX: miss 0/56157

  3 weight: 0 remote: 10.24.5.128 (dev 6) delay: 1252.41 ms

     RX: miss 50358/147911

     TX: miss 0/56144

  4 weight: 1 remote: 192.168.250.132 (dev 3) delay: 1252.40 ms

     RX: miss 8997/19667

     TX: miss 0/6771

  5 weight: 0 remote: 10.24.5.119 (dev 3) delay: 1073741.835 ms

     RX: miss 0/2

     TX: miss 0/2012

 Total RX: miss 0/0  bandwidth 0.0  bit/s

       TX: miss 0/0  bandwidth 0.0  bit/s

0 hschaa over 12 years ago in reply to quasar3c279

Which network interfaces are configured as uplinks on the ASG? And how many?

Thanks,
Helmut
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 quasar3c279 over 12 years ago in reply to hschaa

Hi,

dev 4 and 5 (eth6 and eth7) are configured as uplinks.

After changing the UTM hostname to the internal interface instead of the external traffic through the tunnel is working. The RED is connected to LAN and DMZ and initiates the connection from inside the UTM.

Why doesn't the setup work if I choose the external interface as UTM hostname?

In the logs I've seen that the UTM sends it's UPLINK IPs to the RED, does it automatically initiate a connection to all uplinks of the ASG?

Regards, Mario
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 hschaa over 12 years ago in reply to quasar3c279

Why doesn't the setup work if I choose the external interface as UTM hostname?

I'm not 100% sure but the routing tables might be somehow incorrect when a connection comes in to the external interface via an internal interface ...

In the logs I've seen that the UTM sends it's UPLINK IPs to the RED, does it automatically initiate a connection to all uplinks of the ASG?

Correct, that's what the RED currently does. However, this leads to problems when the ASG is behind some kind of NAT. Hence, we might change it to just use the two hostnames from the RED50 configuration as RED peers. See [1].

Helmut

[1] RED 50 Beta Test - Astaro User Bulletin Board
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 hschaa over 12 years ago in reply to quasar3c279

Why doesn't the setup work if I choose the external interface as UTM hostname?

I'm not 100% sure but the routing tables might be somehow incorrect when a connection comes in to the external interface via an internal interface ...

In the logs I've seen that the UTM sends it's UPLINK IPs to the RED, does it automatically initiate a connection to all uplinks of the ASG?

Correct, that's what the RED currently does. However, this leads to problems when the ASG is behind some kind of NAT. Hence, we might change it to just use the two hostnames from the RED50 configuration as RED peers. See [1].

Helmut

[1] RED 50 Beta Test - Astaro User Bulletin Board
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 quasar3c279 over 12 years ago in reply to hschaa

Wouldn't it be better to define which uplinks you wan't to use for the RED tunnel?

The customers have one link for Internettraffic and one or to for company traffic, e.g. VPN and Mail. They don't want to use the Internetlink for RED traffic. Maybe you can add an additional field in the RED configuration for specifiing the UPLINKS you want to use?

This would be more flexible...

Mario
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 maygyver over 12 years ago in reply to quasar3c279

Hi,

I try to replace a RED10 by a red50.
I established the red50 tunnel with one WAN interface and one UTM entry.

I switched the Interface to red50. But now there is no traffic possible.

ASG has no NAT, RED50 is behind NAT.

Sven

Astaro user since 2001 - Astaro/Sophos Partner since 2008
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel