
Dropped Packets and only partly DNS resolving on new VLAN Structure

Hi Sophos Community,

To get rid of the former structure of "only hardware servers, no VLANs and only one network per location" I've created a new strategy for the future. The network has managed core switches and edge switches, the core switches are stacked, the servers are Hyper-V 2019 based.

The plan for the new network is that each location has predefined VLANs in unique IP ranges. We don't have that many locations/VLANs, therefore I don't do complex subnetting and try to simplify this:

10.<locationNumber>.<VLan>.0/24

Sophos UTM always has 10.x.x.1 in each subnet.

On the Sophos UTM I configured a Link Aggregation Group with one uplink to each core switch (LACP with algorithm "Source/Destination MAC" on the switch side) and set up all VLANs in the interfaces:

In network definitions I set up a network group for first tests:

On the firewall I allowed communication from/to the new networks and from the old one in addition:

For the DHCP servers in AD I created an availability group to extend later on:

For new networks which should get an IP from DHCP (not all VLANs) there is no active DHCP server on the Sophos, therefore I created the DHCP relay:

In the global DNS tab the new networks are in the "allowed" section, but I think it isn't needed if I don't use the Sophos as my DNS server for the new networks.

In the "Request Routing" tab I added the routes for DNS/AD (one in Lab and one for Prod). For now only the networks where I have servers installed, because it's the first test and I'm lazy sometimes. ;)

Last but not least I configured the masquerading, which I forget so often:

Intrusion Prevention creates some problems with the new PBX, therefore it has been deactivated for one year. Web Filtering is currently not in use and deactivated as well. Sophos Sandstorm and ATP are deactivated.

Now the problem on the Windows Server:

After enabling DNS request logging I see many more requests than answers. Sometimes I get an answer and my DNS responds, sometimes not.

Sometimes I have ping loss while pinging the Sophos UTM. With the test server on the same subnet I don't face any problems. Domain join sometimes works completely, sometimes breaks while joining, sometimes it isn't possible.

For the first test and while installing I used the DHCP of the Sophos. But meanwhile all DHCP servers were first disabled and afterwards deleted.

Hopefully I explained it in enough detail.


Thanks and best regards

Florian
  • Looks like the Sophos catches the 10.10.70.5 DNS request.
    Check that you don't have an additional 10.10.70.5 address configured on some interface.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi Dirk,

    Thanks for your fast answer. I've double-checked all interfaces on the Sophos UTM.

    I forgot to attach the screenshot of the ping to the gateway (Sophos UTM):


    I don't think this is the problem, but to be sure I shut down all hypervisors and testing machines in the Lab as well.

    Well, I don't see any blocked packets in the Sophos, and hopefully the new ATP for Windows Server 2019 doesn't block something. I tried to deactivate this feature but it's hard. The Windows firewalls are disabled to prevent those issues. The next possibility is VMQ on the Hyper-V and the network cards. Hopefully this isn't a problem as well...

    Thanks and best regards

    Florian


  • Maybe one can get a little closer to the reason if you do a packet trace while pinging, on the UTM and on the Windows Server (or hypervisor)?

    Best regards

    Alex
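Florian reports many more DNS requests than answers, and Alex suggests a packet trace. As an added example (not from the thread or any Sophos tool), this script pairs DNS queries with their responses in tcpdump-style text by client IP, client port and transaction id, and lists the queries that never got an answer. The trace lines, addresses and names are constructed.

```python
import re
from collections import OrderedDict

# Constructed tcpdump-style DNS lines (not captured from the thread's network;
# addresses and names are made up). A "+" after the transaction id marks a
# query (recursion desired); a response carries answer counts like "1/0/0".
SAMPLE_TRACE = """\
12:00:01.000 IP 10.10.70.5.53412 > 10.10.20.10.53: 4123+ A? dc01.lab.example. (34)
12:00:01.002 IP 10.10.20.10.53 > 10.10.70.5.53412: 4123 1/0/0 A 10.10.20.10 (50)
12:00:02.000 IP 10.10.70.5.53413 > 10.10.20.10.53: 4124+ SRV? _ldap._tcp.lab.example. (40)
12:00:03.000 IP 10.10.70.5.53414 > 10.10.20.10.53: 4125+ A? dc01.lab.example. (34)
12:00:03.001 IP 10.10.20.10.53 > 10.10.70.5.53414: 4125* 1/0/0 A 10.10.20.10 (50)
12:00:04.000 IP 10.10.70.5.53415 > 10.10.20.10.53: 4126+ A? utm.lab.example. (33)
"""

# Timestamp, src ip.port, dst ip.port, transaction id, tcpdump flag chars, rest.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flags>[+*\-$|%]*) (?P<rest>.*)$"
)


def match_dns(trace_text, dns_port=53):
    """Pair queries with responses; return (answered_count, unanswered_queries)."""
    pending = OrderedDict()           # (client ip, client port, txid) -> description
    answered = 0
    for line in trace_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # not a DNS line in the expected shape
        is_query = "+" in m["flags"]  # tcpdump prints "+" (RD) only on queries
        if is_query and int(m["dport"]) == dns_port:
            key = (m["src"], m["sport"], m["txid"])
            pending[key] = f'{m["ts"]} {m["src"]} {m["rest"]}'
        elif not is_query and int(m["sport"]) == dns_port:
            key = (m["dst"], m["dport"], m["txid"])
            if pending.pop(key, None) is not None:
                answered += 1
    return answered, list(pending.values())


if __name__ == "__main__":
    answered, lost = match_dns(SAMPLE_TRACE)
    print(f"{answered} answered, {len(lost)} unanswered")
    for entry in lost:
        print("  no answer:", entry)
```

Run it over the output of `tcpdump -n port 53` taken on both ends of the path: a query that is present on the server side but missing on the UTM side points at the link or switch in between rather than at the DNS server.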

  • This morning was great! Woke up, turned on my laptop, connected to the VM to trace the packets and: it works! :)

    Yesterday I changed several options out of sheer desperation.
    1. VM LAN Teaming changed from LACP „Hyper-V Port“ to „Dynamic“
    2. D-Link switch config for the LACP group changed from „Short“ to „Long“
    3. Hyper-V extended network config on all VMs -> disabled (VMQ)

    Today I tried to find out which option caused the error.

    1. VM LAN Teaming changed from LACP „Dynamic“ to „Hyper-V Port“
    2. D-Link switch config for the LACP group changed from „Long“ to „Short“

    With the VMQ feature we faced some errors working with SCOM/SMA, so I don't want to enable this feature again. No change, it is still working.

    I guess the solution wasn't a wrong option; I guess it was an entry in an ARP table or somewhere else on some device(s), and the changes I made forced a "refresh" of the entries. My first tests were with the Sophos UTM DNS/DHCP services with the same IPs on the same VMs (MACs).

    If I find more information or I'm able to reproduce this issue, I'll update this topic. Thanks a lot for the hints and answers! :)

    Thanks and best regards

    Florian

  • Try disconnecting one of the two LACP links.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003