Hi Sophos Community,
To get rid of the former structure of "only hardware servers, no VLANs and only one network per location", I've created a new strategy for the future. The network has managed core switches and edge switches, the core switches are stacked, and the servers are Hyper-V 2019 based.
The plan for the new network is that each location has predefined VLANs in unique IP ranges. We don't have that many locations/VLANs, therefore I don't do complex subnetting and try to keep it simple:
10.<locationNumber>.<VLAN>.0/24
The Sophos UTM always has 10.x.x.1 in each subnet.
On the Sophos UTM I configured a link aggregation group with one uplink to each core switch (LACP with the "Source/Destination MAC" algorithm on the switch side) and set up all VLANs in the interfaces:
In the network definitions I set up a network group for the first tests:
On the firewall I allowed the communication from/to the new networks, and from the old one in addition:
For the DHCP servers in AD I created an availability group to extend later on:
For new networks that should get an IP from DHCP (not all VLANs) there is no active DHCP server on the Sophos, therefore I created the DHCP relay:
In the global DNS tab the new networks are in the "allowed" section, but I think it isn't needed if I don't use the Sophos as my DNS server for the new networks.
In the "Request Routing" tab I added the routes for the DNS/AD (one in Lab and one for Prod). For now only the networks where I have servers installed, because it's the first test and I'm lazy sometimes. ;)
Last but not least I configured the masquerading, which I forget that often:
Intrusion Prevention caused some problems with the new PBX, therefore it has been deactivated for a year. Web Filtering is currently not in use and deactivated as well. Sophos Sandstorm and ATP are deactivated.
Now the problem on the Windows server:
After enabling DNS request logging I see many more requests than answers. Sometimes I get an answer and my DNS responds, sometimes not.
Sometimes I have ping loss while pinging the Sophos UTM. With the test server in the same subnet I don't face any problems. Domain join sometimes works completely, sometimes breaks while joining, sometimes it isn't possible.
For the first test and while installing I used the DHCP of the Sophos. But meanwhile all DHCP servers were first disabled and afterwards deleted.
Hopefully I explained it in enough detail.
Thanks and best regards
Florian
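The post's "many more requests than answers" observation is the kind of thing worth quantifying per client and per VLAN before touching the LAG or firewall, because a loss that is confined to the routed VLANs (and absent for the test server in the same subnet) points at the path through the UTM rather than at the DNS server. The script below is an added example, not code from the original post or from Sophos/Microsoft: it pairs query and response lines from a Windows DNS Server debug log (the packet log that the DNS Server role can write; the exact column layout assumed here is in the style of that log and the sample lines are constructed, not real output), counts unanswered queries per client, and rolls the counts up to the 10.<locationNumber>.<VLAN>.0/24 scheme from the post. Pairing by (client IP, transaction ID, name, type) is an assumption of this example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample lines in the style of the Windows DNS Server debug log
# (packet logging). They are NOT output from the original post's server; the
# column layout is an assumption, so the regex below is deliberately permissive.
# Line 2/6/8: responses ("R" flag) to queries from two clients.
# Lines 3/4: SRV queries that never get a response line.
# Line 9: the server's own recursive query to a forwarder (Snd without "R").
SAMPLE_LOG = """\
3/21/2021 10:15:02 AM 0F48 PACKET  000001E0A3B3C2D0 UDP Rcv 10.1.10.50   0004   Q [0001   D   NOERROR] A      (3)dc1(4)corp(5)local(0)
3/21/2021 10:15:02 AM 0F48 PACKET  000001E0A3B3C2D0 UDP Snd 10.1.10.50   0004 R Q [8085 A DR  NOERROR] A      (3)dc1(4)corp(5)local(0)
3/21/2021 10:15:03 AM 0F48 PACKET  000001E0A3B3C2E0 UDP Rcv 10.1.10.50   0005   Q [0001   D   NOERROR] SRV    (5)_ldap(4)_tcp(4)corp(5)local(0)
3/21/2021 10:15:04 AM 0F48 PACKET  000001E0A3B3C2F0 UDP Rcv 10.1.10.50   0006   Q [0001   D   NOERROR] SRV    (5)_ldap(4)_tcp(4)corp(5)local(0)
3/21/2021 10:15:05 AM 0F48 PACKET  000001E0A3B3C300 UDP Rcv 10.1.10.50   0007   Q [0001   D   NOERROR] A      (3)dc1(4)corp(5)local(0)
3/21/2021 10:15:05 AM 0F48 PACKET  000001E0A3B3C300 UDP Snd 10.1.10.50   0007 R Q [8085 A DR  NOERROR] A      (3)dc1(4)corp(5)local(0)
3/21/2021 10:15:06 AM 0F48 PACKET  000001E0A3B3C310 UDP Rcv 10.1.20.40   0008   Q [0001   D   NOERROR] A      (3)dc1(4)corp(5)local(0)
3/21/2021 10:15:06 AM 0F48 PACKET  000001E0A3B3C310 UDP Snd 10.1.20.40   0008 R Q [8085 A DR  NOERROR] A      (3)dc1(4)corp(5)local(0)
3/21/2021 10:15:07 AM 0F48 PACKET  000001E0A3B3C320 UDP Snd 192.0.2.53   0009   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
"""

# One packet line: timestamp, thread id, PACKET, buffer pointer, proto,
# direction (Rcv/Snd), remote IP, hex transaction id, optional "R" (response),
# "Q", a flags block in brackets, query type and the name in label notation.
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+\s+[AP]M)\s+\S+\s+PACKET\s+\S+\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Rcv|Snd)\s+(?P<ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+(?P<resp>R)?\s*Q\s+\[[^\]]*\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)


def decode_labels(raw: str) -> str:
    """'(3)dc1(4)corp(5)local(0)' -> 'dc1.corp.local'."""
    return ".".join(re.findall(r"\(\d+\)([^()]+)", raw)).lower()


def analyze(log_text: str) -> dict:
    """Pair client queries (Rcv, no R) with server responses (Snd, R) by
    (client IP, XID, name, type). Packets the server exchanges with its
    forwarders (Snd without R, Rcv with R) fall through both branches."""
    pending = {}
    stats = defaultdict(lambda: {"queries": 0, "answered": 0, "unanswered": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip = m["ip"]
        key = (ip, m["xid"].upper(), decode_labels(m["qname"]), m["qtype"])
        if m["dir"] == "Rcv" and not m["resp"]:
            stats[ip]["queries"] += 1
            pending[key] = f"{m['date']} {m['time']}"
        elif m["dir"] == "Snd" and m["resp"] and key in pending:
            del pending[key]
            stats[ip]["answered"] += 1
    for (ip, _xid, qname, qtype), ts in pending.items():
        stats[ip]["unanswered"].append((ts, qtype, qname))
    return dict(stats)


def site_vlan(ip: str):
    """Map a client to (locationNumber, VLAN) under the 10.<loc>.<vlan>.0/24
    scheme from the post; anything outside 10.0.0.0/8 maps to None."""
    octets = ip_address(ip).packed
    if octets[0] != 10:
        return None
    return (octets[1], octets[2])


def summarize_by_vlan(stats: dict) -> dict:
    """Roll per-client counts up per (location, VLAN) so a loss that only
    affects routed VLANs (not the DNS server's own subnet) stands out."""
    rollup = defaultdict(lambda: {"queries": 0, "answered": 0})
    for ip, s in stats.items():
        rollup[site_vlan(ip)]["queries"] += s["queries"]
        rollup[site_vlan(ip)]["answered"] += s["answered"]
    return dict(rollup)


if __name__ == "__main__":
    per_client = analyze(SAMPLE_LOG)
    for ip, s in per_client.items():
        print(f"{ip}: {s['answered']}/{s['queries']} answered")
        for ts, qtype, qname in s["unanswered"]:
            print(f"   unanswered {qtype} {qname} at {ts}")
    for vlan, s in summarize_by_vlan(per_client).items():
        print(f"location/VLAN {vlan}: {s['answered']}/{s['queries']} answered")
```

Run it against the real debug log instead of SAMPLE_LOG and compare the ratio for a client in the routed VLAN with the ratio for the test server in the server's own subnet; if only the routed clients lose responses, the next place to look is the path through the UTM (the LAG hashing, the VLAN interfaces and the firewall rules), not the DNS service itself.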