
Additional Address stops responding

Hello Sophos forum..  I have a strange problem with an additional address on my Sophos VM here in my home lab.  Hoping someone can provide some insight.  First some details on my environment.

VMware vSphere 5.5 U3
Procurve 2810-24G switch
Each ESXi host is connected to the network with 3 Network cards, Intel based server grade hardware.


What Changed:
Issue began after moving from vSwitch to Distributed Virtual Switch.  Moved from LACP/IP-Hash load balancing to LBT with no LACP.. (Load based on physical NIC)


Problem description:
I have one WAN interface connected to an ISP that provides two static IP addresses in the same subnet.  The primary IP is assigned to the WAN interface in the traditional manner and there are a handful of NAT policies for services forward to internal hosts.  This primary address seems to function reliably.  Only one masquerading NAT policy exists and all internal hosts access the internet out this IP.

The second address is configured on the same interface as an "additional address".  One or two services are forwarded to an internal host, otherwise the IP isn't used for anything else.

The issue is that after about 24 hours of runtime the second address appears to stop functioning..  The only way I have found to work around the problem is to restart the firewall.  After a restart the second address inbound services function as expected.


Attempted to troubleshoot issue:
1. Re-create VM and import settings, same problem.
2. Attempt VMware hardware version 8 and 10, same problem.
3. Clear arp cache from switch while the issue is occurring, same problem.
4. Change mask of "additional address" from ISP recommendation to /32, same problem.
5. Disable spanning-tree and loop protect on switch. same problem.

I thought maybe creating a policy based route so that the internal hosts using 2nd address NAT'd services would be forced to respond using the 2nd WAN IP, but I am grabbing at straws here.  And why would it work at all if this needed to be done.....  Hmm..  Scratching head....


This thread was automatically locked due to age.
  • AC, there are a couple things I would try.  First set the NIC in the UTM to "100BaseT/full" and do the same with the ISP's device.  If it happens again after that, try a Disable/Enable of the Additional Address.  Please let us know your results.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob, thanks for your post.  I have flipped the disable/enable button a couple of times on the additional address.  I should have included that in the attempted troubleshooting.

    As far as changing the duplex/speed, I'll give it a shot.  The internet circuit is 1Gbps synchronous, so hopefully I won't have to leave it there.....  [:(] 

    I should also mention that the ISP device is a fiber circuit fed directly to my Procurve switch.  I don't have any admin access to the fiber node before their ethernet handoff.
  • If you can set the ISP's device to 1Gbps, then use that.  All of the Ciscos I've run into this year only had the 100Mbps option for fixed.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Just looking through my old posts and realized I never posted my solution here.  After a lot of internet searching I came up with the following and this problem was solved.  It's been so long, I realize these notes are cryptic, but hopefully it pushes you in the right direction.  Pretty sure the key was the step 3 below.

     

    www.astaro.org/.../44614-utm9-active-passive-ha-vmware-3.html
    www.astaro.org/.../57207-ha-switch-config.html

    Thanks for the help. I solved the problem using multiple sources. I added them to one, which worked for me:

    In the CLI of the UTM (on the console) you have to do the following [1][2]

    1. Set MTU on HA interface to 1500 with the command "cc set ha advanced mtu 1500" in UTM CLI, to prevent use of jumbo frames. (Will not work)
    2. Use a dedicated VLAN in ESXi for the two UTM HA interfaces.
    3. Disable virtual HA MACs with the command: "cc set ha advanced virtual_mac 0" in UTM CLI to ensure that VMs residing on same vSwitch as the passive ASG can communicate with the active UTM on other vSwitch.


    ethernet0.ignoreMACAddressConflict = "TRUE"
    ethernet1.ignoreMACAddressConflict = "TRUE"
    ethernet2.ignoreMACAddressConflict = "TRUE"
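As an added check (not part of the thread or of Sophos' own tooling), the following script audits a .vmx file for the per-vNIC `ignoreMACAddressConflict` setting the post above recommends: it parses the VMX key = "value" format, finds every present `ethernetN` device, and reports which ones lack the setting. The sample VMX text is constructed for illustration.

```python
import re

# Constructed sample .vmx fragment (not from the thread): three present vNICs,
# only two of which carry the ignoreMACAddressConflict setting.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
ethernet0.ignoreMACAddressConflict = "TRUE"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "vmxnet3"
ethernet1.ignoreMACAddressConflict = "true"
ethernet2.present = "TRUE"
ethernet2.virtualDev = "vmxnet3"
ethernet3.present = "FALSE"
"""

# One VMX line: key = "value" (quotes are optional in practice)
_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text):
    """Parse VMX key/value lines into a dict; keys are lowercased because VMX keys are case-insensitive."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # '#' starts a comment in .vmx files
        m = _LINE.match(line)
        if m:
            conf[m.group(1).lower()] = m.group(2).strip()
    return conf


def audit_mac_conflict(conf):
    """Return {nic: status} for each present ethernetN device.
    status is 'ok' when ignoreMACAddressConflict is TRUE, 'missing' when absent, else 'false'."""
    result = {}
    for key, val in conf.items():
        m = re.match(r"^(ethernet\d+)\.present$", key)
        if not m or val.upper() != "TRUE":
            continue  # skip non-NIC keys and NICs that are not present
        nic = m.group(1)
        flag = conf.get(f"{nic}.ignoremacaddressconflict", "").upper()
        result[nic] = "ok" if flag == "TRUE" else ("missing" if flag == "" else "false")
    return result


def missing_nics(text):
    """Names of present vNICs whose ignoreMACAddressConflict is not TRUE."""
    return sorted(n for n, s in audit_mac_conflict(parse_vmx(text)).items() if s != "ok")


if __name__ == "__main__":
    for nic, status in sorted(audit_mac_conflict(parse_vmx(SAMPLE_VMX)).items()):
        print(f"{nic}: {status}")
```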
