Additional Address stops responding

Hello Sophos forum..  I have a strange problem with an additional address on my Sophos VM here in my home lab.  Hoping someone can provide some insight.  First some details on my environment.

VMware vSphere 5.5 U3
Procurve 2810-24G switch
Each ESXi host is connected to the network with 3 Network cards, Intel based server grade hardware.


What Changed:
Issue began after moving from vSwitch to Distributed Virtual Switch.  Moved from LACP/IP-Hash load balancing to LBT with no LACP.. (Load based on physical NIC)


Problem description:
I have one WAN interface connected to an ISP that provides two static IP addresses in the same subnet.  The primary IP is assigned to the WAN interface in the traditional manner and there are a handful of NAT policies for services forward to internal hosts.  This primary address seems to function reliably.  Only one masquerading NAT policy exists and all internal hosts access the internet out this IP.

The second address is configured on the same interface as an "additional address".  One or two services are forwarded to an internal host, otherwise the IP isn't used for anything else.

The issue is that after about 24 hours of runtime the second address appears to stop functioning..  The only way I have found to work around the problem is to restart the firewall.  After a restart the second address inbound services function as expected.


Attempted to troubleshoot issue:
1. Re-create VM and import settings, same problem.
2. Attempt VMware hardware version 8 and 10, same problem.
3. Clear arp cache from switch while the issue is occurring, same problem.
4. Change mask of "additional address" from ISP recommendation to /32, same problem.
5. Disable spanning-tree and loop protect on switch. same problem.

I thought maybe creating a policy based route so that the internal hosts using 2nd address NAT'd services would be forced to respond using the 2nd WAN IP, but I am grabbing at straws here.  And why would it work at all if this needed to be done.....  Hmm..  Scratching head....


  • Just looking through my old posts and realized I never posted my solution here.  After a lot of internet searching I came up with the following and this problem was solved.  It's been so long, I realize these notes are cryptic, but hopefully it pushes you in the right direction.  Pretty sure the key was the step 3 below.

     

    www.astaro.org/.../44614-utm9-active-passive-ha-vmware-3.html
    www.astaro.org/.../57207-ha-switch-config.html

    Thanks for the help. I solved the problem using multiple sources. I added them to one, which worked for me:

    In the CLI of the UTM (on the console) you have to do the following [1][2]

    1. Set MTU on HA interface to 1500 with the command "cc set ha advanced mtu 1500" in UTM CLI, to prevent use of jumbo frames. (Will not work)
    2. Use a dedicated VLAN in ESXi for the two UTM HA interfaces.
    3. Disable virtual HA MACs with the command: "cc set ha advanced virtual_mac 0" in UTM CLI to ensure that VMs residing on same vSwitch as the passive ASG can communicate with the active UTM on other vSwitch.


    ethernet0.ignoreMACAddressConflict = "TRUE"
    ethernet1.ignoreMACAddressConflict = "TRUE"
    ethernet2.ignoreMACAddressConflict = "TRUE"

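The three ignoreMACAddressConflict lines in the reply above have to be present for every vNIC the UTM VM uses, and a NIC that is silently missing the setting is easy to overlook when reading a long .vmx by hand. The following added example (not code from the thread or from Sophos/VMware) parses a .vmx-style file, reports which present ethernetN devices lack the setting, and rewrites the file so each one carries it; the sample .vmx content is constructed here, and the key name assumed is exactly the one the reply quotes.

```python
import re

# Constructed sample .vmx fragment (not from the thread): three vNICs present,
# ethernet1 already correct, ethernet2 set to the wrong value, ethernet0 missing it.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
ethernet1.present = "TRUE"
ethernet1.ignoreMACAddressConflict = "TRUE"
ethernet2.present = "TRUE"
ethernet2.ignoreMACAddressConflict = "FALSE"
"""

SETTING = "ignoreMACAddressConflict"
_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Map key -> value for every 'key = "value"' line; other lines are ignored."""
    entries = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def present_nics(entries):
    """Names (ethernet0, ethernet1, ...) of vNICs whose .present flag is TRUE."""
    return sorted(k.split(".")[0] for k, v in entries.items()
                  if k.startswith("ethernet") and k.endswith(".present")
                  and v.upper() == "TRUE")


def nics_missing_ignore(entries):
    """Present vNICs where the setting is absent or not TRUE."""
    return [n for n in present_nics(entries)
            if entries.get(f"{n}.{SETTING}", "").upper() != "TRUE"]


def patch_vmx(text):
    """Return (patched_text, changed_nics): wrong values are rewritten in place,
    absent keys are appended at the end of the file."""
    missing = set(nics_missing_ignore(parse_vmx(text)))
    out, fixed = [], set()
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1).endswith(f".{SETTING}"):
            nic = m.group(1).split(".")[0]
            if nic in missing:
                line = f'{nic}.{SETTING} = "TRUE"'
                fixed.add(nic)
        out.append(line)
    for nic in sorted(missing - fixed):
        out.append(f'{nic}.{SETTING} = "TRUE"')
    return "\n".join(out) + "\n", sorted(missing)
```

Run it against the VM's real .vmx (with the VM powered off and the file backed up) and compare `nics_missing_ignore` before and after the patch to confirm nothing was skipped.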