Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 18 replies
  • Subscribers 6 subscribers
  • Views 38916 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

static routes not applying

Mast_01

Hello,

i'm having an issue with static routes, and i'm pretty sure this broke somewhere around 9.409/410 as it was working before.

i have two gateways in my network, one is the UTM (10.10.10.15) another a cisco ASA(10.10.10.16).

Some IPs/network can only be accessed through the ASA.

let's say one host/network is 8.8.8.8

IF on a workstation i do an add route 8.8.8.8 10.10.10.16 then traffic goes through the ASA correctly.

ON the UTM i made a gateway route that is "host 8.8.8.8" through gateway ASA "10.10.10.16" with metric 1.

 

i then try to access that ip from a station and it's not working, traceroute shows the route is not operational, it goes through the UTM and straight over internet.

 

i checked the routing table in the UTM and the line is there:

8.8.8.8 via 10.10.10.16 dev eth0 proto static metric 1

to troubleshoot further, i have a routerboard laying around and configured the same route, then added a route on the PC to 8.8.8.8 through mikrotik and it's working perfectly, so the issue is the UTM no doubt.

just in case, i also have all the pertinent firewall rules from LAN to those special hosts allowed




This thread was automatically locked due to age.
Parents
  • 0

    Hi,

    the route is defined on eth0. Is this the correct interface were the clients are connected to?

    What about the configured interface in the host object 8.8.8.8? Is it correct?

    Could you post the whole routing table of the UTM?

    Jas Man

  • 0 in reply to Jas Man

    eth0 is the lan port, yes client are connected in that LAN, same as the cisco ASA.

     

    "What about the configured interface in the host object 8.8.8.8? Is it correct?", ¿what configured interface?, they're internet hosts (or remote private ip hosts through one of the VPNs in the Cisco ASA)

  • 0 in reply to Mast_01

    You've been around for a long time, Mast, and I know you know the UTM well, so it must be something you're not seeing.  Please show pictures of the Edits of the relevant parts of the configuration.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Shot in the dark here just to be sure. Did you try it with another host ip? Because 8.8.8.8 is google's dns server and maybe the UTM is getting mixed up there ie you have 8.8.8.8 entered somewhere else?

  • 0 in reply to BAlfson

    Bob,

    the thing is that this was working as-is and one of the previous patches broke it.

    it's also quite simple really:

    in the LAN i have the UTM and an ASA on the same subnet.

    there is a list of networks and hosts that have to be routed through the ASA, all of which defined in a group in the UTM

    then i made the static gateway route rule that for those hosts the gateway is the ASA.

    then i created a FW rule from LAN to hosts allowing the services i need.

    i check the route list and the entry is there

    and it's not working, it's ignoring the route and going through internet.

     

    yet if i do the same on a mikrotik, works perfectly, same as adding a route by hand on windows.

     

    I already have a case open but communicating has been... very difficult at best, they suggested something about the web proxy interfering if i understood them... i'll have to check that.

     

    edit: just checked, i alreayd have a transparent skiplist destinarion set...

  • 0 in reply to Mast_01

    Mast_01 said:

    ...

    "What about the configured interface in the host object 8.8.8.8? Is it correct?", ¿what configured interface?, they're internet hosts (or remote private ip hosts through one of the VPNs in the Cisco ASA)

    Your wrote, that you've configured a static route for the target "8.8.8.8" that points to the ASA. This static route has an host or network object in the field "Network". And this object has an field, where you can define the interface where the host or network is homed (Any, LAN, WAN,...).

    Please also post or check the routing table. There must be a reason why the UTM preferred the Any-route to the Internet. 

    BTW: Have you checked that the routing rule is activated? Maybe it's such a simple thing...

    EDIT: Gateway Routing works fine for me in 9.411-3. Entry in routing table:

    8.8.8.8 via 192.168.10.3 dev eth1.10  proto static  metric 1 onlink

     

    Jas Man

  • 0 in reply to Jas Man

    JAS,

    i have a group that contains both hosts AND networks(i hope the uploadrs are visible)

    yes the rule is active :D

     

    the route table is huge and full of ips, but i checked and they're there(it's a portion of the table), both public and private tunnels:

    default via 10.10.10.200 dev eth0  table 1  proto policy 
    200.x.x.x. via 10.10.10.200 dev eth0  proto static  metric 1 
200.x.x.x via 10.10.10.200 dev eth0  proto static  metric 1 
200.x.x.x via 10.10.10.200 dev eth0  proto static  metric 1
    172.16.6.170 via 10.10.10.200 dev eth0  proto static  metric 1 
    172.16.6.171 via 10.10.10.200 dev eth0  proto static  metric 1 
    192.168.2.5 via 10.10.10.200 dev eth0  proto static  metric 1 
    192.168.2.13 via 10.10.10.200 dev eth0  proto static  metric 1
Reply
  • 0 in reply to Jas Man

    JAS,

    i have a group that contains both hosts AND networks(i hope the uploadrs are visible)

    yes the rule is active :D

     

    the route table is huge and full of ips, but i checked and they're there(it's a portion of the table), both public and private tunnels:

    default via 10.10.10.200 dev eth0  table 1  proto policy 
    200.x.x.x. via 10.10.10.200 dev eth0  proto static  metric 1 
200.x.x.x via 10.10.10.200 dev eth0  proto static  metric 1 
200.x.x.x via 10.10.10.200 dev eth0  proto static  metric 1
    172.16.6.170 via 10.10.10.200 dev eth0  proto static  metric 1 
    172.16.6.171 via 10.10.10.200 dev eth0  proto static  metric 1 
    192.168.2.5 via 10.10.10.200 dev eth0  proto static  metric 1 
    192.168.2.13 via 10.10.10.200 dev eth0  proto static  metric 1
Children
  • 0 in reply to Mast_01

    Looks good.

    So default and static route pointing to the ASA?

    And which address is routet by the UTM directly trought the Internet, WAN or what else is behind the UTM?

     

    Have you tried to re-create the rule, or to choose only a single host, not the complete group?

     

  • 0 in reply to Jas Man

    JAs,

    no sorry, i didn't paste the header of the route table, the default for the system points directly to internet through ISPS directly attached to UTM

    default via 10.10.10.200 dev eth0  table 1  proto policy
    default via 200.x.x.x dev eth1  table 220  proto kernel onlink
    default via 181.x.x.x dev eth2  table 221  proto kernel onlink
    default via 190.x.x.x dev ppp0  table 222  proto kernel onlink
    local default dev lo  table 252  scope host
    default  table default  proto kernel  metric 20
        nexthop via 200.x.x.x  dev eth1 weight 1 onlink
        nexthop via 181.x.x.x  dev eth2 weight 1 onlink
        nexthop via 190.x.x.x  dev ppp0 weight 1 onlink
    10.0.0.0/24 via 10.10.10.200 dev eth0  proto static  metric 1

    behind/ahead of UTM is nothing, straight to LAN/modems

     

    ok... this is miighty odd... i just did one specific host as you mentioned, put it into metric 1(it was 5 by default), didn't activated it and proceeded to first test "as is" and.. it started working... i'll be damned. Tested several of the hosts/networks and they indeed work.

    Deleted the test rule and they kept working.

     

    i'll be able to do more extensive tests on friday

  • 0 in reply to Mast_01

    Sounds like a metric problem, and with creating a new rule the rules with same metric were re-ordered. But according to the routing table above everything is fine.....

  • 0 in reply to Mast_01

    Kudos to you Mast!

    I've not tried a Network Group in Static Routing.  I bet you've uncovered a bug in the last Up2Date you applied.  Support will be glad to learn about that.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Just for information: I had tried it with a network group. Works fine. But I had only one object in the group.

  • +1 in reply to Jas Man

    well.... it stopped working, still working with support on this as i'm not sure which u2d broke it and i can't find anything on the KIL.

     edit: after a couple hours online with sophos support turns out the issue is asymmetric routing of the traffic :/ it's nearly impossible to solve centrally so i'll have to distribute a huge routing table via dhcp to all the computers

  • 0 in reply to Mast_01

    Ahhhhh, yes, of course.....

    The client sends his packet to the UTM. The UTM routes the packet to the ASA, and the ASA sends the response back to the client directly, because they are in the same network, or the ASA knows the route to the host by itself. And, of course, the client droppes the response because it didn't know about a communication with the ASA.

     

    After problems are solved, everything seems so logical :)

  • 0 in reply to Jas Man

    In a similar environment I did a SNAT in the UTM as a workaround

Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Unfiltered HTML