Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 18 replies
  • Subscribers 6 subscribers
  • Views 38907 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

static routes not applying

Mast_01

Hello,

i'm having an issue with static routes, and i'm pretty sure this broke somewhere around 9.409/410 as it was working before.

i have two gateways in my network, one is the UTM (10.10.10.15) another a cisco ASA(10.10.10.16).

Some IPs/network can only be accessed through the ASA.

let's say one host/network is 8.8.8.8

IF on a workstation i do an add route 8.8.8.8 10.10.10.16 then traffic goes through the ASA correctly.

ON the UTM i made a gateway route that is "host 8.8.8.8" through gateway ASA "10.10.10.16" with metric 1.

 

i then try to access that ip from a station and it's not working, traceroute shows the route is not operational, it goes through the UTM and straight over internet.

 

i checked the routing table in the UTM and the line is there:

8.8.8.8 via 10.10.10.16 dev eth0 proto static metric 1

to troubleshoot further, i have a routerboard laying around and configured the same route, then added a route on the PC to 8.8.8.8 through mikrotik and it's working perfectly, so the issue is the UTM no doubt.

just in case, i also have all the pertinent firewall rules from LAN to those special hosts allowed




This thread was automatically locked due to age.
  • 0 in reply to Jas Man

    JAs,

    no sorry, i didn't paste the header of the route table, the default for the system points directly to internet through ISPS directly attached to UTM

    default via 10.10.10.200 dev eth0  table 1  proto policy
    default via 200.x.x.x dev eth1  table 220  proto kernel onlink
    default via 181.x.x.x dev eth2  table 221  proto kernel onlink
    default via 190.x.x.x dev ppp0  table 222  proto kernel onlink
    local default dev lo  table 252  scope host
    default  table default  proto kernel  metric 20
        nexthop via 200.x.x.x  dev eth1 weight 1 onlink
        nexthop via 181.x.x.x  dev eth2 weight 1 onlink
        nexthop via 190.x.x.x  dev ppp0 weight 1 onlink
    10.0.0.0/24 via 10.10.10.200 dev eth0  proto static  metric 1

    behind/ahead of UTM is nothing, straight to LAN/modems

     

    ok... this is miighty odd... i just did one specific host as you mentioned, put it into metric 1(it was 5 by default), didn't activated it and proceeded to first test "as is" and.. it started working... i'll be damned. Tested several of the hosts/networks and they indeed work.

    Deleted the test rule and they kept working.

     

    i'll be able to do more extensive tests on friday

  • 0 in reply to Mast_01

    Sounds like a metric problem, and with creating a new rule the rules with same metric were re-ordered. But according to the routing table above everything is fine.....

  • 0 in reply to Mast_01

    Kudos to you Mast!

    I've not tried a Network Group in Static Routing.  I bet you've uncovered a bug in the last Up2Date you applied.  Support will be glad to learn about that.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Just for information: I had tried it with a network group. Works fine. But I had only one object in the group.

  • +1 in reply to Jas Man

    well.... it stopped working, still working with support on this as i'm not sure which u2d broke it and i can't find anything on the KIL.

     edit: after a couple hours online with sophos support turns out the issue is asymmetric routing of the traffic :/ it's nearly impossible to solve centrally so i'll have to distribute a huge routing table via dhcp to all the computers

  • 0 in reply to Mast_01

    Ahhhhh, yes, of course.....

    The client sends his packet to the UTM. The UTM routes the packet to the ASA, and the ASA sends the response back to the client directly, because they are in the same network, or the ASA knows the route to the host by itself. And, of course, the client droppes the response because it didn't know about a communication with the ASA.

     

    After problems are solved, everything seems so logical :)

  • 0 in reply to Jas Man

    In a similar environment I did a SNAT in the UTM as a workaround

  • 0

    I've used papa_'s trick also.  The ideal solution is to fix the routing in the ASA, but the SNAT is a very effective Band-Aid.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Unfiltered HTML