9 Replies Latest reply on May 3, 2010 6:08 PM by rcamm

    SG310 route drops and does not re-establish

      Hi,

       

      My client has two geographically distant sites (Office and Warehouse). Both are connected to the internet. There is an SG310 at each site providing firewall and DHCP (the office IPs are 192.168.1/24 - warehouse is 192.168.2/24).

       

      The SG310 at the office is configured as a PPTP VPN server. The SG310 at the warehouse has been configured as a VPN client to the office SG310 primarily to allow connections from warehouse clients to office servers. To allow the servers at the office to spool to printers at the warehouse, a route has been configured from the 192.168.1 network to the 192.168.2 network using the warehouse's VPN client IP address as a gateway. This all works fine most of the time.... HOWEVER...

       

      In the event of a power outage or even a restart of the SG310 at the Warehouse, the route from the office to the warehouse ceases to function. The Warehouse SG310 VPN client reconnects fine but traffic from the office to the warehouse cannot find its way back. Network Setup -> Routes shows the route as installed with a green tick but attempts to ping from the office to clients at the warehouse get No Route to Destination. The only way to get the thing working again is to untick the route and then tick it again.

       

      Any suggestions on whether this is a bug or a misconfiguration?

       

      Office SG310 (external 58.xxx.xxx.xx/internal 192.168.1.2) - configured as VPN server PPTP.

       

      Warehouse SG310 (internal 192.168.2.2)

      Warehouse SG310 is a VPN client to Office SG310 (warehouse SG310 VPN client IP 192.168.1.10)

       

      Office SG310 route configured as...

       

      Address 192.168.2.0

      Mask 24

      Interface None

      Gateway 192.168.1.10

       

       

      Best Regards,

       

      Dave.

        • 1. Re: SG310 route drops and does not re-establish

          What is occurring is that the static route is being activated while the PPTP link is down, and the SG unit believes the route is available via the LAN, as this is the subnet the gateway is on. This breaks comms, as you have seen.

           

          The solution is to use a pool of IP addresses that are on a unique subnet for the PPTP users.

           

          Then the static route will point to a gateway that is not on the local subnet, and all will be good thereafter.

           

          i.e., do not use 192.168.1.x/24 in the PPTP pool.

           

          Use 10.2.3.4-14, for example, instead (any unique range).

           

          And reconfigure the static route to use the relevant 10.2.3.x address, which will need to be assigned statically to the PPTP user (which I presume you have done already for your current setup).

          • 2. Re: SG310 route drops and does not re-establish

            Hi,

             

            Thanks for the prompt response. Bad news though. I reconfigured VPN clients to use 10.2.3.4-14 and modified the 192.168.2.0 route to go through 10.2.3.4 (the new PPTP IP for the SG310Warehouse) as suggested. Unfortunately the behaviour described below is still occurring. On restart of the warehouse SnapGear there was no way to get to the warehouse from the office until the route had been dropped and re-enabled.

             

            Details now are...

             

            SG310Warehouse (local IP 192.168.2.2/PPTP IP 10.2.3.4)

             

            Route 192.168.2.0

            Mask 24

            Gateway 10.2.3.4

             

            I've attached the logs from both the office and the warehouse - unfortunately 'someone' hasn't set the clocks so the timestamps are out of whack. Apologies.

             

            Any help you can provide is greatly appreciated.

             

            Best Regards,

             

            Dave.

            • 3. Re: SG310 route drops and does not re-establish

              Can you post a copy of the routing table from the diagnostics tab after a reboot has occurred and before you have manually reset the static route?

              • 4. Re: SG310 route drops and does not re-establish

                Here is the routing table at various stages of the process... looks like it jumps on ppp0 after the reboot.

                 

                Functioning
                10.2.3.5 dev ppp2  scope link
                10.2.3.4 dev ppp1  scope link
                198.142.128.58 dev ppp0  scope link
                192.168.2.0/24 via 10.2.3.4 dev ppp1
                192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.2
                default dev ppp0  scope link  metric 3
                default dev ppp0  scope link  metric 4


                During Reboot
                10.2.3.5 dev ppp2  scope link
                10.2.3.4 dev ppp1  scope link
                198.142.128.58 dev ppp0  scope link
                192.168.2.0/24 via 10.2.3.4 dev ppp1
                192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.2
                default dev ppp0  scope link  metric 3
                default dev ppp0  scope link  metric 4

                 

                Post Reboot
                10.2.3.5 dev ppp2  scope link
                10.2.3.4 dev ppp1  scope link
                198.142.128.58 dev ppp0  scope link
                192.168.2.0/24 via 10.2.3.4 dev ppp0
                192.168.2.0/24 via 10.2.3.4 dev ppp1
                192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.2
                default dev ppp0  scope link  metric 3
                default dev ppp0  scope link  metric 4

                 

                See attached screenshot at this point.

                 

                Untick Route
                10.2.3.5 dev ppp2  scope link
                10.2.3.4 dev ppp1  scope link
                198.142.128.58 dev ppp0  scope link
                192.168.2.0/24 via 10.2.3.4 dev ppp1
                192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.2
                default dev ppp0  scope link  metric 3
                default dev ppp0  scope link  metric 4

                 

                Tick Route
                10.2.3.5 dev ppp2  scope link
                10.2.3.4 dev ppp1  scope link
                198.142.128.58 dev ppp0  scope link
                192.168.2.0/24 via 10.2.3.4 dev ppp1
                192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.2
                default dev ppp0  scope link  metric 3
                default dev ppp0  scope link  metric 4
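
The "Post Reboot" table above differs from the others by one line: a second 192.168.2.0/24 entry bound to ppp0, the interface that carries the default route, rather than to the ppp1 link on which 10.2.3.4 is reachable. The following is an added example, not part of the original thread and not SnapGear code, that checks a routing table in this format for that condition; the names `parse` and `audit` are hypothetical.

```python
import re
from collections import defaultdict

# Routing tables as posted in reply 4 of this thread.
FUNCTIONING = """\
10.2.3.5 dev ppp2  scope link
10.2.3.4 dev ppp1  scope link
198.142.128.58 dev ppp0  scope link
192.168.2.0/24 via 10.2.3.4 dev ppp1
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.2
default dev ppp0  scope link  metric 3
default dev ppp0  scope link  metric 4
"""
# The "Post Reboot" table is identical except for the extra ppp0 entry.
POST_REBOOT = FUNCTIONING.replace(
    "192.168.2.0/24 via 10.2.3.4 dev ppp1\n",
    "192.168.2.0/24 via 10.2.3.4 dev ppp0\n192.168.2.0/24 via 10.2.3.4 dev ppp1\n")

ROUTE = re.compile(r"^(?P<dst>\S+)(?: via (?P<gw>\S+))? dev (?P<dev>\S+)")

def parse(table):
    """Return (destination, gateway or None, device) for each route line."""
    matches = (ROUTE.match(line.strip()) for line in table.splitlines())
    return [(m["dst"], m["gw"], m["dev"]) for m in matches if m]

def audit(table):
    """Flag gateway routes bound to the wrong device and duplicated prefixes."""
    routes = parse(table)
    # Host routes without a gateway: peer address -> device it is reachable on.
    link_dev = {dst: dev for dst, gw, dev in routes
                if gw is None and "/" not in dst and dst != "default"}
    findings, seen = [], defaultdict(list)
    for dst, gw, dev in routes:
        if gw is None:
            continue
        seen[dst].append(dev)
        expected = link_dev.get(gw)
        if expected and expected != dev:
            findings.append(f"{dst} via {gw} is on {dev}, but {gw} is reachable on {expected}")
    for dst, devs in seen.items():
        if len(devs) > 1:
            findings.append(f"{dst} installed {len(devs)} times: {', '.join(devs)}")
    return findings

if __name__ == "__main__":
    for finding in audit(POST_REBOOT):
        print(finding)
```

Run against the other four tables in the post, the same check reports nothing, which matches Dave's observation that only the post-reboot state is broken.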

                • 5. Re: SG310 route drops and does not re-establish

                  I don't trust the screenshot... When you configure the static route, make sure you leave the 'interface' field blank... Is this how it is configured?

                  • 6. Re: SG310 route drops and does not re-establish

                    Yes, the route is configured with interface set to NONE. See attached screenshot.

                    • 7. Re: SG310 route drops and does not re-establish

                      And as a final check before we need to get support involved to grab extra diagnostics, is the office unit on at least 4.0.5 firmware, preferably 4.0.6, to ensure all bases are covered?

                      • 8. Re: SG310 route drops and does not re-establish

                        Hi,

                         

                        The unit was on 4.0.5. I upgraded to 4.0.6 for both routers but the problem persists. What is the process to kick this up to support?

                         

                        Many thanks for your help this far.

                         

                        Best Regards,

                         

                        Dave.

                        • 9. Re: SG310 route drops and does not re-establish

                          Once you register your unit at

                           

                          http://my.securecomputing.com

                           

                          You can lodge a support ticket via the support portal accessed via the McAfee web site, and use the Grant ID supplied to you for support eligibility.