This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Maarten_Sjouw
Champion
Champion
‎2020-08-04 06:15 AM

Maestro SG Missing OS route

We are having some problems with our VSX gateway in a Maestro setup. One of the VS's is setup as a VPN concentrator on a dedicated customer network and the other interface has a connection to some backend servers.

On a customer site there is a box that runs a Cloudguard IAAS version of a gateway that is connected to the smae dedicated customer network and will initiate the tunnel.

Hardware: MHO140, thsi SG has 1 x 5800 gateway

R80.20SP with JHF 258

VS VPN-concentrator has IP 1.5.1.2

Cloadguard GW has IP 2.4.5.50 but has link selection set to static nat to IP 1.5.1.137

Packets arriving at the VS are dropped with the message in the log: Missing OS route

fw ctl zdebug drop shows this message:

fw_first_packet_outbound_init Reason: failed to get outbound interface;

Packet trace from the vs0 shows packets :

Inbound packet:

BPEth0[in ]: vlan 3620, p 0, ethertype IPv4, 1.5.1.137.10400 > 1.5.1.2.500: isakmp: phase 1 I #34[]
bond1.614[in ]: 1.5.1.137.10400 > 1.5.1.2.500: isakmp: phase 1 I #34[]

Outbound packet:

wrp321[out]: 1.5.1.2.500 > 1.5.1.137.500: isakmp: phase 1 I #34[]
wrpj321[in ]: 1.5.1.2.500 > 1.5.1.137.500: isakmp: phase 1 I #34[]
bond1.614[out]: 1.5.1.2.500 > 1.5.1.137.500: isakmp: phase 1 I #34[]
bond1[out]: 1.5.1.2.500 > 1.5.1.137.500: isakmp: phase 1 I #34[]
eth1-10[out]: 1.5.1.2.500 > 1.5.1.137.500: isakmp: phase 1 I #34[]
BPEth0[out]: vlan 1033, p 0, ethertype IPv4, 1.5.1.2.500 > 1.5.1.137.500: isakmp: phase 1 I #34[]
ethsBP1-01[out]: vlan 1033, p 0, ethertype IPv4, 1.5.1.2.500 > 1.5.1.137.500: isakmp: phase 1 I #34[]

All I can find with the failed to get outbound interface message was a SK about a bridged interface and a normal interface communication that was not properly working after an upgrade.

Regards, Maarten
0 Kudos
2 Replies
Lari_Luoma
Ambassador Ambassador
Ambassador
‎2020-08-04 09:50 AM

Hi Maarten,

Usually this kind of message is a result of interface being down. Because this is a VS there could be some corruption in the VS itself. As the first step verify that the interfaces are up. Push configuration to the VS again (open the VS and hit ok) and install policy. If the problem persists, I would open an SR (try rebooting the gateway as well).

 

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-08-04 10:21 AM
In response to Lari_Luoma

I had restarted the VS separately and I also restarted the complete VSX gateway, but it did not help.

One of my colleagues was seeing a strange address in the route cache, after searching through the smartconsole for this address, he found there was a NAT for this address and the IP of the VS VPN Concentrator, as there was no default route, this address that was not in the routing table, could not be reached, hence the Missing OS route.

The NAT rule came from a policy that was imported a couple of months ago and overseen.

 

Regards, Maarten
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events