Re: SMB 1550 Probing failed / GAiA access problems

Hindrich · ‎2023-08-31

Hi,

I am currently facing different issues with a SMB 1550 appliance.

Quick info on the config, version and infrastructure.

The gateway has 2 WAN links configured. One on port WAN (fallback) and one on port LAN5 (main). We have a site-to-site VPN from the appliance to our maestro. The VPN is configured for high availability. Encryption Method is IKEv2.

The current firmware version of the SMB is R81.10.05.

First issue is that the fallback connection is always down. The error message is "In progress - gateway probing failed". After disabling and re-enabling the connection, it works for a few minutes. Then it returns to the same state as before. The provider says the WAN connection seems fine. I've also tried to reconfiguring the link, with no improvement. In SmartConsole, both WAN links are shown as internal, on all other devices that are working, the WAN connections are shown as external networks. I dont think this should be the case.

Second issue may be or not be a VPN problem, i cant tell. I cannot access the GAiA over VPN, SSH over VPN is working fine. Web interface takes forever to load. So it is theoretically reachable, but you cannot log in or do anything with it. When I try to access GAiA over the internet from our public network, I can connect to the GAiA portal. Also all employees in the office can work as usual. This means they can access all resources through VPN from our head office.

If you need any more information, I will try to give it to you.

Best regards.

PhoneBoy · ‎2023-08-31

I believe all the probing is done by pinging the default gateway.
I recommend monitoring the secondary WAN link with tcpdump to see exactly what’s going on.

tcpdump can also be used to troubleshoot the second issue as well.
Note that the gateway IP is considered part of the encryption domain, so the traffic may be sent via IPsec instead of direct.

Hindrich · ‎2023-10-25

Hi PhoneBoy,

I have not seen your answer. Sorry for that.

I fixed the GAiA access problem by routing the traffic past the vpn tunnel. (Port for GAiA excluded in VPN community)

The problem that the device is not pingable and the probing failed still exists. Tcpdump shows that no icmp packets from my client arrive at the Security Gateway. I also excluded icmp as a service in the VPN community for testing, after that the ping from my client worked. Seems like I am pinging the public ip through the vpn.

I also ping the WAN interface of Security Gateway from our Maestro. There I got an answer from the interface, but I do not see any traffic with tcpdump on the SG's WAN interface.

Do you have any idea why this is happening?

Best regards.

Chris_Atkinson · ‎2023-10-25

Are you still using R81.10.05 or have you upgraded since?

Additionally have you tested the Advanced option "Do not encrypt connections originating from the local gateway" ?

CCSM R77/R80/ELITE

Hindrich · ‎2023-10-25

Hi,

no, I have not updated the OS since then.

Also no.

Thanks for the input, I will test this and let you know how it goes.

Hindrich · ‎2023-10-26

Hi,

I've upgraded the Security Gateway to the latest version. It doesn't look like the upgrade has brought any improvement.

The advanced option "Do not encrypt connections originating from the local gateway" is not available on the SG because it is centrally managed.

PhoneBoy · ‎2023-10-26

That option is available in R81.20 Central Management, though (or it should be).

Are you a member of CheckMates?

SMB 1550 Probing failed / GAiA access problems