Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Paul_Starr
Participant

Office Mode IP requiring route to DG

One for oldskool IPSO heads.

Migrating from a cluster of old IP appliances to newer IP appliance models running IPSO 6.2 and R77.30.

Manually built the configuration of the newer models including all Interfaces, ARPs, VRRP.

No changes to the configuration or software versions have been applied so the only difference should be the physical firewalls.

The process of cutting over:
Remove older cluster NIC cable
Plug network NIC cables in to newer
Reset SIC on both devices
Push policy

The process work great apart from one issue.

Remote access clients which are given a Office Mode IP, authenticated correctly but after 16 seconds, receive 'reconnecting...' status which times outs and does not reconnected.
Attempting the again we get the same issues, authentication successful and then 16 secs 'reconnecting...'

I have been able to replicate this in a LAB (running Gaia) and believe I have resolved it by adding the Office Mode IP range as a static route out of the external interface.

Please note the live cluster (older models) does not have this route, however, when I receive netstat -rn or review the forwarding table with remote users connecting I can see indevidual host routes created as each user connects.
Whereas Voyager - Monitor > Route only shows me connected and static routes (not individual host routes, netstat> [IP of Office Mode host] unkn 30 [Default Gateway] dest 871 70 eth1c0).

I feel that there is something like a missing kernel parameter which injects this host routes.

Please also note there is not a summarised route for the office mode IP which would require a more specific route to the external. So the office mode should be hitting the Default gateway (external route).

Can anyone please confirm why is this route needed on my new cluster and not on the current older?
why are the host routes not dynamically created on the new newer cluster?

0 Kudos
1 Reply
PhoneBoy
Admin
Admin

That's...bizarre. 

That said, it's not the first time I've seen a manually-added route fix a problem with NAT (which is what Office Mode is, in a manner of speaking).
Are you sure you're running the same IPSO builds/JHF levels on the old and new clusters?

And what are those? 
Also which appliance are you moving FROM and TO?

Also, it might be worth a TAC case to get some debugs.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events