Hi, I am currently experimenting in a lab with a LAG from Sophos to Cisco at Layer 3.
My topology:

INTERNET —> SOPHOS (port 3-4 LACP LAG) ====== (LACP Auto)Cisco Router ----> PC


And my Cisco config (screenshots):
Now the Cisco can ping the internet (8.8.8.8).
But from the PC I cannot ping 8.8.8.8; however, I can ping the Sophos.

I tried different channel-group modes (e.g. auto, active, etc.); none of these worked, and at best 'mode on' worked. But I still cannot ping the internet.

Routing on CISCO:
ip route 0.0.0.0 0.0.0.0 10.10.20.1

Routing on Sophos:
10.10.10.0/24 Gateway:10.10.20.2 Port:LAG1

It's definitely not routing, I think, because when I tried without a LAG configuration (basic point-to-point) my PC can ping the internet. So why can't I ping the internet with a LAG between Sophos and Cisco?

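As an added example (not the poster's own configuration, whose screenshots are not reproduced here), this is what a Cisco IOS Layer 3 port-channel matching the topology above looks like. The interface names GigabitEthernet1/0/3 - 4, the SVI on VLAN 10 for the PC subnet, and the /30 mask on the point-to-point link are assumptions; with a /30 the Sophos side of LAG1 would become 10.10.20.1/30 and its route for 10.10.10.0/24 still points at 10.10.20.2.

```text
! Assumed: Catalyst-style IOS L3 switch. Routing must be enabled globally.
ip routing
!
! Member ports: make them routed (no switchport) BEFORE adding them to the
! channel-group, otherwise IOS builds a Layer 2 port-channel and the IP
! address on Port-channel1 is rejected. Both ends must agree on the mode:
! active/passive negotiate LACP; 'on' is static bundling with no LACP at all,
! which only works if the Sophos LAG is also static.
interface range GigabitEthernet1/0/3 - 4
 no switchport
 no ip address
 channel-group 1 mode active
!
! The L3 port-channel carries the point-to-point /30 toward Sophos LAG1
interface Port-channel1
 no switchport
 ip address 10.10.20.2 255.255.255.252
!
! PC subnet (assumption: SVI on VLAN 10; the PCs get 10.10.10.1 as their
! default gateway via DHCP)
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
! Default route toward the Sophos
ip route 0.0.0.0 0.0.0.0 10.10.20.1
!
! Verification commands (run from enable mode):
!   show etherchannel summary   -> Po1 should show (RU) with both members (P)
!   show ip interface brief     -> Port-channel1 up/up with 10.10.20.2
!   show ip route               -> S* 0.0.0.0/0 via 10.10.20.1
```

Note that this only covers the Cisco side. The return path for 10.10.10.0/24 still depends on the Sophos having a route to that subnet via 10.10.20.2 (which the post already shows) and, as the replies below point out, on the firewall rule and NAT on the Sophos covering 10.10.10.0/24 on the LAG1 interface, not just the directly attached 10.10.20.0 network.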

It could be that the firewall is blocking ping (it does so even if allowed; I have an XG firewall and it regularly doesn't allow pings or traceroute from hosts on the local network).

Try using nslookup instead:

nslookup (enter)

server 8.8.8.8 (enter)

Then look up a few websites (such as google.com) and see if you get a response.

Also, I would check with support if you have it. In the past, when I have had to make changes, their support had to go in and make the changes via the CLI.

So, have you created an interface on the router using the subnet 10.10.10.0/24? Do the PCs use this IP range (via DHCP etc.) and have the router as their default gateway?
On the Sophos, have you added the subnet 10.10.10.0 to the LAN zone and made sure it is included in the allowed rules and the NAT configuration?

I would suspect the rules/NAT on the Sophos as the issue. By default it will only be configured for the directly attached LAN 10.10.20.0/24.

Further advice: change to a /30 mask on the Sophos-to-Cisco link, as it is point-to-point, so there only needs to be one IP at each end.
Is it actually a Layer 3 switch, not a router?

Hi, thanks for the reply.
I am able to get it working and ping 8.8.8.8 without using a LAG on the Sophos and a port-channel on the Cisco.
However, when I switch to LAG and port-channel, I can only ping the Sophos.

Does such a rule exist in the firewall for LAG and port-channel? If so, how do I work around this?

Yes, DHCP is created for 10.10.10.0/24 and the PC gets an IP.
When I configure it without the LAG and port-channel interface, I can ping 8.8.8.8.
It's only when I change the interface to LAG and port-channel that I can only ping as far as the Sophos.

And yes, it's an L3 switch, as I've configured a point-to-point without LAG/channel-group and it works.

The rule on the Sophos is that the LAG is in the LAN zone.
So there's already a rule for LAN to WAN:
"Source: LAN" → "Destination: WAN"

So without the LAG, but still with a routed link, it works, like this:
Sophos 10.10.20.1 - switch 10.10.20.2 and PCs 10.10.10.0/24?

But add the LAG and it fails?
Does traceroute just time out after the Sophos interface? What do the logs on the Sophos say happened to the packet? Denied? Or sent out the WAN?

Double-check that 10.10.10.0 is included in the LAN zone of the Sophos.

Yes, without the LAG, with a routed link it works:

Sophos 10.10.20.1 - switch 10.10.20.2 and PCs 10.10.10.0/24
just as you have mentioned.

Traceroute ends at the Sophos IP.

10.10.10.0 is included in the LAN zone.

Let me know if your issue is not resolved.