Obi behind Sophos UTM not working

Started by Rinchen, February 05, 2013, 09:53:46 AM

Rinchen

Hi,

Ever since I updated to 3.0.1 (Build: 3722) the obitalk portal has not been updating. It shows my unit as offline (but it's not and I can still make calls) and in need of a firmware update.

I've gone through all the firewall logs and nothing is being blocked (not that anything has changed either).

I've done a network reset on the unit but that didn't help.

Joey

Rinchen

P.S. I don't know if this is normal or not because I've never paid attention to it before:

Status   Backing Off;ex-addr=10.10.10.147:10000

That's obviously my internal address, not a public IP.

The provisioning line is:
SYNC -A=aes -K=$SPRM0 -IV=$SPRM1 http://prov.obitalk.com/obhsnprov/profiles/9cadef200d2f-8c8b8711576a.cfg; IF ( $TPRM0 != 1 ) -T=TPRM1 https://prov.obitalk.com/obhsnprov/init/initkey; IF ( $TPRM0 == 1 ) -T=TPRM1 http://prov.obitalk.com/obhsnprov/sync/sync-$SPRM2

QBZappy

Rinchen,

If you have tried everything else, the last resort is to delete the device from the portal and start over. In the past this has fixed things.
Owner of the 1st OBi110/100 units in service in Canada & South America. 1st OBi202 on my street. 1st OBi1032 in Montreal.

Rinchen

Thanks. Right as you were posting I was thinking, gosh, my 110 works...  Turns out it's on my old static IP run which bypasses the firewall. I hooked up the 202 to that line and it registered immediately. Looks like I'll have to see about DMZ'ing the 202 internally.

Rinchen

This is a real puzzler. Both the 202 and Obion appear to be affected behind the Sophos UTM.  There are zero logs with the IP addresses in them. I've turned whole subsystems off.  I've gone so far as doing a 1:1 NAT for the protocols and that didn't work either.

QBZappy

Can you completely disable the Sophos UTM to confirm that it is not interfering?

Rinchen

Not software-wise. I have to put the 202 on a different ethernet loop and on that it does work.

Not working:

202 -> desk switch -> intranet switch -> sophos -> modem switch -> modem
ObiOn -> AP -> intranet switch -> sophos -> modem switch -> modem

Working:

202 -> floor switch -> modem switch -> modem
ObiOn - as above except with VPN turned on which creates a tunnel through my local network

Because I can't find any logs about what's happening it's hard to troubleshoot.

QBZappy

Quote from: Rinchen on February 05, 2013, 12:06:23 PM
Working:

202 -> floor switch -> modem switch -> modem
ObiOn - as above except with VPN turned on which creates a tunnel through my local network

Because I can't find any logs about what's happening it's hard to troubleshoot.

Seems you fixed it using this topology. Any reason why it cannot stay on that path?

Rinchen

Yes, the 202 is somewhere that doesn't have access to the ethernet loop that bypasses Sophos. Also the Obion client would still be broken. The wifi adapter for the 202 won't help because wifi is also behind Sophos.

I've opened up a forum post over at Sophos to see if they can help.

Rinchen

After a lot of help from Barry over at the Sophos forums, the answer is quite simple. Replace the DNS setting with the one specified in the Obi FAQ and it works WITHOUT any generic proxy (port forwarding) or DNAT/SNAT entries.