?
Solved

TMG 2010 is not able access other network

Posted on 2014-11-20
3
Medium Priority
?
207 Views
Last Modified: 2014-12-05
We have a Windows Server 2008 VM running Microsoft Threat Management Gateway (TMG) 2010.
It is not able to ping a set of  172.16.X.X default gateways on our network.

The Network Topology Routes and Active Server Routes show the appropriate subnets and next hop.
The next hop (Vyatta) has the proper entries. I know this because we also have a sonicwall that pings to the 172.16.X.X subnets just fine and its next hop is the Vyatta as well.

See picture for ping paths.
Only pertinent entries were labeled.
Ping-Path.png
Troubleshooting already performed:
-Rebooted TMG twice
-Removed routing entries and entered them again
-Ensured that the 172.16.X.X subnets are fully allowed to talk back and forth to the TMG LAN network.
-Looked for info on the internet related to this issue (no luck so far)

Note: TMG used to be the default gateway for the 172.16.X.X interfaces until I got a new Layer 3 solution and then deleted the interfaces from the server and VM. I spoke to VMware yesterday and they said from their end, there isn't anything hung up in the VM. I am partially thinking that TMG has something hung up in it about the old default gateways and won't go out to the appropriate next hop when looking for the 172.16.X.X subnets.

Any help would be appreciated.
Ping-Path.png
0
Comment
Question by:Paul Wagner
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 46

Assisted Solution

by:Craig Beck
Craig Beck earned 375 total points
ID: 40456855
First thing - to talk FROM TMG itself you need to set source to Localhost instead of the Internal ranges on TMG in any rule you make to allow traffic from it.

Second, I cant see a 10.50.0.0/16 address on the L3 device.
0
 
LVL 3

Accepted Solution

by:
Barry Molenwijk earned 1125 total points
ID: 40464585
Your NEXT HOP (I assume that's your gateway) on Vyatta and the TMG are different.

On Vyatta it's 10.0.1.50 and on the TMG it's 10.0.1.0. What you could do is add a persistent route which routs traffic to 172.16.2.0/24 and 172.16.3.0/24 out of the NIC that's connected to gateway 10.0.1.50.

route -p add 172.16.2.0 MASK 255.255.255.0 10.0.1.50
route -p add 172.16.3.0 MASK 255.255.255.0 10.0.1.50

That should work if 10.0.1.50 is your gateway.
0
 
LVL 5

Author Closing Comment

by:Paul Wagner
ID: 40483325
Both suggestions kind of led me to the solution. It turns out the some of the subnets had duplicate route entries. The TMG GUI looked fine but when I did a "route print" from the command line, the subnets had a route for the internal interface and a route for the WAN interface. Half the packets were going out the WAN!

I entered the command like this to fix it:
(only an example)
route delete 172.16.2.0 & route add 172.16.2.0 mask 255.255.255.0 10.0.1.1 -p

172.16.2.0 is the destination
255.255.255.0 is the subnet mask
10.0.1.1 is the next hop gateway
-p makes the route persistent and stores it in the registry

by deleting and adding the route in the same command, it ensures that any current connections are not lost.
0

Featured Post

Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If we need to check who deleted a Virtual Machine from our vCenter. Looking this task in logs can be painful and spend lot of time, so the best way to check this is in the vCenter DB. Just connect to vCenter DB(default DB should be VCDB and using…
In this article, I show you step by step with screenshots to assist you - HOW TO: Deploy and Install the VMware vCenter Server Appliance 6.5 (VCSA 6.5), with some helpful tips along the way.
This video shows you how to use a vSphere client to connect to your ESX host as the root user. Demonstrates the basic connection of bypassing certification set up. Demonstrates how to access the traditional view to begin managing your virtual mac…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question