Solved

TMG 2010 is not able access other network

Posted on 2014-11-20
3
196 Views
Last Modified: 2014-12-05
We have a Windows Server 2008 VM running Microsoft Threat Management Gateway (TMG) 2010.
It is not able to ping a set of  172.16.X.X default gateways on our network.

The Network Topology Routes and Active Server Routes show the appropriate subnets and next hop.
The next hop (Vyatta) has the proper entries. I know this because we also have a sonicwall that pings to the 172.16.X.X subnets just fine and its next hop is the Vyatta as well.

See picture for ping paths.
Only pertinent entries were labeled.
Ping-Path.png
Troubleshooting already performed:
-Rebooted TMG twice
-Removed routing entries and entered them again
-Ensured that the 172.16.X.X subnets are fully allowed to talk back and forth to the TMG LAN network.
-Looked for info on the internet related to this issue (no luck so far)

Note: TMG used to be the default gateway for the 172.16.X.X interfaces until I got a new Layer 3 solution and then deleted the interfaces from the server and VM. I spoke to VMware yesterday and they said from their end, there isn't anything hung up in the VM. I am partially thinking that TMG has something hung up in it about the old default gateways and won't go out to the appropriate next hop when looking for the 172.16.X.X subnets.

Any help would be appreciated.
Ping-Path.png
0
Comment
Question by:Paul Wagner
3 Comments
 
LVL 45

Assisted Solution

by:Craig Beck
Craig Beck earned 125 total points
ID: 40456855
First thing - to talk FROM TMG itself you need to set source to Localhost instead of the Internal ranges on TMG in any rule you make to allow traffic from it.

Second, I cant see a 10.50.0.0/16 address on the L3 device.
0
 
LVL 3

Accepted Solution

by:
Barry Molenwijk earned 375 total points
ID: 40464585
Your NEXT HOP (I assume that's your gateway) on Vyatta and the TMG are different.

On Vyatta it's 10.0.1.50 and on the TMG it's 10.0.1.0. What you could do is add a persistent route which routs traffic to 172.16.2.0/24 and 172.16.3.0/24 out of the NIC that's connected to gateway 10.0.1.50.

route -p add 172.16.2.0 MASK 255.255.255.0 10.0.1.50
route -p add 172.16.3.0 MASK 255.255.255.0 10.0.1.50

That should work if 10.0.1.50 is your gateway.
0
 
LVL 4

Author Closing Comment

by:Paul Wagner
ID: 40483325
Both suggestions kind of led me to the solution. It turns out the some of the subnets had duplicate route entries. The TMG GUI looked fine but when I did a "route print" from the command line, the subnets had a route for the internal interface and a route for the WAN interface. Half the packets were going out the WAN!

I entered the command like this to fix it:
(only an example)
route delete 172.16.2.0 & route add 172.16.2.0 mask 255.255.255.0 10.0.1.1 -p

172.16.2.0 is the destination
255.255.255.0 is the subnet mask
10.0.1.1 is the next hop gateway
-p makes the route persistent and stores it in the registry

by deleting and adding the route in the same command, it ensures that any current connections are not lost.
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
vmware application discovery and mapping 2 39
vdp backups are getting cancelled 7 87
cannot rename datastore 3 48
VMWare & 2008 R2 Domain Controllers 3 54
If we need to check who deleted a Virtual Machine from our vCenter. Looking this task in logs can be painful and spend lot of time, so the best way to check this is in the vCenter DB. Just connect to vCenter DB(default DB should be VCDB and using…
In this article, I will show you HOW TO: Suppress Configuration Issues and Warnings Alert displayed in Summary status for ESXi 6.5 after enabling SSH or ESXi Shell.
Teach the user how to use configure the vCenter Server storage filters Open vSphere Web Client:  Navigate to vCenter Server Advanced Settings: Add the four vCenter Server storage filters: Review the advanced settings: Modify the values of the four v…
Teach the user how to use create log bundles for vCenter Server or ESXi hosts Open vSphere Web Client: Generate vCenter Server and ESXi host log bundle:  Open vCenter Server Appliance Web Management interface and generate log bundle: Open vCenter Se…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question