Solved

TMG 2010 is not able to access other network

Posted on 2014-11-20
Last Modified: 2014-12-05
We have a Windows Server 2008 VM running Microsoft Threat Management Gateway (TMG) 2010.
It is not able to ping a set of 172.16.X.X default gateways on our network.

The Network Topology Routes and Active Server Routes show the appropriate subnets and next hop.
The next hop (Vyatta) has the proper entries. I know this because we also have a sonicwall that pings to the 172.16.X.X subnets just fine and its next hop is the Vyatta as well.

See picture for ping paths.
Only pertinent entries were labeled.
Ping-Path.png
Troubleshooting already performed:
-Rebooted TMG twice
-Removed routing entries and entered them again
-Ensured that the 172.16.X.X subnets are fully allowed to talk back and forth to the TMG LAN network.
-Looked for info on the internet related to this issue (no luck so far)

Note: TMG used to be the default gateway for the 172.16.X.X interfaces until I got a new Layer 3 solution and then deleted the interfaces from the server and VM. I spoke to VMware yesterday and they said from their end, there isn't anything hung up in the VM. I am partially thinking that TMG has something hung up in it about the old default gateways and won't go out to the appropriate next hop when looking for the 172.16.X.X subnets.

Any help would be appreciated.
Question by:Paul Wagner
3 Comments

Assisted Solution

by:Craig Beck
Craig Beck earned 125 total points
ID: 40456855
First thing - to talk FROM TMG itself you need to set source to Localhost instead of the Internal ranges on TMG in any rule you make to allow traffic from it.

Second, I can't see a 10.50.0.0/16 address on the L3 device.

Accepted Solution

by:Barry Molenwijk
Barry Molenwijk earned 375 total points
ID: 40464585
Your NEXT HOP (I assume that's your gateway) on Vyatta and the TMG are different.

On Vyatta it's 10.0.1.50 and on the TMG it's 10.0.1.0. What you could do is add a persistent route which routes traffic to 172.16.2.0/24 and 172.16.3.0/24 out of the NIC that's connected to gateway 10.0.1.50.

route -p add 172.16.2.0 MASK 255.255.255.0 10.0.1.50
route -p add 172.16.3.0 MASK 255.255.255.0 10.0.1.50

That should work if 10.0.1.50 is your gateway.

Author Closing Comment

by:Paul Wagner
ID: 40483325
Both suggestions kind of led me to the solution. It turns out that some of the subnets had duplicate route entries. The TMG GUI looked fine, but when I did a "route print" from the command line, the subnets had a route for the internal interface and a route for the WAN interface. Half the packets were going out the WAN!

I entered the command like this to fix it:
(only an example)
route delete 172.16.2.0 & route add 172.16.2.0 mask 255.255.255.0 10.0.1.1 -p

172.16.2.0 is the destination
255.255.255.0 is the subnet mask
10.0.1.1 is the next hop gateway
-p makes the route persistent and stores it in the registry

By deleting and adding the route in the same command, it ensures that any current connections are not lost.
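The route-table check and fix described in the accepted solution and in the closing comment, as an added example that is not code from this thread or from any Microsoft tool: a PowerShell script (kept to PowerShell 2.0 syntax, which is what Windows Server 2008 ships with) that parses the Active Routes table of "route print", reports any IPv4 prefix that has more than one active route, and prints the delete/add pair that collapses it to a single persistent route via the intended next hop. The embedded route table is constructed for illustration; the default prefix 172.16.2.0/24 and gateway 10.0.1.1 are taken from the author's example, and 203.0.113.0/24 stands in for the WAN side. -FromSystem parses the live table instead of the sample; -Apply runs the commands (requires an elevated prompt).

```powershell
# Added example, not from the thread. Kept to PowerShell 2.0 syntax (Windows Server 2008).
# Finds IPv4 prefixes that have more than one active route (the condition the author
# found with "route print") and emits the route delete / route -p add pair that
# collapses them to a single persistent route via the intended next hop.
param(
    [string]$Destination = '172.16.2.0',   # prefix to repair (from the author's example)
    [string]$Gateway     = '10.0.1.1',     # intended next hop (from the author's example)
    [switch]$FromSystem,                   # parse the live "route print" output instead of the sample
    [switch]$Apply                         # run route.exe; default only prints the commands
)

# Constructed sample of the "Active Routes" block of route print. 172.16.2.0/24 has one
# row via the LAN gateway and one via the WAN gateway (203.0.113.0/24 is a documentation
# range used here as a stand-in for the WAN side).
$SampleRoutePrint = @'
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       203.0.113.1    203.0.113.10     10
         10.0.1.0    255.255.255.0         On-link        10.0.1.2    266
       172.16.2.0    255.255.255.0        10.0.1.1        10.0.1.2     11
       172.16.2.0    255.255.255.0       203.0.113.1    203.0.113.10     11
       172.16.3.0    255.255.255.0        10.0.1.1        10.0.1.2     11
        127.0.0.0        255.0.0.0         On-link       127.0.0.1    306
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
       172.16.2.0    255.255.255.0         10.0.1.1       1
===========================================================================
'@

function Parse-ActiveRoutes {
    # Only IPv4 "Active Routes" rows match: destination, netmask, gateway (an address or
    # On-link), interface address and a metric. Persistent-route and IPv6 rows have a
    # different shape and are skipped.
    param([string[]]$Lines)
    $ip = '(\d{1,3}(?:\.\d{1,3}){3})'
    $pattern = "^\s*$ip\s+$ip\s+(\S+)\s+$ip\s+(\d+)\s*$"
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                Destination = $matches[1]
                Netmask     = $matches[2]
                Gateway     = $matches[3]
                Interface   = $matches[4]
                Metric      = [int]$matches[5]
            }
        }
    }
}

function Find-DuplicateRoutes {
    # A prefix that appears in two active rows (here on two interfaces with equal metrics)
    # is the symptom in the closing comment: part of the traffic leaves via the WAN.
    param($Routes)
    $Routes | Group-Object -Property Destination, Netmask | Where-Object { $_.Count -gt 1 }
}

function New-RouteFixCommands {
    # Same form as the author's fix: "route delete <dest>" without a mask removes every
    # row for that destination, then a single persistent route is re-added.
    param([string]$Destination, [string]$Netmask, [string]$Gateway)
    @("route delete $Destination",
      "route -p add $Destination mask $Netmask $Gateway")
}

$lines  = if ($FromSystem) { route print } else { $SampleRoutePrint -split "`r?`n" }
$routes = @(Parse-ActiveRoutes -Lines $lines)
$dups   = @(Find-DuplicateRoutes -Routes $routes)

if ($dups.Count -eq 0) { Write-Host 'No duplicate IPv4 routes found.'; return }

foreach ($g in $dups) {
    Write-Host ("Duplicate active route for {0}:" -f $g.Name)
    foreach ($r in $g.Group) {
        Write-Host ("  via {0} on interface {1} (metric {2})" -f $r.Gateway, $r.Interface, $r.Metric)
    }
}

$target = @($dups | Where-Object { $_.Group[0].Destination -eq $Destination })
if ($target.Count -eq 0) { Write-Host "No duplicate for $Destination; nothing to fix."; return }

$mask = $target[0].Group[0].Netmask
foreach ($cmd in (New-RouteFixCommands -Destination $Destination -Netmask $mask -Gateway $Gateway)) {
    if ($Apply) { Write-Host "Running: $cmd"; cmd /c $cmd }   # needs an elevated prompt
    else        { Write-Host "Would run: $cmd" }
}
```

One caveat when reusing the closing comment's one-liner: it joins the two commands with "&", which is cmd.exe syntax. In PowerShell "&" is the call operator, so separate them with ";" there (or run them from cmd.exe as the author did). The script prints the commands by default so you can compare them against "route print" before passing -Apply.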
