Help Needed Converting KVM network Non-VLAN network to VLANs, odd

Hi! I apologize if this is not something I should have posted here, but I've come to value the insights and experience of the people on this list a lot, and I am hoping my problem isn't unique. I am also sorry for the long read. I have been to the forums of the devices in play in this problem, and while Red Hat has been a huge help, they all hand off when they hear about the other devices in play.

Some background: I have a Sophos UTM ASG220 serving as gateway device for a number of networks, with a Cisco 2960 network switch, and a raft of Red Hat 6.6 servers running KVM and hosting multiple guests, with the guests being on different network subnets. The UTM has its LAN interface populated with multiple virtual interfaces (it's really a stripped down, optimized RHEL-type Linux machine under the hood) as gateways for all the network subnets except for the primary network it was created with during installation. I have VLANs defined on the switch, and the KVM hosts have bonded interfaces (mode 1, based on RHN support advice), VLAN sub-interfaces and bridges configured for each network, and each guest is attached to its appropriate bridge and 8021q is set up. Without involving the UTM, VLAN traffic traverses beautifully between switch, KVM hosts and guests; I have no issues there.

That said, this is what is happening: I am successful in generating new VLAN interfaces on the Sophos UTM (but with a different IP address) to replace the existing gateway virtual IP address (for instance, for test network, virtual interface gateway address is, and the VLAN interface to replace it is At first instance the guests and the KVM host are able to ping the switch, the new VLAN gateway interface and the old virtual gateway interface, after the VLAN is in place. But if I try to remove the old virtual interface (eg, then networking starts acting weird.

The switch VLAN address (say is unable to ping or reach the guests (say on the VLAN, but it can reach the KVM host VLAN bridge (say address, and it can reach the Sophos gateway (, VLAN address). Even after bringing the gateway virtual interface ( back up, the situation remains for a while. The guests can reach each other on the same VLAN, but cannot ping the switch VLAN interface address, and cannot ping their VLAN gateway address, or route traffic to other external networks). But the guests can reach the LAN DNS servers, which are on a different subnet entirely (! But the guests also can only reach the DNS servers on the subnet; they cannot reach all the addresses. Arping responds to and from all network machines/devices while all this is going on. This continued for a while even after clearing the ARP caches, rebooting the switch, and bringing up and down the gateway network interfaces. Then suddenly things started working again (but with the gateway virtual and VLAN addresses both up). I'd love some insight into what's happening and how I can fix this.
participants (1)
Sina Owolabi
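The KVM host wiring the post describes (a mode 1 bond, an 8021q sub-interface per VLAN, and a bridge per VLAN that the guests attach to) is easy to get subtly wrong in the RHEL 6 ifcfg files. The script below is an added example, not code from the original post or from Red Hat: it writes a constructed set of ifcfg files for one VLAN into a scratch directory and then checks that the chain bond -> bond.VID -> brVID is consistent. The interface names (bond0, br100), VLAN id and directory are assumptions for illustration.

```bash
#!/bin/bash
# Added example: generate and sanity-check RHEL 6 style ifcfg files for one
# VLAN on a KVM host (mode-1 bond, 8021q sub-interface, bridge for guests).
# Names, VLAN id and the directory are assumptions, not from the original post.
set -u

# write_bond DIR BOND: constructed ifcfg for a mode 1 (active-backup) bond.
write_bond() {
    dir=$1; bond=$2
    cat > "$dir/ifcfg-$bond" <<EOF
DEVICE=$bond
ONBOOT=yes
BOOTPROTO=none
BONDING_OPTS="mode=1 miimon=100"
EOF
}

# write_vlan_bridge DIR BOND VID: constructed ifcfg files for the 8021q
# sub-interface BOND.VID and the bridge brVID it is enslaved to.
write_vlan_bridge() {
    dir=$1; bond=$2; vid=$3
    cat > "$dir/ifcfg-$bond.$vid" <<EOF
DEVICE=$bond.$vid
ONBOOT=yes
VLAN=yes
BRIDGE=br$vid
EOF
    cat > "$dir/ifcfg-br$vid" <<EOF
DEVICE=br$vid
TYPE=Bridge
ONBOOT=yes
BOOTPROTO=none
DELAY=0
EOF
}

# cfg_value FILE KEY: print the value of KEY= in an ifcfg file, quotes stripped.
cfg_value() {
    sed -n "s/^$2=//p" "$1" | tr -d '"'
}

# check_vlan_bridge DIR BOND VID: return 0 when bond -> BOND.VID (VLAN=yes,
# BRIDGE=brVID) -> brVID (TYPE=Bridge) is consistent, 1 otherwise, printing
# each problem found.
check_vlan_bridge() {
    dir=$1; bond=$2; vid=$3; rc=0
    sub="$dir/ifcfg-$bond.$vid"; br="$dir/ifcfg-br$vid"
    [ -f "$dir/ifcfg-$bond" ] || { echo "missing $dir/ifcfg-$bond"; return 1; }
    case "$(cfg_value "$dir/ifcfg-$bond" BONDING_OPTS)" in
        *mode=1\ *|*mode=1|*mode=active-backup*) ;;
        *) echo "bond $bond is not mode 1"; rc=1 ;;
    esac
    [ -f "$sub" ] || { echo "missing $sub"; return 1; }
    [ "$(cfg_value "$sub" VLAN)" = "yes" ] || { echo "$sub lacks VLAN=yes"; rc=1; }
    [ "$(cfg_value "$sub" BRIDGE)" = "br$vid" ] || { echo "$sub is not enslaved to br$vid"; rc=1; }
    # An interface enslaved to a bridge must not carry its own address.
    [ -z "$(cfg_value "$sub" IPADDR)" ] || { echo "$sub has IPADDR; put the address on br$vid"; rc=1; }
    [ -f "$br" ] || { echo "missing $br"; return 1; }
    [ "$(cfg_value "$br" TYPE)" = "Bridge" ] || { echo "$br is not TYPE=Bridge"; rc=1; }
    return $rc
}

# Usage: generate the files in a scratch directory and check them.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_bond "$d" bond0
    write_vlan_bridge "$d" bond0 100
    check_vlan_bridge "$d" bond0 100 && echo "bond0.100 / br100 consistent"
    rm -rf "$d"
fi
```

Run it as `bash script.sh demo` to see the generated files checked; point `check_vlan_bridge` at `/etc/sysconfig/network-scripts` with your real bond name and VLAN id to check an existing host before attaching guests to the bridge.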