
Unable to scan from AIO Printers after XG 85 added to network

We recently added an XG 85 to our network in Bridge mode, utilizing only LAN Port 1 and WAN Port 2, and we now find that we are unable to initiate a scan from any of our AIO printers from the Scan button on the AIOs.

This behavior is true whether the AIO is attached via USB or AP (on our wireless router not the XG - not being utilized at all).

We can initiate a scan from the computer just not from the AIO.

The XG 85 is AS-IS from the factory in respect to all settings, with the exception of the Network addressing being modified to match our network.

I can remove the XG and the AIOs function normally; add the XG back in and it's NO GO.

 

Any ideas?



  • Hey  

    Thank you for providing those screenshots. When you perform a packet capture on the GUI of your XG, which firewall rule policy is your AIO scan traffic being matched to? Are there any messages provided?

    Also for troubleshooting purposes, for your default network policy LAN to WAN, could you try to isolate which feature may possibly be causing this scan issue by individually turning off "Scan HTTP" or IPS and testing to verify if your scan is still having issues?

    Thanks,

    FloSupport | Community Support Engineer

  • Looks like traffic from the AIO Printer @ 192.168.4.221 (Source) sending to PC @ 192.168.4.15 (Destination) is matching only Rule 1 at any point.

    I have temporarily disabled “ScanHTTP” and the IPS policy to run the following Packet Capture.

    I ran a packet capture from AIO @ 192.168.4.221 to PC @ 192.168.4.15 with 2 Violations showing (Both showing the same details):

    2018-03-05 15:58:43 | Port2 | Port1 | IPv4 | 192.168.4.221 | 192.168.4.15 | UDP | 48785,54925 | 0 | Violation | Firewall

     

    Packet Information

    Ethernet Header

    Source MAC Address:00:80:92:8a:54:ff

    Destination MAC Address: bc:30:5b:be:c5:aa

    Ethernet Type IPv4 (0x800)

     

    IPv4 Header

    Source IP Address:192.168.4.221

    Destination IP Address:192.168.4.15

    Protocol: UDP

    Header:20 Bytes

    Type of Service: 0

    Total Length: 148 Bytes

    Identification:5814

    Fragment Offset:0

    Time to Live: 64

    Checksum: 55654

     

    UDP Header:

    Source Port:48785

    Destination Port: 54925

    Length: 128

    Checksum: 33703

     

     

    Hex & ASCII Detail

     

    0x0000: 4500 0094 16b6 0000 4011 d966 c0a8 04dd E.......@..f....
    0x0010: c0a8 040f be91 d68d 0080 83a7 0200 7430 ..............t0
    0x0020: 5459 5045 3d42 523b 4255 5454 4f4e 3d53 TYPE=BR;BUTTON=S
    0x0030: 4341 4e3b 5553 4552 3d22 4a55 4459 2d50 CAN;USER="JUDY-P
    0x0040: 4322 3b46 554e 433d 4649 4c45 3b48 4f53 C";FUNC=FILE;HOS
    0x0050: 543d 3139 322e 3136 382e 342e 3135 3a35 T=192.168.4.15:5
    0x0060: 3439 3235 3b41 5050 4e55 4d3d 353b 5031 4925;APPNUM=5;P1
    0x0070: 3d30 3b50 323d 303b 5033 3d30 3b50 343d =0;P2=0;P3=0;P4=
    0x0080: 303b 5245 4749 443d 3431 3935 323b 5345 0;REGID=41952;SE
    0x0090: 513d 373b Q=7;

     

     

    Scan from AIO to PC is still a NO Go.

    However, as long as the scan is initiated from the PC the scan works.

     

    I did have to take 1 AIO/PC and switch it over to a USB connection to meet User needs today, and for some reason that involved me having to reinstall the Printer Software/Drivers, which seems odd but was the only solution I could come up with.

  • Hey  

    That packet capture showing the violation looks to be for Port 2 (WAN) AIO Printer @ 192.168.4.221 (Source) to Port 1 (LAN) PC @ 192.168.4.15 (Destination) traffic. If I recall correctly, you only had a LAN to WAN rule? This may be why you're only able to Scan when the PC initiates (LAN to WAN).

    It seems that your AIO printer is configured in your Port 2 (WAN) zone, and the firewall is dropping this initiated traffic to Port 1 (LAN) due to a firewall rule not existing to allow this.

    Regards,

    FloSupport | Community Support Engineer
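
Added example (not part of the original thread and not Sophos tooling): decoding the capture bytes posted above confirms the flow described in the reply, a printer-initiated UDP datagram entering on Port2 for the PC on Port1, and derives the narrowest allow rule that would match it. The Port1 = LAN / Port2 = WAN mapping comes from the thread; `parse_capture` and `required_rule` are hypothetical helper names, and the bytes before `TYPE=` are left uninterpreted.

```python
import struct
from ipaddress import IPv4Address

# Bytes copied from the "Hex & ASCII Detail" dump posted in the thread.
CAPTURE_HEX = """
4500 0094 16b6 0000 4011 d966 c0a8 04dd c0a8 040f be91 d68d 0080 83a7 0200 7430
5459 5045 3d42 523b 4255 5454 4f4e 3d53 4341 4e3b 5553 4552 3d22 4a55 4459 2d50
4322 3b46 554e 433d 4649 4c45 3b48 4f53 543d 3139 322e 3136 382e 342e 3135 3a35
3439 3235 3b41 5050 4e55 4d3d 353b 5031 3d30 3b50 323d 303b 5033 3d30 3b50 343d
303b 5245 4749 443d 3431 3935 323b 5345 513d 373b
"""
# Interface-to-zone mapping as described in the thread.
ZONES = {"Port1": "LAN", "Port2": "WAN"}

def ipv4_header_ok(header: bytes) -> bool:
    """One's-complement sum over an intact IPv4 header folds to 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_capture(raw: bytes) -> dict:
    """Decode IPv4 + UDP headers and the key=value payload of one packet."""
    ihl = (raw[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", raw[2:4])[0], raw[9]
    if raw[0] >> 4 != 4 or proto != 17 or total_len != len(raw):
        raise ValueError("not a complete IPv4/UDP packet")
    sport, dport, udp_len, _ = struct.unpack("!4H", raw[ihl:ihl + 8])
    payload = raw[ihl + 8:ihl + udp_len]
    # Assumption: the text fields begin at "TYPE=", as the ASCII column shows.
    start = payload.find(b"TYPE=")
    text = payload[start:].decode("ascii") if start >= 0 else ""
    fields = dict(p.split("=", 1) for p in text.split(";") if "=" in p)
    return {
        "checksum_ok": ipv4_header_ok(raw[:ihl]),
        "src": str(IPv4Address(raw[12:16])),
        "dst": str(IPv4Address(raw[16:20])),
        "sport": sport, "dport": dport,
        "fields": {k: v.strip('"') for k, v in fields.items()},
    }

def required_rule(pkt: dict, in_if: str, out_if: str) -> str:
    """Describe the single flow the firewall must permit, host- and port-scoped."""
    return (f"{ZONES[in_if]}->{ZONES[out_if]} allow UDP "
            f"{pkt['src']} -> {pkt['dst']}:{pkt['dport']}")

PACKET = parse_capture(bytes.fromhex("".join(CAPTURE_HEX.split())))

if __name__ == "__main__":
    print(PACKET)
    print(required_rule(PACKET, "Port2", "Port1"))
```

The `HOST` field in the payload carries the same address and port as the packet's destination, so a rule scoped to that one host and UDP port covers the button-press notification without opening the whole WAN-to-LAN direction.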

  • I have created a WAN to LAN User Rule.

    Have tried it with Scan HTTP enabled and disabled.

    Have tried it with nothing under Advanced and with my current settings of:

     Intrusion Prevention - WAN TO LAN

    Traffic Shaping Policy - None

    Web Policy - Default Workplace Policy

     

    Still not having any luck with the initial AIO's.

    I did however try a new AIO that previously was on USB and have partial success with it. The only way it will work going from AIO to PC is if I am utilizing WSD ports as opposed to an IP address. But it has proven to be a bit temperamental.

     

    attached is the WAN TO LAN rule.

  • Found a solution for one of the AIO's - an Epson WF-7520.

    Using the default #Default_Network_Policy in Firewall Rules the NAT Masquerading was the issue.

    Disabled it and the Epson worked right off.

     

    Still no solution for Brother J6710DW and the others I may just leave on USB for the time being.

  • I seem to have stumbled into a fix. I cannot say which of these changes served as my solution, for now I am unable to undo the changes and duplicate the AIO to PC failures.

    Addressing another issue, "MY Ebay" being blocked under IPS Policy Risky I implemented this fix: https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/92309/unblocking-a-category/334092 (which seems like it should be unrelated to me)

    and at the same time had removed the Scan HTTP from the "Default_Network_Policy" and then re-enabled (again which seems like it should be unrelated to me).

    I can't recall making any other changes, but I was in and out of several different screens in several different areas, so it may have been something else.

     

    At any rate, it was after this series of changes that the AIO's were finally able to initiate and process a scan from the AIO to the PC. Prior, the AIO's were unable to make and complete the process. My review of the "Packet Captures" did not reveal any violations that I could find, or any other blocked activity - but I am a noob in this area.

    So not sure if I can tag anything as a solution as of yet.