
RED Branches traffic drops due to firewall rule "0"

Hello,

 

Kindly help us please, we have strange traffic drops on our RED branches; their connection to the HQ sometimes gets through, and sometimes you need to wait for some time, in other words it is erratic. I see these logs and I am very sure that the firewall rule is implemented properly... can anyone please help... we are losing business and the branches are on my shoulders...

The rule: RED ZONE TO HQ LAN ZONE -> ANY SERVICE - ALLOWED (I created an "any" rule for troubleshooting purposes because maybe I missed some ports, but we are still having the issue)

 



  • I would suggest doing a tcpdump on the shell. Invalid traffic is an indicator for "communication works on layer 1-4 but not on layer 5-7". So maybe RDP is not working because the RDP server is rejecting the clients. 

    Go to the shell - Press 5 --> 3 (advanced shell).

    tcpdump -ni any port 3389 and host 'Insert client IP' 

    Restart the RDP Session - You should see the packets coming and going.

    Post your output here and we try to help you understand what is happening.

    But - tbh - if you have a critical case here - open a support case. 

  • Hi


    From Sophos Support: this is a known issue; as of now there is no ETA for the new firmware with the fix.... We are using STAS for web proxy purposes, but some traffic rules are affected even though the identity check is not enabled.

    It seems like the device is affected by the bug NC-26440.

    At the moment its resolution is provided in the KB article mentioned below.

    -----------------------------------------
    Article ID: 125468
    Title: Sophos XG Firewall: Traffic dropped during user authentication
    URL: https://sophos.com/kb/125468

    console> drop-packet-capture 'host 192.168.229.2 and port 3389'
    2018-07-09 15:48:03 0110021 IP 192.168.229.2.59550 > 192.168.10.5.3389 : proto TCP: S 1116920759:1116920759(0) win 8192 checksum : 52017
    0x0000: 4500 0034 3dfa 4000 7f06 4d71 c0a8 e502 E..4=.@...Mq....
    0x0010: c0a8 0a05 e89e 0d3d 4292 dbb7 0000 0000 .......=B.......
    0x0020: 8002 2000 cb31 0000 0204 0514 0103 0308 .....1..........
    0x0030: 0101 0402 ....
    Date=2018-07-09 Time=15:48:03 log_id=0110021 log_type=Firewall log_component=Identity log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=reds1 out_dev=Port1 inzone_id=8 outzone_id=1 source_mac=74:86:7a:62:3f:5a dest_mac=00:a7:4e:2d:ee:8b l3_protocol=IP source_ip=192.168.229.2 dest_ip=192.168.10.5 l4_protocol=TCP source_port=59550 dest_port=3389 fw_rule_id=3 policytype=1 live_userid=0 userid=65535 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=8 connid=3606982720 masterid=0 status=256 state=1 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2018-07-09 15:48:06 0110021 IP 192.168.229.2.59550 > 192.168.10.5.3389 : proto TCP: S 1116920759:1116920759(0) win 8192 checksum : 52017
    0x0000: 4500 0034 3dfe 4000 7f06 4d6d c0a8 e502 E..4=.@...Mm....
    0x0010: c0a8 0a05 e89e 0d3d 4292 dbb7 0000 0000 .......=B.......
    0x0020: 8002 2000 cb31 0000 0204 0514 0103 0308 .....1..........
    0x0030: 0101 0402 ....
    Date=2018-07-09 Time=15:48:06 log_id=0110021 log_type=Firewall log_component=Identity log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=reds1 out_dev=Port1 inzone_id=8 outzone_id=1 source_mac=74:86:7a:62:3f:5a dest_mac=00:a7:4e:2d:ee:8b l3_protocol=IP source_ip=192.168.229.2 dest_ip=192.168.10.5 l4_protocol=TCP source_port=59550 dest_port=3389 fw_rule_id=3 policytype=1 live_userid=0 userid=65535 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=8 connid=1375626880 masterid=0 status=256 state=1 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
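Added example (editor's code, not from the thread or from Sophos): a small Python parser for XG firewall key=value log records like the ones in the capture above. It flags packets denied by the Identity component (log_component=Identity, log_subtype=Denied) rather than by a firewall rule, and counts repeats per flow, since the same source port showing up again a few seconds later is the client retransmitting its SYN into the same drop. The sample records are constructed from the fields shown in the capture.

```python
import re
from collections import Counter

# Sophos XG writes firewall log records as space-separated key=value pairs.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records: two modelled on the drops in the thread (same
# 4-tuple, 3 s apart = a retransmitted SYN) and one ordinary allowed packet.
SAMPLE_LOG = [
    'Date=2018-07-09 Time=15:48:03 log_id=0110021 log_type=Firewall log_component=Identity '
    'log_subtype=Denied in_dev=reds1 out_dev=Port1 source_ip=192.168.229.2 dest_ip=192.168.10.5 '
    'l4_protocol=TCP source_port=59550 dest_port=3389 fw_rule_id=3 userid=65535',
    'Date=2018-07-09 Time=15:48:06 log_id=0110021 log_type=Firewall log_component=Identity '
    'log_subtype=Denied in_dev=reds1 out_dev=Port1 source_ip=192.168.229.2 dest_ip=192.168.10.5 '
    'l4_protocol=TCP source_port=59550 dest_port=3389 fw_rule_id=3 userid=65535',
    'Date=2018-07-09 Time=15:48:07 log_type=Firewall log_component=Firewall '
    'log_subtype=Allowed in_dev=reds1 out_dev=Port1 source_ip=192.168.229.3 dest_ip=192.168.10.5 '
    'l4_protocol=TCP source_port=51000 dest_port=445 fw_rule_id=3 userid=65535',
]

def parse_record(line):
    """Turn one key=value record into a dict (quoted values are unquoted)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def is_identity_drop(rec):
    """True when the Identity (user authentication) component, not a firewall rule, denied the packet."""
    return rec.get("log_component") == "Identity" and rec.get("log_subtype") == "Denied"

def identity_drops(lines):
    """Count Identity-denied packets per (src ip, src port, dst ip, dst port).
    A count above 1 on the same source port means the client is retransmitting
    a SYN into the same drop, which is the stall the user experiences."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if is_identity_drop(rec):
            key = (rec["source_ip"], rec["source_port"], rec["dest_ip"], rec["dest_port"])
            counts[key] += 1
    return counts

def report(lines):
    """Return one human-readable finding per affected flow."""
    out = []
    for (sip, sport, dip, dport), n in sorted(identity_drops(lines).items()):
        note = " (retransmissions: client is stalling)" if n > 1 else ""
        out.append(f"{sip}:{sport} -> {dip}:{dport} dropped by Identity {n}x{note}")
    return out

if __name__ == "__main__":
    for finding in report(SAMPLE_LOG):
        print(finding)
```

Run it over the output of the firewall's log viewer or a syslog export; flows that keep appearing with log_component=Identity while the user-facing rule already allows the traffic are the ones hit by the authentication-time drop discussed in this thread.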

  • I've ended up defining the RED branches' IP address range under Authentication --> Clientless Users. I wish Sophos will have a solution for this bug in the future.
