Some packets in a split message not being received by device on RED network

If I connect the same client to the XG using an SSL VPN, the database connection works fine.  I see the same pattern of packets, with the 3 received and forwarded, but these make it through to the client over the SSL VPN, whereas the first 2 are lost via the RED.

Hi,

You can perform the same wireshark dump on the appliance to get a better understanding.

https://community.sophos.com/kb/en-us/127647

You would use tcpdump on the Shell (Advanced Shell) and tcpdump -b -w /tmp/dump.pcap    (please refer to the tcpdump manual for filters). 

Thanks for that ManBearPig - really useful info.

However, I've run the tcpdump on the XG and I'm no further on as it just sees the same pattern.  The XG receives the three packets forming the message and forwards them to the RED.  The next packet that the XG sees is the out of order ACK from the client as it responds to the third of three packets, which is the only one that reaches the client.

Is it possible to run a tcpdump on the RED itself?

Thanks for that ManBearPig - really useful info.

However, I've run the tcpdump on the XG and I'm no further on as it just sees the same pattern.  The XG receives the three packets forming the message and forwards them to the RED.  The next packet that the XG sees is the out of order ACK from the client as it responds to the third of three packets, which is the only one that reaches the client.

Is it possible to run a tcpdump on the RED itself?

You can perform a dump on RED with Red Debugging. Sophos Support can show you how to do it but it is a manual process with USB Stick etc. 

So better perform two dumps at the same time.

On LAN and RED interface.

tcpdump -ni redsX -b -w /tmp/red.pcap 

tcpdump -ni ethX -b -w /tmp/eth.pcap 

You can filter here with : host IP  or Port PortNumber 

http://www.tcpdump.org/manpages/tcpdump.1.html

Then download both dumps and check them. 

Plus a small Guide: 

community.sophos.com/.../how-to-tcpdump-on-xg

Cheers again ManBearPig.

The separate traces on the WAN and RED interfaces show the same thing - all three packets in that message get to my RED interface on the XG.  They still aren't received by the client, so I'm guessing that they must be discarded or lost by the RED itself.

I'll update the support ticket I have open with these results as well, as ask for guidance on debugging the RED.

Most of the time, this is not an RED issue. If the packet goes correctly to the RED Interface on XG, the packet will be transferred by the RED. But most of the time, the client does something wrong with this packet. 

You could confirm this with a wireshark dump on the client at the same time. But this dump has to be at the same time. 

I've been running the Wireshark trace on the client at the same time - the packet is just not seen on the client, it never seems to make it to the laptop's NIC.