
Invalid traffic violation even with proper rules applied

Hello,


I have a problem with communication between two servers. My firewall is rejecting packets, as seen in the picture. For this reason, the two sides cannot exchange MS SQL data. Ping is also functional only from 172.21.17.50, not in reverse. I checked Wireshark on the Windows Server (172.21.17.50): ICMP replies are sent during ping, but they are not reaching the destination (Linux 192.168.12.46). See the second picture.

As you can see, there is one allowed communication using rule 41.

I really don't know what the cause of this is; could anyone please help?

Note: I have migrated from UTM to XG. It worked on UTM with no problem.


Thanks


Lubomir Klas



  • Hi Lubomir,


    One thing is pretty clear: ping is working, and in this rule services are already allowed as "ANY". So we need to investigate where the traffic gets dropped. We need some information to assist you on this:


    1) Can you please share a snapshot of Network > Interfaces?

    (In case any Aliases are configured, ensure that we are able to see all the settings in that snapshot.)

    2) In case those two networks (172.21.17.50 and 192.168.12.46) are not configured directly on a firewall interface, also share a snapshot of the Static Route configuration.

    3) Take a drop packet capture from SSH access:


    drop-packet 'host 192.168.12.46 or host 172.21.17.50 and port 1433'

    Share the complete output from when you initiate the traffic.

    Based on this information, we will be able to assist you further.

    Regards,

    Resolution24x7

  • Hello,


    I'm sending the information you requested. The output from the router is in the attachment.


    5758.Drop Packet.txt

    Thanks


    Lubo

  • Hi Lubo,

    I would request you to create one more rule that allows the connection from the specific initiator to the specific responder.

    1) Try with NAT / without NAT (MASQ) in that rule. Ensure that the rule is at the top.

    2) Also, you may flush the conntrack entries before proceeding with this activity, using the commands below:

     console > sys dia utili connections v4 delete dest_ip 192.168.12.46
     console > sys dia utili connections v4 delete src_ip 192.168.12.46
     console > sys dia utili connections v4 delete src_ip 172.21.17.50
     console > sys dia utili connections v4 delete dest_ip 172.21.17.50

    Initiate the requests: ping, and then traffic on the required port 1433.


    3) Now, after you initiate the ping and then the traffic on port 1433, enter the commands below to get the status of those connections (as ping is working):

     console > sys dia utili connections v4 show dest_ip 192.168.12.46
     console > sys dia utili connections v4 show src_ip 192.168.12.46
     console > sys dia utili connections v4 show src_ip 172.21.17.50
     console > sys dia utili connections v4 show dest_ip 172.21.17.50

    Hope it helps!

    Regards,

    Resolution24x7

  • Hello,

    This doesn't work for me. Ping is still working only from 172.21.17.50, not in reverse.

    And using port 1433 does not work either.

    I have no clue what to do. :(


    Thanks


    Lubo

  • Most likely port 1433 is blocked because of the application running there, not XG. Those are invalid-traffic blocks after the connection is already closed. So basically XG forwards the packet, the server closes the connection with multiple packets, and XG blocks those multiple packets (and forwards one close packet).

    You should investigate the application itself.
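To illustrate the mechanism described in the reply above (segments that arrive after the connection has been torn down are classified as invalid and dropped, and a flushed conntrack entry makes the next mid-stream segment invalid too), here is an added example that is not from the thread and not Sophos' code: a toy Python connection tracker run over a constructed packet sequence between the two hosts from the thread. The state names, the `flush()` method and the port/flag sequence are assumptions, loosely modelled on Netfilter conntrack.

```python
from collections import namedtuple

# Hosts are the two from the thread; ports, flags and the sequence are constructed for the demo.
CLIENT, SERVER = "192.168.12.46", "172.21.17.50"
Packet = namedtuple("Packet", "src sport dst dport flags")
def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))
class ConnTracker:
    def __init__(self):
        self.table = {}  # direction-agnostic endpoint pair -> TCP state (assumed names)
    def classify(self, p):
        k = tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))
        state = self.table.get(k)
        if state is None:                      # nothing tracked for this flow
            if p.flags == {"SYN"}:
                self.table[k] = "SYN_SENT"
                return "NEW"
            return "INVALID"                   # mid-stream segment with no entry
        if state == "CLOSED":
            return "INVALID"                   # late segment after the teardown
        if "RST" in p.flags or state == "LAST_ACK":
            self.table[k] = "CLOSED"           # reset, or the final ACK of the close
        elif "FIN" in p.flags:
            self.table[k] = "LAST_ACK" if state == "FIN_WAIT" else "FIN_WAIT"
        elif state == "SYN_SENT" and p.flags == {"SYN", "ACK"}:
            self.table[k] = "ESTABLISHED"
        return "ESTABLISHED"
    def flush(self, ip):
        """Drop every entry involving ip, like the 'connections v4 delete' commands above."""
        for k in [k for k in self.table if ip in (k[0][0], k[1][0])]:
            del self.table[k]

def simulate():
    """Handshake, one query, orderly teardown, then two late segments from the server."""
    c2s = lambda *f: pkt(CLIENT, 50123, SERVER, 1433, *f)
    s2c = lambda *f: pkt(SERVER, 1433, CLIENT, 50123, *f)
    flow = [c2s("SYN"), s2c("SYN", "ACK"), c2s("ACK"), c2s("PSH", "ACK"), s2c("PSH", "ACK"),
            s2c("FIN", "ACK"), c2s("ACK"), c2s("FIN", "ACK"), s2c("ACK"),
            s2c("FIN", "ACK"), s2c("RST")]    # the last two arrive after the close
    t = ConnTracker()
    return [t.classify(p) for p in flow]      # ends with 'INVALID', 'INVALID'

def data_after_flush():
    """Flush an established flow's entry: the next mid-stream segment is INVALID."""
    t = ConnTracker()
    t.classify(pkt(CLIENT, 50124, SERVER, 1433, "SYN"))
    t.classify(pkt(SERVER, 1433, CLIENT, 50124, "SYN", "ACK"))
    t.flush(CLIENT)
    return t.classify(pkt(CLIENT, 50124, SERVER, 1433, "PSH", "ACK"))
```

The two trailing drops in `simulate()` are the pattern the reply describes: the firewall forwarded the close, so the server's extra segments no longer match a live entry.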
