Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 12 replies
  • Subscribers 28 subscribers
  • Views 2191 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Troubleshooting blocked connections

Garth Kirkwood

Inn my Home Lab I hand migrated from UTM to XG and was extremely pleased with the speed increase I got on my connection, unfortunately everything has not be peachy.

I am finding it much more difficult to troubleshoot connections that don't work. In my UTM days I could see it blocked either through the Firewall or the Web filter would have dropped packets, but in XG there is nothing.

An example today my Daughter through Facebook Messenger sent my wife and I a Video Chat request, we could accept the chat but then after a moment it would drop the connection. To get it to work I had to turn on my FW rule that allows everything out from the LAN to the WAN.

With this rule active I turned on Logging and found that it worked without issue. And now researching for this post I found that there are three (3) ports used that were NEVER blocked previously. I found that with the logging on Ports 3478, 5222 & 40002 with my Wife's phone it worked, but there was no additional logging for my desktop and now it worked.

This is only one example of how confusing it is to troubleshoot connectivity issues.

Another "block" is my Wireless Access Points are on a separate VLAN to the controller and packets from the WAPs to the Controller are dropped even with a firewall rule with this logged:

Invalid Traffic
Denied
  
N/A
0
    
192.168.254.149
192.168.72.33
47278
8080
TCP
0
01001
Open PCAP
Could not associate packet to any connection.

I don't care  that my firewall cannot associate the packet, I just want it to send it through, DON'T touch it.

Thus I has two issues, how do I find where the FW is blocking stuff and how do I get my FW to just forward traffic without touching it?

 

Cheers



This thread was automatically locked due to age.
  • 0

    Hi,

     the easy bits first, you can ignore that error message because that is a connection that has been closed.

    You need to check the log viewer and add a filter for your firewall rule to see which ports are used and then limit the services to them only.

    The WAPs are they Sophos or another company?

    Ian

  • 0 in reply to rfcat_vk

    The WAPs are from a different company and have nothing to do with the XG itself and I did research and find that the message can be ignored but it is clogging up my log. I get that there is no connection, but I have told my FW that I am okay with the WAP sending the packet to the Controller, thus DON'T TOUCH IT! But alas it does and blocks.

    This was never an issue on my UTM, and yes I get there is a difference in detections between UTM and XG.

    I get about filters in the log, but I may not have been clear.

    • Facebook Messenger video chat has always worked, today it didn't.
    • I had two (2) devices, my wife's phone and my desktop attempt connect to an outside user and it didn't work.
    • Opening up Everything, FW rule, allowed the connection to work.
    • Checking the log, my wife's phone needed the extra ports as I indicated.
    • My desktop just worked, it did not use any extra ports.

    Thus my questions still remains, there were NO ports showing as blocked in the Log, they only showed up once I opened up my FW.

    Ian I appreciate your time to post, but this does not help me diagnose issues that DON'T show anything in the logs.

  • 0 in reply to Garth Kirkwood

    Hi Garth,

    pease sears the XH forums for threads on allowing facebook to work through the XG.

    Please find below my exception list.

    You can disable the logging of those errors if you find they are a problem.

    The XG is probably not blocking the ports but your software is failing a security check eg you have decrypt HTTPS enabled. Yes, the XG logging is very poor and makes debugging difficult.

    Are the phones using VoIP?

    Finally please post a screenshot of your expanded firewall rules to assist the forum with debugging.

    Ian

  • 0 in reply to rfcat_vk

    Ian, there is nothing wrong with access to Facebook itself, that is not the problem and I never said that was the issue, you are diluting topic.

    I simply used my issue this morning to highlight a problem I am having to solve access issues, no mention of FB access or VoIP issues.

    With the WAPS with the internal rules that relate there is absolutely NO filtering, no decryption, I just want it to route from here to there do NOTHING else with the traffic.

    Why do I need to post of screenshot of my FW rules, I can find a port that is blocked and adding that to a rule is simple enough. I am trying to find a why to properly diagnose blocking issues.

    I appreciate your time and acknowledgement of the XG logging issues, but I am trying to find any help I can on tracking down "roadblocks" on my network.

     

    Cheers

  • 0 in reply to Garth Kirkwood

    Hi Garth,

    sorry I am not diluting the subject, you complained about facebook messenger so I added some information that might help you.

    You said the phones didn't work as expected so I asked some question s about your phones.

    You have asked for help with your WAPS, so please make u your mind what you actually want help with.

    I suggest you read the KBAs on CLI commands that will give access to other reports/results.

    Ian

  • 0 in reply to rfcat_vk

    Okay I will address each of you points:

    "Complained about messenger", this is not accurate, I used it as an example ONLY to illustrate my point about how my XG doesn't log blocked points, but when I log and allow all traffic new ports appear.

    "phones didn't work", I mentioned that in context with using Facebook messenger, FB Messenger does not equal VoIP. One of the ports I mentioned is the STUN port but again that is for illustration purposes only.

    "asked for help with your WAPS", I never asked for help with the WAPS themselves, I asked for help with an entry in my FW log that is generated by WAPS when they are trying to talk to the controller that the XG is blocking.

    "read the KBAs on CLI commands", are there any you could suggest that I look at in particular?

    Again I appreciate you taking the time to read and reply to my posts, the crux is that I only need help with the XG and traffic blocking issues.

    Thanks

  • 0 in reply to rfcat_vk

    Thanks for that, funnily enough I was reading the PDF version of that at the time you posted your message as I was trying to resolve another issue.

     

    Here is another really simple example of what is happening:

    • From PC 192.168.254.xx to Camera 192.168.72.xx
    • No access, NOTHING in the Firewall log.
    • Create a FW Rule to allow access and log traffic
    • Works a treat

    So why then when I didn't have the FW rule in place, the FW log didn't display anything relating to me trying to access the Camera.

    Something this simple shouldn't be this hard.

  • 0 in reply to Garth Kirkwood

    Hi Garth,

    firstly does your PC know what to do with that network, try a tracert and see what the result is?

    Ian

  • 0 in reply to rfcat_vk

    With the rule off it goes to the gateway address and the requests just time out.

    With the rule on goes to the gateway and then the Camera.

     

    That confused me, what does a FW rule have to do with routing?

     

    From my understanding a FW rule is simply giving permission to go from one network to the other using the open ports. Is this another XG anamoly?