Sophos XG WAF & RDS 2019

Hi,

I configured a WAF profile for RDS 2019.

To configure it, I followed this KB: https://support.sophos.com/support/s/article/KB-000036644?language=en_US

There is no problem opening the web portal, but when users open the RDP file, they are unable to authenticate. When the user enters his password, it loops and asks for the password again.

I created a NAT rule as a test and there is no problem, but for security reasons I would like to go through the WAF.

Can you help me, please?

Regards



  • FormerMember

    Hi,

    Thanks for reaching out to the Community!

    Could you please replicate the issue and provide the WAF (reverseproxy.log) logs via PM?

    Check out the following document for more detail:  Log file details

    Thanks,

  • Hi,

    Thank you very much for your response.

    Please find below the failure log, captured with the command tail -F /log/reverseproxy.log

    [Mon Mar 29 09:33:51.802606 2021] timestamp="1617003231" srcip="92.184.112.247" localip="WAN IP" user="-" method="-" statuscode="408" reason="-" extra="-" exceptions="-" duration="9" url="-" server="-" referer="-" cookie="-" set-cookie="-" recvbytes="339" sentbytes="4931" protocol="HTTP/1.0" ctype="-" uagent="-" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="-"
    [Mon Mar 29 09:33:52.270508 2021] timestamp="1617003232" srcip="92.184.112.247" localip="WAN IP" user="-" method="POST" statuscode="200" reason="-" extra="-" exceptions="-" duration="16620" url="/KdcProxy" server="PUBLIC DNS NAME" referer="-" cookie="-" set-cookie="-" recvbytes="805" sentbytes="5346" protocol="HTTP/1.1" ctype="194" uagent="kerberos/1.0" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="63"
    [Mon Mar 29 09:33:52.395578 2021] timestamp="1617003232" srcip="92.184.112.247" localip="WAN IP" user="-" method="POST" statuscode="200" reason="-" extra="-" exceptions="-" duration="19298" url="/KdcProxy" server="PUBLIC DNS NAME" referer="-" cookie="-" set-cookie="-" recvbytes="560" sentbytes="4983" protocol="HTTP/1.1" ctype="4732" uagent="kerberos/1.0" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="63"
    [Mon Mar 29 09:33:52.556032 2021] timestamp="1617003232" srcip="92.184.112.247" localip="WAN IP" user="-" method="POST" statuscode="200" reason="-" extra="-" exceptions="-" duration="58350" url="/KdcProxy" server="PUBLIC DNS NAME" referer="-" cookie="-" set-cookie="-" recvbytes="5009" sentbytes="334" protocol="HTTP/1.1" ctype="114" uagent="kerberos/1.0" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="63"
    [Mon Mar 29 09:33:52.733368 2021] timestamp="1617003232" srcip="92.184.112.247" localip="WAN IP" user="-" method="RDG_OUT_DATA" statuscode="401" reason="-" extra="-" exceptions="-" duration="9434" url="/remoteDesktopGateway/" server="PUBLIC DNS NAME" referer="-" cookie="-" set-cookie="-" recvbytes="1013" sentbytes="5712" protocol="HTTP/1.1" ctype="text/html" uagent="MS-RDGateway/1.0" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="Ne+Zz8aiIxmU1Ze+G2uHCw==" websocket_version="13" ruleid="63"
    [Mon Mar 29 09:33:53.276655 2021] timestamp="1617003233" srcip="92.184.112.247" localip="WAN IP" user="-" method="POST" statuscode="200" reason="-" extra="-" exceptions="-" duration="18060" url="/KdcProxy" server="PUBLIC DNS NAME" referer="-" cookie="-" set-cookie="-" recvbytes="477" sentbytes="414" protocol="HTTP/1.1" ctype="194" uagent="kerberos/1.0" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="63"
    [Mon Mar 29 09:33:53.407892 2021] timestamp="1617003233" srcip="92.184.112.247" localip="WAN IP" user="-" method="POST" statuscode="200" reason="-" extra="-" exceptions="-" duration="19004" url="/KdcProxy" server="PUBLIC DNS NAME" referer="-" cookie="-" set-cookie="-" recvbytes="560" sentbytes="4983" protocol="HTTP/1.1" ctype="4732" uagent="kerberos/1.0" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="63"
    [Mon Mar 29 09:33:53.654417 2021] timestamp="1617003233" srcip="92.184.112.247" localip="WAN IP" user="-" method="RDG_IN_DATA" statuscode="401" reason="-" extra="-" exceptions="-" duration="7984" url="/remoteDesktopGateway/" server="PUBLIC DNS NAME" referer="-" cookie="-" set-cookie="-" recvbytes="810" sentbytes="5769" protocol="HTTP/1.1" ctype="text/html" uagent="MS-RDGateway/1.0" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="63"
    [Mon Mar 29 09:33:53.786373 2021] timestamp="1617003233" srcip="92.184.112.247" localip="WAN IP" user="-" method="RDG_IN_DATA" statuscode="200" reason="-" extra="-" exceptions="-" duration="21208" url="/remoteDesktopGateway/" server="PUBLIC DNS NAME" referer="-" cookie="-" set-cookie="-" recvbytes="1172" sentbytes="176" protocol="HTTP/1.1" ctype="-" uagent="MS-RDGateway/1.0" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="63"
    [Mon Mar 29 09:33:53.903697 2021] timestamp="1617003233" srcip="92.184.112.247" localip="WAN IP" user="-" method="RDG_IN_DATA" statuscode="408" reason="-" extra="-" exceptions="-" duration="20115550" url="/remoteDesktopGateway/" server="PUBLIC DNS NAME" referer="-" cookie="-" set-cookie="-" recvbytes="493" sentbytes="420" protocol="HTTP/1.1" ctype="text/html" uagent="MS-RDGateway/1.0" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="63"
    [Mon Mar 29 09:34:16.020616 2021] [proxy_http:error] [pid 25647:tid 140701215864576] (104)Connection reset by peer: [client 92.184.112.247:59818] AH01110: error reading response
    [Mon Mar 29 09:33:52.857323 2021] timestamp="1617003232" srcip="92.184.112.247" localip="WAN IP" user="-" method="RDG_OUT_DATA" statuscode="200" reason="-" extra="-" exceptions="-" duration="23163464" url="/remoteDesktopGateway/" server="PUBLIC DNS NAME" referer="-" cookie="-" set-cookie="-" recvbytes="1375" sentbytes="167" protocol="HTTP/1.1" ctype="-" uagent="MS-RDGateway/1.0" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="Ne+Zz8aiIxmU1Ze+G2uHCw==" websocket_version="13" ruleid="63"

    Regards
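
One way to triage a reverseproxy.log capture like the one posted above, as an added example that is not part of the original thread or of Sophos tooling: parse the key="value" records, count status codes per method and URL, and list the 4xx/5xx records and the Apache error-log lines. The sample lines are constructed in the same layout, with placeholder addresses and a reduced field set.

```python
import re
from collections import Counter

# Constructed sample in the reverseproxy.log key="value" layout shown in the
# thread; addresses are placeholders and most fields are left out.
SAMPLE = '''\
[Mon Mar 29 09:33:52.270508 2021] timestamp="1617003232" srcip="192.0.2.10" method="POST" statuscode="200" duration="16620" url="/KdcProxy" uagent="kerberos/1.0" ruleid="63"
[Mon Mar 29 09:33:52.733368 2021] timestamp="1617003232" srcip="192.0.2.10" method="RDG_OUT_DATA" statuscode="401" duration="9434" url="/remoteDesktopGateway/" uagent="MS-RDGateway/1.0" ruleid="63"
[Mon Mar 29 09:33:53.786373 2021] timestamp="1617003233" srcip="192.0.2.10" method="RDG_IN_DATA" statuscode="200" duration="21208" url="/remoteDesktopGateway/" uagent="MS-RDGateway/1.0" ruleid="63"
[Mon Mar 29 09:33:53.903697 2021] timestamp="1617003233" srcip="192.0.2.10" method="RDG_IN_DATA" statuscode="408" duration="20115550" url="/remoteDesktopGateway/" uagent="MS-RDGateway/1.0" ruleid="63"
[Mon Mar 29 09:34:16.020616 2021] [proxy_http:error] [pid 25647:tid 1] (104)Connection reset by peer: [client 192.0.2.10:59818] AH01110: error reading response
'''

FIELD = re.compile(r'([\w-]+)="([^"]*)"')

def parse_line(line):
    """Return the key="value" fields of an access record, or None for an
    Apache error-log line (those carry no timestamp= field)."""
    fields = dict(FIELD.findall(line))
    return fields if "timestamp" in fields else None

def summarize(text):
    """Count (method, url, status) triples; collect 4xx/5xx records and
    raw error-log lines separately so they can be read side by side."""
    counts, flagged, errors = Counter(), [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = parse_line(line)
        if rec is None:
            errors.append(line)
            continue
        status = rec.get("statuscode", "-")
        counts[(rec.get("method"), rec.get("url"), status)] += 1
        if status.isdigit() and int(status) >= 400:
            dur = rec.get("duration", "")
            flagged.append((rec["timestamp"], rec.get("method"), rec.get("url"),
                            status, int(dur) if dur.isdigit() else 0))
    return counts, flagged, errors

if __name__ == "__main__":
    counts, flagged, errors = summarize(SAMPLE)
    for key, n in sorted(counts.items()):
        print(n, *key)
    for row in flagged:
        print("check:", *row)
    for e in errors:
        print("error-log:", e)
```

To run it against a real capture, pass the file contents to `summarize()` instead of `SAMPLE`.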
