TACACS+ Getting blocked by XG

Set up TACACS+ on the network and set up rules to permit by IP from the server network to the switch network, but getting a Denied "Invalid TCP state" for port 49 on the firewall.

Policy Test Attached (Passed)

Firewall Logs Attached



  • FormerMember

    Hi ,

    How are 172.16.14.xx and 172.16.1.x connected? Are they located behind different ports of the XG?

    Could you please check the packet flow in CLI?

    ==> Log in via SSH > 5. Device Management > 3. Advanced Shell

    console> tcpdump 'host 172.16.1.1'

    or

    console> tcpdump 'port 49'

    ==> Check drop-packet-capture as well in another SSH session.

    console> drop-packet-capture 'host 172.16.1.1'

    or

    console> drop-packet-capture 'port 49'

  • Yash,

    Correct, they are on two different interfaces on the firewall, permitted by IP.

    Attached tcpdump and packet capture: it shows the traffic being forwarded, but the firewall still shows the deny with the above error.

    XGS3300_RL01_SFOS 18.5.1 MR-1-Build326# tcpdump "port 49"
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
    10:26:58.190587 Port5, IN: ethertype IPv4, IP 172.16.1.1.45676 > 172.16.14.20.49: Flags [S], seq 701212836, win 4128, options [mss 536], length 0
    10:26:58.190587 Port5.9, IN: IP 172.16.1.1.45676 > 172.16.14.20.49: Flags [S], seq 701212836, win 4128, options [mss 536], length 0
    10:26:58.191077 PortF1.14, OUT: IP 172.16.1.1.45676 > 172.16.14.20.49: Flags [S], seq 701212836, win 4128, options [mss 536], length 0
    10:26:58.191686 PortF1, IN: ethertype IPv4, IP 172.16.14.20.49 > 172.16.1.1.45676: Flags [S.], seq 2693352892, ack 701212837, win 29200, options [mss 1460], length 0
    10:26:58.191686 PortF1.14, IN: IP 172.16.14.20.49 > 172.16.1.1.45676: Flags [S.], seq 2693352892, ack 701212837, win 29200, options [mss 1460], length 0
    10:26:58.191932 Port5.9, OUT: IP 172.16.14.20.49 > 172.16.1.1.45676: Flags [S.], seq 2693352892, ack 701212837, win 29200, options [mss 1460], length 0
    10:26:58.192356 Port5, IN: ethertype IPv4, IP 172.16.1.1.45676 > 172.16.14.20.49: Flags [.], ack 1, win 4128, length 0
    10:26:58.192356 Port5.9, IN: IP 172.16.1.1.45676 > 172.16.14.20.49: Flags [.], ack 1, win 4128, length 0
    
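A stateful firewall keeps a per-flow record of where the TCP handshake has got to and only accepts a segment that fits that record; a segment it cannot place (for example a SYN-ACK for a flow whose SYN it never saw) is the kind of packet a stateful engine rejects rather than forwards. The script below is an added example, not code from the post or from Sophos: it parses tcpdump lines in the exact format pasted above (those lines are embedded as a constructed sample), replays what the firewall received through a minimal three-way-handshake state machine, and lists on which interface each direction of the flow entered and left, which is the check a practitioner makes when a capture shows forwarding but the log shows a deny. A second, constructed negative sample (not from the post) shows a SYN-ACK arriving with no prior SYN; the tracker reports it as fitting no known state. The state machine is a simplified model of conntrack-style tracking, not a description of the XG's own implementation.

```python
import re
from collections import defaultdict

# Constructed sample: the tcpdump lines from the post above, verbatim.
SAMPLE = """\
10:26:58.190587 Port5, IN: ethertype IPv4, IP 172.16.1.1.45676 > 172.16.14.20.49: Flags [S], seq 701212836, win 4128, options [mss 536], length 0
10:26:58.190587 Port5.9, IN: IP 172.16.1.1.45676 > 172.16.14.20.49: Flags [S], seq 701212836, win 4128, options [mss 536], length 0
10:26:58.191077 PortF1.14, OUT: IP 172.16.1.1.45676 > 172.16.14.20.49: Flags [S], seq 701212836, win 4128, options [mss 536], length 0
10:26:58.191686 PortF1, IN: ethertype IPv4, IP 172.16.14.20.49 > 172.16.1.1.45676: Flags [S.], seq 2693352892, ack 701212837, win 29200, options [mss 1460], length 0
10:26:58.191686 PortF1.14, IN: IP 172.16.14.20.49 > 172.16.1.1.45676: Flags [S.], seq 2693352892, ack 701212837, win 29200, options [mss 1460], length 0
10:26:58.191932 Port5.9, OUT: IP 172.16.14.20.49 > 172.16.1.1.45676: Flags [S.], seq 2693352892, ack 701212837, win 29200, options [mss 1460], length 0
10:26:58.192356 Port5, IN: ethertype IPv4, IP 172.16.1.1.45676 > 172.16.14.20.49: Flags [.], ack 1, win 4128, length 0
10:26:58.192356 Port5.9, IN: IP 172.16.1.1.45676 > 172.16.14.20.49: Flags [.], ack 1, win 4128, length 0
"""

# Constructed negative case (not from the post): a SYN-ACK arrives for a flow whose SYN
# the firewall never saw, so a stateful tracker has no state to match it against.
SAMPLE_NO_SYN = """\
10:30:00.000001 PortF1, IN: ethertype IPv4, IP 172.16.14.20.49 > 172.16.1.1.45700: Flags [S.], seq 1, ack 1, win 29200, options [mss 1460], length 0
"""

# One tcpdump line as printed on the XG console: timestamp, interface, IN/OUT, 4-tuple, flags.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+), (?P<dir>IN|OUT): (?:ethertype IPv4, )?IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse(text):
    """Turn tcpdump text into a list of packet dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def classify(flags):
    """Map tcpdump's flag string ('S', 'S.', '.', 'P.', 'F.', 'R') to a handshake event."""
    if "R" in flags:
        return "RST"
    if "S" in flags and "." in flags:
        return "SYN-ACK"
    if "S" in flags:
        return "SYN"
    if "F" in flags:
        return "FIN"
    return "ACK"


def track(packets):
    """Replay the packets the firewall received through a minimal 3-way-handshake tracker.

    Returns (states, anomalies, paths):
      states    flow key -> last handshake state reached
      anomalies list of (flow key, description) for segments that fit no expected state
      paths     flow key -> {direction: [(iface, IN|OUT), ...]}, i.e. where each direction
                of the flow was seen entering and leaving the firewall
    """
    states, origin, anomalies, seen = {}, {}, [], set()
    paths = defaultdict(lambda: defaultdict(set))
    for p in packets:
        a, b = (p["src"], int(p["sport"])), (p["dst"], int(p["dport"]))
        key = tuple(sorted([a, b]))  # same key for both directions of the flow
        paths[key][f"{a[0]}:{a[1]}->{b[0]}:{b[1]}"].add((p["iface"], p["dir"]))
        if p["dir"] != "IN":
            continue  # state decisions are made on what the firewall receives, not what it emits
        # The parent interface and its VLAN sub-interface log the same packet twice; count it once.
        dedupe = (p["ts"], p["src"], p["sport"], p["dst"], p["dport"], p["flags"])
        if dedupe in seen:
            continue
        seen.add(dedupe)
        kind, state = classify(p["flags"]), states.get(key)
        if state is None and kind == "SYN":
            states[key], origin[key] = "SYN_SENT", a
        elif state == "SYN_SENT" and kind == "SYN" and a == origin[key]:
            pass  # SYN retransmit from the originator
        elif state == "SYN_SENT" and kind == "SYN-ACK" and a != origin[key]:
            states[key] = "SYN_RECV"
        elif state == "SYN_RECV" and kind == "ACK" and a == origin[key]:
            states[key] = "ESTABLISHED"
        elif state == "ESTABLISHED" and kind in ("ACK", "FIN", "RST"):
            pass  # data transfer and teardown are not modelled further here
        else:
            anomalies.append((key, f"{kind} from {a[0]}:{a[1]} while flow state is {state}"))
    return states, anomalies, {k: {d: sorted(v) for d, v in dd.items()} for k, dd in paths.items()}


def report(text):
    """Print the handshake state, the interface path per direction and any anomalies."""
    states, anomalies, paths = track(parse(text))
    for key, dirs in paths.items():
        print(f"flow {key}: state={states.get(key)}")
        for direction, hops in dirs.items():
            print(f"  {direction}: {hops}")
    for key, why in anomalies:
        print(f"  ANOMALY {key}: {why}")
    return states, anomalies, paths


if __name__ == "__main__":
    report(SAMPLE)
    report(SAMPLE_NO_SYN)
```

On the posted capture the tracker reaches ESTABLISHED with no anomalies and shows both directions passing the same interface pair (Port5/Port5.9 on one side, PortF1/PortF1.14 on the other), so the console capture alone does not explain the deny; that is why the next reply asks for a file capture, which keeps the full headers and timing that the printed summary lines drop.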

  • FormerMember, in reply to Ben Sanderson

    Hi ,

    Could you please generate a packet capture file and share it via PM?

    Sophos Firewall: Create and download a packet capture

    Use the command below in step 5 to capture the traffic:

    console> tcpdump filedump 'host 172.16.1.1 and host 172.16.14.20' -s0

    If the whole communication is on port 49, then you can use the command below as well.

    console> tcpdump filedump 'port 49' -s0
