XG230- Strange rules action

Hi,

I have an XG230, with an IPSec VPN configured. The IPSec tunnel is "green" light.

I have a firewall rule with these settings:

Sources zones: LAN, VPN

Source networks: LAN Subnet, VPN Subnet

Destination zones: LAN,VPN

Destination networks: LAN Subnet, VPN Subnet

Services: ANY

From my understanding, I should be able to run any services across the IPSec tunnel, but I'm facing a strange issue:

Port 53 UDP (DNS) is working (I can see it in the logs) from 192.168.21.13 to my remote machine 172.24.10.152

Port 23560 TCP is not working (also in the logs), as it's rejected by Rule 0, from 192.168.21.16 to my remote machine 172.24.10.152

What could cause this issue? This is preventing me from completing monitoring tasks.

Thanks a lot, this is really causing me a strong headache!

Thomas

  • Can you post a screenshot of those drops? Because it sounds like invalid traffic, which means the connection on an APP level is not working (which is not related to the firewall).

  • Hi,

    Here are the drops:

    What do you mean by "not related to the firewall"?

    Thanks for your help

  • Yeah, that's invalid traffic. Which means, basically, the connection is there, but the layer above the network layer closes the connection.

    So the server can talk to the client. But the client or the server closes the connection for whatever reason. Most protocols send multiple "Please kill connection" packets to the peer. The firewall picks up this traffic and drops it as invalid traffic (because it's not relevant anymore).

    So it looks like the connection is there, but the client or the server closes the connection. Could be an app or program issue.

  • I'm sorry, but I do not understand. How could I solve this issue? PRTG server has been restarted, but the situation is still the same.

    I cannot see the connection listed in "Diagnostics->Connection list", so for me, there's no connection.

  • Check the PRTG Server logs and check the App. This is highly unlikely an issue with the firewall or the network.

    The connection is established but closed. Therefore you won't see any connection in Connection list.

    The connection list shows only established connections. But your connection will be built up, then closed after some seconds.

    There could be plenty of reasons: Certificate, TLS Handshake, invalid credentials etc. But none of them are actually related to the firewall.

  • Could it be a bit more complex than this? For example, if you're doing TLS decryption, then the firewall does a man-in-the-middle, which most software will ignore as long as the firewall's CA certificate is trusted by the device. But if the server and client are actively checking for a pinned certificate or for a MiTM certificate, they can drop the connection.

    So it could be a firewall issue in the sense of doing TLS decryption on a connection that won't allow an MiTM, requiring an exception?

  • Hi Wayne, thanks for your answer! Just a quick reply as I finally managed to find the reason why I had this issue, and that's totally my fault. The legacy router was still connected, causing asymmetrical routing. Altering the VPN config of my old Cisco 1901 did the job, and I can now fully enjoy my Sophos XG230 :) Thanks everyone!
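A small triage script for the two explanations that came up in this thread (the "application closed it" reading of the invalid drops, and the asymmetric routing through a second router that turned out to be the cause), added here as an example; it is not code from the thread or from Sophos. The key=value log layout, the IPs and the ports are constructed, and the logic is the defender's heuristic: a flow whose invalid drops appear even though only one side ever passed the firewall points at a reply path that bypasses it, while invalid drops on a flow that was accepted in both directions are just late close packets.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified key=value layout (not the real Sophos XG
# log format). Flow A is the working UDP/53 exchange; flow B is TCP/23560 where only
# the client side ever reaches the firewall (replies take another router), so the
# client's follow-up packets are dropped as invalid; flow C is a completed TCP/443
# handshake followed by one late RST dropped as invalid (the application closed it).
SAMPLE_LOG = """\
act=accept proto=udp src=192.168.21.13:41234 dst=172.24.10.152:53 flags=-
act=accept proto=udp src=172.24.10.152:53 dst=192.168.21.13:41234 flags=-
act=accept proto=tcp src=192.168.21.16:51000 dst=172.24.10.152:23560 flags=S
act=drop rule=0 reason=invalid proto=tcp src=192.168.21.16:51000 dst=172.24.10.152:23560 flags=A
act=drop rule=0 reason=invalid proto=tcp src=192.168.21.16:51000 dst=172.24.10.152:23560 flags=PA
act=accept proto=tcp src=192.168.21.20:52000 dst=172.24.10.152:443 flags=S
act=accept proto=tcp src=172.24.10.152:443 dst=192.168.21.20:52000 flags=SA
act=accept proto=tcp src=192.168.21.20:52000 dst=172.24.10.152:443 flags=A
act=drop rule=0 reason=invalid proto=tcp src=172.24.10.152:443 dst=192.168.21.20:52000 flags=R
"""
KV = re.compile(r"(\w+)=(\S+)")

def flow_key(rec):
    """Canonical key so both directions of one flow land in the same bucket."""
    a, b = sorted([rec["src"], rec["dst"]])
    return (rec["proto"], a, b)

def triage(log_text):
    """Return {flow_key: verdict} with verdict 'ok', 'late_teardown' or 'asymmetric'."""
    accepted_senders = defaultdict(set)  # flow -> endpoints whose packets were accepted
    invalid_drops = defaultdict(int)     # flow -> number of drops marked invalid
    for line in log_text.splitlines():
        rec = dict(KV.findall(line))
        if not rec:
            continue
        key = flow_key(rec)
        if rec["act"] == "accept":
            accepted_senders[key].add(rec["src"])
        elif rec.get("reason") == "invalid":
            invalid_drops[key] += 1
    verdicts = {}
    for key in set(accepted_senders) | set(invalid_drops):
        if invalid_drops[key] == 0:
            verdicts[key] = "ok"
        elif len(accepted_senders[key]) == 2:
            # Both sides passed: the session existed; late invalid drops are the peer's close packets.
            verdicts[key] = "late_teardown"
        else:
            # One side never passed this firewall: the reply path bypasses it (asymmetric routing).
            verdicts[key] = "asymmetric"
    return verdicts
```

Run it against an export of the real drop log after converting the lines to the same key=value fields; a flow that lands in `asymmetric` is the one to check for a second default gateway or a stale route before touching the firewall rule.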