How to log Drops from advanced-firewall checks

Hello,

We have a client-server based application, where the server is in a different VLAN from the clients.

The communication between both VLANs is routed via Sophos XG VLAN interfaces. (XG430 / 18.5 MR1)

The GUI firewall rules are configured to allow everything for both VLAN networks in each direction.

However, this client-server based application doesn't work with this setup.

The only way to get the application working as expected is to set the advanced-firewall bypass via the CLI.

I assume that the application is not working 100% RFC conformant and, for example, the XG TCP sequence checking drops the packet.

My problem is, I can't see any dropped packets in any log on the XG firewall.

I need to know exactly why the firewall is dropping that traffic in order to contact the application vendor if something is not RFC compliant on the application side.

Can you please tell me how to log such drops from the advanced-firewall checks?

Thank you for help!



This thread was automatically locked due to age.
  • Hi,

    Using the log viewer, refine your search to the server's IP address to see where the traffic might be going?

    Ian

  • I already filtered the GUI LogViewer for source/destination and can't see any problem-related log entries.

    No invalid traffic or anything like that.

    I tried to enable all log options in System Services -> Log Settings -> Local Reporting, but still no log entry while reproducing the problem.

  • At the server (172.17.1.11) there is an IIS running on port 8080.

    Also on the server, the application Ivanti DSM Console is installed, which connects to the IIS via port 8080.

    On the client (172.17.2.11), the DSM Console application is started via a UNC link from the server over SMB 445.

    The application first starts normally, and while connecting to the IIS on port 8080 the connection cannot be established.

    tcpdump (while the bypass rule is deleted)

    XG430_WP02_SFOS 18.5.1 MR-1-Build326# tcpdump -ni any port 8080
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
    16:54:38.905706 Port9, IN: ethertype IPv4, IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [SEW], seq 1558794702, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    16:54:38.905706 LAG_DSW, IN: ethertype IPv4, IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [SEW], seq 1558794702, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    16:54:38.905706 LAG_DSW.102, IN: IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [SEW], seq 1558794702, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    16:54:38.906018 LAG_DSW.101, OUT: IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [SEW], seq 1558794702, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    16:54:38.906020 LAG_DSW, OUT: ethertype IPv4, IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [SEW], seq 1558794702, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    16:54:38.906020 Port10, OUT: ethertype IPv4, IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [SEW], seq 1558794702, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    16:54:38.906255 Port9, IN: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52472: Flags [S.E], seq 3154676273, ack 1558794703, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    16:54:38.906255 LAG_DSW, IN: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52472: Flags [S.E], seq 3154676273, ack 1558794703, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    16:54:38.906255 LAG_DSW.101, IN: IP 172.17.1.11.8080 > 172.17.2.11.52472: Flags [S.E], seq 3154676273, ack 1558794703, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    16:54:38.906418 LAG_DSW.102, OUT: IP 172.17.1.11.8080 > 172.17.2.11.52472: Flags [S.E], seq 3154676273, ack 1558794703, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    16:54:38.906419 LAG_DSW, OUT: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52472: Flags [S.E], seq 3154676273, ack 1558794703, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    16:54:38.906420 Port10, OUT: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52472: Flags [S.E], seq 3154676273, ack 1558794703, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    16:54:38.906629 Port9, IN: ethertype IPv4, IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [.], ack 1, win 8212, length 0
    16:54:38.906629 LAG_DSW, IN: ethertype IPv4, IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [.], ack 1, win 8212, length 0
    16:54:38.906629 LAG_DSW.102, IN: IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [.], ack 1, win 8212, length 0
    16:54:38.906629 Port9, IN: ethertype IPv4, IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [P.], seq 1:243, ack 1, win 8212, length 242: HTTP: POST /blsAdministration/AdministrationService.asmx HTTP/1.1
    16:54:38.906629 LAG_DSW, IN: ethertype IPv4, IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [P.], seq 1:243, ack 1, win 8212, length 242: HTTP: POST /blsAdministration/AdministrationService.asmx HTTP/1.1
    16:54:38.906629 LAG_DSW.102, IN: IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [P.], seq 1:243, ack 1, win 8212, length 242: HTTP: POST /blsAdministration/AdministrationService.asmx HTTP/1.1
    16:54:38.906630 Port9, IN: ethertype IPv4, IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [P.], seq 243:1177, ack 1, win 8212, length 934: HTTP
    16:54:38.906630 LAG_DSW, IN: ethertype IPv4, IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [P.], seq 243:1177, ack 1, win 8212, length 934: HTTP
    16:54:38.906878 LAG_DSW.101, OUT: IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [.], ack 1, win 8212, length 0
    16:54:38.906880 LAG_DSW, OUT: ethertype IPv4, IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [.], ack 1, win 8212, length 0
    16:54:38.906881 Port10, OUT: ethertype IPv4, IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [.], ack 1, win 8212, length 0
    16:54:38.906883 LAG_DSW.101, OUT: IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [P.], seq 1:243, ack 1, win 8212, length 242: HTTP: POST /blsAdministration/AdministrationService.asmx HTTP/1.1
    16:54:38.906883 LAG_DSW, OUT: ethertype IPv4, IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [P.], seq 1:243, ack 1, win 8212, length 242: HTTP: POST /blsAdministration/AdministrationService.asmx HTTP/1.1
    16:54:38.906884 Port10, OUT: ethertype IPv4, IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [P.], seq 1:243, ack 1, win 8212, length 242: HTTP: POST /blsAdministration/AdministrationService.asmx HTTP/1.1
    16:54:38.915907 Port9, IN: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52472: Flags [.], seq 1:1461, ack 243, win 8212, length 1460: HTTP: HTTP/1.1 401 Unauthorized
    16:54:38.915907 LAG_DSW, IN: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52472: Flags [.], seq 1:1461, ack 243, win 8212, length 1460: HTTP: HTTP/1.1 401 Unauthorized
    16:54:38.915907 LAG_DSW.101, IN: IP 172.17.1.11.8080 > 172.17.2.11.52472: Flags [.], seq 1:1461, ack 243, win 8212, length 1460: HTTP: HTTP/1.1 401 Unauthorized
    16:54:38.915907 Port9, IN: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52472: Flags [P.], seq 1461:1511, ack 243, win 8212, length 50: HTTP
    16:54:38.915907 LAG_DSW, IN: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52472: Flags [P.], seq 1461:1511, ack 243, win 8212, length 50: HTTP
    16:54:38.915907 LAG_DSW.101, IN: IP 172.17.1.11.8080 > 172.17.2.11.52472: Flags [P.], seq 1461:1511, ack 243, win 8212, length 50: HTTP
    16:54:38.916071 LAG_DSW.101, OUT: IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [R.], seq 243, ack 1461, win 0, length 0
    16:54:38.916074 LAG_DSW, OUT: ethertype IPv4, IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [R.], seq 243, ack 1461, win 0, length 0
    16:54:38.916074 Port10, OUT: ethertype IPv4, IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [R.], seq 243, ack 1461, win 0, length 0
    16:54:38.916079 LAG_DSW.102, OUT: IP 172.17.1.11.8080 > 172.17.2.11.52472: Flags [R.], seq 1, ack 243, win 0, length 0
    16:54:38.916079 LAG_DSW, OUT: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52472: Flags [R.], seq 1, ack 243, win 0, length 0
    16:54:38.916080 Port10, OUT: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52472: Flags [R.], seq 1, ack 243, win 0, length 0
    

    tcpdump (while the bypass rule is set)

    XG430_WP02_SFOS 18.5.1 MR-1-Build326# tcpdump -ni any port 8080
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
    17:04:18.674050 Port9, IN: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [SEW], seq 2490550846, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    17:04:18.674050 LAG_DSW, IN: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [SEW], seq 2490550846, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    17:04:18.674050 LAG_DSW.102, IN: IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [SEW], seq 2490550846, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    17:04:18.674057 LAG_DSW.101, OUT: IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [SEW], seq 2490550846, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    17:04:18.674059 LAG_DSW, OUT: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [SEW], seq 2490550846, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    17:04:18.674060 Port10, OUT: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [SEW], seq 2490550846, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    17:04:18.674218 Port9, IN: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [S.E], seq 3316352020, ack 2490550847, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    17:04:18.674218 LAG_DSW, IN: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [S.E], seq 3316352020, ack 2490550847, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    17:04:18.674218 LAG_DSW.101, IN: IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [S.E], seq 3316352020, ack 2490550847, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    17:04:18.674224 LAG_DSW.102, OUT: IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [S.E], seq 3316352020, ack 2490550847, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    17:04:18.674225 LAG_DSW, OUT: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [S.E], seq 3316352020, ack 2490550847, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    17:04:18.674225 Port10, OUT: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [S.E], seq 3316352020, ack 2490550847, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    17:04:18.674720 Port9, IN: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [.], ack 1, win 8212, length 0
    17:04:18.674720 LAG_DSW, IN: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [.], ack 1, win 8212, length 0
    17:04:18.674720 LAG_DSW.102, IN: IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [.], ack 1, win 8212, length 0
    17:04:18.674725 LAG_DSW.101, OUT: IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [.], ack 1, win 8212, length 0
    17:04:18.674725 LAG_DSW, OUT: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [.], ack 1, win 8212, length 0
    17:04:18.674726 Port10, OUT: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [.], ack 1, win 8212, length 0
    17:04:18.674850 Port9, IN: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [P.], seq 1:243, ack 1, win 8212, length 242: HTTP: POST /blsAdministration/AdministrationService.asmx HTTP/1.1
    17:04:18.674850 LAG_DSW, IN: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [P.], seq 1:243, ack 1, win 8212, length 242: HTTP: POST /blsAdministration/AdministrationService.asmx HTTP/1.1
    17:04:18.674850 LAG_DSW.102, IN: IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [P.], seq 1:243, ack 1, win 8212, length 242: HTTP: POST /blsAdministration/AdministrationService.asmx HTTP/1.1
    17:04:18.674857 LAG_DSW.101, OUT: IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [P.], seq 1:243, ack 1, win 8212, length 242: HTTP: POST /blsAdministration/AdministrationService.asmx HTTP/1.1
    17:04:18.674858 LAG_DSW, OUT: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [P.], seq 1:243, ack 1, win 8212, length 242: HTTP: POST /blsAdministration/AdministrationService.asmx HTTP/1.1
    17:04:18.674858 Port10, OUT: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [P.], seq 1:243, ack 1, win 8212, length 242: HTTP: POST /blsAdministration/AdministrationService.asmx HTTP/1.1
    17:04:18.674851 Port9, IN: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [P.], seq 243:1177, ack 1, win 8212, length 934: HTTP
    17:04:18.674851 LAG_DSW, IN: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [P.], seq 243:1177, ack 1, win 8212, length 934: HTTP
    17:04:18.674996 Port9, IN: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [.], ack 1177, win 8212, length 0
    17:04:18.674996 LAG_DSW, IN: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [.], ack 1177, win 8212, length 0
    17:04:18.674996 LAG_DSW.101, IN: IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [.], ack 1177, win 8212, length 0
    17:04:18.675002 LAG_DSW.102, OUT: IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [.], ack 1177, win 8212, length 0
    17:04:18.675003 LAG_DSW, OUT: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [.], ack 1177, win 8212, length 0
    17:04:18.675003 Port10, OUT: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [.], ack 1177, win 8212, length 0
    17:04:18.677552 Port9, IN: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [.], seq 1:1461, ack 1177, win 8212, length 1460: HTTP: HTTP/1.1 401 Unauthorized
    17:04:18.677552 LAG_DSW, IN: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [.], seq 1:1461, ack 1177, win 8212, length 1460: HTTP: HTTP/1.1 401 Unauthorized
    17:04:18.677552 LAG_DSW.101, IN: IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [.], seq 1:1461, ack 1177, win 8212, length 1460: HTTP: HTTP/1.1 401 Unauthorized
    17:04:18.677558 LAG_DSW.102, OUT: IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [.], seq 1:1461, ack 1177, win 8212, length 1460: HTTP: HTTP/1.1 401 Unauthorized
    17:04:18.677559 LAG_DSW, OUT: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [.], seq 1:1461, ack 1177, win 8212, length 1460: HTTP: HTTP/1.1 401 Unauthorized
    17:04:18.677560 Port10, OUT: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [.], seq 1:1461, ack 1177, win 8212, length 1460: HTTP: HTTP/1.1 401 Unauthorized
    17:04:18.677552 Port9, IN: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [P.], seq 1461:1511, ack 1177, win 8212, length 50: HTTP
    17:04:18.677552 LAG_DSW, IN: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [P.], seq 1461:1511, ack 1177, win 8212, length 50: HTTP
    17:04:18.677681 Port9, IN: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [.], ack 1511, win 8212, length 0
    17:04:18.677681 LAG_DSW, IN: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [.], ack 1511, win 8212, length 0
    17:04:18.677681 LAG_DSW.102, IN: IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [.], ack 1511, win 8212, length 0
    17:04:18.677686 LAG_DSW.101, OUT: IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [.], ack 1511, win 8212, length 0
    17:04:18.677687 LAG_DSW, OUT: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [.], ack 1511, win 8212, length 0
    17:04:18.677688 Port10, OUT: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [.], ack 1511, win 8212, length 0
    17:04:18.791519 Port9, IN: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [.], seq 1177:2637, ack 1511, win 8212, length 1460: HTTP: POST /blsAdministration/AdministrationService.asmx HTTP/1.1
    17:04:18.791519 LAG_DSW, IN: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [.], seq 1177:2637, ack 1511, win 8212, length 1460: HTTP: POST /blsAdministration/AdministrationService.asmx HTTP/1.1
    17:04:18.791519 LAG_DSW.102, IN: IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [.], seq 1177:2637, ack 1511, win 8212, length 1460: HTTP: POST /blsAdministration/AdministrationService.asmx HTTP/1.1
    17:04:18.791529 LAG_DSW.101, OUT: IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [.], seq 1177:2637, ack 1511, win 8212, length 1460: HTTP: POST /blsAdministration/AdministrationService.asmx HTTP/1.1
    17:04:18.791531 LAG_DSW, OUT: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [.], seq 1177:2637, ack 1511, win 8212, length 1460: HTTP: POST /blsAdministration/AdministrationService.asmx HTTP/1.1
    17:04:18.791532 Port10, OUT: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [.], seq 1177:2637, ack 1511, win 8212, length 1460: HTTP: POST /blsAdministration/AdministrationService.asmx HTTP/1.1
    17:04:18.791520 Port9, IN: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [.], seq 2637:4097, ack 1511, win 8212, length 1460: HTTP
    17:04:18.791520 LAG_DSW, IN: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [.], seq 2637:4097, ack 1511, win 8212, length 1460: HTTP
    17:04:18.791649 Port9, IN: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [P.], seq 5338:6272, ack 1511, win 8212, length 934: HTTP
    17:04:18.791649 LAG_DSW, IN: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [P.], seq 5338:6272, ack 1511, win 8212, length 934: HTTP
    17:04:18.791649 LAG_DSW.102, IN: IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [P.], seq 5338:6272, ack 1511, win 8212, length 934: HTTP
    17:04:18.791657 LAG_DSW.101, OUT: IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [P.], seq 5338:6272, ack 1511, win 8212, length 934: HTTP
    17:04:18.791658 LAG_DSW, OUT: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [P.], seq 5338:6272, ack 1511, win 8212, length 934: HTTP
    17:04:18.791659 Port10, OUT: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [P.], seq 5338:6272, ack 1511, win 8212, length 934: HTTP
    17:04:18.791778 Port9, IN: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [.], ack 5338, win 8212, length 0
    17:04:18.791778 LAG_DSW, IN: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [.], ack 5338, win 8212, length 0
    17:04:18.791778 LAG_DSW.101, IN: IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [.], ack 5338, win 8212, length 0
    17:04:18.791784 LAG_DSW.102, OUT: IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [.], ack 5338, win 8212, length 0
    17:04:18.791785 LAG_DSW, OUT: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [.], ack 5338, win 8212, length 0
    17:04:18.791786 Port10, OUT: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [.], ack 5338, win 8212, length 0
    17:04:18.791779 Port9, IN: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [.], ack 6272, win 8208, length 0
    17:04:18.791779 LAG_DSW, IN: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [.], ack 6272, win 8208, length 0
    17:04:18.808504 Port9, IN: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [P.], seq 1511:2556, ack 6272, win 8208, length 1045: HTTP: HTTP/1.1 200 OK
    17:04:18.808504 LAG_DSW, IN: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [P.], seq 1511:2556, ack 6272, win 8208, length 1045: HTTP: HTTP/1.1 200 OK
    17:04:18.808504 LAG_DSW.101, IN: IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [P.], seq 1511:2556, ack 6272, win 8208, length 1045: HTTP: HTTP/1.1 200 OK
    17:04:18.808511 LAG_DSW.102, OUT: IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [P.], seq 1511:2556, ack 6272, win 8208, length 1045: HTTP: HTTP/1.1 200 OK
    17:04:18.808512 LAG_DSW, OUT: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [P.], seq 1511:2556, ack 6272, win 8208, length 1045: HTTP: HTTP/1.1 200 OK
    17:04:18.808513 Port10, OUT: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [P.], seq 1511:2556, ack 6272, win 8208, length 1045: HTTP: HTTP/1.1 200 OK
    17:04:18.810584 Port9, IN: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [P.], seq 6272:6514, ack 2556, win 8208, length 242: HTTP: POST /blsAdministration/AdministrationService.asmx HTTP/1.1
    17:04:18.810584 LAG_DSW, IN: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [P.], seq 6272:6514, ack 2556, win 8208, length 242: HTTP: POST /blsAdministration/AdministrationService.asmx HTTP/1.1
    17:04:18.810584 LAG_DSW.102, IN: IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [P.], seq 6272:6514, ack 2556, win 8208, length 242: HTTP: POST /blsAdministration/AdministrationService.asmx HTTP/1.1
    17:04:18.810591 LAG_DSW.101, OUT: IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [P.], seq 6272:6514, ack 2556, win 8208, length 242: HTTP: POST /blsAdministration/AdministrationService.asmx HTTP/1.1
    17:04:18.810592 LAG_DSW, OUT: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [P.], seq 6272:6514, ack 2556, win 8208, length 242: HTTP: POST /blsAdministration/AdministrationService.asmx HTTP/1.1
    17:04:18.810592 Port10, OUT: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [P.], seq 6272:6514, ack 2556, win 8208, length 242: HTTP: POST /blsAdministration/AdministrationService.asmx HTTP/1.1
    17:04:18.810712 Port9, IN: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [P.], seq 6514:7448, ack 2556, win 8208, length 934: HTTP
    17:04:18.810712 LAG_DSW, IN: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [P.], seq 6514:7448, ack 2556, win 8208, length 934: HTTP
    17:04:18.810712 LAG_DSW.102, IN: IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [P.], seq 6514:7448, ack 2556, win 8208, length 934: HTTP
    17:04:18.810718 LAG_DSW.101, OUT: IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [P.], seq 6514:7448, ack 2556, win 8208, length 934: HTTP
    17:04:18.810718 LAG_DSW, OUT: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [P.], seq 6514:7448, ack 2556, win 8208, length 934: HTTP
    17:04:18.810719 Port10, OUT: ethertype IPv4, IP 172.17.2.11.52580 > 172.17.1.11.8080: Flags [P.], seq 6514:7448, ack 2556, win 8208, length 934: HTTP
    17:04:18.810841 Port9, IN: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [.], ack 7448, win 8212, length 0
    17:04:18.810841 LAG_DSW, IN: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [.], ack 7448, win 8212, length 0
    17:04:18.810841 LAG_DSW.101, IN: IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [.], ack 7448, win 8212, length 0
    17:04:18.810846 LAG_DSW.102, OUT: IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [.], ack 7448, win 8212, length 0
    17:04:18.810847 LAG_DSW, OUT: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [.], ack 7448, win 8212, length 0
    17:04:18.810847 Port10, OUT: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [.], ack 7448, win 8212, length 0
    17:04:18.833897 Port9, IN: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [P.], seq 2556:3323, ack 7448, win 8212, length 767: HTTP: HTTP/1.1 200 OK
    17:04:18.833897 LAG_DSW, IN: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [P.], seq 2556:3323, ack 7448, win 8212, length 767: HTTP: HTTP/1.1 200 OK
    17:04:18.833897 LAG_DSW.101, IN: IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [P.], seq 2556:3323, ack 7448, win 8212, length 767: HTTP: HTTP/1.1 200 OK
    17:04:18.833904 LAG_DSW.102, OUT: IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [P.], seq 2556:3323, ack 7448, win 8212, length 767: HTTP: HTTP/1.1 200 OK
    17:04:18.833905 LAG_DSW, OUT: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [P.], seq 2556:3323, ack 7448, win 8212, length 767: HTTP: HTTP/1.1 200 OK
    17:04:18.833907 Port10, OUT: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52580: Flags [P.], seq 2556:3323, ack 7448, win 8212, length 767: HTTP: HTTP/1.1 200 OK
    ... a lot more lines, but I think they are irrelevant here

    The dropped-packet capture doesn't show anything at the same time.

    I double-checked the network basics many times, but I cannot see any failure here.

    Do you have any idea how to log the asymmetrical routing?

  • Do you have a proxy enabled on these connections?

    Because it looks like the firewall is dropping / resetting these connections.

    16:54:38.916071 LAG_DSW.101, OUT: IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [R.], seq 243, ack 1461, win 0, length 0
    16:54:38.916074 LAG_DSW, OUT: ethertype IPv4, IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [R.], seq 243, ack 1461, win 0, length 0
    16:54:38.916074 Port10, OUT: ethertype IPv4, IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [R.], seq 243, ack 1461, win 0, length 0
    16:54:38.916079 LAG_DSW.102, OUT: IP 172.17.1.11.8080 > 172.17.2.11.52472: Flags [R.], seq 1, ack 243, win 0, length 0
    16:54:38.916079 LAG_DSW, OUT: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52472: Flags [R.], seq 1, ack 243, win 0, length 0
    16:54:38.916080 Port10, OUT: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52472: Flags [R.], seq 1,

    Those RESET packets are sent by the firewall, which means the firewall is resetting the traffic, which indicates a proxy enabled on this traffic.
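The reasoning in that reply (a reset that appears only on the OUT side of a `tcpdump -ni any` capture was generated by the firewall, not forwarded) can be automated. The following Python script is an added example, not code from the thread or from Sophos: it parses the cooked-capture line format, keeps only packets with the RST flag, and reports flows whose resets were never seen entering the box. The sample lines are copied from the capture above, except the two `16:55:01` lines, which are constructed to show a client-sent RST that the firewall merely forwards.

```python
import re
from collections import defaultdict

# Regex for one line of `tcpdump -ni any` output (Linux cooked capture).
# The "ethertype IPv4," token is printed on the physical/LAG interfaces
# but not on the VLAN sub-interfaces, so it is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<iface>\S+),\s+(?P<dir>IN|OUT):\s+"
    r"(?:ethertype IPv4,\s+)?IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"Flags\s+\[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict for a packet line, or None for banners and other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def find_locally_generated_resets(lines):
    """Return the flows (src, sport, dst, dport) whose RST packets were seen
    only in the OUT direction.  On a capture of the `any` pseudo-interface a
    forwarded packet shows up twice, IN on the ingress interface and OUT on
    the egress interface; a packet the firewall itself generated has no IN
    copy at all, which distinguishes a proxy/IPS reset from one that the
    client or the server sent."""
    directions = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or "R" not in pkt["flags"]:
            continue
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        directions[key].add(pkt["dir"])
    return sorted(key for key, dirs in directions.items() if dirs == {"OUT"})


# Sample input: the banner and the 16:54:38 lines are copied from the capture
# in the thread; the two 16:55:01 lines are constructed to show a client-sent
# RST that the firewall forwards (seen IN on Port9, then OUT on the VLAN).
SAMPLE_CAPTURE = """\
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
16:54:38.906255 Port9, IN: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52472: Flags [S.E], seq 3154676273, ack 1558794703, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:54:38.906418 LAG_DSW.102, OUT: IP 172.17.1.11.8080 > 172.17.2.11.52472: Flags [S.E], seq 3154676273, ack 1558794703, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:54:38.916071 LAG_DSW.101, OUT: IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [R.], seq 243, ack 1461, win 0, length 0
16:54:38.916074 LAG_DSW, OUT: ethertype IPv4, IP 172.17.2.11.52472 > 172.17.1.11.8080: Flags [R.], seq 243, ack 1461, win 0, length 0
16:54:38.916079 LAG_DSW.102, OUT: IP 172.17.1.11.8080 > 172.17.2.11.52472: Flags [R.], seq 1, ack 243, win 0, length 0
16:54:38.916080 Port10, OUT: ethertype IPv4, IP 172.17.1.11.8080 > 172.17.2.11.52472: Flags [R.], seq 1, ack 243, win 0, length 0
16:55:01.000000 Port9, IN: ethertype IPv4, IP 172.17.2.11.52500 > 172.17.1.11.8080: Flags [R.], seq 1, ack 1, win 0, length 0
16:55:01.000010 LAG_DSW.101, OUT: IP 172.17.2.11.52500 > 172.17.1.11.8080: Flags [R.], seq 1, ack 1, win 0, length 0
"""

if __name__ == "__main__":
    for src, sport, dst, dport in find_locally_generated_resets(SAMPLE_CAPTURE.splitlines()):
        print(f"RST generated on the firewall: {src}:{sport} -> {dst}:{dport}")
```

Run on the sample it reports both directions of the 52472 connection (the firewall reset the client and the server at once) and ignores the forwarded 52500 reset. The check only makes sense on an `-i any` capture: a capture taken on a single interface has no IN copies for anything, so every packet would look locally generated.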

  • I found a second way to get the application working:

    1. I disabled the bypass rules

    2. I created firewall rule #6

    3. I entered the following command in the console

    set ips ac_atp exception fwrules 6

    -> After that the application is working as expected.

    -> I don't think the problem is caused by asymmetrical routing issues anymore.

    I have made a capture on server, client and XG while bypass and IPS rules are disabled, to recreate the failure while starting the application on the client.

    Sophos XG packet capture filtered on Port 8080

    Server

    Client

    My question now is:

    - is there any Sophos log possibility to trace such drops from Application Classification / ATP, or is the firewall dropping the traffic silently at this place?

    - what is your opinion on that? Is this an XG-specific problem (for example an ATP false positive etc.) or is this more likely an application problem?

  • Revert the change and check the conntrack of this connection (conntrack -E | grep 8080) on the advanced shell.

    Then check if there is a redirect happening. Seems like the proxy (Awarrenhttp) is intercepting this application. Likely because Web is enabled?

  • I reproduced the failure while the bypass and IPS settings are removed from the console.

    XG430_WP02_SFOS 18.5.1 MR-1-Build326# conntrack -E | grep 8080
    ...
        [NEW] proto=tcp      proto-no=6 timeout=120 state=SYN_SENT orig-src=172.17.2.11 orig-dst=172.17.1.11 orig-sport=60022 orig-dport=8080 [UNREPLIED] reply-src=172.17.1.11 reply-dst=172.17.2.11 reply-sport=8080 reply-dport=60022 id=4148903936 masterid=0 devin=LAG_DSW.102 devout=LAG_DSW.101 nseid=16784848 ips=0 sslvpnid=0 webfltid=0 appfltid=0 icapid=0 policytype=1 fwid=6 natid=0 fw_action=1 bwid=0 appid=0 appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0x1 sigoffload=0 inzone=12 outzone=11 devinindex=27 devoutindex=26 hb_src=0 hb_dst=0 flags0=0xa0000200020 flags1=0x10000800000 flagvalues=5,21,41,43,87,104 catid=0 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=c8:4f:86:fc:01:02 src_mac=00:50:56:bd:d9:6a startstamp=1636363431 microflow[0]=INVALID microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0 ipspid=0 diffserv=0 loindex=26 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=13661 current_state[1]=0 vlan_id=0 inmark=0x0 brinindex=0 sessionid=28523 sessionidrev=23757 session_update_rev=2 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=0 pbrid_dir1=0 nhop_id[0]=65535 nhop_id[1]=65535 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=NOT_OFFLOADED
     [UPDATE] proto=tcp      proto-no=6 timeout=60 state=SYN_RECV orig-src=172.17.2.11 orig-dst=172.17.1.11 orig-sport=60022 orig-dport=8080 reply-src=172.17.1.11 reply-dst=172.17.2.11 reply-sport=8080 reply-dport=60022 id=4148903936 masterid=0 devin=LAG_DSW.102 devout=LAG_DSW.101 nseid=16784848 ips=0 sslvpnid=0 webfltid=0 appfltid=0 icapid=0 policytype=1 fwid=6 natid=0 fw_action=1 bwid=0 appid=0 appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0x1 sigoffload=0 inzone=12 outzone=11 devinindex=27 devoutindex=26 hb_src=0 hb_dst=0 flags0=0xa0000200020 flags1=0x10000800000 flagvalues=5,21,41,43,87,104 catid=0 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=c8:4f:86:fc:01:02 src_mac=00:50:56:bd:d9:6a startstamp=1636363431 microflow[0]=INVALID microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0 ipspid=0 diffserv=0 loindex=26 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=13661 current_state[1]=13661 vlan_id=0 inmark=0x0 brinindex=0 sessionid=28523 sessionidrev=23757 session_update_rev=2 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=0 pbrid_dir1=0 nhop_id[0]=65535 nhop_id[1]=65535 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=NOT_OFFLOADED
     [UPDATE] proto=tcp      proto-no=6 timeout=10800 state=ESTABLISHED orig-src=172.17.2.11 orig-dst=172.17.1.11 orig-sport=60022 orig-dport=8080 reply-src=172.17.1.11 reply-dst=172.17.2.11 reply-sport=8080 reply-dport=60022 [ASSURED] id=4148903936 masterid=0 devin=LAG_DSW.102 devout=LAG_DSW.101 nseid=16784848 ips=0 sslvpnid=0 webfltid=0 appfltid=0 icapid=0 policytype=1 fwid=6 natid=0 fw_action=1 bwid=0 appid=0 appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0x1 sigoffload=0 inzone=12 outzone=11 devinindex=27 devoutindex=26 hb_src=0 hb_dst=0 flags0=0xa0000200020 flags1=0x10000800000 flagvalues=5,21,41,43,87,104 catid=0 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=c8:4f:86:fc:01:02 src_mac=00:50:56:bd:d9:6a startstamp=1636363431 microflow[0]=INVALID microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0 ipspid=0 diffserv=0 loindex=26 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=13661 current_state[1]=13661 vlan_id=0 inmark=0x0 brinindex=0 sessionid=28523 sessionidrev=23757 session_update_rev=2 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=0 pbrid_dir1=0 nhop_id[0]=65535 nhop_id[1]=65535 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=NOT_OFFLOADED
     [UPDATE] proto=tcp      proto-no=6 timeout=10 state=CLOSE orig-src=172.17.2.11 orig-dst=172.17.1.11 orig-sport=60022 orig-dport=8080 reply-src=172.17.1.11 reply-dst=172.17.2.11 reply-sport=8080 reply-dport=60022 [ASSURED] id=4148903936 masterid=0 devin=LAG_DSW.102 devout=LAG_DSW.101 nseid=16784848 ips=0 sslvpnid=0 webfltid=0 appfltid=0 icapid=0 policytype=1 fwid=6 natid=0 fw_action=1 bwid=0 appid=6 appcatid=3 hbappid=10162 hbappcatid=0 dpioffload=0x5 sigoffload=0 inzone=12 outzone=11 devinindex=27 devoutindex=26 hb_src=0 hb_dst=0 flags0=0xa0000200020 flags1=0x10000810000 flagvalues=5,21,41,43,80,87,104 catid=0 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=c8:4f:86:fc:01:02 src_mac=00:50:56:bd:d9:6a startstamp=1636363431 microflow[0]=INVALID microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0 ipspid=0 diffserv=0 loindex=26 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=13661 current_state[1]=13661 vlan_id=0 inmark=0x0 brinindex=0 sessionid=28523 sessionidrev=23757 session_update_rev=6 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=0 pbrid_dir1=0 nhop_id[0]=65535 nhop_id[1]=65535 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=NOT_OFFLOADED
    [DESTROY] proto=tcp      proto-no=6 orig-src=172.17.2.11 orig-dst=172.17.1.11 orig-sport=59969 orig-dport=8080 packets=178 bytes=110323 reply-src=172.17.1.11 reply-dst=172.17.2.11 reply-sport=8080 reply-dport=59969 packets=385 bytes=375427 [ASSURED] id=3527022848 masterid=0 devin=LAG_DSW.102 devout=LAG_DSW.101 nseid=16784440 ips=0 sslvpnid=0 webfltid=0 appfltid=0 icapid=0 policytype=1 fwid=6 natid=0 fw_action=1 bwid=0 appid=10162 appcatid=0 hbappid=10162 hbappcatid=0 dpioffload=0x7 sigoffload=0 inzone=12 outzone=11 devinindex=27 devoutindex=26 hb_src=0 hb_dst=0 flags0=0x20000a0000200020 flags1=0x10004810000 flagvalues=5,21,41,43,61,80,87,90,104 catid=1022 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=c8:4f:86:fc:01:02 src_mac=00:50:56:bd:d9:6a startstamp=1636363404 microflow[0]=INVALID microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0 ipspid=0 diffserv=0 loindex=26 tlsruleid=0 ips_nfqueue=2 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=13661 current_state[1]=13661 vlan_id=0 inmark=0x0 brinindex=0 sessionid=7409 sessionidrev=32269 session_update_rev=12 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=0 pbrid_dir1=0 nhop_id[0]=65535 nhop_id[1]=65535 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=NOT_OFFLOADED
    ...
    
    (I deleted unnecessary lines)

    I cannot see any proxy redirections in those conntrack logs.

    On the Firewall Rule there is no Web enabled.
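    To compare what the firewall recorded for the same session across the [UPDATE]/[DESTROY] records above, here is a small parser added for this thread (it is not from Sophos or from the poster). It assumes the key=value layout of the conntrack output shown above; the sample records are constructed and trimmed to a few fields, and the code reports which fields changed between records without asserting what any individual field means.

```python
from typing import Dict, List, Tuple

# Constructed sample modelled on the key=value layout of the conntrack output
# in this thread, trimmed to a few fields; values are illustrative only.
SAMPLE_CONNTRACK = """\
[UPDATE] proto=tcp proto-no=6 timeout=10800 state=ESTABLISHED orig-src=172.17.2.11 orig-dst=172.17.1.11 orig-sport=60022 orig-dport=8080 [ASSURED] id=4148903936 fwid=6 fw_action=1 appid=0 hbappid=0 dpioffload=0x1 ips_nfqueue=0 session_update_rev=2
[UPDATE] proto=tcp proto-no=6 timeout=10 state=CLOSE orig-src=172.17.2.11 orig-dst=172.17.1.11 orig-sport=60022 orig-dport=8080 [ASSURED] id=4148903936 fwid=6 fw_action=1 appid=6 hbappid=10162 dpioffload=0x5 ips_nfqueue=0 session_update_rev=6
[DESTROY] proto=tcp proto-no=6 orig-src=172.17.2.11 orig-dst=172.17.1.11 orig-sport=59969 orig-dport=8080 packets=178 bytes=110323 reply-src=172.17.1.11 packets=385 bytes=375427 [ASSURED] id=3527022848 fwid=6 fw_action=1 appid=10162 hbappid=10162 dpioffload=0x7 ips_nfqueue=2 session_update_rev=12
"""

def parse_record(line: str) -> Tuple[str, Dict[str, str]]:
    """Parse one line into (event, fields). Bracketed tokens are not key=value:
    the first is the event ([UPDATE], [DESTROY]); later ones ([ASSURED]) go to
    '_flags'. A key repeated on a line (packets=/bytes= appear once per direction
    on a DESTROY record) is stored a second time with a _reply suffix."""
    event, fields, flags = "", {}, []
    for tok in line.split():
        if tok.startswith("[") and tok.endswith("]"):
            if event:
                flags.append(tok[1:-1])
            else:
                event = tok[1:-1]
            continue
        key, sep, value = tok.partition("=")
        if not sep:
            continue  # stray token such as "..."
        fields[key + "_reply" if key in fields else key] = value
    fields["_flags"] = ",".join(flags)
    return event, fields

def parse_conntrack(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """All records in the dump, in order; lines with no event are skipped."""
    parsed = (parse_record(ln) for ln in text.splitlines() if ln.strip())
    return [(ev, f) for ev, f in parsed if ev]

def diff_records(a: Dict[str, str], b: Dict[str, str], ignore=("timeout", "session_update_rev")):
    """Fields whose value differs, as key -> (old, new); per-update counters
    are ignored by default so real state changes stand out."""
    keys = sorted(set(a) | set(b))
    return {k: (a.get(k), b.get(k)) for k in keys if k not in ignore and a.get(k) != b.get(k)}

def session_changes(records, session_id: str):
    """For one conntrack id, what changed between each consecutive record."""
    hist = [(ev, f) for ev, f in records if f.get("id") == session_id]
    return [(hist[i][0], hist[i + 1][0], diff_records(hist[i][1], hist[i + 1][1]))
            for i in range(len(hist) - 1)]

def find_records(records, **conds):
    """Records where every named field has the given value, e.g. ips_nfqueue="2"."""
    return [(ev, f) for ev, f in records if all(f.get(k) == v for k, v in conds.items())]
```

Feed it the full dump from the CLI (one record per line) and look at `session_changes` for the session id of the failing connection to see which fields flip between the record where it works and the one where it is closed.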

  • With all the tests we have done so far, for me it looks like this ATP/AC module is dropping the traffic, because once I create "set ips ac_atp exception fwrules 6" everything works fine.

    Can you confirm this? If not, can you please explain why you think we should look for the problem in another place, like asymmetrical routing issues, because I don't understand this at the moment.

    Do you know if it is possible to log these drops from the ATP/AC module, or if these kinds of drops are silent?

  • Do you have micro app enabled? 

    console> system application_classification show
    On
    console> system application_classification microapp-discovery
    off on show
    console> system application_classification microapp-discovery show
    off

  • No, this is not enabled:

    console> system application_classification show
    On

    console> system application_classification microapp-discovery show
    off

  • Sorry to bother you again.

    Could you please answer my question: is there any possibility to log these drops from the ATP/AC module, or are these kinds of drops silent?

  • It's the atp.log or the dropped packet capture. If there are no drops, this is not dropped.

  • Where can I find atp.log?

    There is no atp.log in the /log folder:

    XG430_WP02_SFOS 18.5.1 MR-1-Build326# cd /log/
    XG430_WP02_SFOS 18.5.1 MR-1-Build326# ls
    VPN.log                     catUpdateLog                dnsd.log                    garner.log                  migration.log               readobject.log              red-R20002F2VQCJR37.log     smtpd_panic.log             up2date_av.log
    WINGc.log                   centralmanagement.log       dnsgrabber.log              garner.log.0                migrationhash.log           red                         red-R20002MHTCCCR28.log     snireport.log               validation.log
    WINGc.log.0                 centralmanagement.log.0     dnsgrabber.log.0            ha_pair.log                 mrouting.log                red-A35019622135F65.log     red.log                     snmpd.log                   validationError.log
    access_server.log           charon.log                  dropbear.log                ha_tunnel.log               msync.log                   red-A350199D5868BE5.log     redis                       sophos-central.log          validationError.log.0
    apache.log                  charon.log.0                eacd.log                    hbtrust.log                 msync.log.0                 red-A3501B9B893500C.log     reportdb.log                sshd.log                    vhost.log
    apache_access.log           chromebook-sso-backend.log  entity.log                  hbtrust.log.0               nSXLd                       red-A3501D2BEF22F74.log     reportmigration.log         sslvpn.log                  vpncertificate.log
    apache_access.log.0         clientless_access.log       error_log.log               heartbeatd.log              nSXLd.log                   red-A3501DA8C271A54.log     reverseproxy.log            ssod.log                    warren.log
    apiparser.log               confdbstatus.log            exim_mail_client.log        hostapd.log                 nasm.log                    red-A3501E4B83A55E1.log     reverseproxy.log.0          strongswan-monitor.log      wc_remote.log
    app-feedback.log            crreportdb.log              firewall_rule.log           hotspotd.log                nat_rule.log                red-A3501E58921CF3D.log     ripd.log                    strongswan.log              webproxy.log
    appcached.log               csc.log                     fqdnd.log                   httplogd.log                networkd.log                red-A3501E77570D8E8.log     sac-feedback.log            strongswan.log.0            wifiauth.log
    applog.log                  csc.log.0                   fqdnd.log.0                 hwmon.log                   networkd.log.0              red-A3501F696540315.log     sandbox_reportd.log         sync.log                    xfrmi.log
    applog.log.0                cschelper.log               fqdndebug.log               ips.log                     npu-startup.log.prev        red-A350232E7D3581D.log     sandboxd.log                sysinit.log                 xgs-healthmond.log
    av.log                      csd.log                     ftpproxy.log                ipsec.log                   npu_syslog.log              red-A36020093C07EDC.log     sessiontbl.log              syslog-ng.log               xgs-host.log
    avd.log                     ctasd.log                   fwcm-eventd.log             ipsec_conn                  ntpclient.log               red-R200018963CFXC8.log     sig_upgrade.log             syslog.log                  xgs-npu-fw.log
    avd.log.0                   ctipd.log                   fwcm-eventd.log.0           ipsec_monitor.log           openvpn-status.log          red-R20001HKPXRMJE7.log     sigdb.log                   tlsreport.log               zebra.log
    awarrenhttp.log             ctsyncd.log                 fwcm-heartbeatd.log         iview.log                   ospfd.log                   red-R20001T9YFQK700.log     sigmigration.log            tmclient.log
    awarrenhttp_access.log      ddc.log                     fwcm-heartbeatd.log.0       iview.log.0                 pimd.log                    red-R20001YCCYYJR6D.log     skein.log                   tomcat.log
    awarrensmtp.log             dgd.log                     fwcm-updaterd.log           l2tpd.log                   pktcapd.log                 red-R20001YJGKMDW95.log     smbnetfs.log                tomcat.log.0
    awed.log                    dgd.log.0                   fwcm-updaterd.log.0         lcd.log                     postgres.log                red-R20001YJRF8T4CF.log     smtpd_error.log             u2d.log
    bgpd.log                    dhcpd.log                   fwlog.log                   licensing.log               pptpvpn.log                 red-R200024FYJ9R403.log     smtpd_main.log              u2d.log.0
    bwm.log                     dhcpd6.log                  fwmgmt.log                  mdev.log                    radvd.log                   red-R200029YG4GHCC8.log     smtpd_main.log.0            uma.log
    XG430_WP02_SFOS 18.5.1 MR-1-Build326#
    

  • The dropped packet capture does not show a single line while reproducing the error.

    ips.log is constantly filling up with some entries, but I cannot see any relationship to my problem, because the entries are written every 20-30 sec regardless of whether I reproduce the error or not.

    1637221271.445212946 [12491/0xeb0000007485] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221271.648529883 [12491/0xc11400003517] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221281.576054732 [12492/0x4e4000008260] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221296.315486715 [12491/0x73e700005f7a] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221361.592918676 [12491/0xe1b6000013a8] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221372.286165496 [12491/0xfbf00000a67f] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221376.254997289 [12489/0x1a71000bf215] [nsg.c:1037:parser_context_req_begin_cb] Cannot parse pipelined request. Will offload traffic. (fsm: 1, paf: 0)
    1637221380.264400346 [12488/0x3fd80003c4ec] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221380.276489084 [12488/0xfe11000016f6] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221456.394740671 [12491/0xd2da000009c7] [nsg.c:1407:parser_context_resp_eoh_cb] request_fsm_response_begin failed.
    1637221457.111740905 [12489/0x135b000042cf] [nsg.c:1407:parser_context_resp_eoh_cb] request_fsm_response_begin failed.
    1637221461.033688667 [12488/0x4850000de0ea] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221464.094616417 [12491/0x7019000ddd82] [nsg.c:1407:parser_context_resp_eoh_cb] request_fsm_response_begin failed.
    1637221475.293703382 [12491/0xa403000041aa] [nsg.c:1407:parser_context_resp_eoh_cb] request_fsm_response_begin failed.
    1637221477.222272602 [12492/0x489e000dfdb8] [nsg.c:1407:parser_context_resp_eoh_cb] request_fsm_response_begin failed.
    1637221518.070145981 [12492/0x652300000630] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221561.813531376 [12491/0xcc0006c25b] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221562.585277755 [12492/0x5f8000002c00] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221580.948666411 [12491/0x15a500005097] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221581.040441116 [12492/0xcb2500013e76] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221613.689577477 [12492/0x4f9300001625] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221662.830070946 [12492/0xa0de00008729] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221722.365829812 [12488/0xcff100004238] [nsg.c:1037:parser_context_req_begin_cb] Cannot parse pipelined request. Will offload traffic. (fsm: 1, paf: 0)
    1637221722.368846499 [12491/0x50a600007ba5] [nsg.c:1037:parser_context_req_begin_cb] Cannot parse pipelined request. Will offload traffic. (fsm: 1, paf: 0)
    1637221722.431311168 [12489/0xcfbf0000423f] [nsg.c:1037:parser_context_req_begin_cb] Cannot parse pipelined request. Will offload traffic. (fsm: 1, paf: 0)
    1637221722.432365908 [12489/0x7c1f00007051] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221722.433895988 [12491/0x63a80000a747] [nsg.c:1037:parser_context_req_begin_cb] Cannot parse pipelined request. Will offload traffic. (fsm: 1, paf: 0)
    1637221727.362595316 [12491/0x8d2000e47df] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221828.959235528 [12488/0x109700000984] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221828.991220647 [12492/0x9ef400006262] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221834.266318346 [12492/0xf0b00000bd48] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221834.277881430 [12491/0x31a6000347de] [nsg.c:1037:parser_context_req_begin_cb] Cannot parse pipelined request. Will offload traffic. (fsm: 1, paf: 0)
    1637221834.278348722 [12491/0x15610000102c] [nsg.c:1037:parser_context_req_begin_cb] Cannot parse pipelined request. Will offload traffic. (fsm: 1, paf: 0)
    1637221834.312279944 [12489/0x2166000347d7] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221834.312504010 [12489/0x66e700004df7] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    

    You said if it's not logged there it is not dropped.

    But why is the application working when the AC/ATP exception is active and doesn't work when it is deactivated?

    This indicates that the firewall is dropping that traffic at some point, doesn't it?

  • From my perspective, it's not about dropping. It looks like the application is intercepted by the proxy. Which means the connection is not dropped, but intercepted. If it's intercepted, likely the application got dropped by the client/server.

    A drop would indicate "retransmission multiple times". But you get an RST (reset) from somebody. So somebody wants to kill the connection for whatever reason.

    BTW: Why is your client getting a 401 unauthorized? 

  • Ok, to follow your theory, do you have any hints where I could search first if this proxy interception took place on XG?

    The firewall rules for internal traffic don't have any web filter enabled.

    Only the firewall rules for internet traffic use DPI with TLS decryption, so that should not be relevant for my problem.

    This 401 Unauthorized is a good question; I have seen it in both traces:

    When the atp_ac rule is disabled -> there is the RST right after the Unauthorized.

    When the atp_ac rule is enabled -> there is also the same Unauthorized message (Access is denied due to invalid credentials), but the application is working as expected. I can see that the next packets in the Wireshark trace are HTTP/XML SOAP packets instead of the RST.

    If it is helpful, I could send you both Wireshark captures via PM so that you can see the difference.