Dropped due to TLS engine error: FLOW_TIMEOUT[5]

I appreciate that other people have raised this issue before, but I am having problems with a specific IOT device trying to send a data packet to the cloud.

This particular device (which reports the salt quantity in a water softener) causes the following error:

2022-03-07 13:05:08 SSL/TLS inspection messageid="19006" log_type="SSL" log_component="SSL" log_subtype="Error" severity="Information" user="" src_ip="192.168.1.193" dst_ip="18.193.34.83" user_group="" src_country="R1" dst_country="DEU" src_port="52708" dst_port="443" app_name="" app_id="0" category="Information Technology" category_id="29" con_id="1688866560" rule_id="1" profile_id="1" rule_name="Exclusions by website or category" profile_name="Maximum compatibility" bitmask="Valid" key_type="KEY_TYPE__RSA" key_param="RSA 2048 bits" fingerprint="a9:a0:f0:b5:bc:21:6f:26:a8:01:49:5d:33:c5:0e:dc:62:2f:3d:53" resumed="0" cert_chain_served="TRUE" cipher_suite="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" sni=".....aylanetworks.com" tls_version="TLS1.2" reason="Dropped due to TLS engine error: FLOW_TIMEOUT[5]" exception="" message=""

I have tried everything to exclude this device from all forms of scanning (but clearly I am doing something wrong). How can I ensure that this device stays clear of any form of firewall processing?

Thanks.
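As an added example (not from the original post and not Sophos code), here is a small Python parser for the key="value" log format quoted above. It pulls out the SSL/TLS inspection records whose reason is a TLS engine error and counts them per source IP and SNI, so the device/destination pairs that need an exclusion are listed directly. The sample lines are constructed: the first is the entry from the post, abridged to the relevant fields with its SNI left redacted as posted; the other two are made up (a second drop for the same device and a normal allowed flow).

```python
import re
from collections import Counter

# Sophos Firewall log lines: a timestamp/category prefix followed by key="value" pairs.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Reason strings for engine drops look like: Dropped due to TLS engine error: FLOW_TIMEOUT[5]
TLS_ERR_RE = re.compile(r'TLS engine error: (\w+)\[(\d+)\]')

# Constructed sample input. Line 1 is the post's entry (abridged, SNI redacted as posted);
# lines 2 and 3 are made up: another drop for the same device, and an allowed flow.
SAMPLE_LOGS = [
    '2022-03-07 13:05:08 SSL/TLS inspection messageid="19006" log_type="SSL" log_component="SSL" '
    'log_subtype="Error" severity="Information" src_ip="192.168.1.193" dst_ip="18.193.34.83" '
    'src_port="52708" dst_port="443" rule_id="1" profile_id="1" '
    'rule_name="Exclusions by website or category" profile_name="Maximum compatibility" '
    'sni=".....aylanetworks.com" tls_version="TLS1.2" '
    'reason="Dropped due to TLS engine error: FLOW_TIMEOUT[5]" exception="" message=""',
    '2022-03-07 13:20:41 SSL/TLS inspection messageid="19006" log_type="SSL" log_component="SSL" '
    'log_subtype="Error" src_ip="192.168.1.193" dst_ip="18.193.34.83" dst_port="443" rule_id="1" '
    'sni=".....aylanetworks.com" reason="Dropped due to TLS engine error: FLOW_TIMEOUT[5]" exception=""',
    '2022-03-07 13:21:02 SSL/TLS inspection messageid="19005" log_type="SSL" log_component="SSL" '
    'log_subtype="Allow" src_ip="192.168.1.50" dst_ip="198.51.100.7" dst_port="443" rule_id="2" '
    'sni="example.com" reason="" exception=""',
]


def parse_line(line):
    """Turn one log line into a dict of its key="value" fields."""
    return dict(KV_RE.findall(line))


def tls_error(rec):
    """Return (error_name, code) parsed from the reason field, or None if not an engine drop."""
    m = TLS_ERR_RE.search(rec.get("reason", ""))
    return (m.group(1), int(m.group(2))) if m else None


def tls_engine_drops(lines):
    """Parsed SSL/TLS inspection records whose reason is a TLS engine error."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("log_component") == "SSL" and tls_error(rec):
            out.append(rec)
    return out


def drops_by_flow(lines):
    """Count drops per (src_ip, sni or dst_ip, error_name): the pairs that need an exclusion."""
    counts = Counter()
    for rec in tls_engine_drops(lines):
        name, _code = tls_error(rec)
        counts[(rec.get("src_ip"), rec.get("sni") or rec.get("dst_ip"), name)] += 1
    return counts


if __name__ == "__main__":
    for (src, dst, err), n in drops_by_flow(SAMPLE_LOGS).most_common():
        print(f"{n:3d}  {src:15s} -> {dst}  ({err})")
```

Run it over lines exported from the log viewer filtered on log_component="SSL"; the top of the list is the device and SNI (or destination IP, when the client sends no SNI) to put into the SSL/TLS exclusion or a no-decrypt rule.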



  • Hello Daniel,

    Thank you for contacting the Sophos Community.

    What is the configuration of your Rule ID 1?

    Also, if you click on SSL/TLS connections in the Control Center, below User & device insights, you should find a "Fix Errors" link. Click there and see if the IP of the device or the destination address is showing there.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    If a post solves your question use the 'Verify Answer' link.
  • Hi. 

    Thanks for your reply.

    Rule ID 1 is the "Auto added firewall policy for MTA" that was added by default when I initialised the firewall, and I am not sure why it is being listed as the rule ID causing the error (unless I am reading it wrong: the rule ID is listed under ID on the Rules and Policies tab?).

    I can't find either the local IP address of the device or the domain that it is trying to send the packet to in the "Fix Errors" list. This may be because I have already manually added the domain to the local TLS exclusion list.

    I also have an outbound policy just for this device with everything off - LAN / device IP address going to WAN / Any destination / Any service.

    I have recently come over to Sophos from 9 years as a Watchguard customer. I really like the product, but this is doing my head in!!

  • Change the IP address of the device on the network, then add the client and its IP to the clientless users list, then select that user in "Match known users".

    You also might need to add web policy allow so the DPI engine passes it.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Ian

    I don't use the client function. All devices connecting via the XGS have internet access without the need to authenticate.

  • Clientless devices do not authenticate; it is a way of managing device access with specific rules. You assign the device a fixed IP address. The process then allows you to set a firewall rule for a specific device, making debugging easier.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.
