This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Invalid TCP State

In addition to our Sophos XG which is the default gateway (.254) we've got a router provided by one of our vendors on the network for their traffic only (.253).

We've created a static route to forward all traffic for their sites and applications back out the LAN interface to their router and there is a firewall rule allowing traffic originating from the LAN zone and destined for their network range in any zone.

They have several webservers and although I can access one of them the other is inaccessible. I can PING and tracert the IP successfully but cannot open the web page.

The firewall log keeps listing "Invalid Traffic" and Invalid TCP State".

This thread was automatically locked due to age.

Top Replies

LuCar Toni over 3 years ago in reply to Clawcity +1

Seems like the App does not want to be opened and closes the connection. Most likely you see this afterwards. Try to check with tcpdump if you see any reason for the drop. Use Wireshark on a client,…

Parents

0 Vishal_R over 3 years ago

Hi Clawcity: Thank you for reaching out to the Sophos community team. Hope this is not the case of asymmetric routing where either request or reply traffic does not route via firewall which may create an invalid TCP state for such TCP connection when either of the traffic is traversing via firewall. If that is the case then probably adding an advance bypass firewall rule may avoid firewall rule and TCP state maintenance for mentioned source and destination network.

console> set advanced-firewall bypass-stateful-firewall-config add source_network x.x.x.x source_netmask 255.255.255.0 dest_network y.y.y.y dest_netmask 255.255.255.0

Note: To revert the changes del in place of add will be required. Also would suggest performing the changes safer side during odd hours or during proper downtime time. Please also take the latest backup with the backup password and SSMK before applying any change.

Identify an asymmetric routing design condition

https://support.sophos.com/support/s/article/KB-000038267?language=en_US

Regards,

Vishal Ranpariya
Technical Account Manager | Sophos Technical Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Clawcity over 3 years ago in reply to Vishal_R

Thanks for your reply Vishal. I've remoted in to a computer onsite and am trying to access the CLI via SSH. I assume it uses the same username/password that I use to access the web console, but I'm getting access denied. I have checked that SSH is enabled on the LAN zone.
Cancel
Vote Up 0 Vote Down

Cancel
0 Excommunicado over 3 years ago in reply to Clawcity

Hi Clawcity,

Is there any Access Control policy configured under Administration > Device Access for SSH access? I'd suggest you filter logs with your source public IP address from Logviwer to see what happens with the SSH traffic when it hits the firewall.
Cancel
Vote Up 0 Vote Down

Cancel
0 Clawcity over 3 years ago in reply to Excommunicado

I'm coming in through the LAN interface from a local computer and SSH access is enabled. Log viewer doesn't show anything.
Cancel
Vote Up 0 Vote Down

Cancel
0 Clawcity over 3 years ago in reply to Clawcity

Any ideas guys?
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 3 years ago in reply to Clawcity

Seems like the App does not want to be opened and closes the connection. Most likely you see this afterwards. Try to check with tcpdump if you see any reason for the drop.

Use Wireshark on a client, then open the website and check the HTTP Pakets.

__________________________________________________________________________________________________________________
Cancel
Vote Up +1 Vote Down

Cancel

Reply

0 LuCar Toni over 3 years ago in reply to Clawcity

Seems like the App does not want to be opened and closes the connection. Most likely you see this afterwards. Try to check with tcpdump if you see any reason for the drop.

Use Wireshark on a client, then open the website and check the HTTP Pakets.

__________________________________________________________________________________________________________________
Cancel
Vote Up +1 Vote Down

Cancel

Children

No Data

Invalid TCP State

Top Replies

Submitted a Tech Support Case lately from the Support Portal?