XGS 18.5 MR3 trying to send WAN Data over dedicated HA-Link mv-pcimux0 - Invalid Traffic

I have noticed this on an XGS136 18.5 MR3. The machine is in HA, and when viewing the firewall log it is full of invalid traffic logs.

When doing tcpdump I can see in the GUI that it resolves the out interface as Port10, which is my dedicated HA interface.

The Interface is in a dedicated Zone "HA", not WAN.

When doing tcpdump I can see the out interface listed as mv-pcimux0

What is that mv-pcimux0? And why is XGS using that as out interface??

Port2 is the single WAN Gateway the machine has.

XGS136_XN01_SFOS 18.5.3 MR-3-Build408# tcpdump -i any host 10.1.254.22 and host 52.17.61.242 or host 18.158.22.135 -nve
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
14:31:38.628537 Port2, OUT: Out c8:4f:86:33:33:33 ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 64, id 63654, offset 0, flags [DF], proto TCP (6), length 52)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [S], cksum 0x3163 (incorrect -> 0xee49), seq 3596046757, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
14:31:38.628542 mv-pcimux0, OUT: Out c4:c5:c6:c7:c8:c9 ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 64, id 63654, offset 0, flags [DF], proto TCP (6), length 52)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [S], cksum 0x3163 (incorrect -> 0xee49), seq 3596046757, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
14:31:38.662125 Port2, IN:  In 3c:a6:2f:d3:5a:7d ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 242, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    18.158.22.135.443 > 10.1.254.22.46018: Flags [S.], cksum 0xb8e0 (correct), seq 3975696747, ack 3596046758, win 26883, options [mss 1460,nop,nop,sackOK,nop,wscale 8], length 0
14:31:38.662168 Port2, OUT: Out c8:4f:86:33:33:33 ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 64, id 63655, offset 0, flags [DF], proto TCP (6), length 40)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [.], cksum 0x3157 (incorrect -> 0x61d2), ack 1, win 229, length 0
14:31:38.662171 mv-pcimux0, OUT: Out c4:c5:c6:c7:c8:c9 ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 64, id 63655, offset 0, flags [DF], proto TCP (6), length 40)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [.], cksum 0x3157 (incorrect -> 0x61d2), ack 1, win 229, length 0
14:31:38.662624 Port2, OUT: Out c8:4f:86:33:33:33 ethertype IPv4 (0x0800), length 285: (tos 0x0, ttl 64, id 63656, offset 0, flags [DF], proto TCP (6), length 269)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [P.], cksum 0x323c (incorrect -> 0x8802), seq 1:230, ack 1, win 229, length 229
14:31:38.662628 mv-pcimux0, OUT: Out c4:c5:c6:c7:c8:c9 ethertype IPv4 (0x0800), length 285: (tos 0x0, ttl 64, id 63656, offset 0, flags [DF], proto TCP (6), length 269)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [P.], cksum 0x323c (incorrect -> 0x8802), seq 1:230, ack 1, win 229, length 229
14:31:38.681184 Port2, IN:  In 3c:a6:2f:d3:5a:7d ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 242, id 15660, offset 0, flags [DF], proto TCP (6), length 40)
    18.158.22.135.443 > 10.1.254.22.46018: Flags [.], cksum 0x6164 (correct), ack 230, win 110, length 0
14:31:38.682162 Port2, IN:  In 3c:a6:2f:d3:5a:7d ethertype IPv4 (0x0800), length 1516: (tos 0x0, ttl 242, id 15661, offset 0, flags [DF], proto TCP (6), length 1500)
    18.158.22.135.443 > 10.1.254.22.46018: Flags [.], cksum 0x61aa (correct), seq 1:1461, ack 230, win 110, length 1460
14:31:38.682182 Port2, OUT: Out c8:4f:86:33:33:33 ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 64, id 63657, offset 0, flags [DF], proto TCP (6), length 40)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [.], cksum 0x3157 (incorrect -> 0x5b23), ack 1461, win 251, length 0
14:31:38.682184 mv-pcimux0, OUT: Out c4:c5:c6:c7:c8:c9 ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 64, id 63657, offset 0, flags [DF], proto TCP (6), length 40)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [.], cksum 0x3157 (incorrect -> 0x5b23), ack 1461, win 251, length 0
14:31:38.682187 Port2, IN:  In 3c:a6:2f:d3:5a:7d ethertype IPv4 (0x0800), length 1516: (tos 0x0, ttl 242, id 15662, offset 0, flags [DF], proto TCP (6), length 1500)
    18.158.22.135.443 > 10.1.254.22.46018: Flags [.], cksum 0xf8bf (correct), seq 1461:2921, ack 230, win 110, length 1460
14:31:38.682199 Port2, OUT: Out c8:4f:86:33:33:33 ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 64, id 63658, offset 0, flags [DF], proto TCP (6), length 40)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [.], cksum 0x3157 (incorrect -> 0x5558), ack 2921, win 274, length 0
14:31:38.682201 mv-pcimux0, OUT: Out c4:c5:c6:c7:c8:c9 ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 64, id 63658, offset 0, flags [DF], proto TCP (6), length 40)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [.], cksum 0x3157 (incorrect -> 0x5558), ack 2921, win 274, length 0
14:31:38.682208 Port2, IN:  In 3c:a6:2f:d3:5a:7d ethertype IPv4 (0x0800), length 1516: (tos 0x0, ttl 242, id 15663, offset 0, flags [DF], proto TCP (6), length 1500)
    18.158.22.135.443 > 10.1.254.22.46018: Flags [.], cksum 0xeee4 (correct), seq 2921:4381, ack 230, win 110, length 1460
14:31:38.682219 Port2, OUT: Out c8:4f:86:33:33:33 ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 64, id 63659, offset 0, flags [DF], proto TCP (6), length 40)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [.], cksum 0x3157 (incorrect -> 0x4f8d), ack 4381, win 297, length 0
14:31:38.688763 Port2, OUT: Out c8:4f:86:33:33:33 ethertype IPv4 (0x0800), length 222: (tos 0x0, ttl 64, id 63661, offset 0, flags [DF], proto TCP (6), length 206)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [P.], cksum 0x31fd (incorrect -> 0xfa01), seq 230:396, ack 5429, win 320, length 166
14:31:38.688767 mv-pcimux0, OUT: Out c4:c5:c6:c7:c8:c9 ethertype IPv4 (0x0800), length 222: (tos 0x0, ttl 64, id 63661, offset 0, flags [DF], proto TCP (6), length 206)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [P.], cksum 0x31fd (incorrect -> 0xfa01), seq 230:396, ack 5429, win 320, length 166
14:31:38.695820 Port2, IN:  In 3c:a6:2f:d3:5a:7d ethertype IPv4 (0x0800), length 402: (tos 0x0, ttl 242, id 15665, offset 0, flags [DF], proto TCP (6), length 386)
    18.158.22.135.443 > 10.1.254.22.46018: Flags [P.], cksum 0xab3a (correct), seq 5429:5775, ack 396, win 114, length 346
14:31:38.715856 Port2, OUT: Out c8:4f:86:33:33:33 ethertype IPv4 (0x0800), length 493: (tos 0x0, ttl 64, id 63662, offset 0, flags [DF], proto TCP (6), length 477)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [P.], cksum 0x330c (incorrect -> 0x18e8), seq 396:833, ack 5775, win 343, length 437
14:31:38.715863 mv-pcimux0, OUT: Out c4:c5:c6:c7:c8:c9 ethertype IPv4 (0x0800), length 493: (tos 0x0, ttl 64, id 63662, offset 0, flags [DF], proto TCP (6), length 477)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [P.], cksum 0x330c (incorrect -> 0x18e8), seq 396:833, ack 5775, win 343, length 437
14:31:38.765165 Port2, IN:  In 3c:a6:2f:d3:5a:7d ethertype IPv4 (0x0800), length 125: (tos 0x0, ttl 242, id 15667, offset 0, flags [DF], proto TCP (6), length 109)
    18.158.22.135.443 > 10.1.254.22.46018: Flags [P.], cksum 0x6578 (correct), seq 6132:6201, ack 833, win 118, length 69
14:31:38.765182 Port2, OUT: Out c8:4f:86:33:33:33 ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 64, id 63663, offset 0, flags [DF], proto TCP (6), length 52)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [.], cksum 0x3163 (incorrect -> 0x6485), ack 5775, win 343, options [nop,nop,sack 1 {6132:6201}], length 0
14:31:38.765183 mv-pcimux0, OUT: Out c4:c5:c6:c7:c8:c9 ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 64, id 63663, offset 0, flags [DF], proto TCP (6), length 52)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [.], cksum 0x3163 (incorrect -> 0x6485), ack 5775, win 343, options [nop,nop,sack 1 {6132:6201}], length 0
14:31:38.769137 Port2, IN:  In 3c:a6:2f:d3:5a:7d ethertype IPv4 (0x0800), length 125: (tos 0x0, ttl 242, id 15668, offset 0, flags [DF], proto TCP (6), length 109)
    18.158.22.135.443 > 10.1.254.22.46018: Flags [FP.], cksum 0x600d (correct), seq 6201:6270, ack 833, win 118, length 69
14:31:38.769154 Port2, OUT: Out c8:4f:86:33:33:33 ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 64, id 63664, offset 0, flags [DF], proto TCP (6), length 52)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [.], cksum 0x3163 (incorrect -> 0x643f), ack 5775, win 343, options [nop,nop,sack 1 {6132:6271}], length 0
14:31:38.769156 mv-pcimux0, OUT: Out c4:c5:c6:c7:c8:c9 ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 64, id 63664, offset 0, flags [DF], proto TCP (6), length 52)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [.], cksum 0x3163 (incorrect -> 0x643f), ack 5775, win 343, options [nop,nop,sack 1 {6132:6271}], length 0
14:31:38.799372 Port2, IN:  In 3c:a6:2f:d3:5a:7d ethertype IPv4 (0x0800), length 413: (tos 0x0, ttl 242, id 15669, offset 0, flags [DF], proto TCP (6), length 397)
    18.158.22.135.443 > 10.1.254.22.46018: Flags [P.], cksum 0x4560 (correct), seq 5775:6132, ack 833, win 118, length 357
14:31:38.799391 Port2, OUT: Out c8:4f:86:33:33:33 ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 64, id 63665, offset 0, flags [DF], proto TCP (6), length 40)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [.], cksum 0x3157 (incorrect -> 0x458c), ack 6271, win 365, length 0
14:31:38.799393 mv-pcimux0, OUT: Out c4:c5:c6:c7:c8:c9 ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 64, id 63665, offset 0, flags [DF], proto TCP (6), length 40)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [.], cksum 0x3157 (incorrect -> 0x458c), ack 6271, win 365, length 0
14:31:38.800877 Port2, OUT: Out c8:4f:86:33:33:33 ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 64, id 63666, offset 0, flags [DF], proto TCP (6), length 40)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [R.], cksum 0x3157 (incorrect -> 0x4588), seq 833, ack 6271, win 365, length 0
14:31:38.800883 mv-pcimux0, OUT: Out c4:c5:c6:c7:c8:c9 ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 64, id 63666, offset 0, flags [DF], proto TCP (6), length 40)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [R.], cksum 0x3157 (incorrect -> 0x4588), seq 833, ack 6271, win 365, length 0

| Time | In interface | Out interface | Ethernet type | Source IP | Destination IP | Packet type | Ports [src,dst] | NAT ID | Rule ID | Status | Reason |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 25.05.2022 14:16 | Port10 | Port2 | IPv4 | 10.1.254.22 | 18.158.22.135 | TCP | 28772,443 | 0 | 0 | Forwarded | |
| 25.05.2022 14:16 | | | IPv4 | 10.1.254.22 | 18.158.22.135 | TCP | 28772,443 | 0 | 0 | Violation | INVALID_TRAFFIC |
| 25.05.2022 14:16 | Port10 | | IPv4 | 10.1.254.22 | 18.158.22.135 | TCP | 28772,443 | 0 | 0 | Incoming | |
| 25.05.2022 14:16 | Port10 | Port2 | IPv4 | 10.1.254.22 | 18.158.22.135 | TCP | 28772,443 | 0 | 0 | Forwarded | |
| 25.05.2022 14:16 | | | IPv4 | 10.1.254.22 | 18.158.22.135 | TCP | 28772,443 | 0 | 0 | Violation | INVALID_TRAFFIC |
| 25.05.2022 14:16 | Port10 | | IPv4 | 10.1.254.22 | 18.158.22.135 | TCP | 28772,443 | 0 | 0 | Incoming | |
| 25.05.2022 14:16 | | | IPv4 | 18.158.22.135 | 10.1.254.22 | TCP | 443,28772 | 0 | 0 | Violation | INVALID_TRAFFIC |
| 25.05.2022 14:16 | Port2 | | IPv4 | 18.158.22.135 | 10.1.254.22 | TCP | 443,28772 | 0 | 0 | Incoming | |
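To quantify the duplication in a capture like the one above, the following added example (not part of the original post and not Sophos code) parses `tcpdump -i any -nve` output and reports every packet that also appears on an interface outside an allowed set. It assumes Port2 is the only expected egress interface, as the post states; the function names are hypothetical, and the sample is an excerpt of the capture above.

```python
import re
from collections import defaultdict

# Excerpt of the capture above: SYN on both interfaces, SYN-ACK, one unmirrored ACK.
SAMPLE = """\
14:31:38.628537 Port2, OUT: Out c8:4f:86:33:33:33 ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 64, id 63654, offset 0, flags [DF], proto TCP (6), length 52)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [S], cksum 0x3163 (incorrect -> 0xee49), seq 3596046757, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
14:31:38.628542 mv-pcimux0, OUT: Out c4:c5:c6:c7:c8:c9 ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 64, id 63654, offset 0, flags [DF], proto TCP (6), length 52)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [S], cksum 0x3163 (incorrect -> 0xee49), seq 3596046757, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
14:31:38.662125 Port2, IN:  In 3c:a6:2f:d3:5a:7d ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 242, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    18.158.22.135.443 > 10.1.254.22.46018: Flags [S.], cksum 0xb8e0 (correct), seq 3975696747, ack 3596046758, win 26883, options [mss 1460,nop,nop,sackOK,nop,wscale 8], length 0
14:31:38.682219 Port2, OUT: Out c8:4f:86:33:33:33 ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 64, id 63659, offset 0, flags [DF], proto TCP (6), length 40)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [.], cksum 0x3157 (incorrect -> 0x4f8d), ack 4381, win 297, length 0
"""

# First line of each packet: timestamp, interface, direction, IP id.
HEADER = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>[^\s,]+), "
                    r"(?P<dir>IN|OUT):.*\bid (?P<ipid>\d+),")
# Indented second line: src.port > dst.port and the TCP flags.
FLOW = re.compile(r"^\s+(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]")

def parse(text):
    """Pair each header line with the flow line that follows it."""
    packets, pending = [], None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            pending = h.groupdict()
            continue
        f = FLOW.match(line)
        if f and pending:
            packets.append({**pending, **f.groupdict()})
            pending = None
    return packets

def unexpected_copies(packets, allowed):
    """Map (src, dst, ip id, flags) -> interfaces outside `allowed` that saw it."""
    seen = defaultdict(set)
    for p in packets:
        # IP id wraps at 65535, so keep captures short when relying on this key.
        seen[(p["src"], p["dst"], p["ipid"], p["flags"])].add(p["iface"])
    return {k: sorted(v - allowed) for k, v in seen.items() if v - allowed}

if __name__ == "__main__":
    for key, ifaces in unexpected_copies(parse(SAMPLE), {"Port2"}).items():
        print(key, "also seen on", ifaces)
```
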



This thread was automatically locked due to age.