Hi,
I'm having some trouble with a medical device uploading its results to a web server where it seems the 'return' traffic that should match the HTTPS session to the website is being dropped by the firewall. Basically the device gets plugged in, then uploads its logs to a website, then it should receive a response saying that the logs were received and can be cleared from the device. The upload step appears to be working fine, but the responses from the website don't get received.
I can see in the firewall logs traffic is allowed out to the website, but then what appears to be return traffic from the website (coming back on the same port it went out on) is being dropped ~90 seconds later:
I've tried everything I can think of to try and get this working - I've added a firewall rule for all outgoing traffic to this server to bypass any web filtering, IPS, etc, and checked the tcp-est-idle-timeout is set to the default 10800 seconds, so it shouldn't be timing out after 90 seconds. The device support guys say they've never seen this behaviour before, and have this system running fine in other locations.
The client's firewall is an XG135 and this issue has persisted across multiple firmware versions - I think we started on 18.5.3, upgraded to 18.5.4 and are now on 19.0.0 (we may have been on 18.5.2 initially and then gone to 18.5.3 as well).
One thing I have done that seemed to make a difference and maybe explain what is going on here was disabling firewall acceleration (system firewall-acceleration disable). With firewall acceleration disabled I can see it looks like it's starting a second session to the web server, and the dropped replies that come back are from the previous session:
This behaviour kind of makes sense if that session has been terminated in some way - whether by the software or the firewall. But I don't know how or why the session is being dropped - and surely if it's remaining on the same session when firewall acceleration is on then the packets should not be dropped like this?
Is anyone able to help with shedding some light on what's going on here, and if there's anything I can do on the Sophos to mitigate this, or is this the result of some odd behaviour from the device/application/web server?
Kind Regards,
Tom Burger
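An added diagnostic example, not part of the post above and not Sophos code: a small correlator that reads firewall log lines and, for every dropped inbound packet, looks up the outbound flow it answers, reports how long since that flow was last seen, whether that is still inside the 10800 s tcp-est-idle-timeout the post mentions, and whether the client has since opened a newer flow to the same server port. That last flag is the "reply to the previous session" pattern seen with acceleration disabled. The log lines and their key=value format are constructed for the example (it is not XG syslog; adapt `LINE_RE` to the real format).

```python
"""Correlate dropped inbound packets with the outbound flows they answer.

Constructed log format (hypothetical, not the XG's own syslog):
  t=<seconds> action=allow|drop dir=in|out src=<ip> sport=<port> dst=<ip> dport=<port>
"""
import re
from dataclasses import dataclass

# Constructed sample: client 10.0.0.25 opens a flow, exchanges a few packets,
# opens a second flow to the same server, and then a reply to the FIRST flow is
# dropped ~90 s after that flow was last seen.  The last line is a drop with no
# matching outbound flow at all.
SAMPLE_LOG = """\
t=0 action=allow dir=out src=10.0.0.25 sport=51000 dst=203.0.113.10 dport=443
t=2 action=allow dir=in src=203.0.113.10 sport=443 dst=10.0.0.25 dport=51000
t=3 action=allow dir=out src=10.0.0.25 sport=51000 dst=203.0.113.10 dport=443
t=90 action=allow dir=out src=10.0.0.25 sport=51001 dst=203.0.113.10 dport=443
t=93 action=drop dir=in src=203.0.113.10 sport=443 dst=10.0.0.25 dport=51000
t=200 action=drop dir=in src=198.51.100.7 sport=443 dst=10.0.0.25 dport=52000
"""

LINE_RE = re.compile(
    r"t=(?P<t>\d+) action=(?P<action>\w+) dir=(?P<dir>in|out) "
    r"src=(?P<src>[\d.]+) sport=(?P<sport>\d+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


@dataclass
class Event:
    t: int
    action: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int

    def client_key(self):
        """Flow key as (client ip, client port, server ip, server port), regardless of direction."""
        if self.direction == "out":
            return (self.src, self.sport, self.dst, self.dport)
        return (self.dst, self.dport, self.src, self.sport)


def parse_log(text):
    """Parse lines in the constructed format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append(Event(int(d["t"]), d["action"], d["dir"], d["src"],
                            int(d["sport"]), d["dst"], int(d["dport"])))
    return events


def correlate_drops(events, idle_timeout=10800):
    """For each dropped inbound packet, find the outbound flow it belongs to.

    Returns one dict per drop with the flow key, the seconds since that flow was
    last allowed (None if the firewall never allowed it), whether that gap is
    still inside the established-TCP idle timeout, and whether the same client
    has since opened a newer flow to the same server:port.
    """
    last_seen = {}  # client_key -> time of the last allowed packet in that flow
    findings = []
    for ev in sorted(events, key=lambda e: e.t):  # time order: only earlier flows count
        key = ev.client_key()
        if ev.action == "allow":
            last_seen[key] = ev.t
            continue
        if ev.direction != "in":
            continue
        seen = last_seen.get(key)
        client, cport, server, sport = key
        newer = [k for k, t in last_seen.items()
                 if k[0] == client and k[2] == server and k[3] == sport
                 and k[1] != cport and (seen is None or t > seen)]
        findings.append({
            "drop_time": ev.t,
            "flow": key,
            "age": None if seen is None else ev.t - seen,
            "within_idle_timeout": seen is not None and ev.t - seen < idle_timeout,
            "newer_flow_to_same_server": bool(newer),
        })
    return findings


if __name__ == "__main__":
    for f in correlate_drops(parse_log(SAMPLE_LOG)):
        print(f)
```

A drop that is `within_idle_timeout` and also has `newer_flow_to_same_server` set points at the session having been torn down by one endpoint (or replaced by the client) rather than by the idle timer; a drop with `age` of None means the firewall never saw the outbound side of that flow at all, which is a different problem (routing, asymmetric path, or a server-initiated connection).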