When accessing internal HTTPS websites located at "Site A" from "Site B", the pages appear to never fully load. This occurs with an internal web server as well as the HTTPS control interfaces for the Sophos, our switches, etc. Upon further inspection, it looks like this traffic is being flagged as invalid by the Sophos and subsequently dropped.
Curiously enough, we have identical site-to-site VPN setups between each location:
- Site B <-> Site A (HTTPS traffic marked as invalid, dropped)
- Site C <-> Site A (HTTPS traffic passes unimpeded)
- Site D <-> Site A (HTTPS traffic passes unimpeded)
We are running XG210s at each of these locations, with rules set to allow internal LAN traffic (over the VPN) to pass without any malware scanning. The issue occurs when the web filter is set to "Allow All" and also to "None". The Web Filter logs show the connection as "allowed."
Drop Packet Capture:
console> drop-packet-capture "host 10.101.100.15 or host 10.101.104.1"
2016-05-25 14:20:56 0102021 IP 10.102.102.57.2691 > 10.101.104.1.4444 : proto TCP: 1237605685:1237605686(1) ack 2753377212 win 256 checksum : 12572
0x0000: 4500 0029 04a4 4000 8006 1326 0a66 6639 E..)..@....&.ff9
0x0010: 0a65 6801 0a83 115c 49c4 5d35 a41d 33bc .eh....\I.]5..3.
0x0020: 5010 0100 311c 0000 00 P...1....
Date=2016-05-25 Time=14:20:56 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port5.102 out_dev= inzone_id=0 outzone_id=0 source_mac=18:5e:0f:cb:5d:45 dest_mac=00:1a:8c:50:fa:06 l3_protocol=IP source_ip=10.102.102.57 dest_ip=10.101.104.1 l4_protocol=TCP source_port=2691 dest_port=4444 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
2016-05-25 14:21:41 0102021 IP 10.102.102.57.2691 > 10.101.104.1.4444 : proto TCP: 1237605685:1237605686(1) ack 2753377212 win 256 checksum : 12572
0x0000: 4500 0029 04a5 4000 8006 1325 0a66 6639 E..)..@....%.ff9
0x0010: 0a65 6801 0a83 115c 49c4 5d35 a41d 33bc .eh....\I.]5..3.
0x0020: 5010 0100 311c 0000 00 P...1....
Date=2016-05-25 Time=14:21:41 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port5.102 out_dev= inzone_id=0 outzone_id=0 source_mac=18:5e:0f:cb:5d:45 dest_mac=00:1a:8c:50:fa:06 l3_protocol=IP source_ip=10.102.102.57 dest_ip=10.101.104.1 l4_protocol=TCP source_port=2691 dest_port=4444 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=7161342651608858624 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
2016-05-25 14:22:26 0102021 IP 10.102.102.57.2691 > 10.101.104.1.4444 : proto TCP: 1237605685:1237605686(1) ack 2753377212 win 256 checksum : 12572
0x0000: 4500 0029 04a6 4000 8006 1324 0a66 6639 E..)..@....$.ff9
0x0010: 0a65 6801 0a83 115c 49c4 5d35 a41d 33bc .eh....\I.]5..3.
0x0020: 5010 0100 311c 0000 00 P...1....
Date=2016-05-25 Time=14:22:26 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port5.102 out_dev= inzone_id=0 outzone_id=0 source_mac=18:5e:0f:cb:5d:45 dest_mac=00:1a:8c:50:fa:06 l3_protocol=IP source_ip=10.102.102.57 dest_ip=10.101.104.1 l4_protocol=TCP source_port=2691 dest_port=4444 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=7161342651608858624 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
2016-05-25 14:23:11 0102021 IP 10.102.102.57.2691 > 10.101.104.1.4444 : proto TCP: 1237605685:1237605686(1) ack 2753377212 win 256 checksum : 12572
0x0000: 4500 0029 04bd 4000 8006 130d 0a66 6639 E..)..@......ff9
0x0010: 0a65 6801 0a83 115c 49c4 5d35 a41d 33bc .eh....\I.]5..3.
0x0020: 5010 0100 311c 0000 00 P...1....
Date=2016-05-25 Time=14:23:11 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port5.102 out_dev= inzone_id=0 outzone_id=0 source_mac=18:5e:0f:cb:5d:45 dest_mac=00:1a:8c:50:fa:06 l3_protocol=IP source_ip=10.102.102.57 dest_ip=10.101.104.1 l4_protocol=TCP source_port=2691 dest_port=4444 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=7161342651608858624 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
2016-05-25 14:23:56 0102021 IP 10.102.102.57.2691 > 10.101.104.1.4444 : proto TCP: 1237605685:1237605686(1) ack 2753377212 win 256 checksum : 12572
0x0000: 4500 0029 04bf 4000 8006 130b 0a66 6639 E..)..@......ff9
0x0010: 0a65 6801 0a83 115c 49c4 5d35 a41d 33bc .eh....\I.]5..3.
0x0020: 5010 0100 311c 0000 00 P...1....
Date=2016-05-25 Time=14:23:56 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port5.102 out_dev= inzone_id=0 outzone_id=0 source_mac=18:5e:0f:cb:5d:45 dest_mac=00:1a:8c:50:fa:06 l3_protocol=IP source_ip=10.102.102.57 dest_ip=10.101.104.1 l4_protocol=TCP source_port=2691 dest_port=4444 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=7161342651608858624 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
2016-05-25 14:24:41 0102021 IP 10.102.102.57.2691 > 10.101.104.1.4444 : proto TCP: R 1237605686:1237605686(0) checksum : 12824
0x0000: 4500 0028 04c1 4000 8006 130a 0a66 6639 E..(..@......ff9
0x0010: 0a65 6801 0a83 115c 49c4 5d36 a41d 33bc .eh....\I.]6..3.
0x0020: 5014 0000 3218 0000 P...2...
Date=2016-05-25 Time=14:24:41 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port5.102 out_dev= inzone_id=0 outzone_id=0 source_mac=18:5e:0f:cb:5d:45 dest_mac=00:1a:8c:50:fa:06 l3_protocol=IP source_ip=10.102.102.57 dest_ip=10.101.104.1 l4_protocol=TCP source_port=2691 dest_port=4444 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=7161342651608858624 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
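The hex dumps above carry more evidence than the one-line summaries show. The following decoder is an added example, not part of the original post or of any Sophos tooling: it rebuilds the raw bytes from the tcpdump-style dump lines copied from the capture (the first denied segment at 14:20:56 and the RST at 14:24:41), parses the IPv4 and TCP headers, verifies both checksums against the pseudo-header, and pairs the result with the key=value fields of the accompanying drop log line. The `triage` verdict strings and the `DROP_LOG` subset of fields are this example's own assumptions about how to summarise what a stateful firewall sees; the packet bytes and log fields themselves come from the post.

```python
"""Decode the XG drop-packet-capture hex dumps and the matching log line."""
import re
import struct
from dataclasses import dataclass

# Hex dumps copied verbatim from the capture in the post: the first denied
# segment (14:20:56) and the RST that ends the exchange (14:24:41).
KEEPALIVE_DUMP = r"""
0x0000: 4500 0029 04a4 4000 8006 1326 0a66 6639 E..)..@....&.ff9
0x0010: 0a65 6801 0a83 115c 49c4 5d35 a41d 33bc .eh....\I.]5..3.
0x0020: 5010 0100 311c 0000 00 P...1....
"""
RST_DUMP = r"""
0x0000: 4500 0028 04c1 4000 8006 130a 0a66 6639 E..(..@......ff9
0x0010: 0a65 6801 0a83 115c 49c4 5d36 a41d 33bc .eh....\I.]6..3.
0x0020: 5014 0000 3218 0000 P...2...
"""
# A subset of the fields from the log line printed with the first dump.
DROP_LOG = ("Date=2016-05-25 Time=14:20:56 log_id=0102021 log_type=Firewall "
            "log_component=Invalid_Traffic log_subtype=Denied in_dev=Port5.102 "
            "out_dev= source_ip=10.102.102.57 dest_ip=10.101.104.1 "
            "l4_protocol=TCP source_port=2691 dest_port=4444 fw_rule_id=0")

HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+:\s+(.*)$")
HEX_WORD = re.compile(r"[0-9a-fA-F]{4}|[0-9a-fA-F]{2}")
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def parse_hexdump(text: str) -> bytes:
    """Rebuild raw packet bytes from tcpdump -X style lines; the first token
    that is not a 2- or 4-digit hex group starts the ASCII column."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        for tok in m.group(1).split():
            if not HEX_WORD.fullmatch(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 sum; a buffer that includes a correct checksum sums to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


@dataclass
class Packet:
    src: str
    dst: str
    ip_id: int
    sport: int
    dport: int
    seq: int
    ack: int
    flags: list
    window: int
    payload_len: int
    ip_csum_ok: bool
    tcp_csum_ok: bool


def decode(raw: bytes) -> Packet:
    """Parse an IPv4/TCP segment and verify both header checksums."""
    ver_ihl, _tos, total_len, ip_id, _frag, _ttl, proto = struct.unpack("!BBHHHBB", raw[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("only IPv4/TCP is handled here")
    ihl = (ver_ihl & 0x0F) * 4
    src, dst = raw[12:16], raw[16:20]
    tcp = raw[ihl:total_len]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))  # TCP pseudo-header
    return Packet(
        src=".".join(map(str, src)), dst=".".join(map(str, dst)), ip_id=ip_id,
        sport=sport, dport=dport, seq=seq, ack=ack,
        flags=[name for bit, name in TCP_FLAGS if off_flags & bit],
        window=window, payload_len=len(tcp) - data_off,
        ip_csum_ok=ones_complement_sum(raw[:ihl]) == 0xFFFF,
        tcp_csum_ok=ones_complement_sum(pseudo + tcp) == 0xFFFF,
    )


def parse_drop_log(line: str) -> dict:
    """Split an XG key=value log line into a dict; empty values are kept."""
    return dict(re.findall(r"(\w+)=(\S*)", line))


def triage(dump: str, log_line: str) -> dict:
    """Combine the decoded segment with the log fields into a verdict (assumed wording)."""
    p = decode(parse_hexdump(dump))
    log = parse_drop_log(log_line)
    if "SYN" in p.flags:
        verdict = "connection setup; a drop here is a rule decision, not a state problem"
    elif p.flags == ["ACK"] and p.payload_len <= 1:
        verdict = "ACK-only probe (RFC 1122 keepalive shape) for a session the firewall is not tracking"
    elif "RST" in p.flags:
        verdict = "RST for a session the firewall is not tracking"
    else:
        verdict = "mid-stream data for a session the firewall is not tracking"
    return {"packet": p,
            "checksums_ok": p.ip_csum_ok and p.tcp_csum_ok,
            "invalid_no_rule": log.get("log_component") == "Invalid_Traffic"
                               and log.get("fw_rule_id") == "0",
            "verdict": verdict}
```

Run against the captured bytes, the decoder confirms that every denied segment is well formed: valid IP and TCP checksums, ACK flag only, one byte of payload, and the same seq/ack pair (1237605685/2753377212) repeated every 45 seconds until the client gives up with an RST. Together with log_component=Invalid_Traffic and fw_rule_id=0 (no firewall rule was consulted), that points at the connection-tracking layer rather than at the web filter or malware scanning: the XG is dropping mid-stream segments for a session it has no state for. The next thing to check is whether the XG at Site B actually sees the SYN and the reply on the same path for these flows, since a session whose setup bypasses the firewall or whose state has expired is logged exactly this way.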