Hi All,
As we know, understanding why a site is not loading is not easy with XG. I am going crazy trying to troubleshoot why this URL is not loading:
Here are some screenshots.
Hi Luk,
SSH to the XG and go to option 4, System console. Type drop-packet-capture 'host x.x.x.x' or website. Post the logs if you discover any drops while requesting the web URL. The drop-packet-capture command will give you 90% of the information on dropped packets and their cause.
Thanks
Sachin Gurung
Team Lead | Sophos Technical Support
Knowledge Base | @SophosSupport | Video tutorials
Remember to like a post. If a post (on a question thread) solves your question use the 'This helped me' link.
IPS is not catching anything.
Here the drop-packet output:
console> drop-packet-capture "host 104.84.191.93"
2016-06-20 12:10:35 0139021 IP 104.84.191.93.80 > 192.168.0.7.60217 : proto TCP: 2020576576:2020578016(1440) ack 999959239 win 991 checksum : 39638
Date=2016-06-20 Time=12:10:35 log_id=0139021 log_type=Firewall log_component= log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=1 outzone_id=0 source_mac=d4:ca:6d:b9:44:7e dest_mac=00:e0:b6:14:b4:21 l3_protocol=IP source_ip=104.84.191.93 dest_ip=192.168.0.7 l4_protocol=TCP source_port=80 dest_port=60217 fw_rule_id=7 policytype=2 live_userid=1 userid=6 user_gp=5 ips_id=5 sslvpn_id=0 web_filter_id=12 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=3 category_id=6 bandwidth_id=45 up_classid=13 dn_classid=131081 source_nat_id=131081 cluster_node=1 inmark=0 nfqueue=0 scanflags=253 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=1 connid=134809865 masterid=937318080 status=1269778048 state=398 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
2016-06-20 12:10:48 0102021 IP 104.84.191.93.80 > 192.168.1.200.47719 : proto TCP: 2031450095:2031451535(1440) ack 615976661 win 1062 checksum : 17664
Date=2016-06-20 Time=12:10:48 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=0 outzone_id=0 source_mac=d4:ca:6d:b9:44:7e dest_mac=00:e0:b6:14:b4:21 l3_protocol=IP source_ip=104.84.191.93 dest_ip=192.168.1.200 l4_protocol=TCP source_port=80 dest_port=47719 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=3618468792503369728 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
Hi,
The log states that the traffic is dropped by fw_rule ID 7 due to the IPS policy configured. Please
Date=2016-06-20 Time=12:10:35 log_id=0139021 log_type=Firewall log_component= log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=1 outzone_id=0 source_mac=d4:ca:6d:b9:44:7e dest_mac=00:e0:b6:14:b4:21 l3_protocol=IP source_ip=104.84.191.93 dest_ip=192.168.0.7 l4_protocol=TCP source_port=80 dest_port=60217 fw_rule_id=7 policytype=2 live_userid=1 userid=6 user_gp=5 ips_id=5 sslvpn_id=0 web_filter_id=12 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=3 category_id=6 bandwidth_id=45 up_classid=13 dn_classid=131081
Check the IPS logs and allow the signature inside the IPS policy.
Thanks
Sachin Gurung
Sachin,
What is the trick to understanding why the packet has been blocked by IPS in this case?
Drop-packet is helpful when traffic is blocked because the specific port is not opened, but in this case fw_rule_id=7, how can we understand why Policy ID 7 was blocking traffic due to IPS and not Web filter, for example?
Thanks.
Hi Luk,
In such cases, Log_ID plays an important role. Check the System Log ID attached by Aditya in my troubleshooting guide and you will know the trick.
Thanks
Sachin Gurung
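Added example, not part of the original thread or of Sophos tooling: a small Python parser for the key=value records that drop-packet-capture prints, run on the two records posted above (trimmed to the fields used). It reports the firewall rule and the non-zero policy IDs on each record, and it does not decode log_id, whose meaning the thread leaves to the troubleshooting guide. The function names are hypothetical.

```python
import re

# Constructed sample: the two drop records from the thread, trimmed to the
# fields used here (values copied from the posted output).
SAMPLE = """\
Date=2016-06-20 Time=12:10:35 log_id=0139021 log_type=Firewall log_component= log_subtype=Denied in_dev=Port2 out_dev= source_ip=104.84.191.93 dest_ip=192.168.0.7 source_port=80 dest_port=60217 fw_rule_id=7 policytype=2 ips_id=5 web_filter_id=12 app_filter_id=0
Date=2016-06-20 Time=12:10:48 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied in_dev=Port2 out_dev= source_ip=104.84.191.93 dest_ip=192.168.1.200 source_port=80 dest_port=47719 fw_rule_id=0 policytype=0 ips_id=0 web_filter_id=0 app_filter_id=0
"""

# key=value pairs; a value may be empty ("log_component= "), so use \S* not \S+
PAIR = re.compile(r"(\w+)=(\S*)")
POLICY_FIELDS = ("ips_id", "web_filter_id", "app_filter_id")


def parse_record(line):
    """Return the record as a dict, or None if the line is not a log record."""
    if not line.startswith("Date="):
        return None  # skips the packet summary and hex dump lines
    return dict(PAIR.findall(line))


def summarize(text):
    """Build one triage row per drop record found in the console output."""
    rows = []
    for line in text.splitlines():
        rec = parse_record(line.strip())
        if rec is None:
            continue
        # Policy IDs that are set on the matched rule (0, N/A or empty = none)
        attached = {k: int(rec[k]) for k in POLICY_FIELDS
                    if rec.get(k, "0") not in ("0", "N/A", "")}
        rows.append({
            "time": rec["Date"] + " " + rec["Time"],
            "log_id": rec["log_id"],
            "component": rec.get("log_component") or "(empty)",
            "flow": "{}:{} -> {}:{}".format(rec["source_ip"], rec["source_port"],
                                            rec["dest_ip"], rec["dest_port"]),
            "fw_rule_id": int(rec["fw_rule_id"]),
            "attached_policies": attached,
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

On the first record both ips_id and web_filter_id come back non-zero, so the rule and policy IDs by themselves do not name the module that dropped the packet; the second record matches no rule (fw_rule_id=0) and carries log_component=Invalid_Traffic.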