
Crashplan Connectivity Issues with XG 16

Since upgrading today to XG 16 (not beta), CrashPlan hasn't been working.

It doesn't seem to connect.

I've checked the rules and the IP has no extra features turned on (Malware/Web policy); it's statically bypassed.

I tried turning off IPS with no luck; also, the firewall shows the traffic green (allowed) out?

So with this version logging is improved, which is great! So I found out that it's an invalid traffic issue?

2016-10-11 11:02:55 | Invalid Traffic | Denied | - | 0 | PortB | - | 162.222.42.64 :TCP(443) | 01001

Could anyone help me here with that? Thank you!

Regards



  • Hi,

    The traffic is denied as invalid, which means there is no firewall rule to forward the traffic. Create a plain firewall rule at the TOP and check the connectivity.

    Fw Rule: Lan > any > Wan | webfilter : None, Application filter: None

    Thanks

  • Hi Sachin,

    I have those rules already, according to the firewall.

    Investigating it a little more last night, I found the outbound traffic is flowing through fine; it seems to not allow it back in.

    I tried an any rule inbound from CrashPlan too:

    And the rule that allows static IPs out, with nothing below the rule except the NAT policy:

    The FW rule here in the logs shows allowed out, but I don't see the traffic back, or if I do manage to get it to show (playing around) it'll show denied.

    Thanks for your help

  • Hi David,

    Looking at the logs again, 

    Date=2016-10-12 Time=08:08:00 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=0 outzone_id=0 source_mac=00:08:9b:xx:xx:xx dest_mac=e4:8d:8c:xx:xx:xx l3_protocol=IP source_ip=192.168.1.110 dest_ip=216.17.8.48 l4_protocol=TCP source_port=42022 dest_port=4287 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    The traffic is dropped as invalid traffic because no firewall rule is found to forward the connection. Can you also try to flush the v4 connection table? Take SSH to XG and execute:

    system diagnostics utilities connections v4 delete src_ip x.x.x.x (execute it several times on src and dest both ways). Also, I read some articles for CrashPlan and referred to them in my previous post; can you verify the information?

    Thanks

  • > The traffic is dropped as invalid traffic because no firewall rule is found to forward the connection. Can you also try to flush the v4 connection table? Take SSH to XG and execute:
    >
    > system diagnostics utilities connections v4 delete src_ip x.x.x.x (execute it several times on src and dest both ways). Also, I read some articles for CrashPlan and referred to them in my previous post; can you verify the information?

    No rule?  It's right here and worked perfectly in v15.  Other users have reported the same thing.

    The drop log was taken immediately after booting from v15 to v16.

    The one CP reference is for an explicit proxy, so that doesn't apply to my configuration.

  • It's exactly the same as David's; all that's different is the IP it's going to, as I'm connected to another CrashPlan server:

    2016-10-12 17:47:21 0102021 IP 162.222.42.207.443 > 10.10.7.1.41464 : proto TCP: R 3399830217:3399830217(0) checksum : 6150
    0x0000:  4500 0028 c2bd 4000 3506 a45a a2de 2acf  E..(..@.5..Z..*.
    0x0010:  0a0a 0701 01bb a1f8 caa5 4ac9 0000 0000  ..........J.....
    0x0020:  5004 0000 1806 0000                      P.......

    Date=2016-10-12 Time=17:47:21 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortB out_dev= inzone_id=0 outzone_id=0 source_mac=7c:4c:a5:8b:8e:98 dest_mac=00:50:56:a5:3c:0f l3_protocol=IP source_ip=162.222.42.207 dest_ip=10.10.7.1 l4_protocol=TCP source_port=443 dest_port=41464 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2016-10-12 17:47:21 0102021 IP 162.222.42.207.443 > 10.10.7.1.41464 : proto TCP: R 3399830217:3399830217(0) checksum : 6150
    0x0000:  4500 0028 c2be 4000 3506 a459 a2de 2acf  E..(..@.5..Y..*.
    0x0010:  0a0a 0701 01bb a1f8 caa5 4ac9 0000 0000  ..........J.....
    0x0020:  5004 0000 1806 0000                      P.......

    Date=2016-10-12 Time=17:47:21 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortB out_dev= inzone_id=0 outzone_id=0 source_mac=7c:4c:a5:8b:8e:98 dest_mac=00:50:56:a5:3c:0f l3_protocol=IP source_ip=162.222.42.207 dest_ip=10.10.7.1 l4_protocol=TCP source_port=443 dest_port=41464 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
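The dropped segments in the post above can be read straight out of the hex dumps. This is an added example, not part of the original post: it decodes the first dump (the bytes are the ones shown in the log, with the tcpdump header line omitted) into its IPv4 and TCP header fields, so the RST flag, zero window and sequence number that the one-line summary reports can be checked against the raw bytes.

```python
import ipaddress
import struct

# Bytes copied from the first hex dump in the post above; the tcpdump header line is omitted.
DUMP = """
0x0000:  4500 0028 c2bd 4000 3506 a45a a2de 2acf  E..(..@.5..Z..*.
0x0010:  0a0a 0701 01bb a1f8 caa5 4ac9 0000 0000  ..........J.....
0x0020:  5004 0000 1806 0000                      P.......
"""

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def hexdump_to_bytes(dump):
    """Convert tcpdump -x style lines to raw bytes, dropping the offset and ASCII columns."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, _, rest = line.partition(":")
        hex_groups = rest.strip().split("  ")[0]  # the ASCII gutter begins after two spaces
        out += bytes.fromhex(hex_groups.replace(" ", ""))
    return bytes(out)


def decode_ipv4_tcp(pkt):
    """Decode IPv4 + TCP headers; sufficient for the option-less segments in the log."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _ip_csum = struct.unpack("!BBHHHBBH", pkt[:12])
    if proto != 6:
        raise ValueError("not a TCP segment")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack, off_flags, window, tcp_csum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    flags = [name for bit, name in sorted(TCP_FLAGS.items()) if off_flags & bit]
    return {
        "src": str(ipaddress.IPv4Address(pkt[12:16])), "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "ttl": ttl, "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flags, "window": window, "tcp_checksum": tcp_csum,
        "payload_len": len(tcp) - (off_flags >> 12) * 4,
    }


def is_bare_reset(info):
    """A bare RST (no ACK, no payload): a connection tracker with no entry for this
    4-tuple cannot tie it to an established flow and classifies it as invalid."""
    return info["flags"] == ["RST"] and info["payload_len"] == 0


if __name__ == "__main__":
    info = decode_ipv4_tcp(hexdump_to_bytes(DUMP))
    print(info)
    print("bare reset:", is_bare_reset(info))
```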

  • And just to demonstrate connectivity per the CrashPlan KB:

    ---------------

    $ telnet central.crashplan.com  443
    Trying 216.17.8.8...
    Connected to central.crashplan.com.
    Escape character is '^]'.



    ?cA-18782|com.code42.messaging.security.SecurityProviderReadyMessage¶¢"=s:́£
                                                                                 ?!ùª?nDZ?Y0àã¿XÂÔLH?

    ---------------

    But the actual application data stream gets smacked by v16 to Invalid Traffic.

    With 100% identical firewall rules, I revert back to v15 and everything works. 

  • I understand sachingurung, you have bigger priorities here, but is there anything you can do or update us on?

    Not having cloud backups for business/home is something we will have to revert the firewall over.

    It seems like such a waste, as 16 already performs better and is better as a whole.

    Thanks!

  • Just stumbled upon your thread, as I have been searching for a couple days. 

    I used Splunk to analyze the logs and found also that the outbound connections to crashplan.com were allowed but the inbound was denied as invalid traffic. 

    I found a temp fix; it involves disabling a granular application control feature (this is a server network, so no application policies are applied)... but I have CrashPlan working now:

    I followed the quick step in this workaround, and within seconds it connected and synced.

    https://community.sophos.com/kb/en-us/125458

    Looking forward to the next fix...  such a great product.
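The Splunk finding above (outbound allowed, inbound denied as invalid) can be reproduced offline over the raw XG log lines. This is an added example, not the poster's Splunk search: it parses the key=value format quoted in this thread and pairs each Invalid_Traffic deny with an earlier Allowed entry for the reversed 4-tuple. The Allowed entry and the second deny in the sample are constructed, and the `Firewall_Rule` / `Allowed` field values are assumed.

```python
import re
from collections import namedtuple

# Constructed sample log, modelled on the XG lines quoted in this thread: an Allowed outbound
# entry (field values assumed; the thread shows only denies), the thread's own Invalid_Traffic
# deny trimmed to the relevant fields, and a constructed stray deny with no matching flow.
SAMPLE_LOG = """\
Date=2016-10-12 Time=17:47:20 log_id=0000000 log_type=Firewall log_component=Firewall_Rule log_subtype=Allowed in_dev=Port1 out_dev=PortB source_ip=10.10.7.1 dest_ip=162.222.42.207 l4_protocol=TCP source_port=41464 dest_port=443 fw_rule_id=12
Date=2016-10-12 Time=17:47:21 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert in_dev=PortB out_dev= source_ip=162.222.42.207 dest_ip=10.10.7.1 l4_protocol=TCP source_port=443 dest_port=41464 fw_rule_id=0
Date=2016-10-12 Time=17:47:25 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert in_dev=PortB out_dev= source_ip=198.51.100.5 dest_ip=10.10.7.1 l4_protocol=TCP source_port=443 dest_port=55555 fw_rule_id=0
"""

KV = re.compile(r"(\w+)=(\S*)")
Flow = namedtuple("Flow", "proto src sport dst dport")


def parse_line(line):
    """One key=value pair per token; an empty value such as 'out_dev=' parses as ''."""
    return dict(KV.findall(line))


def flow_of(rec):
    return Flow(rec["l4_protocol"], rec["source_ip"], rec["source_port"],
                rec["dest_ip"], rec["dest_port"])


def find_asymmetric_drops(log_text):
    """Split Invalid_Traffic denies into two lists: those whose reversed 4-tuple matches an
    earlier Allowed flow (return traffic of a permitted session being dropped) and strays."""
    allowed, asymmetric, stray = set(), [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("log_type") != "Firewall":
            continue
        if rec.get("log_subtype") == "Allowed":
            allowed.add(flow_of(rec))
        elif rec.get("log_component") == "Invalid_Traffic" and rec.get("log_subtype") == "Denied":
            f = flow_of(rec)
            reverse = Flow(f.proto, f.dst, f.dport, f.src, f.sport)
            (asymmetric if reverse in allowed else stray).append(rec)
    return asymmetric, stray


if __name__ == "__main__":
    asym, stray = find_asymmetric_drops(SAMPLE_LOG)
    for rec in asym:
        print("return traffic dropped:", flow_of(rec))
    print(len(stray), "deny entries with no matching outbound flow")
```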

  • Before finding this thread I ran across a curious categorization under Applications -> Application List.  If I apply a filter to the name of "crash" one item comes up and has a very strange categorization.

    Why is CrashPlan a "High" risk application? And does that affect how Sophos XG filters the traffic?

    Application Detail
    Name: Crash Plan
    Category: Storage and Backup
    Risk: High
    Characteristics: Prone to misuse, Transfer files, Vulnerabilities
    Technology: Client Server
    Dependency: NONE
    Applicable on: 10.06.1 Build 631 and above
    Description: This indicates Crash Plan website or application load attempt from the network.

  • Thanks for posting this. Looks like the problem still exists in SFOS 16.05.0, even though the known issue was n/a for the release notes.

  • Still there, yes? I asked in the release thread. Seems several issues are still "valid" - community.sophos.com/.../sfos-16-05-0-released 

  • I have an XG125w running SFOS 16.05.1 MR-1 and I can confirm that this is ABSOLUTELY still an issue... worked fine on v15. I used the KB article to get around it.
