
Dropped packets on LAN to WAN traffic on port 443

Hello,

I am pretty new to the Sophos devices, and have been struggling to get answers on why we are seeing some dropped traffic. I've put in support cases on the issue, but they've not been able to help me.

I'm seeing a lot of dropped packets between our Exchange server and remote devices over port 443, but lately it's been causing issues with some tax software we utilize.

I'm using the console to monitor the drop-packet-capture command. The packets are dropped as "Invalid Traffic" and most do not contain any specific fw_rule_id, policytype, or other identifying information, as follows:

l4_protocol=TCP source_port=62202 dest_port=443 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

However, some of the traffic I've logged actually shows policytype=2, which seems to indicate some sort of IPS policy was applied, but the IPS log from the web interface does not show any corresponding traffic. I do not have any IPS policies applied on any firewall rules:

l4_protocol=TCP source_port=46733 dest_port=443 fw_rule_id=0 policytype=2 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=5 app_id=100 category_id=1026 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=1 cluster_node=0 inmark=0x0 nfqueue=100 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=1208485889 connid=1306160384 masterid=1306162464 status=398 state=4 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

I'm pretty frustrated at this point and just hoping somebody can help me. The Sophos XG has some pretty nice features, but these have not at all been worth the headaches it's caused so far.

Thanks.



  • I believe Exchange does RPC/MAPI over HTTPS ( https://technet.microsoft.com/en-us/library/dn635177%28v=exchg.160%29.aspx )

    This means the packet is not actually a valid HTTPS packet, so will be dropped.

    There are a few posts of other people with the issue on this forum, ( https://community.sophos.com/search?q=Exchange#serplanguages=English&serpcategory=content&serpgroup=34)

    I think turning off HTTPS Inspection would resolve the issue.

  • Thank you!

    I was seeing similar issues with the Facebook app on iOS not loading images, accompanied by logs like the one discussed here.

    2017-03-11 10:22:32 0102021 IP 10.0.17.53.50307 > 31.13.70.37.443 : proto TCP: R 861543794:861543794(0) win 8192 checksum : 53413

    0x0000:  4500 0028 b1fd 4000 4006 086c 0a00 1135  E..(..@.@..l...5

    0x0010:  1f0d 4625 c483 01bb 335a 1d72 d52c 528c  ..F%....3Z.r.,R.

    0x0020:  5014 2000 d0a5 0000                      P.......

    Date=2017-03-11 Time=10:22:32 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=0 outzone_id=0 source_mac=40:4d:7f:bb:27:8f dest_mac=80:2a:a8:f0:01:8b l3_protocol=IP source_ip=10.0.17.53 dest_ip=31.13.70.37 l4_protocol=TCP source_port=50307 dest_port=443 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A


    Disabling HTTPS decryption helped. However it is not an optimal solution.

    I'm considering making another rule specifically for Facebook IP ranges to skip HTTPS decryption, but I'm not sure how often that changes and I definitely would not want to keep maintaining that list.
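The log lines quoted in this thread share one key=value format, so they can be parsed and aggregated before deciding whether a decryption exclusion is really needed and for which flows. The following is an added example, not code from the thread or from Sophos: the sample lines are constructed from the field layout shown above (addresses and counts are made up), and the label names in classify() are my own, based only on the two field combinations the original poster described.

```python
import re
from collections import Counter

# Constructed sample lines (not real captures) in the key=value layout of the
# drop-packet-capture / Invalid_Traffic entries quoted in the thread.
SAMPLE_LOG = """\
Date=2017-03-11 Time=10:22:32 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied in_dev=Port2 source_ip=10.0.17.53 dest_ip=31.13.70.37 l4_protocol=TCP source_port=50307 dest_port=443 fw_rule_id=0 policytype=0 app_id=0 nfqueue=0
Date=2017-03-11 Time=10:22:40 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied in_dev=Port2 source_ip=10.0.17.53 dest_ip=31.13.70.37 l4_protocol=TCP source_port=50310 dest_port=443 fw_rule_id=0 policytype=0 app_id=0 nfqueue=0
Date=2017-03-11 Time=10:23:01 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied in_dev=Port1 source_ip=10.0.5.20 dest_ip=192.0.2.10 l4_protocol=TCP source_port=46733 dest_port=443 fw_rule_id=0 policytype=2 app_id=100 nfqueue=100
Date=2017-03-11 Time=10:23:09 log_type=Firewall log_component=Firewall log_subtype=Allowed in_dev=Port1 source_ip=10.0.5.20 dest_ip=192.0.2.10 l4_protocol=TCP source_port=46800 dest_port=443 fw_rule_id=3 policytype=1 app_id=0 nfqueue=0
"""

KV_RE = re.compile(r"(\w+)=(\S*)")  # key=value tokens; empty values (out_dev=) allowed


def parse_line(line):
    """Split one key=value log line into a dict; every value stays a string."""
    return dict(KV_RE.findall(line))


def classify(rec):
    """Heuristic labels for the two field combinations the thread describes."""
    if rec.get("policytype") == "0" and rec.get("fw_rule_id") == "0":
        return "invalid-no-rule"        # first sample: nothing matched, bare drop
    if rec.get("policytype") == "2":
        return "policy-2-with-app"      # second sample: app_id set, nfqueue non-zero
    return "other"


def summarize_drops(log_text, port="443"):
    """Count denied Invalid_Traffic drops to `port` per (source, dest) pair and per label.
    drop-packet-capture output omits log_component, so a missing field counts as Invalid_Traffic."""
    by_pair, by_label = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        comp = rec.get("log_component", "Invalid_Traffic")
        if comp != "Invalid_Traffic" or rec.get("dest_port") != port:
            continue
        by_pair[(rec.get("source_ip", "?"), rec.get("dest_ip", "?"))] += 1
        by_label[classify(rec)] += 1
    return by_pair, by_label


def repeat_offenders(by_pair, threshold=2):
    """Pairs dropped at least `threshold` times: the flows to inspect first before
    adding a decryption exclusion, instead of excluding a whole IP range blindly."""
    return sorted(p for p, n in by_pair.items() if n >= threshold)


if __name__ == "__main__":
    pairs, labels = summarize_drops(SAMPLE_LOG)
    print(dict(labels))
    print(repeat_offenders(pairs))
```

Feed it the saved output of drop-packet-capture or an exported Invalid_Traffic log; flows that repeat from one client to one destination are the candidates for a narrowly scoped "skip HTTPS decryption" rule.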

  • Don't make a rule for Facebook IPs; make a rule that has the source as the iOS box, then create an ATP list of Facebook and use that.


  • Thank you for the suggestion; I'm not sure I understand how it is supposed to work though - it seems to allow IGMP traffic if it is from iOS host and if it fits the Facebook app access profile; (I assume default behavior for that app rule should be Deny) - however how is that related to allowing HTTPS traffic that was dropped?

    Anyways, I've created the rule; however, I cannot test it anymore because the Facebook app stopped exhibiting that issue (I did not delete my "skip HTTPS decryption for Facebook IP ranges" rule, but I did disable it). I do see dropped packets in the log again, but now they don't seem to affect the behavior of the app in terms of loading images, etc.

    (I do see the Facebook app was updated one day prior to my experiments - perhaps Facebook rolled out backend update as well.. not sure). I'll keep watching and if this happens again re-enable the rule you've suggested and see if it helps.

    Thank you!

  • Very simply, the information I posted allows Facebook to work on an iOS device, which is the question you asked.
