
new XG installs are causing ScreenConnect 'last connected' timer resets even though NO security services are enabled.

I have now set up two firewalls for two different clients who also use our screenconnect software on their machines for us to remotely connect for repair, diagnostics, etc. The screenconnect software on the client machine will regularly poll back to the screenconnect server (located in my office) to let the server know that it is available and online. This shows as a 'time connected' counter in the screenconnect dashboard. This has always been very stable, and has not been blocked or otherwise interfered with by any other firewall or security appliance. All clients that do not have sophos firewalls do not exhibit this behavior. However, the two XG (115 and 210) firewalls that I have installed in the last two days are causing that counter to reset every 5 minutes (I can see the activity in the screenconnect logs). Both firewalls are in gateway mode, directly connected to the ISP and have NO security services enabled yet. No AV, no IPS, No web filter...nothing. Just the default rule in the firewall that is put in place during the initial configuration wizard.

FYI, the client is set to relay out to the screenconnect server on port 80 and 443, so I don't understand why that would get reset every 5 minutes.



  • Hi Paul,

    Check #1 in my guide here. Capture drops on the destination/ source IP and port. If you do not see any drops, take a pcap and verify who generates the RESET packet.

    Thanks

  • I used the dropped packet inspection in the console to find many packets being dropped from my machines with screenconnect, attempting to communicate with my screenconnect server. Here is a sample of the console output:

    As you can see, there are entries on all of these that say 'log_component=Invalid_Traffic' and 'log_subtype=Denied'...this looks promising...ideas? 192.168.50.10 is my internal screenconnect server.

    Sophos Firmware Version SFOS 16.05.0 GA

    console> drop-packet-capture host 192.168.50.10
    % Error: Unknown Parameter '192.168.50.10'
    console> drop-packet-capture 'host 192.168.50.10'
    2017-02-01 10:57:46 0102021 IP 71.211.105.65.59059 > 192.168.50.10.443 : proto TCP: 1954977119:1954977120(1) ack 1048002705 win 258 checksum : 39341
    0x0000: 4500 0029 7d80 4000 7a06 df87 47d3 6941 E..)}.@.z...G.iA
    0x0010: c0a8 320a e6b3 01bb 7486 955f 3e77 4091 ..2.....t.._>w@.
    0x0020: 5010 0102 99ad 0000 00 P........
    Date=2017-02-01 Time=10:57:46 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=0 outzone_id=0 source_mac=80:2a:a8:f0:c4:3b dest_mac=00:15:5d:01:79:02 l3_protocol=IP source_ip=71.211.105.65 dest_ip=192.168.50.10 l4_protocol=TCP source_port=59059 dest_port=443 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-02-01 10:57:48 0102021 IP 71.211.105.65.59059 > 192.168.50.10.443 : proto TCP: 1954977119:1954977120(1) ack 1048002705 win 258 checksum : 39341
    0x0000: 4500 0029 7d81 4000 7a06 df86 47d3 6941 E..)}.@.z...G.iA
    0x0010: c0a8 320a e6b3 01bb 7486 955f 3e77 4091 ..2.....t.._>w@.
    0x0020: 5010 0102 99ad 0000 00 P........
    Date=2017-02-01 Time=10:57:48 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=0 outzone_id=0 source_mac=80:2a:a8:f0:c4:3b dest_mac=00:15:5d:01:79:02 l3_protocol=IP source_ip=71.211.105.65 dest_ip=192.168.50.10 l4_protocol=TCP source_port=59059 dest_port=443 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-02-01 10:57:49 0102021 IP 192.168.10.105.61033 > 192.168.50.10.80 : proto TCP: 2387610847:2387610848(1) ack 1784126408 win 255 checksum : 24839
    0x0000: 4500 0029 7bbc 4000 8006 c14e c0a8 0a69 E..){.@....N...i
    0x0010: c0a8 320a ee69 0050 8e50 0cdf 6a57 9bc8 ..2..i.P.P..jW..
    0x0020: 5010 00ff 6107 0000 00 P...a....
    Date=2017-02-01 Time=10:57:49 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=0 outzone_id=0 source_mac=00:25:b3:c8:60:74 dest_mac=80:2a:a8:f0:c4:3b l3_protocol=IP source_ip=192.168.10.105 dest_ip=192.168.50.10 l4_protocol=TCP source_port=61033 dest_port=80 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-02-01 10:57:50 0102021 IP 71.211.105.65.59059 > 192.168.50.10.443 : proto TCP: 1954977119:1954977120(1) ack 1048002705 win 258 checksum : 39341
    0x0000: 4500 0029 7d82 4000 7a06 df85 47d3 6941 E..)}.@.z...G.iA
    0x0010: c0a8 320a e6b3 01bb 7486 955f 3e77 4091 ..2.....t.._>w@.
    0x0020: 5010 0102 99ad 0000 00 P........
    Date=2017-02-01 Time=10:57:50 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=0 outzone_id=0 source_mac=80:2a:a8:f0:c4:3b dest_mac=00:15:5d:01:79:02 l3_protocol=IP source_ip=71.211.105.65 dest_ip=192.168.50.10 l4_protocol=TCP source_port=59059 dest_port=443 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-02-01 10:57:52 0102021 IP 71.211.105.65.59059 > 192.168.50.10.443 : proto TCP: 1954977119:1954977120(1) ack 1048002705 win 258 checksum : 39341
    0x0000: 4500 0029 7d83 4000 7a06 df84 47d3 6941 E..)}.@.z...G.iA
    0x0010: c0a8 320a e6b3 01bb 7486 955f 3e77 4091 ..2.....t.._>w@.
    0x0020: 5010 0102 99ad 0000 00 P........
    Date=2017-02-01 Time=10:57:52 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=0 outzone_id=0 source_mac=80:2a:a8:f0:c4:3b dest_mac=00:15:5d:01:79:02 l3_protocol=IP source_ip=71.211.105.65 dest_ip=192.168.50.10 l4_protocol=TCP source_port=59059 dest_port=443 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-02-01 10:57:54 0102021 IP 71.211.105.65.59059 > 192.168.50.10.443 : proto TCP: 1954977119:1954977120(1) ack 1048002705 win 258 checksum : 39341
    0x0000: 4500 0029 7d84 4000 7a06 df83 47d3 6941 E..)}.@.z...G.iA
    0x0010: c0a8 320a e6b3 01bb 7486 955f 3e77 4091 ..2.....t.._>w@.
    0x0020: 5010 0102 99ad 0000 00 P........
    Date=2017-02-01 Time=10:57:54 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=0 outzone_id=0 source_mac=80:2a:a8:f0:c4:3b dest_mac=00:15:5d:01:79:02 l3_protocol=IP source_ip=71.211.105.65 dest_ip=192.168.50.10 l4_protocol=TCP source_port=59059 dest_port=443 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-02-01 10:57:56 0102021 IP 71.211.105.65.59059 > 192.168.50.10.443 : proto TCP: 1954977119:1954977120(1) ack 1048002705 win 258 checksum : 39341
    0x0000: 4500 0029 7d85 4000 7a06 df82 47d3 6941 E..)}.@.z...G.iA
    0x0010: c0a8 320a e6b3 01bb 7486 955f 3e77 4091 ..2.....t.._>w@.
    0x0020: 5010 0102 99ad 0000 00 P........
    Date=2017-02-01 Time=10:57:56 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=0 outzone_id=0 source_mac=80:2a:a8:f0:c4:3b dest_mac=00:15:5d:01:79:02 l3_protocol=IP source_ip=71.211.105.65 dest_ip=192.168.50.10 l4_protocol=TCP source_port=59059 dest_port=443 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-02-01 10:57:58 0102021 IP 71.211.105.65.59059 > 192.168.50.10.443 : proto TCP: 1954977119:1954977120(1) ack 1048002705 win 258 checksum : 39341
    0x0000: 4500 0029 7d86 4000 7a06 df81 47d3 6941 E..)}.@.z...G.iA
    0x0010: c0a8 320a e6b3 01bb 7486 955f 3e77 4091 ..2.....t.._>w@.
    0x0020: 5010 0102 99ad 0000 00 P........
    Date=2017-02-01 Time=10:57:58 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=0 outzone_id=0 source_mac=80:2a:a8:f0:c4:3b dest_mac=00:15:5d:01:79:02 l3_protocol=IP source_ip=71.211.105.65 dest_ip=192.168.50.10 l4_protocol=TCP source_port=59059 dest_port=443 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-02-01 10:58:00 0102021 IP 71.211.105.65.59059 > 192.168.50.10.443 : proto TCP: 1954977119:1954977120(1) ack 1048002705 win 258 checksum : 39341
    0x0000: 4500 0029 7d87 4000 7a06 df80 47d3 6941 E..)}.@.z...G.iA
    0x0010: c0a8 320a e6b3 01bb 7486 955f 3e77 4091 ..2.....t.._>w@.
    0x0020: 5010 0102 99ad 0000 00 P........
    Date=2017-02-01 Time=10:58:00 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=0 outzone_id=0 source_mac=80:2a:a8:f0:c4:3b dest_mac=00:15:5d:01:79:02 l3_protocol=IP source_ip=71.211.105.65 dest_ip=192.168.50.10 l4_protocol=TCP source_port=59059 dest_port=443 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-02-01 10:58:02 0102021 IP 71.211.105.65.59059 > 192.168.50.10.443 : proto TCP: 1954977119:1954977120(1) ack 1048002705 win 258 checksum : 39341
    0x0000: 4500 0029 7d88 4000 7a06 df7f 47d3 6941 E..)}.@.z...G.iA
    0x0010: c0a8 320a e6b3 01bb 7486 955f 3e77 4091 ..2.....t.._>w@.
    0x0020: 5010 0102 99ad 0000 00 P........
    Date=2017-02-01 Time=10:58:02 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=0 outzone_id=0 source_mac=80:2a:a8:f0:c4:3b dest_mac=00:15:5d:01:79:02 l3_protocol=IP source_ip=71.211.105.65 dest_ip=192.168.50.10 l4_protocol=TCP source_port=59059 dest_port=443 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-02-01 10:58:04 0102021 IP 71.211.105.65.59059 > 192.168.50.10.443 : proto TCP: R 1954977120:1954977120(0) checksum : 39595
    0x0000: 4500 0028 7d89 4000 7a06 df7f 47d3 6941 E..(}.@.z...G.iA
    0x0010: c0a8 320a e6b3 01bb 7486 9560 3e77 4091 ..2.....t..`>w@.
    0x0020: 5014 0000 9aab 0000 P.......
    Date=2017-02-01 Time=10:58:04 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=0 outzone_id=0 source_mac=80:2a:a8:f0:c4:3b dest_mac=00:15:5d:01:79:02 l3_protocol=IP source_ip=71.211.105.65 dest_ip=192.168.50.10 l4_protocol=TCP source_port=59059 dest_port=443 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-02-01 10:58:34 0102021 IP 192.168.10.105.61033 > 192.168.50.10.80 : proto TCP: 2387610847:2387610848(1) ack 1784126408 win 255 checksum : 24839
    0x0000: 4500 0029 7c44 4000 8006 c0c6 c0a8 0a69 E..)|D@........i
    0x0010: c0a8 320a ee69 0050 8e50 0cdf 6a57 9bc8 ..2..i.P.P..jW..
    0x0020: 5010 00ff 6107 0000 00 P...a....
    Date=2017-02-01 Time=10:58:34 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=0 outzone_id=0 source_mac=00:25:b3:c8:60:74 dest_mac=80:2a:a8:f0:c4:3b l3_protocol=IP source_ip=192.168.10.105 dest_ip=192.168.50.10 l4_protocol=TCP source_port=61033 dest_port=80 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-02-01 10:59:19 0102021 IP 192.168.10.105.61033 > 192.168.50.10.80 : proto TCP: 2387610847:2387610848(1) ack 1784126408 win 255 checksum : 24839
    0x0000: 4500 0029 7caa 4000 8006 c060 c0a8 0a69 E..)|.@....`...i
    0x0010: c0a8 320a ee69 0050 8e50 0cdf 6a57 9bc8 ..2..i.P.P..jW..
    0x0020: 5010 00ff 6107 0000 00 P...a....
    Date=2017-02-01 Time=10:59:19 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=0 outzone_id=0 source_mac=00:25:b3:c8:60:74 dest_mac=80:2a:a8:f0:c4:3b l3_protocol=IP source_ip=192.168.10.105 dest_ip=192.168.50.10 l4_protocol=TCP source_port=61033 dest_port=80 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-02-01 11:00:04 0102021 IP 192.168.10.105.61033 > 192.168.50.10.80 : proto TCP: 2387610847:2387610848(1) ack 1784126408 win 255 checksum : 24839
    0x0000: 4500 0029 7cf8 4000 8006 c012 c0a8 0a69 E..)|.@........i
    0x0010: c0a8 320a ee69 0050 8e50 0cdf 6a57 9bc8 ..2..i.P.P..jW..
    0x0020: 5010 00ff 6107 0000 00 P...a....
    Date=2017-02-01 Time=11:00:04 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=0 outzone_id=0 source_mac=00:25:b3:c8:60:74 dest_mac=80:2a:a8:f0:c4:3b l3_protocol=IP source_ip=192.168.10.105 dest_ip=192.168.50.10 l4_protocol=TCP source_port=61033 dest_port=80 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-02-01 11:00:50 0102021 IP 192.168.10.105.61033 > 192.168.50.10.80 : proto TCP: 2387610847:2387610848(1) ack 1784126408 win 255 checksum : 24839
    0x0000: 4500 0029 7d42 4000 8006 bfc8 c0a8 0a69 E..)}B@........i
    0x0010: c0a8 320a ee69 0050 8e50 0cdf 6a57 9bc8 ..2..i.P.P..jW..
    0x0020: 5010 00ff 6107 0000 00 P...a....
    Date=2017-02-01 Time=11:00:50 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=0 outzone_id=0 source_mac=00:25:b3:c8:60:74 dest_mac=80:2a:a8:f0:c4:3b l3_protocol=IP source_ip=192.168.10.105 dest_ip=192.168.50.10 l4_protocol=TCP source_port=61033 dest_port=80 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-02-01 11:01:35 0102021 IP 192.168.10.105.61033 > 192.168.50.10.80 : proto TCP: R 2387610848:2387610848(0) checksum : 25090
    0x0000: 4500 0028 7d89 4000 8006 bf82 c0a8 0a69 E..(}.@........i
    0x0010: c0a8 320a ee69 0050 8e50 0ce0 6a57 9bc8 ..2..i.P.P..jW..
    0x0020: 5014 0000 6202 0000 P...b...
    Date=2017-02-01 Time=11:01:35 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=0 outzone_id=0 source_mac=00:25:b3:c8:60:74 dest_mac=80:2a:a8:f0:c4:3b l3_protocol=IP source_ip=192.168.10.105 dest_ip=192.168.50.10 l4_protocol=TCP source_port=61033 dest_port=80 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

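A triage script for captures like the one above, as an added example that is not part of this post or of any Sophos tool: it groups the denied packets by TCP flow, decodes the flags byte from the hex dump (so it does not depend on the "R" marker in the summary line) and reports which host sent the RST, which is the check the staff reply asks for. The records embedded in it are constructed in the same layout as the capture above, with the key=value list shortened.

```python
"""Triage helper for SFOS `drop-packet-capture` output: group denied packets by
TCP flow, decode the TCP flags from the hex dump, and report who sent the RST.

Added example, not code from the post or from Sophos. The sample records are
constructed in the layout of the capture above (summary line, hex dump,
Date=... key=value line) with the key=value list shortened."""
import re
from collections import OrderedDict

SUMMARY_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \d+ IP (\S+)\.(\d+) > (\S+)\.(\d+) : proto (\w+)")
HEX_RE = re.compile(r"^0x[0-9a-f]{4}:\s+(.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAG_BITS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10))


def hex_line_bytes(rest):
    """Bytes from one dump line; stops at the ASCII column (at most 8 hex groups)."""
    out = bytearray()
    for tok in rest.split()[:8]:
        if not re.fullmatch(r"[0-9a-f]{2}|[0-9a-f]{4}", tok):
            break
        out += bytes.fromhex(tok)
    return bytes(out)


def tcp_flags(packet):
    """TCP flags byte of an IPv4/TCP packet, or None if the dump is too short."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    ihl = (packet[0] & 0x0F) * 4  # IP header length from the IHL nibble
    return packet[ihl + 13] if len(packet) >= ihl + 14 else None


def flag_names(flags):
    return "|".join(name for name, bit in TCP_FLAG_BITS if flags & bit) or "none"


def parse_capture(text):
    """One dict per captured packet: 5-tuple, timestamp, TCP flags and the log fields."""
    records, cur, raw = [], None, bytearray()
    for line in text.splitlines():
        line = line.strip()
        m = SUMMARY_RE.match(line)
        if m:  # a new packet starts with its summary line
            cur = {"ts": m[1], "src": m[2], "sport": int(m[3]),
                   "dst": m[4], "dport": int(m[5]), "proto": m[6]}
            raw = bytearray()
            continue
        h = HEX_RE.match(line)
        if h and cur is not None:  # hex dump lines follow the summary
            raw += hex_line_bytes(h[1])
            continue
        if line.startswith("Date=") and cur is not None:  # key=value line closes the record
            cur["log"] = dict(KV_RE.findall(line))
            cur["flags"] = tcp_flags(bytes(raw)) if cur["proto"] == "TCP" else None
            records.append(cur)
            cur = None
    return records


def summarize(records):
    """Per flow: denied count, time window, log component, and who sent a RST."""
    flows = OrderedDict()
    for r in records:
        if r["log"].get("log_subtype") != "Denied":
            continue
        key = (r["src"], r["sport"], r["dst"], r["dport"])
        f = flows.setdefault(key, {"denied": 0, "first": r["ts"], "last": r["ts"],
                                   "component": r["log"].get("log_component"), "rst_from": None})
        f["denied"] += 1
        f["last"] = r["ts"]
        if r["flags"] is not None and r["flags"] & 0x04:  # RST bit
            f["rst_from"] = r["src"]
    return flows


# Constructed sample in the capture's layout: two 1-byte keepalive ACKs, then the RST.
SAMPLE = """\
2017-02-01 10:57:46 0102021 IP 71.211.105.65.59059 > 192.168.50.10.443 : proto TCP: 1954977119:1954977120(1) ack 1048002705 win 258 checksum : 39341
0x0000: 4500 0029 7d80 4000 7a06 df87 47d3 6941 E..)}.@.z...G.iA
0x0010: c0a8 320a e6b3 01bb 7486 955f 3e77 4091 ..2.....t.._>w@.
0x0020: 5010 0102 99ad 0000 00 P........
Date=2017-02-01 Time=10:57:46 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied in_dev=Port2 out_dev= source_ip=71.211.105.65 dest_ip=192.168.50.10 l4_protocol=TCP source_port=59059 dest_port=443 fw_rule_id=0
2017-02-01 10:57:48 0102021 IP 71.211.105.65.59059 > 192.168.50.10.443 : proto TCP: 1954977119:1954977120(1) ack 1048002705 win 258 checksum : 39341
0x0000: 4500 0029 7d81 4000 7a06 df86 47d3 6941 E..)}.@.z...G.iA
0x0010: c0a8 320a e6b3 01bb 7486 955f 3e77 4091 ..2.....t.._>w@.
0x0020: 5010 0102 99ad 0000 00 P........
Date=2017-02-01 Time=10:57:48 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied in_dev=Port2 out_dev= source_ip=71.211.105.65 dest_ip=192.168.50.10 l4_protocol=TCP source_port=59059 dest_port=443 fw_rule_id=0
2017-02-01 10:58:04 0102021 IP 71.211.105.65.59059 > 192.168.50.10.443 : proto TCP: R 1954977120:1954977120(0) checksum : 39595
0x0000: 4500 0028 7d89 4000 7a06 df7f 47d3 6941 E..(}.@.z...G.iA
0x0010: c0a8 320a e6b3 01bb 7486 9560 3e77 4091 ..2.....t..`>w@.
0x0020: 5014 0000 9aab 0000 P.......
Date=2017-02-01 Time=10:58:04 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied in_dev=Port2 out_dev= source_ip=71.211.105.65 dest_ip=192.168.50.10 l4_protocol=TCP source_port=59059 dest_port=443 fw_rule_id=0
"""

if __name__ == "__main__":
    for (src, sport, dst, dport), f in summarize(parse_capture(SAMPLE)).items():
        print(f"{src}:{sport} -> {dst}:{dport}: {f['denied']} x {f['component']} denied, "
              f"{f['first']} .. {f['last']}, RST sent by {f['rst_from'] or 'nobody'}")
```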



  • Similar behavior for users with ScreenConnect servers hosted in Amazon Web Services - these are servers used by the Cloud accounts in ScreenConnect. I posted my logs with similar findings. My conclusion was it was a bug in the XG firmwares - possibly in their implementation of masquerading and IP chains, which is how some Linux distros handle firewalls.

    It did not appear to be an issue with the UTM Sophos hardware. The direction of the XG moving to two methods of creating rules (Business Application vs Networking rule) did not account for the behavior of ScreenConnect sending a "check-in" request via port 443/80. Might be due to a stateful packet inspection routine that is used that mistakes the multiple (every 5 minute) check-ins and replies as a type of DOS attack. Or possibly the reverse logic, check to see if any of the requests adhere to any known rules and what's left is an attack and denied.

  • Thing is, I noticed this behavior when I had XG firewalls at clients' sites, but not at my office (we self-host the screenconnect server). So, in my mind that means that the issue is happening when the 'every 5-minute check-in' signal from the clients is going OUTBOUND through the client's XG firewall, and I have those rules set up to allow all...There has to be something inherently broken deep down in the firmware...and that really sucks because I have already installed 5 of these things in different clients' offices plus my office in the last 2 months...That's a lot of money invested in something that is BROKEN...Sophos, are you listening? This thing is broken and it NEEDS TO BE FIXED!! /r

  • This has now become a bigger issue. I updated my screenconnect server to the latest version. When you do so, the clients all are supposed to automatically upgrade as well. Well, now they can not. The two machines I have that have traffic that does not need to go through the firewall upgraded on their own but every other machine has not, and will not. This has passed from an inconvenience of not seeing accurate connection times to not having up-to-date client software on hundreds of machines!

  • Light at the end of the tunnel... hopefully. 

    Here's just an idea of what might be an optional solution.  Use an optional port (other than default 80/443 8040/8041).  You will have to reconfigure your SC relay server to use a different port (or port forward inbound traffic for your SC Server). 

    1) Change the port on the SC server

    2) Add/change rules on the server's firewall to forward both old port+forward to new port / forward the ports. 

    3) On the SC Host screen website, do a "Re-install" on a client that sits behind one of your deployed Sophos firewalls. Just test one. Make sure it has Remote Desktop enabled, just in case you need to get back into that machine from another one on site to revert to the previous settings.

    Change ports for ScreenConnect On-Premise

    https://help.screenconnect.com/index.php?title=Change_ports_for_ScreenConnect_On-Premise

    If you need to change the entire relay URL, see: Change relay address for ScreenConnect On-Premise access sessions

    https://help.screenconnect.com/Changing_the_relay_address_for_unattended_access_clients

    On the SC server, the web.config file is found in C:\Program Files (x86)\ScreenConnect

    You would then run the "Re-install" from the host screen. Here's a forum thread that might provide some insight on changing all the host clients to look for the new relay server port.

    Check out the last post from RazorbaQ for a skinny on the process.

    http://forum.screenconnect.com/yaf_postst727_Quick-Relay-Port-URL-Changer.aspx

  • You are suggesting changing the ports because you think there may be something 'special' about the standard web ports getting filtered differently? I understand that thought process, and I am willing to look into it by changing one internally, but since I can not trigger the 'reinstall' command from here (something is blocking it), I couldn't roll this out to all 500+ unattended machines.

  • You may try a redeploy of your screenconnect.msi via script.  Use msiexec to deploy it.  It supports usage of a web server stored msi file.  Something like this.

    msiexec /i server/.../package.msi /q

  • I changed the listen and relay uri on the screenconnect server to listen on 4480 and 4443 instead of 80 and 443. Then, in my gateway (a unifi USG, not the sophos) I forwarded ports 80 and 4480 to 80, plus 443 and 4443 to 443 on the internal server. This way, old clients that still call back to the old ports of 80 and 443 can get through, but once inside the network, pass through the sophos as 4480 and 4443...the sophos is in bridge mode. That seems to be working! The timers are counting up and not resetting. However, clients that have a sophos on their end still have the reset issue. I will have to remote into those to install the client with the updated ports but those are MUCH less numerous than the hundreds of single clients I also have. The clients don't seem to be updating on their own, however I have seen a few that are, so maybe they are and just taking forever. I will report back soon.

  • Just out of curiosity, does turning off micro app discovery from the console help this issue:

    console > system application_classification microapp-discovery off

    verify by:

    console > system application_classification microapp-discovery show

    turn back on after testing by:

    console > system application_classification microapp-discovery on

  • I couldn't get those commands to work, my console won't open, and I can't reboot the FW right now...Anyway, I know that micro app discovery is OFF in all of the app filter policies, and has been since the beginning.

    That being said, this issue is SOLVED! After changing the listening ports on the screenconnect server, adding those to the forwarded ports for outside traffic (see above post for details), the server started slowly updating all of the external clients to the new 6.1 version, with the updated relay port. After 24 hours, all clients that are attached have an updated version of the software, and the counters are all working correctly, even if the distant network also has a sophos.

    In the end the solution is a work-around. For some reason, the XG is still 'scanning' or manipulating traffic on the common web ports of 80 and 443 (and possibly others) even when ALL filtering is disabled on the firewall rules. 

    SOPHOS, PLEASE GIVE US THE ABILITY TO TRULY TURN OFF ALL TRAFFIC MANIPULATION!

  • It is well known that turning off the micro app discovery in the app filter policies does not really fix the issues. You need to turn off micro app discovery on the console to really test. If switching the ports helped the issues, it does point to micro app discovery to me. I agree with you that this is a major issue and one that Sophos has said they are addressing in v17. Let's hope it gets fixed.

  • Glad to hear. For those who have ScreenConnect on-premise and whose host clients are behind a Sophos XG firewall, this is a solution.

    Note: this does not solve the issue for those who have ScreenConnect cloud accounts.  

  • So it turns out even when you have all security settings off, indeed the XG is still proxying connections that go via certain ports - this means any connection going via the Web Proxy Configuration's Allowed Destination Ports found under Protect>Web>Advanced and shown here:

    While it may not necessarily be doing anything to the traffic (such as scanning) the connection is still proxied. Using conntrack on the device command line showed two active flows as part of the connection:

    The first flow shows the client device (10.5.11.3) attempting to communicate with our SC server, but the reply-src has been adjusted to the IP of the XG (10.5.11.250)
    In the second flow, the XG itself is there as orig-src, with the correct reply-src and reply-dst. This is the proxied connection that actually leaves the network.

    The solution to this is to add your SC server as an exception to the Web Proxying - this is under Protect>Web>Exceptions:

    And after configuring this exception, waiting 5 minutes for the session to reconnect again, there is only one flow in conntrack:

    This time, the orig-dst and reply-src are both the IP of the SC server, meaning the XG is not proxying the connection.

    And shown here in the SC timeline, the connection resetting every 5 minutes before adding the exception, and then 28 minutes where it was fine (until I closed the session).

    It should also be noted, this XG does have micro-app discovery disabled, as that was causing plenty of other random little problems which all went away once disabled.

    Hope this helps everyone!
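The two-flow signature this post describes, as an added example that is not part of the post or of any Sophos tool: it parses `conntrack -L` lines and tells a flow whose reply source was rewritten to the firewall (transparent proxy) from a plainly masqueraded one, which only rewrites the reply destination. The client (10.5.11.3) and XG LAN address (10.5.11.250) are the post's; the XG WAN address, the SC server address, the ports and the sample lines are constructed.

```python
"""Classify `conntrack -L` flows to tell a transparently proxied connection
from a plainly masqueraded one.

Added example, not code from the post or from Sophos. Assumes the plain
`conntrack -L` line layout: proto, proto number, timeout, [TCP state],
original tuple, reply tuple, flags. Sample lines and all addresses except the
client and XG LAN IP quoted in the post are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

TUPLE_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+sport=(\d+)\s+dport=(\d+)")
Tuple4 = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass(frozen=True)
class Flow:
    proto: str
    state: str
    orig: Tuple4   # the packet as the client sent it
    reply: Tuple4  # the reply as it will arrive back at the client


def parse_line(line: str) -> Optional[Flow]:
    """Parse one conntrack entry; non-flow lines (headers, summaries) give None."""
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        return None
    fields = line.split()
    proto = fields[0]
    # Only TCP entries carry a state word (ESTABLISHED, TIME_WAIT, ...) before the tuples.
    state = fields[3] if proto == "tcp" and not fields[3].startswith("src=") else ""
    (o_src, o_dst, o_sp, o_dp), (r_src, r_dst, r_sp, r_dp) = tuples
    return Flow(proto, state,
                (o_src, int(o_sp), o_dst, int(o_dp)),
                (r_src, int(r_sp), r_dst, int(r_dp)))


def classify(flow: Flow) -> str:
    """direct: no NAT at all.
    snat:   only the source was rewritten (masquerade); this changes reply-dst
            but reply-src still equals the destination the client dialled.
    dnat:   the destination was rewritten (port forward or transparent proxy);
            the reply comes from a different host or port than the one dialled."""
    o_src, o_sp, o_dst, o_dp = flow.orig
    r_src, r_sp, r_dst, r_dp = flow.reply
    if (r_src, r_sp) != (o_dst, o_dp):
        return "dnat"
    if (r_dst, r_dp) != (o_src, o_sp):
        return "snat"
    return "direct"


def intercepted_flows(lines: List[str], firewall_ips: Set[str]) -> Dict[Tuple[str, int], List[str]]:
    """Map (dst, dport) -> clients whose flow is answered by the firewall itself,
    i.e. reply-src was rewritten to one of the firewall's own addresses."""
    out: Dict[Tuple[str, int], List[str]] = {}
    for line in lines:
        flow = parse_line(line)
        if flow and classify(flow) == "dnat" and flow.reply[0] in firewall_ips:
            client, _, dst, dport = flow.orig
            out.setdefault((dst, dport), []).append(client)
    return out


def upstream_flow(lines: List[str], dst: str, dport: int, firewall_ips: Set[str]) -> Optional[Flow]:
    """The firewall's own outbound connection to dst:dport (the second flow in the post)."""
    for line in lines:
        flow = parse_line(line)
        if flow and flow.orig[0] in firewall_ips and flow.orig[2:] == (dst, dport):
            return flow
    return None


XG_LAN, XG_WAN = "10.5.11.250", "198.51.100.2"   # LAN IP from the post, WAN IP constructed
CLIENT, SC_SERVER = "10.5.11.3", "203.0.113.10"  # client from the post, SC relay constructed
# Before the Web exception: client flow with reply-src rewritten to the XG's LAN IP
# (reply port constructed), plus the XG's own flow to the SC server.
BEFORE = [
    "tcp      6 431999 ESTABLISHED src=10.5.11.3 dst=203.0.113.10 sport=51234 dport=443 "
    "src=10.5.11.250 dst=10.5.11.3 sport=443 dport=51234 [ASSURED] mark=0 use=1",
    "tcp      6 431999 ESTABLISHED src=198.51.100.2 dst=203.0.113.10 sport=40001 dport=443 "
    "src=203.0.113.10 dst=198.51.100.2 sport=443 dport=40001 [ASSURED] mark=0 use=1",
    # A DNS query to the XG itself: must not be reported just because the firewall answers.
    "udp      17 29 src=10.5.11.3 dst=10.5.11.250 sport=53000 dport=53 "
    "src=10.5.11.250 dst=10.5.11.3 sport=53 dport=53000 mark=0 use=1",
]
# After adding the SC server under Protect > Web > Exceptions: one masqueraded flow only.
AFTER = [
    "tcp      6 431999 ESTABLISHED src=10.5.11.3 dst=203.0.113.10 sport=51240 dport=443 "
    "src=203.0.113.10 dst=198.51.100.2 sport=443 dport=51240 [ASSURED] mark=0 use=1",
]

if __name__ == "__main__":
    for label, lines in (("before exception", BEFORE), ("after exception", AFTER)):
        print(label, intercepted_flows(lines, {XG_LAN, XG_WAN}))
        for line in lines:
            flow = parse_line(line)
            print("  ", classify(flow), flow.orig, "->", flow.reply)
```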

  • Thank you! I will give this a shot once I have a chance to do the changes.