How to figure out what is blocking specific traffic.

I am a new user to Sophos XG but have experience with other routing equipment, primarily SonicWall. I apologize if this is lengthy, I just want to get all the information out.  I am attempting to figure out why specific traffic is getting blocked but the logs are proving to be useless.

I have a device on my network which is a HDHomerun Prime Tuner. Their software attempts to connect to it via my.hdhomerun.com from a PC on the local LAN. Using any other router, including Sophos UTM 9, I am able to see the device via this process, when using the XG it states that no device was detected. I can connect directly to the device using its IP but for their licensing practice it has to see it via the my.hdhomerun.com detection method.

I currently have IPS and Malware scanning disabled on the default lan to wan rule for testing this issue.

The logging shows nothing dropped, etc for the device IP. I attempted to do a packet capture but found no traffic going to that device IP.

Any suggestions on what to attempt next to get more info as to why something is getting blocked in this process?

Thanks in advance for any help!

  • Hi Nick,

    Is XG able to resolve my.hdhomerun.com? Check that in Network > DNS > Test Name Lookup. I took a look at the pcap attached and discovered that the server is sending spurious ACKs. What happens when you disable sequence check and selective acknowledgement on XG?

    Show me a picture of the output by executing the command,

    show advanced-firewall

    Try this in the console,

    set advanced-firewall tcp-selective-acknowledgement off

    If that doesn't help, turn it back ON.

    Thanks
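    To illustrate the "spurious ACK" finding above, here is an added example (not part of the original reply, and not a Sophos tool) that walks a TCP flow and flags ACKs acknowledging bytes the peer never sent, the anomaly Wireshark labels "ACKed unseen segment" and one of the things a stateful firewall's sequence checking can refuse. The Segment type and the sample trace are constructed for this example.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Segment:
    """One TCP segment from a constructed trace (not a pcap parser)."""
    src: str            # "client" or "server"
    seq: int            # sequence number of the first payload byte
    ack: int            # acknowledgement number (meaningful when ack_flag is set)
    length: int         # bytes consumed: payload size, plus 1 for a SYN or FIN
    ack_flag: bool = True


def find_spurious_acks(segments: List[Segment]) -> List[int]:
    """Return indices of segments whose ACK number exceeds the highest
    sequence number the peer has actually transmitted so far.

    32-bit sequence wraparound is not handled; the constructed trace
    below never wraps.
    """
    next_seq = {}           # per side: highest seq + length seen so far
    spurious = []
    for i, s in enumerate(segments):
        peer = "server" if s.src == "client" else "client"
        # Only judge ACKs once we have seen at least one segment from the peer;
        # a capture that starts mid-connection cannot be checked for that side.
        if s.ack_flag and peer in next_seq and s.ack > next_seq[peer]:
            spurious.append(i)
        end = s.seq + s.length
        if end > next_seq.get(s.src, -1):
            next_seq[s.src] = end
    return spurious


# Constructed trace: a normal handshake, 100 bytes of client data, a valid
# server ACK, then a server ACK for bytes the client never sent.
SAMPLE_TRACE = [
    Segment("client", 1000, 0, 1, ack_flag=False),   # SYN
    Segment("server", 5000, 1001, 1),                # SYN-ACK
    Segment("client", 1001, 5001, 0),                # ACK
    Segment("client", 1001, 5001, 100),              # 100 bytes of data
    Segment("server", 5001, 1101, 0),                # ACK for all 100 bytes
    Segment("server", 5001, 1301, 0),                # ACKs 200 bytes never sent
]

if __name__ == "__main__":
    for idx in find_spurious_acks(SAMPLE_TRACE):
        s = SAMPLE_TRACE[idx]
        print(f"segment {idx}: {s.src} acks {s.ack}, peer only sent up to 1101")
```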

  • Hello,

    Yes, XG resolves the same IP from both my internal DNS and a public DNS server.

    Turned off TCP Selective Acknowledgement: No Change.

    Turned off TCP Seq checking: No Change.

    Turned both back on.

    Thanks for the help!

     - Nick

  • Hi Nick,

    Can this be tested through a different ISP connection? Also, what happens when you configure a plain FW-rule on TOP? A plain FW-rule is one where all the filters are set to 'NONE'.

    Thanks

  • Unfortunately there is no other ISP for me to use.  It does work with other firewall products, including your UTM 9 so I really don't think it would be an ISP issue at this point.

    I created a plain rule, with no improvement, which didn't really surprise me as I had all those filters disabled already for testing this issue.

    Thanks again.

     - Nick

  • Correction, apparently I just did not wait long enough to test this as it is now working. So now I have this rule at the top of the list:

    If I re-enable other services on my default LAN to WAN rule this connection will still work, correct?  Any other suggestions of anything I should do?

    I still find it odd that when I unchecked those services from the default LAN to WAN rule it did not work, but as long as I have a solution, I'm pretty happy at this point.

  • Hi Nick,

    I guess that rule has no traffic through it. Check the traffic meter situated on the top left, below the FW-rule name. What made it work, was it the plain FW-rule? In that case, create a separate rule to bypass the traffic for this application by defining either source or destination in the respective zones, keeping the filters set to "NONE", and place the FW-rule on TOP.

    Thanks

  • That rule was the plain rule that made it work, it just took 10 minutes for the device to retry the connection after creating the rule. It doesn't show any traffic in the screen shot, but looking at it now it shows traffic in and out.  This rule is what you describe, no filters, defined specifically for that device to the WAN.  I have enabled IPS, pharming protection, etc back for the rest of my traffic and this rule is still working to allow the service.

    Thanks again for all the help, I'm glad you were able to resolve this!

     - Nick