LAN->WAN Problem - DST Port 443

Hi,

I am also experiencing an issue with "Invalid TCP RST" with a specific device on my home network.

In my case, this is a Nixplay digital frame. The Nixplay gets its images online, so we're not able to update it through the XG. It obviously works fine on other non-XG connections.

2018-02-03 23:53:18Firewallmessageid="01001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="0" policy_type="0" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" in_interface="" out_interface="" src_mac="" src_ip="192.168.2.103" src_country="" dst_ip="52.39.143.80" dst_country="" protocol="TCP" src_port="47005" dst_port="443" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="Invalid TCP RST." appresolvedby="Signature"

As a side note, I am responsible for running a couple of Sophos UTM firewalls at my business and am testing XG at home to see if it makes sense for us to move over. I am running the latest firmware (SFOS 17.0.5 MR-5).

Thanks, Assi.

Hi,

I am also experiencing an issue with "Invalid TCP RST" with a specific device on my home network.

In my case, this is a Nixplay digital frame. The Nixplay gets its images online, so we're not able to update it through the XG. It obviously works fine on other non-XG connections.

2018-02-03 23:53:18Firewallmessageid="01001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="0" policy_type="0" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" in_interface="" out_interface="" src_mac="" src_ip="192.168.2.103" src_country="" dst_ip="52.39.143.80" dst_country="" protocol="TCP" src_port="47005" dst_port="443" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="Invalid TCP RST." appresolvedby="Signature"

As a side note, I am responsible for running a couple of Sophos UTM firewalls at my business and am testing XG at home to see if it makes sense for us to move over. I am running the latest firmware (SFOS 17.0.5 MR-5).

Thanks, Assi.

Please post a copy of your firewall rules.

Ian

Not sure if there's a better way of showing this. Basically, this is the top rule, which allows outbound https (among others).

Hi,

thank you for posting.

try adding a gateway.

Ian

Hi,

Thank you for that suggestion.

Unfortunately, adding a rule-specific gateway didn't help.

Is there a way of making Sophos aware of this issue?

Thanks, Assi.

Hi,

if you have business licence you can log a support call either through your reseller or directly.

Ian

Thanks again.

I am currently testing this at home before we consider moving our Sophos UTM business licenses over.

So, I don't have an XG business license.

Do I just hope Sophos stumbles on this issue and fixes it otherwise?

Thanks, Assi.

Hi,

I have studied your dropped packets in detail again along with the other poster with the same issue. The issue is that you are seeing packets being dropped for dead connections, the firewall rule = 0 is the default block rule.

So there is no real issue for Sophos to address, the firewall is doing its job of blocking dead/invalid connections. These entries started to appear after V17 beta because the logging level was increased.

Ian

Thanks Ian.

The thing is, that there is a real issue. It may be that the device in question is misusing the protocol, but it effectively is unable to communicate out to the Internet properly.

Reviewing the logs, I can see that some of its traffic is able to pass through, but most of its traffic is being dropped (to rule 0) based on this issue.

As mentioned, I can connect the device to a standard home router and everything works perfectly.

Thanks again for taking the time to look into this.

Assi.

In my case the messages appeared because of a new additional WAN connection.

The port of the Allow All rule was set to WAN Link. Some users experienced problems

with some web services. Their sessions expired shortly after logging into an account.

Created two additional rules on top for the affected web services to make the users only

use one gateway when logging in. Might not be the answer here. Thank you anyway, Ian!