Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 10 replies
  • Answers 1 answer
  • Subscribers 4 subscribers
  • Views 12741 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

User Portal not reachable anymore

FrankAndert

Hi everybody,

 

we have the UTM 9 as a VM.

From one day to another I'm not able to connect to the User Portal anymore.

 

- Version 9.406-3

- Two interfaces (one for the Service (SMTP), one for (internal) Management)

- User Portal is listening on the Service Interface on Port 443 to "any"

- Default Gateway is the Service Interface GW

 

I can see in the tcpdump, that there are packets leaving the correct interface (Service Interface) with the wrong IP (IP from the Management Interface).

 

There are no NAT-Rules configured, but there is a policy route for HTTPS on the Service Interface.

 

Any thoughts?

 

Cheers,

Frank



This thread was automatically locked due to age.
Parents
  • 0

    Frank,

    make sure no other services are using the same Port 443 (check both NAT and WAF).

    Also share a NAT screenshots.

    Thanks

  • 0 in reply to lferrara

    Luk,

    thanks for your answer.

    There are no other services running on https.

    (NAT)

    (FW)

     

    Cheers,

    Frank

  • 0 in reply to FrankAndert

    Hi Frank,

    I think your biggest problem is your return packets from the UTM leaving the correct interface with the wrong IP, could you share screenshots of your interface configuration as well as of the Policy route and whether you have any Gateway/Interface routes that could affect this?

    Emile

  • 0 in reply to Emile Belcourt

    (all interfaces)

    (eth0 - Management Interface)

    (eth1 - Service Interface)

    (Interface route)

    (Gateway route)

    We tried both routes, but still no access to the User Portal.

    tcpdumps

    14:49:46.686896 IP (tos 0x0, ttl 61, id 34356, offset 0, flags [DF], proto TCP (6), length 52)
        10.128.12.43.58566 > 10.1.192.2.4444: Flags [.], cksum 0xba93 (correct), seq 2737385706, ack 2414046636, win 229, options [nop,nop,TS val 493729498 ecr 35994723], length 0
    14:49:46.687470 IP (tos 0x0, ttl 61, id 34357, offset 0, flags [DF], proto TCP (6), length 569)
        10.128.12.43.58566 > 10.1.192.2.4444: Flags [P.], cksum 0x7dc5 (correct), seq 2737385706:2737386223, ack 2414046636, win 229, options [nop,nop,TS val 493729498 ecr 35994723], length 517
    14:49:46.688768 IP (tos 0x0, ttl 61, id 34358, offset 0, flags [DF], proto TCP (6), length 52)
        10.128.12.43.58566 > 10.1.192.2.4444: Flags [.], cksum 0xb7fb (correct), seq 2737386223, ack 2414046773, win 237, options [nop,nop,TS val 493729499 ecr 35994724], length 0
    14:49:46.689784 IP (tos 0x0, ttl 61, id 34359, offset 0, flags [DF], proto TCP (6), length 103)
        10.128.12.43.58566 > 10.1.192.2.4444: Flags [P.], cksum 0xaf6a (correct), seq 2737386223:2737386274, ack 2414046773, win 237, options [nop,nop,TS val 493729499 ecr 35994724], length 51
    14:49:46.689893 IP (tos 0x0, ttl 61, id 34360, offset 0, flags [DF], proto TCP (6), length 936)
        10.128.12.43.58566 > 10.1.192.2.4444: Flags [P.], cksum 0x2fa1 (correct), seq 2737386274:2737387158, ack 2414046773, win 237, options [nop,nop,TS val 493729499 ecr 35994724], length 884
    14:49:46.832119 IP (tos 0x0, ttl 61, id 34361, offset 0, flags [DF], proto TCP (6), length 52)
        10.128.12.43.58566 > 10.1.192.2.4444: Flags [.], cksum 0x9892 (correct), seq 2737387158, ack 2414053700, win 345, options [nop,nop,TS val 493729534 ecr 35994760], length 0
    14:49:46.868489 IP (tos 0x0, ttl 61, id 34362, offset 0, flags [DF], proto TCP (6), length 52)
        10.128.12.43.58566 > 10.1.192.2.4444: Flags [.], cksum 0x9863 (correct), seq 2737387158, ack 2414053737, win 345, options [nop,nop,TS val 493729544 ecr 35994760], length 0
    14:49:51.832889 IP (tos 0x0, ttl 61, id 34363, offset 0, flags [DF], proto TCP (6), length 83)
        10.128.12.43.58566 > 10.1.192.2.4444: Flags [P.], cksum 0x8978 (correct), seq 2737387158:2737387189, ack 2414053737, win 345, options [nop,nop,TS val 493730785 ecr 35994760], length 31
    14:49:51.832893 IP (tos 0x0, ttl 61, id 34364, offset 0, flags [DF], proto TCP (6), length 52)
        10.128.12.43.58566 > 10.1.192.2.4444: Flags [F.], cksum 0x936a (correct), seq 2737387189, ack 2414053737, win 345, options [nop,nop,TS val 493730785 ecr 35994760], length 0
    14:49:51.834243 IP (tos 0x0, ttl 61, id 59515, offset 0, flags [DF], proto TCP (6), length 40)
        10.128.12.43.58566 > 10.1.192.2.4444: Flags [R], cksum 0xff2f (correct), seq 2737387190, win 0, length 0
    14:49:51.834245 IP (tos 0x0, ttl 61, id 59516, offset 0, flags [DF], proto TCP (6), length 40)
        10.128.12.43.58566 > 10.1.192.2.4444: Flags [R], cksum 0xff2f (correct), seq 2737387190, win 0, length 0
    14:49:51.858304 IP (tos 0x0, ttl 61, id 14608, offset 0, flags [DF], proto TCP (6), length 60)
        10.128.12.43.58569 > 10.1.192.2.4444: Flags [S], cksum 0x1e57 (correct), seq 2222490359, win 29200, options [mss 1460,sackOK,TS val 493730791 ecr 0,nop,wscale 7], length 0
    14:49:51.859303 IP (tos 0x0, ttl 61, id 14609, offset 0, flags [DF], proto TCP (6), length 52)
        10.128.12.43.58569 > 10.1.192.2.4444: Flags [.], cksum 0xbec9 (correct), seq 2222490360, ack 1132427359, win 229, options [nop,nop,TS val 493730791 ecr 35996017], length 0
    14:49:51.859727 IP (tos 0x0, ttl 61, id 14610, offset 0, flags [DF], proto TCP (6), length 569)
    (Port 4444)
     
    14:55:03.243264 IP (tos 0x0, ttl 61, id 17407, offset 0, flags [DF], proto TCP (6), length 60)
        10.128.12.43.41424 > 10.1.194.2.443: Flags [S], cksum 0x5f73 (correct), seq 1054124034, win 29200, options [mss 1460,sackOK,TS val 493808637 ecr 0,nop,wscale 7], length 0
    14:55:03.494498 IP (tos 0x0, ttl 61, id 62891, offset 0, flags [DF], proto TCP (6), length 60)
        10.128.12.43.41425 > 10.1.194.2.443: Flags [S], cksum 0x649a (correct), seq 3352828311, win 29200, options [mss 1460,sackOK,TS val 493808700 ecr 0,nop,wscale 7], length 0
    14:55:04.240194 IP (tos 0x0, ttl 61, id 17408, offset 0, flags [DF], proto TCP (6), length 60)
        10.128.12.43.41424 > 10.1.194.2.443: Flags [S], cksum 0x5e79 (correct), seq 1054124034, win 29200, options [mss 1460,sackOK,TS val 493808887 ecr 0,nop,wscale 7], length 0
    14:55:04.492228 IP (tos 0x0, ttl 61, id 62892, offset 0, flags [DF], proto TCP (6), length 60)
        10.128.12.43.41425 > 10.1.194.2.443: Flags [S], cksum 0x63a0 (correct), seq 3352828311, win 29200, options [mss 1460,sackOK,TS val 493808950 ecr 0,nop,wscale 7], length 0
    14:55:06.244081 IP (tos 0x0, ttl 61, id 17409, offset 0, flags [DF], proto TCP (6), length 60)
        10.128.12.43.41424 > 10.1.194.2.443: Flags [S], cksum 0x5c84 (correct), seq 1054124034, win 29200, options [mss 1460,sackOK,TS val 493809388 ecr 0,nop,wscale 7], length 0
    14:55:06.496201 IP (tos 0x0, ttl 61, id 62893, offset 0, flags [DF], proto TCP (6), length 60)
        10.128.12.43.41425 > 10.1.194.2.443: Flags [S], cksum 0x61ab (correct), seq 3352828311, win 29200, options [mss 1460,sackOK,TS val 493809451 ecr 0,nop,wscale 7], length 0
    14:55:10.252066 IP (tos 0x0, ttl 61, id 17410, offset 0, flags [DF], proto TCP (6), length 60)
        10.128.12.43.41424 > 10.1.194.2.443: Flags [S], cksum 0x589a (correct), seq 1054124034, win 29200, options [mss 1460,sackOK,TS val 493810390 ecr 0,nop,wscale 7], length 0
    14:55:10.500215 IP (tos 0x0, ttl 61, id 62894, offset 0, flags [DF], proto TCP (6), length 60)
        10.128.12.43.41425 > 10.1.194.2.443: Flags [S], cksum 0x5dc2 (correct), seq 3352828311, win 29200, options [mss 1460,sackOK,TS val 493810452 ecr 0,nop,wscale 7], length 0
    (Port 443)
     

    Cheers,

    Frank

Reply
  • 0 in reply to Emile Belcourt

    (all interfaces)

    (eth0 - Management Interface)

    (eth1 - Service Interface)

    (Interface route)

    (Gateway route)

    We tried both routes, but still no access to the User Portal.

    tcpdumps

    14:49:46.686896 IP (tos 0x0, ttl 61, id 34356, offset 0, flags [DF], proto TCP (6), length 52)
        10.128.12.43.58566 > 10.1.192.2.4444: Flags [.], cksum 0xba93 (correct), seq 2737385706, ack 2414046636, win 229, options [nop,nop,TS val 493729498 ecr 35994723], length 0
    14:49:46.687470 IP (tos 0x0, ttl 61, id 34357, offset 0, flags [DF], proto TCP (6), length 569)
        10.128.12.43.58566 > 10.1.192.2.4444: Flags [P.], cksum 0x7dc5 (correct), seq 2737385706:2737386223, ack 2414046636, win 229, options [nop,nop,TS val 493729498 ecr 35994723], length 517
    14:49:46.688768 IP (tos 0x0, ttl 61, id 34358, offset 0, flags [DF], proto TCP (6), length 52)
        10.128.12.43.58566 > 10.1.192.2.4444: Flags [.], cksum 0xb7fb (correct), seq 2737386223, ack 2414046773, win 237, options [nop,nop,TS val 493729499 ecr 35994724], length 0
    14:49:46.689784 IP (tos 0x0, ttl 61, id 34359, offset 0, flags [DF], proto TCP (6), length 103)
        10.128.12.43.58566 > 10.1.192.2.4444: Flags [P.], cksum 0xaf6a (correct), seq 2737386223:2737386274, ack 2414046773, win 237, options [nop,nop,TS val 493729499 ecr 35994724], length 51
    14:49:46.689893 IP (tos 0x0, ttl 61, id 34360, offset 0, flags [DF], proto TCP (6), length 936)
        10.128.12.43.58566 > 10.1.192.2.4444: Flags [P.], cksum 0x2fa1 (correct), seq 2737386274:2737387158, ack 2414046773, win 237, options [nop,nop,TS val 493729499 ecr 35994724], length 884
    14:49:46.832119 IP (tos 0x0, ttl 61, id 34361, offset 0, flags [DF], proto TCP (6), length 52)
        10.128.12.43.58566 > 10.1.192.2.4444: Flags [.], cksum 0x9892 (correct), seq 2737387158, ack 2414053700, win 345, options [nop,nop,TS val 493729534 ecr 35994760], length 0
    14:49:46.868489 IP (tos 0x0, ttl 61, id 34362, offset 0, flags [DF], proto TCP (6), length 52)
        10.128.12.43.58566 > 10.1.192.2.4444: Flags [.], cksum 0x9863 (correct), seq 2737387158, ack 2414053737, win 345, options [nop,nop,TS val 493729544 ecr 35994760], length 0
    14:49:51.832889 IP (tos 0x0, ttl 61, id 34363, offset 0, flags [DF], proto TCP (6), length 83)
        10.128.12.43.58566 > 10.1.192.2.4444: Flags [P.], cksum 0x8978 (correct), seq 2737387158:2737387189, ack 2414053737, win 345, options [nop,nop,TS val 493730785 ecr 35994760], length 31
    14:49:51.832893 IP (tos 0x0, ttl 61, id 34364, offset 0, flags [DF], proto TCP (6), length 52)
        10.128.12.43.58566 > 10.1.192.2.4444: Flags [F.], cksum 0x936a (correct), seq 2737387189, ack 2414053737, win 345, options [nop,nop,TS val 493730785 ecr 35994760], length 0
    14:49:51.834243 IP (tos 0x0, ttl 61, id 59515, offset 0, flags [DF], proto TCP (6), length 40)
        10.128.12.43.58566 > 10.1.192.2.4444: Flags [R], cksum 0xff2f (correct), seq 2737387190, win 0, length 0
    14:49:51.834245 IP (tos 0x0, ttl 61, id 59516, offset 0, flags [DF], proto TCP (6), length 40)
        10.128.12.43.58566 > 10.1.192.2.4444: Flags [R], cksum 0xff2f (correct), seq 2737387190, win 0, length 0
    14:49:51.858304 IP (tos 0x0, ttl 61, id 14608, offset 0, flags [DF], proto TCP (6), length 60)
        10.128.12.43.58569 > 10.1.192.2.4444: Flags [S], cksum 0x1e57 (correct), seq 2222490359, win 29200, options [mss 1460,sackOK,TS val 493730791 ecr 0,nop,wscale 7], length 0
    14:49:51.859303 IP (tos 0x0, ttl 61, id 14609, offset 0, flags [DF], proto TCP (6), length 52)
        10.128.12.43.58569 > 10.1.192.2.4444: Flags [.], cksum 0xbec9 (correct), seq 2222490360, ack 1132427359, win 229, options [nop,nop,TS val 493730791 ecr 35996017], length 0
    14:49:51.859727 IP (tos 0x0, ttl 61, id 14610, offset 0, flags [DF], proto TCP (6), length 569)
    (Port 4444)
     
    14:55:03.243264 IP (tos 0x0, ttl 61, id 17407, offset 0, flags [DF], proto TCP (6), length 60)
        10.128.12.43.41424 > 10.1.194.2.443: Flags [S], cksum 0x5f73 (correct), seq 1054124034, win 29200, options [mss 1460,sackOK,TS val 493808637 ecr 0,nop,wscale 7], length 0
    14:55:03.494498 IP (tos 0x0, ttl 61, id 62891, offset 0, flags [DF], proto TCP (6), length 60)
        10.128.12.43.41425 > 10.1.194.2.443: Flags [S], cksum 0x649a (correct), seq 3352828311, win 29200, options [mss 1460,sackOK,TS val 493808700 ecr 0,nop,wscale 7], length 0
    14:55:04.240194 IP (tos 0x0, ttl 61, id 17408, offset 0, flags [DF], proto TCP (6), length 60)
        10.128.12.43.41424 > 10.1.194.2.443: Flags [S], cksum 0x5e79 (correct), seq 1054124034, win 29200, options [mss 1460,sackOK,TS val 493808887 ecr 0,nop,wscale 7], length 0
    14:55:04.492228 IP (tos 0x0, ttl 61, id 62892, offset 0, flags [DF], proto TCP (6), length 60)
        10.128.12.43.41425 > 10.1.194.2.443: Flags [S], cksum 0x63a0 (correct), seq 3352828311, win 29200, options [mss 1460,sackOK,TS val 493808950 ecr 0,nop,wscale 7], length 0
    14:55:06.244081 IP (tos 0x0, ttl 61, id 17409, offset 0, flags [DF], proto TCP (6), length 60)
        10.128.12.43.41424 > 10.1.194.2.443: Flags [S], cksum 0x5c84 (correct), seq 1054124034, win 29200, options [mss 1460,sackOK,TS val 493809388 ecr 0,nop,wscale 7], length 0
    14:55:06.496201 IP (tos 0x0, ttl 61, id 62893, offset 0, flags [DF], proto TCP (6), length 60)
        10.128.12.43.41425 > 10.1.194.2.443: Flags [S], cksum 0x61ab (correct), seq 3352828311, win 29200, options [mss 1460,sackOK,TS val 493809451 ecr 0,nop,wscale 7], length 0
    14:55:10.252066 IP (tos 0x0, ttl 61, id 17410, offset 0, flags [DF], proto TCP (6), length 60)
        10.128.12.43.41424 > 10.1.194.2.443: Flags [S], cksum 0x589a (correct), seq 1054124034, win 29200, options [mss 1460,sackOK,TS val 493810390 ecr 0,nop,wscale 7], length 0
    14:55:10.500215 IP (tos 0x0, ttl 61, id 62894, offset 0, flags [DF], proto TCP (6), length 60)
        10.128.12.43.41425 > 10.1.194.2.443: Flags [S], cksum 0x5dc2 (correct), seq 3352828311, win 29200, options [mss 1460,sackOK,TS val 493810452 ecr 0,nop,wscale 7], length 0
    (Port 443)
     

    Cheers,

    Frank

Children
  • 0 in reply to FrankAndert

    Hi, 

    You don't need a policy or gateway route to get the web admin access. Please remove them as they might cause the issue.

    Did you tried restarting httpd services and edit the management interface and select the ipv4 default gateway option.

    Thanks

  • 0 in reply to FrankAndert

    Hi, Frank, and welcome to the UTM Community!

    Please try again while watching the Live Logs mentioned in #1 in Rulz.  Any clues from that?

    Cheers - Bob

  • 0 in reply to sachingurung

    There is no problem by reaching the Web Admin Portal, but the User Portal. It won't work either with the disabled Policy/Gateway Routes.


    I did and did a reboot, too. Still no connection to the User Portal.

    mx:/root # tcpdump -ni eth0 host 10.1.194.2
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    14:13:49.619520 IP 10.1.194.2.443 > 10.128.12.64.50642: Flags [S.], seq 618473601, ack 48106500, win 28960, options [mss 1460,sackOK,TS val 78655457 ecr 1206558579,nop,wscale 7], length 0

    Maybe this is related to this "Static Route" to get access to the Web Admin Portal.

    There is Port 8443 configured for Remote Access. And I just found out, that the User portal is reachable for every other subnet, than our Adminsubnet.

     

    Suggestions are very welcome.

     

    Cheers,

    Frank

  • 0 in reply to FrankAndert

    Frank, please disable/delete all of your manually-created Static Routes.  WebAdmin automatically creates all necessary routes between subnets defined on its interfaces.

    Any luck now?  If not, please insert a picture of the 'Global' tab of 'Management >> User Portal'.

    Cheers - Bob