Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 2 subscribers
  • Views 2545 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ASG blocks its own NTP queries

RobLP
ASG has begun blocking its own queries to external NTP servers. ASG "System Settings", "Time and Date" settings are configured to use "pool.ntp.org" time servers. When I click "Test Configured Servers", 3 out of 4 return "failed" result and the one return indicates minutes of offset.
Have also tried configuring for "north-america.pool.ntp.org".

LOG EXTRACT (entries are contiguous):
20:21:14  Default DROP  UDP   :123    173.201.38.85:123  len=76  ttl=64  tos=0x00  srcmac=

20:23:29  Default DROP  UDP   :123    173.201.38.85:123  len=76  ttl=64  tos=0x00  srcmac=

20:23:45  Default DROP  UDP   :123    173.201.38.85:123  len=76  ttl=64  tos=0x00  srcmac=

20:24:01  Default DROP  UDP    :123    173.201.38.85:123  len=76  ttl=64  tos=0x00  srcmac=

20:26:10  Default DROP  UDP    :123    173.201.38.85:123  len=76  ttl=64  tos=0x00  srcmac=

20:26:26  Default DROP  UDP    :123    173.201.38.85:123  len=76  ttl=64  tos=0x00  srcmac=

20:26:42  Default DROP  UDP    :123    173.201.38.85:123  len=76  ttl=64  tos=0x00  srcmac=

20:28:52  Default DROP  UDP    :123    173.201.38.85:123  len=76  ttl=64  tos=0x00  srcmac=

20:29:08  Default DROP  UDP    :123    173.201.38.85:123  len=76  ttl=64  tos=0x00  srcmac=

NTP function previously worked well (ie, 


This thread was automatically locked due to age.
  • 0
    Rob, take a look at the Intrusion Prevention log; when things suddenly stop working, it's usually a new Snort rule.

    If that doesn't give you the info you need, please show the same lines above from the full log; the live log is pretty worthless for analytical work.

    Cheers - Bob
  • 0
    Bob, thanks for your reply.
    The IPS log is empty, which is consistent with the dashboard showing "IPS: 0 attacks blocked". Meanwhile, the Packet Filter log continues recording default block port 123 messages as follows: 

    EXTRACT FROM FULL LOG (entries are contiguous):
    2010:09:18-00:01:56 simba ulogd[3993]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:18:f3:c7:91[:D]d" srcip="192.168.141.13" dstip="173.201.38.85" proto="17" length="76" tos="0x00" prec="0xc0" ttl="64" srcport="123" dstport="123" 

    2010:09:18-00:02:12 simba ulogd[3993]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:18:f3:c7:91[:D]d" srcip="192.168.141.13" dstip="173.201.38.85" proto="17" length="76" tos="0x00" prec="0xc0" ttl="64" srcport="123" dstport="123" 

    2010:09:18-00:02:28 simba ulogd[3993]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:18:f3:c7:91[:D]d" srcip="192.168.141.13" dstip="173.201.38.85" proto="17" length="76" tos="0x00" prec="0xc0" ttl="64" srcport="123" dstport="123" 

    2010:09:18-00:04:40 simba ulogd[3993]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:18:f3:c7:91[:D]d" srcip="192.168.141.13" dstip="173.201.38.85" proto="17" length="76" tos="0x00" prec="0xc0" ttl="64" srcport="123" dstport="123" 

    2010:09:18-00:04:56 simba ulogd[3993]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:18:f3:c7:91[:D]d" srcip="192.168.141.13" dstip="173.201.38.85" proto="17" length="76" tos="0x00" prec="0xc0" ttl="64" srcport="123" dstport="123" 

    2010:09:18-00:05:12 simba ulogd[3993]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:18:f3:c7:91[:D]d" srcip="192.168.141.13" dstip="173.201.38.85" proto="17" length="76" tos="0x00" prec="0xc0" ttl="64" srcport="123" dstport="123" 

    2010:09:18-00:07:24 simba ulogd[3993]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:18:f3:c7:91[:D]d" srcip="192.168.141.13" dstip="173.201.38.85" proto="17" length="76" tos="0x00" prec="0xc0" ttl="64" srcport="123" dstport="123" 

    As you apparently do, I suspect a faulty PF Rule 60003 update has caused this problem.
    If memory serves, rule 60003 cannot be disabled; but, I want it enabled in any case.

    Thanks again.
    Rob

    ASG 8.001, Pattern 20234
  • 0 in reply to BAlfson
    BTW: Don't know if you've seen my post re my ACC false-blocking problem, which also may be related to a faulty-pattern: 
    https://community.sophos.com/products/unified-threat-management/astaroorg/f/61/t/56858
    Rob
  • 0 in reply to RobLP
    BTW: Don't know if you've seen my post re my ACC false-blocking problem, which also may be related to a faulty-pattern: 
    http://www.astaro.org/other-astaro-products/astaro-command-center-acc/33918-acc-drops-port-4433-traffic-our-asgs.html.
    Rob


    From the noted ACC thread:
    The dropped packages are due to a bug in setting up the packet filter rules for the devices. 

    The problem:
    If there is a DNS host definition which is bound to the Uplink Interface no packet filter rule is generated.
    Workaround:
    Set the interface for the DNS hosts you use to Any.

    Thorsten


    The same workaround fixes the ASG (and ACC) time-server access problem, which started this thread.

    Thanks again, Thorsten! 
    Rob
  • 0
    Thanks, Rob, for posting the solution.  This is another reminder that one should (almost) never bind a definition to an interface.

    Cheers - Bob

    Please vote for this feature request: Warn about binding network definition to a specific interface