ASG blocks its own NTP queries

ASG has begun blocking its own queries to external NTP servers. ASG "System Settings", "Time and Date" settings are configured to use "pool.ntp.org" time servers. When I click "Test Configured Servers", 3 out of 4 return a "failed" result, and the one that returns indicates minutes of offset.
Have also tried configuring for "north-america.pool.ntp.org".

LOG EXTRACT (entries are contiguous):
20:21:14  Default DROP  UDP   :123    173.201.38.85:123  len=76  ttl=64  tos=0x00  srcmac=

20:23:29  Default DROP  UDP   :123    173.201.38.85:123  len=76  ttl=64  tos=0x00  srcmac=

20:23:45  Default DROP  UDP   :123    173.201.38.85:123  len=76  ttl=64  tos=0x00  srcmac=

20:24:01  Default DROP  UDP    :123    173.201.38.85:123  len=76  ttl=64  tos=0x00  srcmac=

20:26:10  Default DROP  UDP    :123    173.201.38.85:123  len=76  ttl=64  tos=0x00  srcmac=

20:26:26  Default DROP  UDP    :123    173.201.38.85:123  len=76  ttl=64  tos=0x00  srcmac=

20:26:42  Default DROP  UDP    :123    173.201.38.85:123  len=76  ttl=64  tos=0x00  srcmac=

20:28:52  Default DROP  UDP    :123    173.201.38.85:123  len=76  ttl=64  tos=0x00  srcmac=

20:29:08  Default DROP  UDP    :123    173.201.38.85:123  len=76  ttl=64  tos=0x00  srcmac=

NTP function previously worked well (ie, 


  • Bob, thanks for your reply.
    The IPS log is empty, which is consistent with the dashboard showing "IPS: 0 attacks blocked". Meanwhile, the Packet Filter log continues recording default block port 123 messages as follows: 

    EXTRACT FROM FULL LOG (entries are contiguous):
    2010:09:18-00:01:56 simba ulogd[3993]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:18:f3:c7:91:dd" srcip="192.168.141.13" dstip="173.201.38.85" proto="17" length="76" tos="0x00" prec="0xc0" ttl="64" srcport="123" dstport="123"

    2010:09:18-00:02:12 simba ulogd[3993]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:18:f3:c7:91:dd" srcip="192.168.141.13" dstip="173.201.38.85" proto="17" length="76" tos="0x00" prec="0xc0" ttl="64" srcport="123" dstport="123"

    2010:09:18-00:02:28 simba ulogd[3993]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:18:f3:c7:91:dd" srcip="192.168.141.13" dstip="173.201.38.85" proto="17" length="76" tos="0x00" prec="0xc0" ttl="64" srcport="123" dstport="123"

    2010:09:18-00:04:40 simba ulogd[3993]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:18:f3:c7:91:dd" srcip="192.168.141.13" dstip="173.201.38.85" proto="17" length="76" tos="0x00" prec="0xc0" ttl="64" srcport="123" dstport="123"

    2010:09:18-00:04:56 simba ulogd[3993]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:18:f3:c7:91:dd" srcip="192.168.141.13" dstip="173.201.38.85" proto="17" length="76" tos="0x00" prec="0xc0" ttl="64" srcport="123" dstport="123"

    2010:09:18-00:05:12 simba ulogd[3993]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:18:f3:c7:91:dd" srcip="192.168.141.13" dstip="173.201.38.85" proto="17" length="76" tos="0x00" prec="0xc0" ttl="64" srcport="123" dstport="123"

    2010:09:18-00:07:24 simba ulogd[3993]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="0:18:f3:c7:91:dd" srcip="192.168.141.13" dstip="173.201.38.85" proto="17" length="76" tos="0x00" prec="0xc0" ttl="64" srcport="123" dstport="123"

    As you apparently do, I suspect a faulty PF Rule 60003 update has caused this problem.
    If memory serves, rule 60003 cannot be disabled; but, I want it enabled in any case.

    Thanks again.
    Rob

    ASG 8.001, Pattern 20234
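
Added example, not part of the original posts: a short Python parser for the ulogd packet-filter lines quoted above, grouping drops by rule and flow and listing the spacing between them. The sample lines are abridged from that extract (srcmac and some fields omitted); the function names, and the reading that a record with `outitf` but no `initf` was generated on the firewall itself, are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Abridged from the thread's extract (srcmac, length, tos, prec, ttl omitted).
SAMPLE = """\
2010:09:18-00:01:56 simba ulogd[3993]: id="2001" sub="packetfilter" action="drop" fwrule="60003" outitf="eth0" srcip="192.168.141.13" dstip="173.201.38.85" proto="17" srcport="123" dstport="123"
2010:09:18-00:02:12 simba ulogd[3993]: id="2001" sub="packetfilter" action="drop" fwrule="60003" outitf="eth0" srcip="192.168.141.13" dstip="173.201.38.85" proto="17" srcport="123" dstport="123"
2010:09:18-00:02:28 simba ulogd[3993]: id="2001" sub="packetfilter" action="drop" fwrule="60003" outitf="eth0" srcip="192.168.141.13" dstip="173.201.38.85" proto="17" srcport="123" dstport="123"
2010:09:18-00:04:40 simba ulogd[3993]: id="2001" sub="packetfilter" action="drop" fwrule="60003" outitf="eth0" srcip="192.168.141.13" dstip="173.201.38.85" proto="17" srcport="123" dstport="123"
"""

LINE = re.compile(r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (\S+) ulogd\[\d+\]: (.*)$')
PAIR = re.compile(r'(\w+)="([^"]*)"')

def parse(line):
    """Turn one ulogd line into a dict of its key="value" fields, or None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = dict(PAIR.findall(m.group(3)))
    rec["time"] = datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S")
    rec["host"] = m.group(2)
    return rec

def summarize(text):
    """Group packet-filter drops by (rule, src, dst, proto, dport)."""
    groups = defaultdict(list)
    for rec in filter(None, map(parse, text.splitlines())):
        if rec.get("sub") == "packetfilter" and rec.get("action") == "drop":
            key = tuple(rec.get(k) for k in
                        ("fwrule", "srcip", "dstip", "proto", "dstport"))
            groups[key].append(rec)
    report = []
    for key, recs in groups.items():
        times = sorted(r["time"] for r in recs)
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report.append({
            "fwrule": key[0], "srcip": key[1], "dstip": key[2],
            "proto": key[3], "dstport": key[4],
            "count": len(recs), "gaps_s": gaps,
            # Assumption: outitf set and initf absent means the packet did not
            # enter through an interface, i.e. the firewall itself sent it.
            "locally_generated": all("initf" not in r and "outitf" in r
                                     for r in recs),
        })
    return report

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Run against the full packet-filter log, the same grouping shows whether rule 60003 is dropping only the NTP flow or other traffic from the same source as well.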