Sophos UTM - Packets dropped, without Reason

Question

Hello, 
 the situation is, i have a mail gateway and forward mails trough the sophos utm to my internal mailserver. 
 I've enabled DNAT to the internal Server. The Mailgateway (MailCleaner) communicates from the Internet with the internal Mailserver without Problems (Allowed port 25 to Internal Mailserver). 
 But when i open the Firewall Tab, there are always blocked SMTP packets. 
 The Firewall log shows the following output when i try the Adress Verification via SMTP:

10:31:06 
 Packet filter rule #6 
 TCP

62.11x.xx.115 
 : 
 48445

&rarr;

192.168.xx.xx 
 : 
 25

[SYN] 
 len=60 
 ttl=48 
 tos=0x00 
 srcmac=00:01:5c:xx:xx:xx 
 dstmac=00:0c:xx:xx:xx:xx

10:31:06 
 
 TCP

62.11x.xx.115 
 : 
 48445

&rarr;

62.xx.xx.xx 
 : 
 25

[RST] 
 len=40 
 ttl=49 
 tos=0x00 
 srcmac=00:01:5c:xx:xx:xx 
 dstmac=00:0c:xx:xx:xx:xx

10:31:06 
 
 TCP

62.11x.xx.115 
 : 
 48445

&rarr;

62.xx.xx.xx 
 : 
 25

[RST] 
 len=40 
 ttl=49 
 tos=0x00 
 srcmac=00:01:5c:xx:xx:xx 
 dstmac=00:0c:xx:xx:xx:x

I also have tried to fix it with a new firewall rule: 62.11x.xxx.115:1-65535 -> SMTP -> 62.xx.xx.xx but i receive the same error scheme. 
 
 Could somebody explain or help me to fix that, my Mailgateway is always on first position in my Firewalls blocked paket list!

LuCar Toni · Accepted Answer

Those packets are RST Packets. Means RESET. https://stackoverflow.com/questions/7735618/tcp-rst-packet-details 
 Basically UTM only logs, that this packet is dropped. 
 (Most likely you have following Option enabled: Network Protection > Firewall > Advanced : 
 Block invalid packets: If enabled, the firewall will check the data packets for conntrack entries. The conntrack entries will be generated by sending connection initializing packets, for example, TCP SYN or ICMP echo requests. If someone tries to send a packet which does not match to an existing connection, for example, TCP ACK or ICMP echo reply and Sophos UTM cannot find a matching TCP SYN or ICMP echo request via the conntrack entry the data packet is invalid and will be dropped. A record will be written to the firewall log.) 
 
 There is an issue in the communication. 
 You need to dump the connection. Those RST Pakets are basically useless for the communication and will be dropped.

Jaydeep · Answer

Hi Rene Hofmann 
 These RST packets are being dropped because the connection tracker is no longer tracking the connection. It has no idea where to send the packet and, were the server to receive the packet, it likely would have no idea what to do with the packet. I would also suggest you to check the sequence number of the packets in order to see if there are any re-transmitted packets. 
 You may also refer this KBA Sophos UTM: Firewall log shows dropped packets with tcpflags="ACK RST" or "ACK FIN" Hope this helps.

Rene Hofmann · Answer

No it's not an issue. I just wanted to know if i can disable the logging for those RST Pakets for my Mailgateway. 
 The RST Pakets only occur if someone tries to send to a non existing E-Mail address (Mailgateway asks internal Mailserver for the Adress, if it's not existent you will receive a message containing: 550 Callout verification failed: 550 5.1.1 <asd@xxx.xx>: Recipient address rejected: User unknown in virtual mailbox table) 
 I don't know why the Session is not closed with a FIN Paket. - And i don't want to debug the network traffic, the server logs are okay. 
 Anyway it's not a big deal, it's only my personal domain with some Mailboxes, it's possible for me to manage them seperatly on the MGW and Mailserver. 
 
 Without smtp callout the Firewall Top Dropped Destination Services/Hosts won't look like this anymore:

Thank you for your help!

Sophos UTM - Packets dropped, without Reason

Top Replies