Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 9 replies
  • Answers 2 answers
  • Subscribers 3 subscribers
  • Views 2405 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM denying return traffic from RDS/HCSS cloud provider

Timothy Stephens

My UTM 9 is allowing my end users access to RDS/HCSS Cloud Provider service. It's virtual desktop session that my end users use. Simliar to Citrix. The conversation occurs over tcp/443. I've noticed through exported logs (pcaps), that the conversation is also over udp/3391. 

Peroidically, the firewall will drop the return traffic with a "60001" error code. But, only for the udp/3391 traffic. Example, if the provider address was 1.1.1.1 and my primary WAN ip is 2.2.2.2, the traffic flow would look something like this src: 1.1.1.1:3391 dst:2.2.2.2:56434. 

The odd part is it's not consistent. I see two-way traffic within my pcaps between the WAN IP and the provider. For both tcp/443 and udp/3391. So, that tells me my DNATs/SNATs/MSQs and associated rules are all correct. When I do see the denies, it's precisely at the time when my end users complain about their RDP sessions freezing up. 

Thoughts from the group? 

Could this be something with SNORT/IPS on the firewall? Or something more on the provider side?



This thread was automatically locked due to age.
Parents
  • 0

    Hi Timothy and welcome to the UTM Community!

    What do you learn from doing #1 in Rulz (last updated 2019-04-17)?

    If you still need help, show us a related line from the log file.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Bob, 

     

    Thanks for the reply. I checked the UDP flooding, and it wasn't enabled. hHat didn't fix the problem.

    Here is one of the logs: 

    2020:05:06-05:45:08 fw-01 ulogd[26891]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth4" srcmac="02:02:33:40:53:95" dstmac="00:1a:8c:51:42:7e" srcip="y.y.y.y" dstip="x.x.x.x" proto="17" length="105" tos="0x00" prec="0x00" ttl="118" srcport="3391" dstport="56332"

     

    When these denies appear in my firewall logs, my end users are complaining about disruptions to their remote desktop session to the cloud provided. 

     

    I do not have a DNAT with this dynamic ports allowed. Could that be my issue? 

  • 0 in reply to Timothy Stephens

    This is just a guess, Timothy - I wonder if your ISP or the RDS/HCSS cloud provider is having overload problems.

    I say that because this kind of thing is usually caused by the connection tracker thinking that a conversation has ended.  The normal value is 30, but try the following as root at the command line:

    cc set packetfilter timeouts ip_conntrack_udp_timeout 150

    If you aren't comfortable doing that, you could get a ticket opened with Sophos Support and they could try that for you.

    Any luck with that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    That makes sense, when running wireshark locally, I'm seeing successful two-way traffic similar to the traffic I provided above. The cloud provider app is essentially using dtls to communicate (udp/3391).

    But, I'm seeing these same errors today (Sunday). The assumption is if it's a capacity issue, the volume of traffic for the cloud provider and ISP is significantly lower over the weekend than what it would be during a work week. Yes, the errors are less frequent today and yesterday than what they were on Friday. 

     

    I will give it a try. 

    naturally, It's hard to replicate the problem to see if it works right away ;) 

     

    Thanks Bob

  • 0 in reply to Timothy Stephens

    That didn't seem to work. I'll leave the timeout value to 150 seconds for now. 

    I updated the inbound rule to include the ephermeral ports (49152:65535) for the destination port. 

    The rule is exclusive to the provider's public IP (never changes). 

    Lowers the posture of the firewall, and this will be temp, but I need to know if this is the issue. 

Reply
  • 0 in reply to Timothy Stephens

    That didn't seem to work. I'll leave the timeout value to 150 seconds for now. 

    I updated the inbound rule to include the ephermeral ports (49152:65535) for the destination port. 

    The rule is exclusive to the provider's public IP (never changes). 

    Lowers the posture of the firewall, and this will be temp, but I need to know if this is the issue. 

Children
  • 0 in reply to Timothy Stephens

    If that change in the inbound rule fixes this, I'm really confused.  Please get a case open with Sophos Support and see what they have to say about this.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML