Hi, we have two Sophos FWs. Both on newest 9.1. Pattern are up to date. Only Network Security.
One appliance and one virtual machine (VM) on an ESXi Server.
They are located in different Locations. There is no VPN between these two.
The appliance has only one uplink and the VM has multiple uplinks.
There are Servers behind the appliance that access the server behind the VM.
On the appliance there are masquerading rules configured for the internal server behind the appliance.
On the VM there are DNAT rules configured for http(s) to some internal servers behind the VM.
So far for the setup.
The problem first occured between September 13th - 14th.
I can see a lot of default drops in the firewall log on the VM.
These are all FIN, ACK.
There are only drops for FIN but none for SYN. The connection even works but...
there is one strange thing though.
The FIN, ACK drops are all sourced from the internal IP Address from the server behind our appliance.
How can this happen?
Example:
Internal Server (10.0.0.10) -->
Appliance (Masq 10.0.0.10 to 111.111.111.111) -->
VM (DNAT 113.113.113.113:443 --> 10.1.1.10:443) -->
internal Server (10.1.1.10)
On the VM log the drops look like this.
drop 10.0.0.10 --> 10.1.1.10 proto 6 FIN,ACK
Shouldn't this be.
drop 111.111.111.111 --> 113.113.113.113 proto 6 FIN, ACK
How can there be the internal address of my internal server?
I connected to a different external server from the server behind the appliance and captured the packets with wireshark. There ist no internal IP in these packets. So where do these come from?
This thread was automatically locked due to age.
