NPR Podcasts won't download

Sophos UTM 9.403-4.  Download of NPR podcasts used to work, but began failing 10 days ago.  No changes on my side other than UTM maintenance patches, but I don't know if NPR made changes.  Trying to download NPR podcasts on Android devices and now receive an error that I am unable to reach npr.mc.tritondigital.com.  I added the site to a list of sites that bypass the proxy but that didn't resolve the issue.  Log below: 

5/31/16
8:17:34.000 PM
May 31 20:17:34 192.168.0.254 2016:05:31-20:17:39 castleblack ulogd[18401]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="00:30:18:a3:04:1a" srcip="54.225.143.212" dstip="192.168.0.126" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="33042" tcpflags="RST"
host = 192.168.0.254 source = udp:514 sourcetype = sophos:utm:firewall
5/31/16
8:17:15.000 PM
May 31 20:17:15 192.168.0.254 2016:05:31-20:17:20 castleblack ulogd[18401]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="00:30:18:a3:04:1a" srcip="31.13.93.3" dstip="192.168.0.126" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="44700" tcpflags="RST"
host = 192.168.0.254 source = udp:514 sourcetype = sophos:utm:firewall
5/31/16
8:17:04.000 PM
May 31 20:17:04 192.168.0.254 2016:05:31-20:17:09 castleblack ulogd[18401]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="00:30:18:a3:04:1a" srcip="216.58.209.14" dstip="192.168.0.126" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="46773" tcpflags="RST"
host = 192.168.0.254 source = udp:514 sourcetype = sophos:utm:firewall
5/31/16
8:17:03.000 PM
May 31 20:17:03 192.168.0.254 2016:05:31-20:17:08 castleblack httpproxy[5537]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.0.126" dstip="216.58.209.14" user="" group="" ad_domain="" statuscode="204" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xa0785800" url="clients3.google.com/generate_204" referer="" error="" authtime="0" dnstime="1529" cattime="325" avscantime="0" fullreqtime="378343" device="0" auth="0" ua="Dalvik/2.1.0 (Linux; U; Android 5.1; XT1060 Build/LPAS23.12-39.7-1)" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" country="United States"
host = 192.168.0.254 source = udp:514 sourcetype = sophos:utm:firewall:utm:firewall

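The UTM lines quoted above are syslog records whose body is a flat sequence of key="value" pairs, so they are easy to triage programmatically rather than by eye. The following Python is an added example, not code from the original post or from Sophos: it parses the four quoted lines (embedded as constructed input, with the Splunk "host = ..." metadata lines left out), filters by the client's IP the way the first reply's grep does, lists the dropped inbound RST packets, and checks which hostnames the web proxy actually logged. The function and variable names are this example's own.

```python
import re

# Constructed input: the four UTM log lines quoted in the post above,
# without the Splunk "host = ... source = ..." metadata lines.
SAMPLE_LOG = """\
May 31 20:17:34 192.168.0.254 2016:05:31-20:17:39 castleblack ulogd[18401]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="00:30:18:a3:04:1a" srcip="54.225.143.212" dstip="192.168.0.126" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="33042" tcpflags="RST"
May 31 20:17:15 192.168.0.254 2016:05:31-20:17:20 castleblack ulogd[18401]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="00:30:18:a3:04:1a" srcip="31.13.93.3" dstip="192.168.0.126" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="44700" tcpflags="RST"
May 31 20:17:04 192.168.0.254 2016:05:31-20:17:09 castleblack ulogd[18401]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="00:30:18:a3:04:1a" srcip="216.58.209.14" dstip="192.168.0.126" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="46773" tcpflags="RST"
May 31 20:17:03 192.168.0.254 2016:05:31-20:17:08 castleblack httpproxy[5537]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.0.126" dstip="216.58.209.14" user="" group="" ad_domain="" statuscode="204" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xa0785800" url="clients3.google.com/generate_204" referer="" error="" authtime="0" dnstime="1529" cattime="325" avscantime="0" fullreqtime="378343" device="0" auth="0" ua="Dalvik/2.1.0 (Linux; U; Android 5.1; XT1060 Build/LPAS23.12-39.7-1)" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" country="United States"
"""

# Syslog header as relayed here: "<month> <day> <time> <relay ip> <utm timestamp>
# <hostname> <daemon>[<pid>]: <key="value" body>".
HEADER_RE = re.compile(
    r'^(?P<syslog_ts>\w{3}\s+\d+ [\d:]+) (?P<relay>\S+) (?P<utm_ts>\S+) '
    r'(?P<host>\S+) (?P<daemon>\w+)\[(?P<pid>\d+)\]: (?P<body>.*)$'
)
# One key="value" pair; values may contain spaces and parentheses but not quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Split one UTM syslog line into header fields plus its key="value" fields.
    Returns None for anything that is not a UTM record (e.g. Splunk metadata)."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(KV_RE.findall(rec.pop('body')))
    return rec


def parse_log(text):
    """Parse every UTM record in a block of log text, skipping non-matching lines."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def events_for_ip(records, ip):
    """Records where the given address is source or destination: the
    programmatic form of 'tail -f *.log | grep x.x.x.x' from the first reply."""
    return [r for r in records if ip in (r.get('srcip'), r.get('dstip'))]


def dropped_rst_from_servers(records):
    """Packetfilter drops of inbound TCP RST packets, as (remote ip, remote port, client port).
    These show a remote server tearing a connection down, not the UTM blocking a site."""
    return [(r['srcip'], int(r['srcport']), int(r['dstport']))
            for r in records
            if r['daemon'] == 'ulogd' and r.get('action') == 'drop'
            and r.get('proto') == '6' and r.get('tcpflags') == 'RST']


def proxied_hosts(records):
    """Hostnames the web proxy actually handled, taken from the url= field."""
    return sorted({r['url'].split('/', 1)[0]
                   for r in records
                   if r['daemon'] == 'httpproxy' and r.get('url')})


def proxy_saw_host(records, hostname):
    """True only if the web proxy logged a request for hostname.
    False means the request never reached the proxy, so look upstream (DNS, client)."""
    return hostname in proxied_hosts(records)


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    print('records for the phone:', len(events_for_ip(recs, '192.168.0.126')))
    print('dropped RSTs:', dropped_rst_from_servers(recs))
    print('hosts seen by proxy:', proxied_hosts(recs))
    print('proxy saw npr.mc.tritondigital.com:',
          proxy_saw_host(recs, 'npr.mc.tritondigital.com'))
```

Run against the quoted lines, the proxy check comes back False for npr.mc.tritondigital.com: the name never reached the UTM web proxy at all, which is consistent with the resolution later in the thread (a DNS filter in front of the client answering for the name), and is the kind of negative result worth confirming before changing firewall or proxy rules. The RST drops it lists are server-originated resets to the phone's high ports, which is why the first reply asks about them but they do not identify the blocked site.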
  • Hi Scott,

    The log shows clients3.google.com is allowed through UTM.

    May 31 20:17:03 192.168.0.254 2016:05:31-20:17:08 castleblack httpproxy[5537]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.0.126" dstip="216.58.209.14" user="" group="" ad_domain="" statuscode="204" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xa0785800" url="clients3.google.com/generate_204" referer="" error="" authtime="0" dnstime="1529" cattime="325" avscantime="0" fullreqtime="378343" device="0" auth="0" ua="Dalvik/2.1.0 (Linux; U; Android 5.1; XT1060 Build/LPAS23.12-39.7-1)" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" country="United States"
    host = 192.168.0.254 source = udp:514 sourcetype = sophos:utm:firewall:utm:firewall

    Please post logs for the IP address leased to your mobile phone. Try the command: tail -f *.log | grep x.x.x.x (the IP address).

    Alongside, why is the TCP protocol being dropped? Do you have any AntiDoS configured in UTM for TCP communications?

    May 31 20:17:34 192.168.0.254 2016:05:31-20:17:39 castleblack ulogd[18401]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="00:30:18:a3:04:1a" srcip="54.225.143.212" dstip="192.168.0.126" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="33042" tcpflags="RST" 
    host = 192.168.0.254 source = udp:514 sourcetype = sophos:utm:firewall

    Thanks

  • No AntiDOS.  192.168.0.126 was the phone.  You've confirmed that the log isn't telling us anything.  Here's a trace, maybe that will help.  Client is .55 this time.

  • Hi,

    A SYN request is sent out on port 443 from IP 192.168.0.55 and an RST packet is received from 195.46.39.1. What Web Protection mode is configured in UTM? If it is transparent mode, configure a transparent skip list for the destination IP host.

    Thanks

  • As it turned out, SafeDNS had flagged the site as a banner ad and was blocking it.  Whitelisting npr.mc.tritondigital.com in SafeDNS resolved the error.  It wasn't a UTM issue, which explains why the logs were inconclusive.