This discussion has been locked.

HTTPS Traffic Dropped

My UTM install has been running for a little over 3 years. It is currently on Firmware version 9.405-5 and Pattern version 106631. With the last update, it started blocking YouTube and many of the Google apps, like Drive. Logging into Gmail became problematic also. I have not made any changes to the config for several months before this began. 

This is my first post. So, I apologize if I have omitted any needed info. Please let me know what else is needed and I will gladly post it.

Here is an excerpt of the live log of firewall traffic.

Live Log: Firewall

10:41:18 Default DROP ICMP 216.58.218.14 -> 96.37.242.30 len=576 ttl=54 tos=0x00 srcmac=00:01:5c:65:da:46 dstmac=00:50:56:03:02:0b
10:41:18 Default DROP ICMP 216.58.218.14 -> 96.37.242.30 len=576 ttl=54 tos=0x00 srcmac=00:01:5c:65:da:46 dstmac=00:50:56:03:02:0b
10:41:18 Default DROP ICMP 216.58.218.14 -> 96.37.242.30 len=576 ttl=54 tos=0x00 srcmac=00:01:5c:65:da:46 dstmac=00:50:56:03:02:0b
10:41:19 Default DROP ICMP 216.58.218.14 -> 96.37.242.30 len=576 ttl=54 tos=0x00 srcmac=00:01:5c:65:da:46 dstmac=00:50:56:03:02:0b
10:41:21 Default DROP ICMP 216.58.218.14 -> 96.37.242.30 len=576 ttl=54 tos=0x00 srcmac=00:01:5c:65:da:46 dstmac=00:50:56:03:02:0b
10:41:23 Default DROP ICMP 216.58.218.14 -> 96.37.242.30 len=576 ttl=54 tos=0x00 srcmac=00:01:5c:65:da:46 dstmac=00:50:56:03:02:0b
10:41:25 Default DROP ICMP 216.58.218.14 -> 96.37.242.30 len=576 ttl=54 tos=0x00 srcmac=00:01:5c:65:da:46 dstmac=00:50:56:03:02:0b
10:41:25 Default DROP ICMP 216.58.218.14 -> 96.37.242.30 len=576 ttl=54 tos=0x00 srcmac=00:01:5c:65:da:46 dstmac=00:50:56:03:02:0b
10:41:25 Default DROP ICMP 216.58.218.14 -> 96.37.242.30 len=576 ttl=54 tos=0x00 srcmac=00:01:5c:65:da:46 dstmac=00:50:56:03:02:0b
10:41:25 Default DROP ICMP 216.58.218.14 -> 96.37.242.30 len=576 ttl=54 tos=0x00 srcmac=00:01:5c:65:da:46 dstmac=00:50:56:03:02:0b
10:41:27 Default DROP ICMP 216.58.218.14 -> 96.37.242.30 len=576 ttl=54 tos=0x00 srcmac=00:01:5c:65:da:46 dstmac=00:50:56:03:02:0b
10:41:28 Default DROP ICMP 216.58.218.14 -> 96.37.242.30 len=576 ttl=54 tos=0x00 srcmac=00:01:5c:65:da:46 dstmac=00:50:56:03:02:0b
10:41:28 Default DROP UDP 203.192.151.103:64281 -> 216.58.218.14:443 len=1378 ttl=127 tos=0x00 srcmac=44:8a:5b:9a:76:8c dstmac=00:50:56:03:02:0a
10:41:28 Default DROP UDP 203.192.151.103:64281 -> 216.58.218.14:443 len=1378 ttl=127 tos=0x00 srcmac=44:8a:5b:9a:76:8c dstmac=00:50:56:03:02:0a
10:41:28 Default DROP UDP 203.192.151.103:53152 -> 216.58.218.13:443 len=1378 ttl=127 tos=0x00 srcmac=44:8a:5b:9a:76:8c dstmac=00:50:56:03:02:0a
10:41:28 Default DROP UDP 203.192.151.103:64281 -> 216.58.218.14:443 len=1378 ttl=127 tos=0x00 srcmac=44:8a:5b:9a:76:8c dstmac=00:50:56:03:02:0a
10:41:28 Default DROP UDP 203.192.151.103:53152 -> 216.58.218.13:443 len=1378 ttl=127 tos=0x00 srcmac=44:8a:5b:9a:76:8c dstmac=00:50:56:03:02:0a
10:41:28 Default DROP TCP 216.58.218.14:443 -> 96.37.242.30:62634 [ACK FIN] len=52 ttl=54 tos=0x00 srcmac=00:01:5c:65:da:46 dstmac=00:50:56:03:02:0b
10:41:29 Default DROP ICMP 216.58.218.14 -> 96.37.242.30 len=576 ttl=54 tos=0x00 srcmac=00:01:5c:65:da:46 dstmac=00:50:56:03:02:0b
10:41:29 Default DROP UDP 203.192.151.103:53152 -> 216.58.218.13:443 len=1378 ttl=127 tos=0x00 srcmac=44:8a:5b:9a:76:8c dstmac=00:50:56:03:02:0a
10:41:30 Default DROP UDP 203.192.151.103:64281 -> 216.58.218.14:443 len=1378 ttl=127 tos=0x00 srcmac=44:8a:5b:9a:76:8c dstmac=00:50:56:03:02:0a
10:41:30 Default DROP UDP 203.192.151.103:53152 -> 216.58.218.13:443 len=1378 ttl=127 tos=0x00 srcmac=44:8a:5b:9a:76:8c dstmac=00:50:56:03:02:0a
10:41:31 Default DROP UDP 203.192.151.103:64281 -> 216.58.218.14:443 len=1378 ttl=127 tos=0x00 srcmac=44:8a:5b:9a:76:8c dstmac=00:50:56:03:02:0a
10:41:31 Default DROP UDP 203.192.151.103:53152 -> 216.58.218.13:443 len=1378 ttl=127 tos=0x00 srcmac=44:8a:5b:9a:76:8c dstmac=00:50:56:03:02:0a
10:41:32 Default DROP UDP 203.192.151.103:64281 -> 216.58.218.14:443 len=98 ttl=127 tos=0x00 srcmac=44:8a:5b:9a:76:8c dstmac=00:50:56:03:02:0a
10:41:32 Default DROP UDP 203.192.151.103:53152 -> 216.58.218.13:443 len=98 ttl=127 tos=0x00 srcmac=44:8a:5b:9a:76:8c dstmac=00:50:56:03:02:0a
10:41:34 Default DROP ICMP 216.58.218.14 -> 96.37.242.30 len=576 ttl=54 tos=0x00 srcmac=00:01:5c:65:da:46 dstmac=00:50:56:03:02:0b
10:41:44 Default DROP ICMP 216.58.218.14 -> 96.37.242.30 len=576 ttl=54 tos=0x00 srcmac=00:01:5c:65:da:46 dstmac=00:50:56:03:02:0b
10:41:44 Default DROP ICMP 216.58.218.14 -> 96.37.242.30 len=576 ttl=54 tos=0x00 srcmac=00:01:5c:65:da:46 dstmac=00:50:56:03:02:0b
10:41:44 Default DROP ICMP 216.58.218.14 -> 96.37.242.30 len=576 ttl=54 tos=0x00 srcmac=00:01:5c:65:da:46 dstmac=00:50:56:03:02:0b
10:41:44 Default DROP ICMP 216.58.218.14 -> 96.37.242.30 len=576 ttl=54 tos=0x00 srcmac=00:01:5c:65:da:46 dstmac=00:50:56:03:02:0b
10:41:46 Default DROP ICMP 216.58.218.14 -> 96.37.242.30 len=576 ttl=54 tos=0x00 srcmac=00:01:5c:65:da:46 dstmac=00:50:56:03:02:0b
10:41:48 Default DROP ICMP 216.58.218.14 -> 96.37.242.30 len=576 ttl=54 tos=0x00 srcmac=00:01:5c:65:da:46 dstmac=00:50:56:03:02:0b

What do I need to change to fix this? Thanks, in advance, for your help.



This thread was automatically locked due to age.
  • Hi Michael,

    Did you configure UDP 443 to drop through a firewall rule, or any Anti-DoS configuration for UDP packets?

    The HTTP log does not show any traffic drops.

    Also, try restarting httpproxy: SSH to the UTM, log in as root, and execute: /var/mdw/scripts/httpproxy restart

    Thanks

  • On the firewall, I have only added rules to allow traffic to pass (on specific ports, to specific sites), no rules to drop traffic.

    On Anti-DoS/Flooding and Anti-Portscan, all are enabled; I have not changed the Attack Patterns at all.

    Their settings are:

    TCP Mode: Source and Destination Address
    TCP Logging: Limited
    TCP Source Rate: 100
    TCP Dest Rate: 200

    UDP Mode: Source and Destination Address
    UDP Logging: Limited
    UDP Source Rate: 200
    UDP Dest Rate: 300

    ICMP Mode: Source and Destination Address
    ICMP Logging: Limited
    ICMP Source Rate: 10
    ICMP Dest Rate: 20

    Anti-Portscan Action: Drop Traffic
    Anti-Portscan Limit Logging: enabled

    I just did the httpproxy restart you listed. YouTube now works! I will test it for a day or two and then, if it is still working, I will mark this issue as resolved. The reason I want to wait is that it would occasionally work for short periods of time (an hour or two) while I was having this issue. Thank you for your help.

  • Well, that did not last long. I just closed my browser (Chrome), reopened it a few minutes later, tried YouTube, and got this again:

    This site can't be reached
    The connection was reset.
    ERR_CONNECTION_RESET
  • I have also been running Sophos UTM 9 for the last 3 years or so with no issues. However, after the latest firmware update, I am getting really, really weird packet drops from the firewall. For example, I cannot connect to hangouts.google.com at all through the Sophos anymore, nor to many other legitimate sites. When I use a private VPN service or bypass the Sophos, there are no problems at all accessing sites. There have been no configuration changes on my end other than applying the firmware update.

    For example, here is what I see when I am trying to access Google Hangouts, and it's showing DNS requests being dropped... Huh? I've removed all firewall rules except for Internal Network, Any Service, to Any Destination.

    2016:08:14-11:24:29 thor ulogd[4536]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:71:c4:46" dstmac="80:ee:73:83:6a:d8" srcip="216.58.216.78" dstip="XX.XX.XXX.XX" proto="6" length="52" tos="0x00" prec="0x00" ttl="53" srcport="80" dstport="50583" tcpflags="ACK FIN"
    2016:08:14-11:24:39 thor ulogd[4536]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:71:c4:46" dstmac="80:ee:73:83:6a:d8" srcip="216.58.216.78" dstip="XX.XX.XXX.XX" proto="6" length="52" tos="0x00" prec="0x00" ttl="53" srcport="80" dstport="50583" tcpflags="ACK FIN"
    2016:08:14-11:24:49 thor ulogd[4536]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:71:c4:46" dstmac="80:ee:73:83:6a:d8" srcip="216.58.216.78" dstip="XX.XX.XXX.XX" proto="6" length="52" tos="0x00" prec="0x00" ttl="53" srcport="80" dstport="50583" tcpflags="ACK FIN"
    2016:08:14-11:24:53 thor ulogd[4536]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:71:c4:46" dstmac="80:ee:73:83:6a:d8" srcip="14.176.196.4" dstip="XX.XX.XXX.XX" proto="6" length="44" tos="0x00" prec="0x00" ttl="43" srcport="56458" dstport="23" tcpflags="SYN"
    2016:08:14-11:25:35 thor ulogd[4536]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:71:c4:46" dstmac="80:ee:73:83:6a:d8" srcip="216.58.216.78" dstip="XX.XX.XXX.XX" proto="6" length="52" tos="0x00" prec="0x00" ttl="53" srcport="443" dstport="50599" tcpflags="ACK FIN"
    2016:08:14-11:25:51 thor ulogd[4536]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:71:c4:46" dstmac="80:ee:73:83:6a:d8" srcip="105.157.138.161" dstip="XX.XX.XXX.XX" proto="6" length="44" tos="0x00" prec="0x00" ttl="42" srcport="36007" dstport="23" tcpflags="SYN"
    2016:08:14-11:25:55 thor ulogd[4536]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:71:c4:46" dstmac="80:ee:73:83:6a:d8" srcip="218.22.115.165" dstip="XX.XX.XXX.XX" proto="6" length="40" tos="0x00" prec="0x00" ttl="97" srcport="6000" dstport="1433" tcpflags="SYN"
    2016:08:14-11:27:01 thor ulogd[4536]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:71:c4:46" dstmac="80:ee:73:83:6a:d8" srcip="216.58.216.78" dstip="XX.XX.XXX.XX" proto="1" length="576" tos="0x00" prec="0x00" ttl="53" type="11" code="1"
    2016:08:14-11:27:01 thor ulogd[4536]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:71:c4:46" dstmac="80:ee:73:83:6a:d8" srcip="216.58.216.78" dstip="XX.XX.XXX.XX" proto="1" length="576" tos="0x00" prec="0x00" ttl="53" type="11" code="1"
    2016:08:14-11:27:01 thor ulogd[4536]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:71:c4:46" dstmac="80:ee:73:83:6a:d8" srcip="216.58.216.78" dstip="XX.XX.XXX.XX" proto="1" length="576" tos="0x00" prec="0x00" ttl="53" type="11" code="1"
    2016:08:14-11:27:01 thor ulogd[4536]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:71:c4:46" dstmac="80:ee:73:83:6a:d8" srcip="216.58.216.78" dstip="XX.XX.XXX.XX" proto="1" length="576" tos="0x00" prec="0x00" ttl="53" type="11" code="1"
    2016:08:14-11:27:01 thor ulogd[4536]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:71:c4:46" dstmac="80:ee:73:83:6a:d8" srcip="216.58.216.78" dstip="XX.XX.XXX.XX" proto="1" length="576" tos="0x00" prec="0x00" ttl="53" type="11" code="1"
    2016:08:14-11:27:02 thor ulogd[4536]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:71:c4:46" dstmac="80:ee:73:83:6a:d8" srcip="216.58.216.78" dstip="XX.XX.XXX.XX" proto="1" length="576" tos="0x00" prec="0x00" ttl="53" type="11" code="1"
    2016:08:14-11:27:03 thor ulogd[4536]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:71:c4:46" dstmac="80:ee:73:83:6a:d8" srcip="216.58.216.78" dstip="XX.XX.XXX.XX" proto="1" length="576" tos="0x00" prec="0x00" ttl="53" type="11" code="1"
    2016:08:14-11:27:05 thor ulogd[4536]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:71:c4:46" dstmac="80:ee:73:83:6a:d8" srcip="216.58.216.78" dstip="XX.XX.XXX.XX" proto="1" length="576" tos="0x00" prec="0x00" ttl="53" type="11" code="1"
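Editor's note with an added example (not code from the thread or from Sophos). The dropped packets posted in this thread fall into a small number of patterns that are worth separating before touching any rule: the OP's live log shows UDP/443 from the LAN client (203.192.151.103, ttl=127) to Google addresses, which is Chrome's QUIC transport that a UTM without a UDP/443 allow rule drops, after which Chrome falls back to TCP; both posters show ICMP type 11 code 1 from Google, which is "Time Exceeded: fragment reassembly time exceeded" (RFC 792), meaning the remote host gave up reassembling a fragmented datagram from this side, a fragmentation/MTU symptom rather than a rule problem; both show TCP segments with only ACK FIN from Google on 80/443, i.e. a late FIN after the connection-tracking entry was closed; and the second poster's log also contains inbound SYNs to ports 23 and 1433 from unrelated Internet hosts, which the default drop rule (fwrule="60001", rendered as "Default DROP" in the live log) is supposed to drop. None of the posted lines carry UDP/53, so none of them are DNS drops. The script below parses the ulogd key="value" format the second poster shows and sorts a constructed sample into those categories. The first five sample lines are copied from the thread (dstip masked as posted); the last two are constructed in the same format to stand in for the OP's UDP/443 and ACK FIN live-log entries, whose raw syslog form the thread does not show, so their initf values are assumptions. The UDP/443 drops by themselves do not explain ERR_CONNECTION_RESET, since Chrome retries over TCP; the reassembly-timeout ICMPs are the lines to chase.

```python
"""Triage Sophos UTM packetfilter drops from ulogd key="value" log lines."""
import re
from collections import Counter

# Every field in a UTM packetfilter line is written as key="value".
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample for this example: five lines copied from the thread above
# (dstip masked as posted) plus two constructed lines in the same format that
# mirror the OP's live-log UDP/443 and ACK FIN entries (initf values assumed).
SAMPLE_LOG = """\
2016:08:14-11:24:29 thor ulogd[4536]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:71:c4:46" dstmac="80:ee:73:83:6a:d8" srcip="216.58.216.78" dstip="XX.XX.XXX.XX" proto="6" length="52" tos="0x00" prec="0x00" ttl="53" srcport="80" dstport="50583" tcpflags="ACK FIN"
2016:08:14-11:24:53 thor ulogd[4536]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:71:c4:46" dstmac="80:ee:73:83:6a:d8" srcip="14.176.196.4" dstip="XX.XX.XXX.XX" proto="6" length="44" tos="0x00" prec="0x00" ttl="43" srcport="56458" dstport="23" tcpflags="SYN"
2016:08:14-11:25:55 thor ulogd[4536]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:71:c4:46" dstmac="80:ee:73:83:6a:d8" srcip="218.22.115.165" dstip="XX.XX.XXX.XX" proto="6" length="40" tos="0x00" prec="0x00" ttl="97" srcport="6000" dstport="1433" tcpflags="SYN"
2016:08:14-11:27:01 thor ulogd[4536]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:71:c4:46" dstmac="80:ee:73:83:6a:d8" srcip="216.58.216.78" dstip="XX.XX.XXX.XX" proto="1" length="576" tos="0x00" prec="0x00" ttl="53" type="11" code="1"
2016:08:14-11:27:02 thor ulogd[4536]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:71:c4:46" dstmac="80:ee:73:83:6a:d8" srcip="216.58.216.78" dstip="XX.XX.XXX.XX" proto="1" length="576" tos="0x00" prec="0x00" ttl="53" type="11" code="1"
2016:08:14-10:41:28 utm ulogd[4536]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="203.192.151.103" dstip="216.58.218.14" proto="17" length="1378" ttl="127" srcport="64281" dstport="443"
2016:08:14-10:41:28 utm ulogd[4536]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="216.58.218.14" dstip="96.37.242.30" proto="6" length="52" ttl="54" srcport="443" dstport="62634" tcpflags="ACK FIN"
"""


def parse_line(line):
    """Return the key="value" fields of one packetfilter drop as a dict, or None for other lines."""
    fields = dict(KV_RE.findall(line))
    if fields.get("sub") != "packetfilter" or fields.get("action") != "drop":
        return None
    return fields


def classify(f):
    """Map one dropped-packet record to a coarse diagnosis label."""
    proto = f.get("proto")
    if proto == "17" and f.get("dstport") == "443":
        # Chrome tries QUIC (UDP/443) to Google first; with no allow rule for it the
        # default rule drops it and the browser falls back to TCP.
        return "quic-udp443"
    if proto == "1" and f.get("type") == "11":
        # ICMP Time Exceeded. Code 1 = "fragment reassembly time exceeded" (RFC 792):
        # the remote host gave up waiting for fragments of a datagram sent from here.
        # Code 0 would be TTL exceeded in transit (a routing loop / traceroute).
        return "icmp-frag-reassembly" if f.get("code") == "1" else "icmp-ttl-exceeded"
    if proto == "6":
        flags = set(f.get("tcpflags", "").split())
        if "SYN" in flags and "ACK" not in flags:
            # New connection attempt that matched no allow rule. From the WAN side
            # (dstport 23, 1433 in the thread) this is ordinary scanner noise.
            return "new-tcp-no-rule"
        if flags & {"FIN", "RST"} and "SYN" not in flags:
            # Late FIN/RST arriving after the connection-tracking entry was removed.
            return "out-of-state-tcp"
    return "other"


def triage(log_text):
    """Parse every drop line and count categories.

    Returns (Counter of category -> count, list of (category, srcip, dstip, dstport-or-icmp-type)).
    """
    counts = Counter()
    rows = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        cat = classify(f)
        counts[cat] += 1
        rows.append((cat, f.get("srcip"), f.get("dstip"), f.get("dstport") or f.get("type")))
    return counts, rows


if __name__ == "__main__":
    counts, rows = triage(SAMPLE_LOG)
    for cat, n in counts.most_common():
        print(f"{n:3d}  {cat}")
    for row in rows:
        print("  ", *row)
```

On a real box the same parser can be pointed at /var/log/packetfilter.log via SSH; anything landing in "quic-udp443" or "out-of-state-tcp" is expected with default UTM behaviour and no rule change will make it disappear, while a steady stream of "icmp-frag-reassembly" from the same remote address is the signal to check MTU and fragment handling on the WAN link.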