
Need help allowing Aruba RAP device traffic through the firewall

Hello, experts,

I'm running UTM 9.405-5 at home, and it works like a charm.  I just got a work-from-home kit, but I can't seem to get the remote access point (Aruba Networks RAP-3WNP) to connect to my corporate network, while behind the Sophos UTM.  At first, I thought the RAP device might be messed up, so I unplugged the UTM and plugged the RAP device right into my cable modem.  Of course, the RAP device connected, allowed my Avaya phone to get an IP address, and started broadcasting an SSID that connects me to my corporate network.  After that test, I think it's fair to say that the problem is the UTM configuration.

I tried checking the Firewall Live Log, just to see what was being blocked, so that I could open it, but I don't see anything related to the RAP device, when it's booting; although, I clearly see activity on the device (and phone handset).  At first, I saw a lot of 60001 and 60003 fwrule entries.  After some research, I created two rules: one to allow all traffic from my network to the corporate controller's public IP, and another to allow all traffic from the corporate controller's public IP into my network.  I also created a DNAT rule to forward all traffic from the corporate controller's public IP to the RAP device and Log All Initial Packets.  After those initial changes, if I View Log or Search Log Files, I see only packet logged entries (i.e. nothing dropped), but the RAP device still doesn't work:

2016:09:07-09:20:32 utm ulogd[21205]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="00:11:22:33:44:55" dstmac="66:77:88:99:aa:bb" srcip="11.22.33.44" dstip="55.66.77.88" proto="6" length="76" tos="0x00" prec="0x20" ttl="55" srcport="43900" dstport="80" tcpflags="SYN"
2016:09:07-09:20:48 utm ulogd[21205]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="00:11:22:33:44:55" dstmac="66:77:88:99:aa:bb" srcip="11.22.33.44" dstip="55.66.77.88" proto="6" length="60" tos="0x00" prec="0x20" ttl="55" srcport="44466" dstport="80" tcpflags="SYN"
2016:09:07-09:22:03 utm ulogd[21205]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="00:11:22:33:44:55" dstmac="66:77:88:99:aa:bb" srcip="11.22.33.44" dstip="55.66.77.88" proto="6" length="60" tos="0x00" prec="0x20" ttl="55" srcport="48169" dstport="80" tcpflags="SYN"
2016:09:07-10:20:47 utm ulogd[25635]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="00:11:22:33:44:55" dstmac="66:77:88:99:aa:bb" srcip="11.22.33.44" dstip="55.66.77.88" proto="6" length="76" tos="0x00" prec="0x20" ttl="55" srcport="24745" dstport="80" tcpflags="SYN"
2016:09:07-11:21:42 utm ulogd[30013]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="00:11:22:33:44:55" dstmac="66:77:88:99:aa:bb" srcip="11.22.33.44" dstip="55.66.77.88" proto="6" length="76" tos="0x00" prec="0x20" ttl="55" srcport="45312" dstport="80" tcpflags="SYN"
2016:09:07-14:21:25 utm ulogd[10478]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="00:11:22:33:44:55" dstmac="66:77:88:99:aa:bb" srcip="11.22.33.44" dstip="55.66.77.88" proto="6" length="76" tos="0x00" prec="0x20" ttl="55" srcport="13718" dstport="80" tcpflags="SYN"
2016:09:07-14:21:28 utm ulogd[10478]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="00:11:22:33:44:55" dstmac="66:77:88:99:aa:bb" srcip="11.22.33.44" dstip="55.66.77.88" proto="6" length="60" tos="0x00" prec="0x20" ttl="55" srcport="13857" dstport="80" tcpflags="SYN"
2016:09:07-15:21:25 utm ulogd[14738]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="00:11:22:33:44:55" dstmac="66:77:88:99:aa:bb" srcip="11.22.33.44" dstip="55.66.77.88" proto="6" length="76" tos="0x00" prec="0x20" ttl="55" srcport="41634" dstport="80" tcpflags="SYN"
2016:09:07-15:21:49 utm ulogd[14738]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="00:11:22:33:44:55" dstmac="66:77:88:99:aa:bb" srcip="11.22.33.44" dstip="55.66.77.88" proto="6" length="60" tos="0x00" prec="0x20" ttl="55" srcport="42888" dstport="80" tcpflags="SYN"
2016:09:07-15:23:02 utm ulogd[14738]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="00:11:22:33:44:55" dstmac="66:77:88:99:aa:bb" srcip="11.22.33.44" dstip="55.66.77.88" proto="6" length="60" tos="0x00" prec="0x20" ttl="55" srcport="47078" dstport="80" tcpflags="SYN"
2016:09:07-16:21:59 utm ulogd[14738]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="00:11:22:33:44:55" dstmac="66:77:88:99:aa:bb" srcip="11.22.33.44" dstip="55.66.77.88" proto="6" length="76" tos="0x00" prec="0x20" ttl="55" srcport="27910" dstport="80" tcpflags="SYN"
2016:09:07-16:22:02 utm ulogd[14738]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="00:11:22:33:44:55" dstmac="66:77:88:99:aa:bb" srcip="11.22.33.44" dstip="55.66.77.88" proto="6" length="60" tos="0x00" prec="0x20" ttl="55" srcport="28016" dstport="80" tcpflags="SYN"

I think I'm getting close, because I no longer see any 60001 or 60003 entries, but I can't find any information on the 62005 rules, and - at the end of the day - I still don't have remote access to my corporate network.

I tried running a Wireshark session, looking for the local IP address, MAC and wireless MAC addresses of the RAP, on both my hardwired and wireless adapters, but I couldn't find anything helpful.

  1. Has anyone successfully gotten a RAP3 device to work behind the Sophos UTM?
    1. If so, what rules do I need to create?
    2. What does that 62005 fwrule mean?
  2. Can anyone provide ideas as to how I can find out what's going on between the RAP device, the UTM and the corporate controller?
    1. If I can see what's being blocked, it might help me figure out what to open up.

Any and all help would be much appreciated!



This thread was automatically locked due to age.
  • 62005 means that the log line was NAT rule #5.  The way you obfuscated the IPs makes it difficult to tell any more.  It's preferable to leave the first and last octet clear in a public IP and enough of the private IP clear to make it obvious that it's private, e.g. 192.168.x.11, 172.2x.y.21 and 10.x.y.31.

    I will suggest that you try #1 in Rulz.  My guess is that UDP Anti-DoS Flood protection is keeping the RAP3 from establishing an IPsec tunnel.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Amazing, Bob!  As directed, I followed #1 in Rulz, and - almost immediately - confirmed that IPS was detecting a UDP flood:

    2016:10:06-17:18:16 utm ulogd[29350]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:01:xx:yy:zz:46" dstmac="00:13:xx:yy:zz:f1" srcip="67.x.y.196" dstip="73.x.y.171" proto="17" length="1408" tos="0x00" prec="0x20" ttl="244" srcport="4500" dstport="50107"
    2016:10:06-17:18:16 utm ulogd[29350]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:01:xx:yy:zz:46" dstmac="00:13:xx:yy:zz:f1" srcip="67.x.y.196" dstip="73.x.y.171" proto="17" length="1408" tos="0x00" prec="0x20" ttl="244" srcport="4500" dstport="50107"
    2016:10:06-17:18:16 utm ulogd[29350]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:01:xx:yy:zz:46" dstmac="00:13:xx:yy:zz:f1" srcip="67.x.y.196" dstip="73.x.y.171" proto="17" length="1408" tos="0x00" prec="0x20" ttl="244" srcport="4500" dstport="50107"
    2016:10:06-17:18:16 utm ulogd[29350]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:01:xx:yy:zz:46" dstmac="00:13:xx:yy:zz:f1" srcip="67.x.y.196" dstip="73.x.y.171" proto="17" length="1408" tos="0x00" prec="0x20" ttl="244" srcport="4500" dstport="50107"
    2016:10:06-17:18:17 utm ulogd[29350]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:01:xx:yy:zz:46" dstmac="00:13:xx:yy:zz:f1" srcip="67.x.y.196" dstip="73.x.y.171" proto="17" length="1408" tos="0x00" prec="0x20" ttl="244" srcport="4500" dstport="50107"
     
    I think this might be the solution, but I'll have to wait until we restore Production services, since we invoked our DR/BCP, due to Hurricane Matthew, and (of course) my remote access point is configured for the site we brought down.  Thanks a million, though!  I'll provide feedback and mark as "answer," once we bring up the site and I confirm total connectivity.
     
    Best regards,
    Edgar T.

    UTM 9 Home Use
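An added example, not code from the thread or from Sophos: a small parser for the ulogd log lines quoted in the question and in the reply above. It turns each line into a dictionary, summarizes which subsystem/rule each line hit, lets you pull every line that mentions a given IP or MAC (the search Edgar was doing by hand), and flags "UDP flood detected" entries where one side is UDP/4500, the IPsec NAT-T port, which is the Anti-DoS false positive Bob suspects. Assumptions: the thread only states that 62005 is NAT rule #5, so mapping every 62xxx value to "NAT rule #xxx" is my generalization; treating 60xxx values as internal (not user-created) rules is likewise an assumption. The sample log is constructed from the obfuscated values posted above.

```python
"""Parse Sophos UTM ulogd packetfilter/IPS log lines and summarize them.
Added example for this thread; not Sophos code."""
import re
from collections import Counter

# Prefix "2016:10:06-17:18:16 utm ulogd[29350]: " followed by key="value" pairs
PREFIX_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\w+)\[(\d+)\]:\s*')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample: values copied from the lines quoted in the thread (obfuscated as posted).
SAMPLE_LOG = """\
2016:09:07-09:20:32 utm ulogd[21205]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="00:11:22:33:44:55" dstmac="66:77:88:99:aa:bb" srcip="11.22.33.44" dstip="55.66.77.88" proto="6" length="76" tos="0x00" prec="0x20" ttl="55" srcport="43900" dstport="80" tcpflags="SYN"
2016:09:07-09:20:48 utm ulogd[21205]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="00:11:22:33:44:55" dstmac="66:77:88:99:aa:bb" srcip="11.22.33.44" dstip="55.66.77.88" proto="6" length="60" tos="0x00" prec="0x20" ttl="55" srcport="44466" dstport="80" tcpflags="SYN"
2016:10:06-17:18:16 utm ulogd[29350]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:01:xx:yy:zz:46" dstmac="00:13:xx:yy:zz:f1" srcip="67.x.y.196" dstip="73.x.y.171" proto="17" length="1408" tos="0x00" prec="0x20" ttl="244" srcport="4500" dstport="50107"
2016:10:06-17:18:17 utm ulogd[29350]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:01:xx:yy:zz:46" dstmac="00:13:xx:yy:zz:f1" srcip="67.x.y.196" dstip="73.x.y.171" proto="17" length="1408" tos="0x00" prec="0x20" ttl="244" srcport="4500" dstport="50107"
"""


def parse_line(line):
    """Return a dict of fields for one ulogd line, or None if it does not match."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    rec = {"timestamp": m.group(1), "host": m.group(2),
           "process": m.group(3), "pid": int(m.group(4))}
    rec.update(KV_RE.findall(line[m.end():]))
    return rec


def parse_log(text):
    """Parse every line of a log excerpt, skipping lines that are not ulogd output."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def describe_fwrule(fwrule):
    """Human-readable meaning of the fwrule field."""
    n = int(fwrule)
    if 62000 <= n < 63000:
        # 62005 is NAT rule #5 per Bob's reply; the general 62xxx mapping is an assumption
        return f"NAT rule #{n - 62000}"
    if 60000 <= n < 62000:
        # Assumption: 60001/60003/60013 are internal UTM rules, not user-created ones
        return "internal UTM rule"
    return f"firewall rule #{n}"


def summarize(records):
    """Count lines per (subsystem, event name, action, rule description)."""
    counts = Counter()
    for r in records:
        key = (r.get("sub"), r.get("name"), r.get("action"), describe_fwrule(r["fwrule"]))
        counts[key] += 1
    return counts


def lines_for_host(records, needle):
    """Every line where `needle` appears as a source/destination IP or MAC address."""
    keys = ("srcip", "dstip", "srcmac", "dstmac")
    return [r for r in records if any(r.get(k) == needle for k in keys)]


IPSEC_NATT_PORT = "4500"  # UDP port used by IPsec NAT traversal


def ipsec_flood_false_positives(records):
    """UDP-flood detections with UDP/4500 on either side: IPsec NAT-T traffic that
    the Anti-DoS module is treating as a flood, the pattern Bob's reply points to."""
    return [r for r in records
            if r.get("sub") == "ips" and r.get("action") == "UDP flood"
            and r.get("proto") == "17"
            and IPSEC_NATT_PORT in (r.get("srcport"), r.get("dstport"))]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in summarize(recs).items():
        print(n, key)
    for r in ipsec_flood_false_positives(recs):
        print("IPsec NAT-T flagged as UDP flood:", r["timestamp"], r["srcip"], "->", r["dstip"])
```

Run it against a saved copy of the packetfilter and IPS logs; if `ipsec_flood_false_positives` returns entries for the VPN endpoint's public IP, an IPS/Anti-DoS exception for that host is the setting to review, which is what "#1 in Rulz" led to here.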

  • Well, I'm afraid that the IPS exception didn't seem to help.  I'm certainly not seeing any entries in the IPS log, now, but I'm still unable to a) connect to the remote network, or b) get dial tone on my IP phone.  On the off chance that there might be another subsystem blocking any additional traffic, I opened up EVERY SINGLE LOGFILE, and I plugged in the remote access point.  None of the logs showed any trace of the local IP address of the RAP device, MAC address of the RAP device, or public IP addresses of the remote/corporate VPN termination points.

    <Sigh>  I think I'm going to have to give up.  I'd post a piece of a logfile, if I could find anything pointing to the RAP device.  I find it extremely odd that I can't find any trace of the activity between the corporate VPN termination points and my network; clearly, there's some activity, because the phone is getting an IP address and showing the call server IP address.  Additionally, I can see the corporate SSID, which only happens if the RAP device successfully authenticates with the corporate network.

    I'm missing something, but I can't figure it out.  :(  If anyone has any other ideas, I'd love to hear them.  Heck, I'm even considering getting paid support, just to figure this one out.  How do I get paid support, should I decide to move forward?

    Best regards,

    Edgar T.


    UTM 9 Home Use

  • Yeah, it looks like you're down to doing a packet capture.  It would be interesting to be able to look at a log from the RAP 3 or the device it's VPNing to.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi, Bob,

    I hate to say it, but I gave up. I couldn't get my Network or Telecom guys to figure the problem out, either, so I ended up returning both the RAP device and phone. I'm just using the soft phone.

    Regards,
    Edgar


    UTM 9 Home Use
