Reset packages

Hello,

I am running an application with persistent connections behind a UTM. I am having the issue that when a user disconnects from that application for some reason, the UTM does not send a reset package to the service.

Let me give you an example:

A user is VPN'd in via the UTM. The user is RDP'd to a server (the server receives a SYN package from the UTM). The user disconnects the VPN (or the connection drops). The server still thinks that the user is connected. Before, when we had SonicWall, that wasn't an issue: the SonicWall was sending a RESET package to the server. Please note that RDP is just an example.

Is there a way I could ask the UTM to send a reset package to the server?

Thanks!



This thread was automatically locked due to age.
  • Vasileios, does #1 in Rulz provide any insight?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi BAlfson,

    This was very insightful! I made a bookmark of it!

    I am afraid it is not the case. I also asked Sophos Support but they haven't come back to me yet...

    In the meantime, look at this:

    Status: Enabled Firewall is active with 77 rules
    Status: Disabled Intrusion Prevention is inactive

    Status: Disabled Web Filtering is inactive
    Status: Disabled Network Visibility is inactive
    Status: Disabled SMTP Proxy is inactive
    Status: Disabled POP3 Proxy is inactive

    Status: Disabled RED is inactive
    Status: Disabled Wireless Protection is inactive
    Status: Enabled Endpoint Protection is active, Sophos LiveConnect is enabled, 0 endpoints, 0 threat alerts, 0 out-of-date alerts

    Status: Enabled Site-to-Site VPN is active with 5 of 6 tunnels
    Status: Enabled Remote Access is active with 2 online users

    Status: Disabled Web Application Firewall is inactive

    Status: Disabled Sophos UTM Manager is not configured
    Status: Disabled Sophos Mobile Control is inactive

    Status: Enabled HA/Cluster is active in mode HA with 2/2 nodes
    Status: Disabled Antivirus is inactive
    Status: Disabled Antispam is inactive
    Status: Disabled Antispyware is inactive

  • I didn't read your original question closely enough the first time.  The UTM won't send anything to the Server.  The SYN packet came from the client and was relayed by the UTM. Or, are you talking about the HTML5 remote access service?

    What do you want to happen on the server after the remote user disconnects from the VPN without signing off the session open on the server?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Vasileiosg,

    Does deleting the conntrack for the connected IP help with the disconnection? I think the VPN session will be disconnected but, for some reason, the RDP session maintains its conntrack with the UTM.

    Execute: conntrack -D -s x.x.x.x (system IP from the VPN pool)

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.
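    The command above deletes every conntrack entry whose original source address is the VPN-pool IP, not just the one RDP flow. As an added illustration that is not part of this thread, the following Python dry-run parses a constructed sample of `conntrack -L` output and reports which entries a given `-s`/`-p`/`--dport` selection would hit, so the scope of a deletion can be checked before running it. The table lines are constructed, not captured from the UTM discussed here; the addresses are placeholders.

    ```python
    import re

    # Constructed sample of `conntrack -L` output (placeholder addresses, not
    # taken from the thread). Layout follows conntrack-tools: proto, proto
    # number, timeout, optional state, original tuple, reply tuple, flags.
    SAMPLE_TABLE = """\
    tcp      6 431999 ESTABLISHED src=10.242.2.5 dst=192.168.1.10 sport=51234 dport=3389 src=192.168.1.10 dst=10.242.2.5 sport=3389 dport=51234 [ASSURED] mark=0 use=1
    tcp      6 299 ESTABLISHED src=10.242.2.5 dst=192.168.1.20 sport=51240 dport=443 src=192.168.1.20 dst=10.242.2.5 sport=443 dport=51240 [ASSURED] mark=0 use=1
    tcp      6 431999 ESTABLISHED src=10.242.2.6 dst=192.168.1.10 sport=50001 dport=3389 src=192.168.1.10 dst=10.242.2.6 sport=3389 dport=50001 [ASSURED] mark=0 use=1
    udp      17 29 src=10.242.2.5 dst=192.168.1.1 sport=40000 dport=53 src=192.168.1.1 dst=10.242.2.5 sport=53 dport=40000 mark=0 use=1
    """

    KV_RE = re.compile(r"(\w+)=(\S+)")
    TUPLE_KEYS = ("src", "dst", "sport", "dport")


    def parse_entry(line):
        """Parse one conntrack table line into a dict of the original-direction tuple."""
        fields = line.split()
        if len(fields) < 4:
            return None
        entry = {"proto": fields[0], "timeout": int(fields[2])}
        # TCP entries carry a state column (ESTABLISHED, TIME_WAIT, ...); UDP ones do not.
        entry["state"] = fields[3] if "=" not in fields[3] else None
        original = {}
        for key, value in KV_RE.findall(line):
            # The first src/dst/sport/dport are the original direction,
            # the second set is the reply direction; keep only the original.
            if key in TUPLE_KEYS and key not in original:
                original[key] = value
        entry.update(original)
        entry["assured"] = "[ASSURED]" in line
        return entry


    def select_entries(table_text, src=None, proto=None, dport=None):
        """Return the entries that `conntrack -D -s SRC [-p PROTO --dport DPORT]` would match."""
        matches = []
        for line in table_text.splitlines():
            entry = parse_entry(line.strip())
            if entry is None:
                continue
            if src is not None and entry.get("src") != src:
                continue
            if proto is not None and entry["proto"] != proto:
                continue
            if dport is not None and entry.get("dport") != str(dport):
                continue
            matches.append(entry)
        return matches


    def equivalent_command(src, proto=None, dport=None):
        """Build the conntrack-tools command line for the same selection."""
        parts = ["conntrack", "-D", "-s", src]
        if proto is not None:
            parts += ["-p", proto]
        if dport is not None:
            parts += ["--dport", str(dport)]
        return " ".join(parts)


    if __name__ == "__main__":
        for entry in select_entries(SAMPLE_TABLE, src="10.242.2.5"):
            print(entry["proto"], entry.get("state"), entry["src"], "->", entry["dst"], entry["dport"])
        print(equivalent_command("10.242.2.5", proto="tcp", dport=3389))
    ```

    With the sample table, filtering on the source address alone hits three entries (two TCP sessions and a DNS lookup), while adding `-p tcp --dport 3389` narrows it to the single RDP flow.
    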

  • This is close to what I am looking for, but this specifically will reset all connections, even the live active ones.

  • Hi Bob,

    I just had a conversation with Sophos Support since this was for a real device under contract, but they were not able to help me.

    The issue is: we have customers that initiate a TCP connection with a server. The UTM is in between doing NATing or just FWing (depending on the type of connection we get). The customers do not disconnect the session for a specific amount of time (e.g. 2 hours).

    However, the UTM does disconnect the session as it sees it as dead. The UTM does not inform either end (the server or the user) that the connection has been disconnected. The user then tries to create a new connection, which establishes a new connection with the server instead of continuing the previous one. The result is several connections from the same user. This is causing issues with the way our system works.

    What I really would like is a way to keep the connection alive for a specific NAT rule even if the connection is not active.

    In SonicWall that was possible:

    There should be a way also in UTM even if it doesn't have a GUI way of doing it.

  • PM me the case# and I will take a look at it. I was pretty sure that the conntrack is never flushed for the RDP session on disconnection of the VPN session. I will try to get an update whether the provided support information is a behavior/bug in the UTM or it can be raised as a feature request.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Try the following, Vasileios, as root at the command line:

    cc get packetfilter timeouts

    I don't think changing any of those will solve your problem.  I think this would be a feature request - Ideas, but this is the first I've heard of this issue here, so I wouldn't expect anything this year.

    Can you be more specific about your DNAT and the type of connection?  In your original post, you said it was via a Remote Access session on the UTM, so I'm not "seeing" what's happening or not.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob,

    You are absolutely right. It is not about RDP. I used this as an example and to mask the action due to customer usage. These are TCP connections where a specific device connects to an HTTP service but doesn't send data until much later. The systems at both ends know that and expect that. The UTM doesn't, and I guess doesn't expect it. As a result it closes the connection as dead. I will try to put it in as a feature request, but it will definitely cause issues if we can't have that.
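    A stateful firewall drops an idle flow from its connection table silently, and neither end learns about it until the next segment fails. The usual fix on the application side, independent of the firewall vendor, is TCP keepalive: the client sends empty probes often enough that the firewall's idle timer never expires. The following Python is an added example, not code from this thread or from Sophos; it assumes an idle timeout of 7200 seconds as a constructed placeholder (the real value comes from `cc get packetfilter timeouts` on the UTM) and uses the Linux per-socket keepalive options, falling back to the system defaults where they are absent.

    ```python
    import socket

    # Assumed conntrack idle timeout for established TCP flows (constructed
    # placeholder; read the real value with `cc get packetfilter timeouts`).
    ASSUMED_FIREWALL_IDLE_TIMEOUT_S = 7200


    def keepalive_params(idle_timeout_s, first_probe_fraction=0.5, interval_s=30, probes=3):
        """Return (keepidle, keepintvl, keepcnt) such that the first probe is sent
        well before the firewall forgets the flow and the whole probe series
        (keepidle + interval * probes) still finishes inside the timeout window."""
        if idle_timeout_s < 10:
            raise ValueError("idle timeout too short for keepalives to help")
        keepidle = max(1, int(idle_timeout_s * first_probe_fraction))
        # Shrink the probe interval until the full series fits before the timeout.
        while keepidle + interval_s * probes >= idle_timeout_s and interval_s > 1:
            interval_s = max(1, interval_s // 2)
        return keepidle, interval_s, probes


    def enable_keepalive(sock, idle_timeout_s):
        """Turn on TCP keepalive on an existing socket and tune its timers."""
        keepidle, keepintvl, keepcnt = keepalive_params(idle_timeout_s)
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
        # The per-socket timer options are Linux-specific; where the constant
        # is missing the kernel-wide net.ipv4.tcp_keepalive_* defaults apply.
        for name, value in (("TCP_KEEPIDLE", keepidle),
                            ("TCP_KEEPINTVL", keepintvl),
                            ("TCP_KEEPCNT", keepcnt)):
            option = getattr(socket, name, None)
            if option is not None:
                sock.setsockopt(socket.IPPROTO_TCP, option, value)
        return keepidle, keepintvl, keepcnt


    def keepalive_enabled(sock):
        """Read back whether SO_KEEPALIVE is set on the socket."""
        return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0


    def new_keepalive_socket(idle_timeout_s=ASSUMED_FIREWALL_IDLE_TIMEOUT_S):
        """Create an unconnected TCP socket with keepalive already configured."""
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        enable_keepalive(sock, idle_timeout_s)
        return sock


    def open_keepalive_connection(host, port, idle_timeout_s=ASSUMED_FIREWALL_IDLE_TIMEOUT_S):
        """Connect to host:port and keep the session alive across the firewall timeout."""
        sock = socket.create_connection((host, port))
        enable_keepalive(sock, idle_timeout_s)
        return sock


    if __name__ == "__main__":
        probe = new_keepalive_socket()
        print("keepalive on:", keepalive_enabled(probe), keepalive_params(ASSUMED_FIREWALL_IDLE_TIMEOUT_S))
        probe.close()
    ```

    With a 7200 second timeout the first probe goes out after 3600 seconds of silence, 30 seconds apart, three times; with the 120 second value mentioned later in this thread the interval is halved to 15 seconds so the series still completes before the entry expires. Keepalives also let the client notice a dead peer or a flushed table entry, instead of holding a half-open session indefinitely.
    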

  • Hi Vasileiosg,

    As far as I understand, the issue is related to the TIME_WAIT state in the packetfilter timeouts table. After the disconnection of the session, the UTM will wait for a specific time before flushing the connection completely; this is by default 120 seconds. Does changing anything here help? Be sure to make the change after consulting a senior support engineer.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.