Google playstore

Unable to access Google Play Store from any Android devices behind Sophos.
Play Store shows "no connection Retry".
Internet accessible.
IPS off.
Web filtering on with HTTPS scanning enabled.


When HTTPS scanning is disabled in profiles mode, it loads without any issues.
The firewall is configured in Active Directory with transparent mode and browser authentication.


  • You have to manually open the ports needed for Google Play in the firewall.
  • Hi, please post the log entries from the http log (not the live log please).

    You may need to create an exception (transparent mode skiplist).

    Barry
  • 2013:06:18-18:15:38 SMBfirewall ulogd[4379]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="20:64:32:33:51:8c" dstmac="80:c1:6e:f6:a4:9d" srcip="192.168.1.147" dstip="74.125.141.188" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="50137" dstport="5228" tcpflags="SYN" 
    2013:06:18-18:15:41 SMBfirewall ulogd[4379]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="20:64:32:33:51:8c" dstmac="80:c1:6e:f6:a4:9d" srcip="192.168.1.147" dstip="74.125.141.188" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="50137" dstport="5228" tcpflags="SYN" 
    2013:06:18-18:15:47 SMBfirewall ulogd[4379]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="20:64:32:33:51:8c" dstmac="80:c1:6e:f6:a4:9d" srcip="192.168.1.147" dstip="74.125.141.188" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="50137" dstport="5228" tcpflags="SYN" 
    2013:06:18-18:15:59 SMBfirewall ulogd[4379]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="20:64:32:33:51:8c" dstmac="80:c1:6e:f6:a4:9d" srcip="192.168.1.147" dstip="74.125.141.188" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="50137" dstport="5228" tcpflags="SYN" 
    2013:06:18-18:16:17 SMBfirewall ulogd[4379]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="0:18:ba:3d:61:4" dstmac="c8:d3:a3:ac:fc:3e" srcip="216.252.125.64" dstip="182.72.193.87" proto="6" length="40" tos="0x00" prec="0x00" ttl="58" srcport="443" dstport="57504" tcpflags="RST"
    2013:06:18-18:16:17 SMBfirewall ulogd[4379]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="0:18:ba:3d:61:4" dstmac="c8:d3:a3:ac:fc:3e" srcip="98.138.47.199" dstip="182.72.193.87" proto="6" length="40" tos="0x08" prec="0x40" ttl="55" srcport="443" dstport="43711" tcpflags="RST"
    2013:06:18-18:38:09 SMBfirewall ulogd[4379]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="0:13:80:40:cd:80" dstmac="c8:d3:a3:85:d:98" srcip="89.133.149.253" dstip="220.225.194.187" proto="6" length="48" tos="0x00" prec="0x00" ttl="112" srcport="3035" dstport="3389" tcpflags="SYN"
    2013:06:18-18:38:30 SMBfirewall ulogd[4379]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" mark="0x1229" app="553" srcmac="80:c1:6e:f6:a4:9d" srcip="68.142.240.33" dstip="192.168.1.147" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="39562" tcpflags="ACK FIN" 
    2013:06:18-18:38:30 SMBfirewall ulogd[4379]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" mark="0x1229" app="553" srcmac="80:c1:6e:f6:a4:9d" srcip="98.139.73.24" dstip="192.168.1.147" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="43734" tcpflags="ACK FIN" 
    2013:06:18-18:38:30 SMBfirewall ulogd[4379]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" mark="0x1229" app="553" srcmac="80:c1:6e:f6:a4:9d" srcip="68.142.240.33" dstip="192.168.1.147" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="39563" tcpflags="ACK FIN" 
    2013:06:18-18:38:37 SMBfirewall ulogd[4379]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" mark="0x1229" app="553" srcmac="80:c1:6e:f6:a4:9d" srcip="98.139.73.24" dstip="192.168.1.147" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="43734" tcpflags="ACK PSH FIN" 
    2013:06:18-18:38:37 SMBfirewall ulogd[4379]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" mark="0x1229" app="553" srcmac="80:c1:6e:f6:a4:9d" srcip="68.142.240.33" dstip="192.168.1.147" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="39563" tcpflags="ACK PSH FIN" 
    2013:06:18-18:38:37 SMBfirewall ulogd[4379]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" mark="0x1229" app="553" srcmac="80:c1:6e:f6:a4:9d" srcip="68.142.240.33" dstip="192.168.1.147" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="39562" tcpflags="ACK PSH FIN" 
    2013:06:18-18:38:43 SMBfirewall ulogd[4379]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="0:18:ba:3d:61:4" dstmac="c8:d3:a3:ac:fc:3e" srcip="216.99.152.168" dstip="182.72.193.87" proto="6" length="40" tos="0x00" prec="0x00" ttl="115" srcport="6000" dstport="1433" tcpflags="SYN"
    2013:06:18-18:38:53 SMBfirewall ulogd[4379]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" mark="0x1229" app="553" srcmac="80:c1:6e:f6:a4:9d" srcip="68.142.240.33" dstip="192.168.1.147" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="39562" tcpflags="ACK PSH FIN" 
    2013:06:18-18:38:53 SMBfirewall ulogd[4379]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" mark="0x1229" app="553" srcmac="80:c1:6e:f6:a4:9d" srcip="68.142.240.33" dstip="192.168.1.147" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="39563" tcpflags="ACK PSH FIN" 
    2013:06:18-18:38:53 SMBfirewall ulogd[4379]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" mark="0x1229" app="553" srcmac="80:c1:6e:f6:a4:9d" srcip="98.139.73.24" dstip="192.168.1.147" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="43734" tcpflags="ACK PSH FIN" 
    2013:06:18-18:39:24 SMBfirewall ulogd[4379]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" mark="0x1229" app="553" srcmac="80:c1:6e:f6:a4:9d" srcip="98.139.73.24" dstip="192.168.1.147" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="43734" tcpflags="ACK PSH FIN" 
    2013:06:18-18:39:24 SMBfirewall ulogd[4379]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" mark="0x1229" app="553" srcmac="80:c1:6e:f6:a4:9d" srcip="68.142.240.33" dstip="192.168.1.147" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="39562" tcpflags="ACK PSH FIN" 
    2013:06:18-18:39:24 SMBfirewall ulogd[4379]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" mark="0x1229" app="553" srcmac="80:c1:6e:f6:a4:9d" srcip="68.142.240.33" dstip="192.168.1.147" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="39563" tcpflags="ACK PSH FIN" 
    2013:06:18-18:39:25 SMBfirewall ulogd[4379]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="0:18:ba:3d:61:4" dstmac="c8:d3:a3:ac:fc:3e" srcip="198.27.74.132" dstip="182.72.193.87" proto="6" length="44" tos="0x00" prec="0x00" ttl="58" srcport="80" dstport="36510" tcpflags="ACK SYN"
  • There are only two lines that are interesting.

    2013:06:18-18:15:38 SMBfirewall ulogd[4379]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="20:64:32:33:51:8c" dstmac="80:c1:6e:f6:a4:9d" srcip="192.168.1.147" dstip="74.125.141.188" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="50137" dstport="5228" tcpflags="SYN"

    60002 is the default drop rule for traffic passing through the firewall.  Apparently, you need to allow {1:65535->5228} for traffic from "Internal (Network)" to 74.125.141.188 or some subnet that includes that IP.

    2013:06:18-18:38:09 SMBfirewall ulogd[4379]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="0:13:80:40:cd:80" dstmac="c8:d3:a3:85:d:98" srcip="89.133.149.253" dstip="220.225.194.187" proto="6" length="48" tos="0x00" prec="0x00" ttl="112" srcport="3035" dstport="3389" tcpflags="SYN"

    60001 is the default drop rule for traffic with a dstip on your UTM.  If you have a DNAT to allow remote RDP access to an internal device, then the destination in the traffic selector needs to be changed to the "External (Address)" object created by WebAdmin when the External interface was defined.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
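
The triage done by hand in the reply above can be scripted. This is an added example, not part of the original thread: it parses the `key="value"` fields of packetfilter lines, groups repeated drops, and lists new outbound connections from internal hosts that hit the forward default-drop rule. The sample lines are constructed from the posted log with some fields trimmed, and the 192.168.1.0/24 internal network is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Sample lines constructed from the log posted in this thread (MAC/TOS fields trimmed).
SAMPLE = """\
2013:06:18-18:15:38 SMBfirewall ulogd[4379]: id="2001" sub="packetfilter" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcip="192.168.1.147" dstip="74.125.141.188" proto="6" srcport="50137" dstport="5228" tcpflags="SYN"
2013:06:18-18:15:41 SMBfirewall ulogd[4379]: id="2001" sub="packetfilter" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcip="192.168.1.147" dstip="74.125.141.188" proto="6" srcport="50137" dstport="5228" tcpflags="SYN"
2013:06:18-18:38:09 SMBfirewall ulogd[4379]: id="2001" sub="packetfilter" action="drop" fwrule="60001" initf="eth2" srcip="89.133.149.253" dstip="220.225.194.187" proto="6" srcport="3035" dstport="3389" tcpflags="SYN"
2013:06:18-18:38:30 SMBfirewall ulogd[4379]: id="2001" sub="packetfilter" action="drop" fwrule="60003" outitf="eth0" srcip="68.142.240.33" dstip="192.168.1.147" proto="6" srcport="80" dstport="39562" tcpflags="ACK FIN"
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')
# Assumption: the internal LAN is 192.168.1.0/24 (the page shows only one client IP).
INTERNAL = ipaddress.ip_network("192.168.1.0/24")
# Rule meanings as stated in the reply above; other rule ids are left unlabelled.
RULE_NOTES = {
    "60001": "default drop, destination is an address on the UTM",
    "60002": "default drop, traffic passing through the firewall",
}

def parse(line):
    """Return the key="value" fields of one log line as a dict."""
    return dict(FIELD.findall(line))

def summarize(text):
    """Count drops per (fwrule, srcip, dstip, dstport, tcpflags), folding retries together."""
    counts = Counter()
    for line in text.splitlines():
        f = parse(line)
        if f.get("action") != "drop" or "srcip" not in f or "dstip" not in f:
            continue
        counts[(f.get("fwrule", "?"), f["srcip"], f["dstip"],
                f.get("dstport", "?"), f.get("tcpflags", ""))] += 1
    return counts

def blocked_outbound(text):
    """Bare-SYN drops by rule 60002 from internal hosts: candidates for an allow rule."""
    hits = set()
    for (rule, src, dst, dport, flags) in summarize(text):
        if rule == "60002" and flags == "SYN" and ipaddress.ip_address(src) in INTERNAL:
            hits.add((src, dst, int(dport)))
    return sorted(hits)

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, RULE_NOTES.get(key[0], "rule " + key[0]), *key[1:])
    print(blocked_outbound(SAMPLE))
```
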
  • I created a rule to allow port 5228 from internal port 1:65535 to destination any.
    Still no help.
  • Fixed it.
    Install the HTTPS CA in the Android phone.
    Thanks for the help.
  • "Install the HTTPS CA in the Android phone."

    what does that mean?

    HTTPS is secure HTTP
    CA is a common abbreviation for Canada

    What did you do to make it work?
  • Hi,

    CA = Certificate Authority

    e.g. Either install the Cert or the CA Cert in the phone.

    Barry
  • Oh, the certificate from the Astaro firewall? So...browse to the firewall administrator IP address and accept the certificate from Android's default browser?
  • Well, that idea didn't work. How to save the cert as a file to send it to the Android device?