[9.205][Bug] "web request blocked" with "Invalid argument"

We updated our ASG220 three days ago to Version 9.205-12. We have an internal web server (IIS 7 on Windows Server 2008 R2) that can be accessed from outside:

DNAT: Any -> HTTP -> EXTERNAL-ADDRESS
      Target translation: INTERNAL-ADDRESS
  
SNAT: INTERNAL-ADDRESS -> Any -> Any
      Source translation: EXTERNAL-ADDRESS

This worked very well until the last update. Since this update we cannot access the site by its external address from inside; we get the following errors:

2014:08:13-16:51:09 fw-prokasro-2 httpproxy[5833]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.100.148" dstip="176.94.29.131" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2520" request="0x1074ea38" url="daten.prokasro.de/.../support" exceptions="" error="Invalid argument" authtime="0" dnstime="7" cattime="19332" avscantime="0" fullreqtime="55199227" device="0" auth="0" category="105" reputation="neutral" categoryname="Business"

and after configuring some exceptions for the domain daten.prokasro.de:

2014:08:14-08:45:18 fw-prokasro-2 httpproxy[5833]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.100.148" dstip="176.94.29.131" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2520" request="0x15ef3278" url="daten.prokasro.de/.../support" exceptions="av,auth,content,url,mime,cache,fileextension,size" error="Invalid argument" authtime="0" dnstime="10" cattime="0" avscantime="0" fullreqtime="2424" device="0" auth="0"

From outside we have no problems.


Greetings,

Dr. Andre Carlos Morales-Bahnik
ProKASRO Mechatronik GmbH
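An added example (not from the thread or from Sophos): a small Python parser for the httpproxy key="value" log format shown above. It pulls out the requests the proxy blocked with statuscode 502 and error="Invalid argument" and notes whether filter exceptions were already in effect, which separates this condition from an ordinary content-filter block. The sample lines are constructed; hostnames, addresses and the id="0001" pass line are placeholders.

```python
import re
from collections import defaultdict

# key="value" tokens of a UTM httpproxy log line (assumption: values never contain a double quote)
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines in the format shown in the thread (addresses and hostnames are placeholders)
SAMPLE_LOG = [
    '2014:08:13-16:51:09 fw-example httpproxy[5833]: id="0002" severity="info" sys="SecureWeb" sub="http" '
    'name="web request blocked" action="block" method="GET" srcip="192.0.2.10" dstip="198.51.100.5" user="" '
    'statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" '
    'url="www.example.net/support" exceptions="" error="Invalid argument" fullreqtime="55199227"',
    '2014:08:14-08:45:18 fw-example httpproxy[5833]: id="0002" severity="info" sys="SecureWeb" sub="http" '
    'name="web request blocked" action="block" method="GET" srcip="192.0.2.10" dstip="198.51.100.5" user="" '
    'statuscode="502" cached="0" url="www.example.net/support" '
    'exceptions="av,auth,content,url,mime,cache,fileextension,size" error="Invalid argument" fullreqtime="2424"',
    '2014:08:14-08:46:02 fw-example httpproxy[5833]: id="0001" severity="info" sys="SecureWeb" sub="http" '
    'name="http access" action="pass" method="GET" srcip="192.0.2.11" dstip="203.0.113.9" user="" '
    'statuscode="200" cached="0" url="www.example.org/" exceptions="" error="" fullreqtime="1200"',
]


def parse_httpproxy_line(line):
    """Return the key="value" fields of one httpproxy line as a dict (empty dict for other lines)."""
    if "httpproxy[" not in line:
        return {}
    return dict(KV_RE.findall(line))


def invalid_argument_blocks(lines):
    """Entries where the proxy itself failed the request: blocked, 502, error="Invalid argument"."""
    hits = []
    for line in lines:
        e = parse_httpproxy_line(line)
        if (e.get("name") == "web request blocked" and e.get("statuscode") == "502"
                and e.get("error") == "Invalid argument"):
            hits.append(e)
    return hits


def summarize_by_host(entries):
    """Group hits per requested host: count, client addresses, and whether a filter exception was
    already applied (a hit with exceptions set shows the block is not a filtering decision)."""
    summary = defaultdict(lambda: {"count": 0, "clients": set(), "blocked_despite_exceptions": False})
    for e in entries:
        host = e.get("url", "").split("/", 1)[0]   # host part of url="host/path"
        s = summary[host]
        s["count"] += 1
        s["clients"].add(e.get("srcip", ""))
        if e.get("exceptions"):
            s["blocked_despite_exceptions"] = True
    return dict(summary)
```

Run the two functions over the real httpproxy.log to see at a glance which internal clients and which hosts are affected, and whether the exceptions you configured even reached the request.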


  • Greetings, Andre, and welcome to the User BB!

    In fact, a DNAT never should have worked in the first place - see Accessing Internal or DMZ Webserver from Internal Network.  Maybe you were using the DNS approach before?

    At first glance, I suspect that your NAT rules are different than you wrote above.  Please attach a picture of them by clicking on [Go Advanced] below.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    we also updated to 9.205 yesterday morning and are facing the same problem trying to access an internal web server in the DMZ over HTTP when Web Protection is used.

    ------------------------
    An error occurred while handling your request

    While trying to retrieve the URL:http://aaa.bbb.ccc/
    The content could not be delivered due to the following condition: Invalid argument
    -------------------------
    Accessing web servers in the DMZ over HTTPS works fine.

    Has anyone solved this problem yet?

    Regards
    Tobias
  • I would like to confirm this. It started just after the update. However, after I stopped/started Web Protection I managed to get to the internal resources, on non-standard ports in my case though.
  • Hello Bob,

    our DNAT and SNAT rules:


    It worked for many years, until we updated to 9.205.

    Greetings,

    Dr. Andre Carlos Morales-Bahnik
    ProKASRO Mechatronik GmbH
  • Hi guys,
    I can confirm this bug already on 2 customer systems. Seems the Web Protection got hardened somehow [;)]
    Maybe it's connected to the KIL- entry which mentions the Content-Type restrictions (wild guessing).
    Still waiting for confirmation from UTM Support after 4 days.
  • Same problem here after the update to 9.205-12.

    2014:08:19-11:59:15 SPS httpproxy[5336]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="2.36.10.54" dstip="2.36.10.3" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2609" request="0xa0c75408" url="aaa.bbb.cc/" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension" error="Invalid argument" authtime="0" dnstime="10" cattime="0" avscantime="0" fullreqtime="3302" device="0" auth="0" 

    Hope to find a solution soon.
  • First, try #1 in Rulz.  If there's no hint from those, what happens if you disable/enable Web Filtering?  If that doesn't work, what happens if you reboot?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • First, try #1 in Rulz.  If there's no hint from those, what happens if you disable/enable Web Filtering?  If that doesn't work, what happens if you reboot?

    Cheers - Bob


    Thanks for the Tip *fg* 

    Did you try unblessing, then re-blessing it? » Blous

    If I reboot (btw, are you joking?) my system restarts [and the slave node becomes the master node].

    This erroneous behaviour first occurred right after the 9.205 update.

    regards
    Sgt. Pepsi
  • In HA, you will want to wait until sync has completed and both nodes are "ACTIVE" before rebooting the new Master to complete this experiment.  A fraction of a percent of UTMs need a second reboot after some Up2Dates.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I see the same problem; in this case, the sites are behind the WAF on the UTM, and the internal client, going through the standard proxy to those sites, receives the same error message.  Nothing is logged in the WAF logs, so it's not even getting to the WAF... the proxy has some sort of new bug; this was not an issue with an identical configuration on UTM 9.1xx.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.