new XG installs are causing ScreenConnect 'last connected' timer resets even though NO security services are enabled.

I have now set up two firewalls for two different clients who also use our ScreenConnect software on their machines so we can connect remotely for repair, diagnostics, etc. The ScreenConnect software on the client machine regularly polls back to the ScreenConnect server (located in my office) to let the server know that it is available and online. This shows as a 'time connected' counter in the ScreenConnect dashboard. This has always been very stable, and has not been blocked or otherwise interfered with by any other firewall or security appliance. All clients that do not have Sophos firewalls do not exhibit this behavior. However, the two XG (115 and 210) firewalls that I have installed in the last two days are causing that counter to reset every 5 minutes (I can see the activity in the ScreenConnect logs). Both firewalls are in gateway mode, directly connected to the ISP, and have NO security services enabled yet. No AV, no IPS, no web filter... nothing. Just the default rule that the initial configuration wizard puts in place.

FYI, the client is set to relay out to the ScreenConnect server on ports 80 and 443, so I don't understand why that would get reset every 5 minutes.

  • Paul,

    please upload some firewall logs and web filtering logs for the IPs that are experiencing the issue.

    Thanks

  • In reply to lferrara:

    There is no filtering log available; filtering is not on and it is blank. A screenshot of the firewall log is below. This is the best I can do tonight; there is no obvious way to export the firewall log as an Excel file or txt or anything simple. Anyway, it looks like every time the ScreenConnect client calls out to my server on port 443, I can go look at the server and the time connected has been reset. It coincides almost perfectly... each time it calls out, the time is reset again. Since the client phones home every 5 minutes... it's reset every 5 minutes. The Sophos must be rewriting something in the packet to make the server think that it is different in some important way?

    I filtered for only traffic going out to my server... the other traffic on 8080 etc. is for another system.

  • Same issue here. Every 5 minutes, a connection reset.

    Sophos XG105w / Firmware: SFOS 16.01.1

    ScreenConnect client version: 6.0.11622.6115

    I use a ScreenConnect (SC) cloud account. I contacted SC support; there are no default SC schedules running every 5 minutes. There is a 1 minute "check-in" and a 20 minute "update guest info".

    While in a session, that session does not "reset"; all others do.

    No extra software running on remote computer.

    SC Timeline looks like this

    Firewall logs:

    Default LAN2WAN rule:


  • In reply to Sam Segura:

    Sounds like a potential TCP/UDP timeout. Have you tried modifying this value via the console and the advanced-firewall command set?

  • In reply to Sam Segura:

    Glad to see (but also sorry to see!) that someone else is having this issue. Hopefully someone in the know will take a closer look at this!

  • In reply to Sam Segura:

    Checked Intrusion Prevention: 0 blocked traffic

    To be sure, disabled any DoS prevention, unchecked all apply flags:

    Same result, 5 minute resets (time-outs).

  • Hi Paul,

    Check #1 in my guide here. Capture drops on the destination/source IP and port. If you do not see any drops, take a pcap and verify who generates the RESET packet.

    Thanks

  • In reply to Sam Segura:

    Upgraded to the latest firmware: SFOS 16.01.2

    No improvement

  • In reply to sachingurung:

    console> drop-packet-capture 'host 192.168.1.249'
    [See packet capture below]

    from the GUI

    Any help interpreting this would be appreciated.

  • In reply to Sam Segura:

    Hi Sam,

    These are general UDP drops on port 137 for NetBIOS traffic. Can you describe to me how ScreenConnect works? Is there any destination IP address on which we can capture dumps? I hope the ScreenConnect clients are not being used to connect to an internal system instead of a system connected on the WAN.

    Thanks

  • In reply to sachingurung:

    Thanks for replying back.

    ScreenConnect (cloud version, aka SC) is a hosted service that I use for remote management of machines. I've traced my assigned SC server back to Amazon AWS servers. The only logs available to me only show disconnects/connects, very basic. I've spoken with SC tech support; no capture logs are available.

    I'm hoping I used the correct BPF expression for the packet capture. I captured a simple internal server, with just Dropbox running, nothing else.

    In the GUI:

    host 192.168.1.249

    In the CLI above:

    drop-packet-capture 'host 192.168.1.249'


    Snip from Audit log from my SC server (times are in GMT)

    1/6/2017 4:15:09 PM    - IA-S03 (DropBox 249)    Event: Connected, Process: Guest, Participant: , Address: 24.240.246.42, Data:
    1/6/2017 4:15:09 PM    - IA-S03 (DropBox 249)    Event: Disconnected, Process: Guest, Participant: , Address: 24.240.246.42, Data:
    1/6/2017 4:10:09 PM    - IA-S03 (DropBox 249)    Event: Connected, Process: Guest, Participant: , Address: 24.240.246.42, Data:
    1/6/2017 4:10:09 PM    - IA-S03 (DropBox 249)    Event: Disconnected, Process: Guest, Participant: , Address: 24.240.246.42, Data:


    24.240.246.42 is the outside interface of the Sophos XG105w.

  • In reply to Sam Segura:

    PACKET CAPTURE

    2017-01-06 10:35:01 0103021 IP 192.168.1.249.138 > 192.168.1.255.138 : proto UDP: packet len: 227 checksum : 42289
    0x0000:  4500 00f7 31e9 0000 8011 82c4 c0a8 01f9  E...1...........
    0x0010:  c0a8 01ff 008a 008a 00e3 a531 1102 9f8c  ...........1....
    0x0020:  c0a8 01f9 008a 00cd 0000 2045 4a45 4243  ...........EJEBC
    0x0030:  4e46 4444 4144 4443 4143 4143 4143 4143  NFDDADDCACACACAC
    0x0040:  4143 4143 4143 4143 4143 4100 2045 4a45  ACACACACACA..EJE
    0x0050:  4245 4446 4145 4243 4143 4143 4143 4143  BEDFAEBCACACACAC
    0x0060:  4143 4143 4143 4143 4143 4142 4e00 ff53  ACACACACACABN..S
    0x0070:  4d42 2500 0000 0000 0000 0000 0000 0000  MB%.............
    0x0080:  0000 0000 0000 0000 0000 0000 0000 1100  ................
    0x0090:  0033 0000 0000 0000 0000 00e8 0300 0000  .3..............
    0x00a0:  0000 0000 0033 0056 0003 0001 0000 0002  .....3.V........
    0x00b0:  0044 005c 4d41 494c 534c 4f54 5c42 524f  .D.\MAILSLOT\BRO
    0x00c0:  5753 4500 0100 80fc 0a00 4941 2d53 3033  WSE.......IA-S03
    0x00d0:  0000 0000 0000 0000 0000 0603 2390 8000  ............#...
    0x00e0:  0f01 55aa 4d79 2062 7573 696e 6573 7320  ..U.My.business.
    0x00f0:  7365 7276 6572 00                        server.
    Date=2017-01-06 Time=10:35:01 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=7 source_mac=f8:db:88:fe:90:f9 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.249 dest_ip=192.168.1.255 l4_protocol=UDP source_port=138 dest_port=138 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=2366021952 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-01-06 10:47:02 0101021 IP 192.168.1.249.138 > 192.168.1.255.138 : proto UDP: packet len: 227 checksum : 42288
    0x0000:  4500 00f7 38a0 0000 8011 7c0d c0a8 01f9  E...8.....|.....
    0x0010:  c0a8 01ff 008a 008a 00e3 a530 1102 9f8d  ...........0....
    0x0020:  c0a8 01f9 008a 00cd 0000 2045 4a45 4243  ...........EJEBC
    0x0030:  4e46 4444 4144 4443 4143 4143 4143 4143  NFDDADDCACACACAC
    0x0040:  4143 4143 4143 4143 4143 4100 2045 4a45  ACACACACACA..EJE
    0x0050:  4245 4446 4145 4243 4143 4143 4143 4143  BEDFAEBCACACACAC
    0x0060:  4143 4143 4143 4143 4143 4142 4e00 ff53  ACACACACACABN..S
    0x0070:  4d42 2500 0000 0000 0000 0000 0000 0000  MB%.............
    0x0080:  0000 0000 0000 0000 0000 0000 0000 1100  ................
    0x0090:  0033 0000 0000 0000 0000 00e8 0300 0000  .3..............
    0x00a0:  0000 0000 0033 0056 0003 0001 0000 0002  .....3.V........
    0x00b0:  0044 005c 4d41 494c 534c 4f54 5c42 524f  .D.\MAILSLOT\BRO
    0x00c0:  5753 4500 0100 80fc 0a00 4941 2d53 3033  WSE.......IA-S03
    0x00d0:  0000 0000 0000 0000 0000 0603 2390 8000  ............#...
    0x00e0:  0f01 55aa 4d79 2062 7573 696e 6573 7320  ..U.My.business.
    0x00f0:  7365 7276 6572 00                        server.
    Date=2017-01-06 Time=10:47:02 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev=Sophos inzone_id=1 outzone_id=7 source_mac=f8:db:88:fe:90:f9 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.249 dest_ip=192.168.1.255 l4_protocol=UDP source_port=138 dest_port=138 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=4108148736 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-01-06 10:47:02 0103021 IP 192.168.1.249.138 > 192.168.1.255.138 : proto UDP: packet len: 227 checksum : 42288
    0x0000:  4500 00f7 38a0 0000 8011 7c0d c0a8 01f9  E...8.....|.....
    0x0010:  c0a8 01ff 008a 008a 00e3 a530 1102 9f8d  ...........0....
    0x0020:  c0a8 01f9 008a 00cd 0000 2045 4a45 4243  ...........EJEBC
    0x0030:  4e46 4444 4144 4443 4143 4143 4143 4143  NFDDADDCACACACAC
    0x0040:  4143 4143 4143 4143 4143 4100 2045 4a45  ACACACACACA..EJE
    0x0050:  4245 4446 4145 4243 4143 4143 4143 4143  BEDFAEBCACACACAC
    0x0060:  4143 4143 4143 4143 4143 4142 4e00 ff53  ACACACACACABN..S
    0x0070:  4d42 2500 0000 0000 0000 0000 0000 0000  MB%.............
    0x0080:  0000 0000 0000 0000 0000 0000 0000 1100  ................
    0x0090:  0033 0000 0000 0000 0000 00e8 0300 0000  .3..............
    0x00a0:  0000 0000 0033 0056 0003 0001 0000 0002  .....3.V........
    0x00b0:  0044 005c 4d41 494c 534c 4f54 5c42 524f  .D.\MAILSLOT\BRO
    0x00c0:  5753 4500 0100 80fc 0a00 4941 2d53 3033  WSE.......IA-S03
    0x00d0:  0000 0000 0000 0000 0000 0603 2390 8000  ............#...
    0x00e0:  0f01 55aa 4d79 2062 7573 696e 6573 7320  ..U.My.business.
    0x00f0:  7365 7276 6572 00                        server.
    Date=2017-01-06 Time=10:47:02 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=7 source_mac=f8:db:88:fe:90:f9 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.249 dest_ip=192.168.1.255 l4_protocol=UDP source_port=138 dest_port=138 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=4108148736 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-01-06 10:50:08 0101021 IP 192.168.1.249.137 > 192.168.1.255.137 : proto UDP: packet len: 58 checksum : 37405
    0x0000:  4500 004e 38a2 0000 8011 7cb4 c0a8 01f9  E..N8.....|.....
    0x0010:  c0a8 01ff 0089 0089 003a 921d 9f8e 0110  .........:......
    0x0020:  0001 0000 0000 0000 2045 4a46 4445 4246  .........EJFDEBF
    0x0030:  4545 4246 4143 4143 4143 4143 4143 4143  EEBFACACACACACAC
    0x0040:  4143 4143 4143 4141 4100 0020 0001       ACACACAAA.....
    Date=2017-01-06 Time=10:50:08 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev=Sophos inzone_id=1 outzone_id=7 source_mac=f8:db:88:fe:90:f9 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.249 dest_ip=192.168.1.255 l4_protocol=UDP source_port=137 dest_port=137 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=2439710592 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-01-06 10:50:08 0103021 IP 192.168.1.249.137 > 192.168.1.255.137 : proto UDP: packet len: 58 checksum : 37405
    0x0000:  4500 004e 38a2 0000 8011 7cb4 c0a8 01f9  E..N8.....|.....
    0x0010:  c0a8 01ff 0089 0089 003a 921d 9f8e 0110  .........:......
    0x0020:  0001 0000 0000 0000 2045 4a46 4445 4246  .........EJFDEBF
    0x0030:  4545 4246 4143 4143 4143 4143 4143 4143  EEBFACACACACACAC
    0x0040:  4143 4143 4143 4141 4100 0020 0001       ACACACAAA.....
    Date=2017-01-06 Time=10:50:08 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=7 source_mac=f8:db:88:fe:90:f9 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.249 dest_ip=192.168.1.255 l4_protocol=UDP source_port=137 dest_port=137 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=2439710592 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-01-06 10:50:08 0101021 IP 192.168.1.249.64623 > 224.0.0.252.5355 : proto UDP: packet len: 32 checksum : 47231
    0x0000:  4500 0034 04ca 0000 0111 1152 c0a8 01f9  E..4.......R....
    0x0010:  e000 00fc fc6f 14eb 0020 b87f 3406 0000  .....o......4...
    0x0020:  0001 0000 0000 0000 0669 7361 7461 7000  .........isatap.
    0x0030:  0001 0001                                ....
    Date=2017-01-06 Time=10:50:08 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev=Sophos inzone_id=1 outzone_id=7 source_mac=f8:db:88:fe:90:f9 dest_mac=01:00:5e:00:00:fc l3_protocol=IP source_ip=192.168.1.249 dest_ip=224.0.0.252 l4_protocol=UDP source_port=64623 dest_port=5355 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=2439710592 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-01-06 10:50:08 0101021 IP 192.168.1.249.64623 > 224.0.0.252.5355 : proto UDP: packet len: 32 checksum : 47231
    0x0000:  4500 0034 04cb 0000 0111 1151 c0a8 01f9  E..4.......Q....
    0x0010:  e000 00fc fc6f 14eb 0020 b87f 3406 0000  .....o......4...
    0x0020:  0001 0000 0000 0000 0669 7361 7461 7000  .........isatap.
    0x0030:  0001 0001                                ....
    Date=2017-01-06 Time=10:50:08 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev=Sophos inzone_id=1 outzone_id=7 source_mac=f8:db:88:fe:90:f9 dest_mac=01:00:5e:00:00:fc l3_protocol=IP source_ip=192.168.1.249 dest_ip=224.0.0.252 l4_protocol=UDP source_port=64623 dest_port=5355 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=2439711232 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-01-06 10:50:08 0101021 IP 192.168.1.249.137 > 192.168.1.255.137 : proto UDP: packet len: 58 checksum : 37405
    0x0000:  4500 004e 38a3 0000 8011 7cb3 c0a8 01f9  E..N8.....|.....
    0x0010:  c0a8 01ff 0089 0089 003a 921d 9f8e 0110  .........:......
    0x0020:  0001 0000 0000 0000 2045 4a46 4445 4246  .........EJFDEBF
    0x0030:  4545 4246 4143 4143 4143 4143 4143 4143  EEBFACACACACACAC
    0x0040:  4143 4143 4143 4141 4100 0020 0001       ACACACAAA.....
    Date=2017-01-06 Time=10:50:08 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev=Sophos inzone_id=1 outzone_id=7 source_mac=f8:db:88:fe:90:f9 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.249 dest_ip=192.168.1.255 l4_protocol=UDP source_port=137 dest_port=137 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=2439711552 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-01-06 10:50:08 0103021 IP 192.168.1.249.137 > 192.168.1.255.137 : proto UDP: packet len: 58 checksum : 37405
    0x0000:  4500 004e 38a3 0000 8011 7cb3 c0a8 01f9  E..N8.....|.....
    0x0010:  c0a8 01ff 0089 0089 003a 921d 9f8e 0110  .........:......
    0x0020:  0001 0000 0000 0000 2045 4a46 4445 4246  .........EJFDEBF
    0x0030:  4545 4246 4143 4143 4143 4143 4143 4143  EEBFACACACACACAC
    0x0040:  4143 4143 4143 4141 4100 0020 0001       ACACACAAA.....
    Date=2017-01-06 Time=10:50:08 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=7 source_mac=f8:db:88:fe:90:f9 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.249 dest_ip=192.168.1.255 l4_protocol=UDP source_port=137 dest_port=137 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=2439711552 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-01-06 10:50:09 0101021 IP 192.168.1.249.137 > 192.168.1.255.137 : proto UDP: packet len: 58 checksum : 37405
    0x0000:  4500 004e 38a4 0000 8011 7cb2 c0a8 01f9  E..N8.....|.....
    0x0010:  c0a8 01ff 0089 0089 003a 921d 9f8e 0110  .........:......
    0x0020:  0001 0000 0000 0000 2045 4a46 4445 4246  .........EJFDEBF
    0x0030:  4545 4246 4143 4143 4143 4143 4143 4143  EEBFACACACACACAC
    0x0040:  4143 4143 4143 4141 4100 0020 0001       ACACACAAA.....
    Date=2017-01-06 Time=10:50:09 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev=Sophos inzone_id=1 outzone_id=7 source_mac=f8:db:88:fe:90:f9 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.249 dest_ip=192.168.1.255 l4_protocol=UDP source_port=137 dest_port=137 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=4095810688 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-01-06 10:50:09 0103021 IP 192.168.1.249.137 > 192.168.1.255.137 : proto UDP: packet len: 58 checksum : 37405
    0x0000:  4500 004e 38a4 0000 8011 7cb2 c0a8 01f9  E..N8.....|.....
    0x0010:  c0a8 01ff 0089 0089 003a 921d 9f8e 0110  .........:......
    0x0020:  0001 0000 0000 0000 2045 4a46 4445 4246  .........EJFDEBF
    0x0030:  4545 4246 4143 4143 4143 4143 4143 4143  EEBFACACACACACAC
    0x0040:  4143 4143 4143 4141 4100 0020 0001       ACACACAAA.....
    Date=2017-01-06 Time=10:50:09 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=7 source_mac=f8:db:88:fe:90:f9 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.249 dest_ip=192.168.1.255 l4_protocol=UDP source_port=137 dest_port=137 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=4095810688 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-01-06 10:59:02 0101021 IP 192.168.1.249.138 > 192.168.1.255.138 : proto UDP: packet len: 227 checksum : 42286
    0x0000:  4500 00f7 3d38 0000 8011 7775 c0a8 01f9  E...=8....wu....
    0x0010:  c0a8 01ff 008a 008a 00e3 a52e 1102 9f8f  ................
    0x0020:  c0a8 01f9 008a 00cd 0000 2045 4a45 4243  ...........EJEBC
    0x0030:  4e46 4444 4144 4443 4143 4143 4143 4143  NFDDADDCACACACAC
    0x0040:  4143 4143 4143 4143 4143 4100 2045 4a45  ACACACACACA..EJE
    0x0050:  4245 4446 4145 4243 4143 4143 4143 4143  BEDFAEBCACACACAC
    0x0060:  4143 4143 4143 4143 4143 4142 4e00 ff53  ACACACACACABN..S
    0x0070:  4d42 2500 0000 0000 0000 0000 0000 0000  MB%.............
    0x0080:  0000 0000 0000 0000 0000 0000 0000 1100  ................
    0x0090:  0033 0000 0000 0000 0000 00e8 0300 0000  .3..............
    0x00a0:  0000 0000 0033 0056 0003 0001 0000 0002  .....3.V........
    0x00b0:  0044 005c 4d41 494c 534c 4f54 5c42 524f  .D.\MAILSLOT\BRO
    0x00c0:  5753 4500 0100 80fc 0a00 4941 2d53 3033  WSE.......IA-S03
    0x00d0:  0000 0000 0000 0000 0000 0603 2390 8000  ............#...
    0x00e0:  0f01 55aa 4d79 2062 7573 696e 6573 7320  ..U.My.business.
    0x00f0:  7365 7276 6572 00                        server.
    Date=2017-01-06 Time=10:59:02 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev=Sophos inzone_id=1 outzone_id=7 source_mac=f8:db:88:fe:90:f9 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.249 dest_ip=192.168.1.255 l4_protocol=UDP source_port=138 dest_port=138 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=3039721024 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-01-06 10:59:02 0103021 IP 192.168.1.249.138 > 192.168.1.255.138 : proto UDP: packet len: 227 checksum : 42286
    0x0000:  4500 00f7 3d38 0000 8011 7775 c0a8 01f9  E...=8....wu....
    0x0010:  c0a8 01ff 008a 008a 00e3 a52e 1102 9f8f  ................
    0x0020:  c0a8 01f9 008a 00cd 0000 2045 4a45 4243  ...........EJEBC
    0x0030:  4e46 4444 4144 4443 4143 4143 4143 4143  NFDDADDCACACACAC
    0x0040:  4143 4143 4143 4143 4143 4100 2045 4a45  ACACACACACA..EJE
    0x0050:  4245 4446 4145 4243 4143 4143 4143 4143  BEDFAEBCACACACAC
    0x0060:  4143 4143 4143 4143 4143 4142 4e00 ff53  ACACACACACABN..S
    0x0070:  4d42 2500 0000 0000 0000 0000 0000 0000  MB%.............
    0x0080:  0000 0000 0000 0000 0000 0000 0000 1100  ................
    0x0090:  0033 0000 0000 0000 0000 00e8 0300 0000  .3..............
    0x00a0:  0000 0000 0033 0056 0003 0001 0000 0002  .....3.V........
    0x00b0:  0044 005c 4d41 494c 534c 4f54 5c42 524f  .D.\MAILSLOT\BRO
    0x00c0:  5753 4500 0100 80fc 0a00 4941 2d53 3033  WSE.......IA-S03
    0x00d0:  0000 0000 0000 0000 0000 0603 2390 8000  ............#...
    0x00e0:  0f01 55aa 4d79 2062 7573 696e 6573 7320  ..U.My.business.
    0x00f0:  7365 7276 6572 00                        server.
    Date=2017-01-06 Time=10:59:02 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=7 source_mac=f8:db:88:fe:90:f9 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.249 dest_ip=192.168.1.255 l4_protocol=UDP source_port=138 dest_port=138 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=3039721024 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
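The capture above, and sachingurung's two pieces of advice earlier in the thread (capture drops on the destination IP and port; if nothing is dropped, take a pcap and see who sends the RESET), can be checked mechanically rather than by eye. The Python script below is an added example, not part of the original thread and not a Sophos tool: it parses `drop-packet-capture` output in the format shown above (summary line, hexdump, key=value firewall log line), decodes the IPv4 and UDP/TCP headers from the hexdump, counts denied packets by log component and destination port, and flags any TCP drop headed for the relay ports 80/443. The sample entry is one of the NetBIOS broadcasts from the post with the log line trimmed to the fields that are read; `build_tcp_packet` and the 203.0.113.10 address are constructed for the test, so the "who sent the reset" check can run offline without a real pcap.

```python
import re
import struct
from collections import Counter
from ipaddress import ip_address

# Constructed sample in the drop-packet-capture format shown in the post:
# summary line, hexdump, then the key=value firewall log line (trimmed).
SAMPLE_CAPTURE = """\
2017-01-06 10:50:08 0101021 IP 192.168.1.249.137 > 192.168.1.255.137 : proto UDP: packet len: 58 checksum : 37405
0x0000:  4500 004e 38a2 0000 8011 7cb4 c0a8 01f9  E..N8.....|.....
0x0010:  c0a8 01ff 0089 0089 003a 921d 9f8e 0110  .........:......
0x0020:  0001 0000 0000 0000 2045 4a46 4445 4246  .........EJFDEBF
0x0030:  4545 4246 4143 4143 4143 4143 4143 4143  EEBFACACACACACAC
0x0040:  4143 4143 4143 4141 4100 0020 0001       ACACACAAA.....
Date=2017-01-06 Time=10:50:08 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied in_dev=Port1 out_dev=Sophos source_ip=192.168.1.249 dest_ip=192.168.1.255 l4_protocol=UDP source_port=137 dest_port=137 fw_rule_id=0
"""

SUMMARY_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \d+ IP ")
OFFSET_RE = re.compile(r"^0x([0-9a-fA-F]{4}):$")


def parse_log_line(line):
    """Turn a 'key=value key=value ...' firewall log line into a dict."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def parse_hexdump(lines):
    """Rebuild raw packet bytes from 'offset:  hex groups  ascii' lines.
    The ASCII column is separated from the hex groups by two or more spaces,
    so splitting on whitespace runs keeps printable bytes that happen to look
    like hex (e.g. 'dead') out of the reassembled data."""
    data = bytearray()
    for line in lines:
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) < 2 or not OFFSET_RE.match(parts[0]):
            continue
        offset = int(parts[0][2:6], 16)
        if offset != len(data):  # offsets must be contiguous
            raise ValueError(f"hexdump gap at offset 0x{offset:04x}")
        data += bytes.fromhex("".join(parts[1].split()))
    return bytes(data)


def decode_packet(data):
    """Decode the IPv4 header plus UDP or TCP ports (and TCP flags) from raw bytes."""
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (data[0] & 0x0F) * 4
    info = {
        "src": str(ip_address(data[12:16])),
        "dst": str(ip_address(data[16:20])),
        "proto": data[9],
        "total_len": struct.unpack("!H", data[2:4])[0],
    }
    l4 = data[ihl:]
    if info["proto"] == 17 and len(l4) >= 8:
        sport, dport, ulen, _ = struct.unpack("!HHHH", l4[:8])
        info.update(proto_name="UDP", sport=sport, dport=dport, udp_len=ulen)
    elif info["proto"] == 6 and len(l4) >= 20:
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        flags = off_flags & 0x01FF
        info.update(proto_name="TCP", sport=sport, dport=dport,
                    flags=flags, rst=bool(flags & 0x04))
    return info


def parse_capture(text):
    """Split drop-packet-capture output into entries of summary, decoded packet and log."""
    entries, summary, hexlines = [], None, []
    for line in text.splitlines():
        line = line.strip()
        if SUMMARY_RE.match(line):
            summary, hexlines = line, []
        elif line.startswith("0x"):
            hexlines.append(line)
        elif line.startswith("Date=") and summary is not None:
            entries.append({"summary": summary,
                            "packet": decode_packet(parse_hexdump(hexlines)),
                            "log": parse_log_line(line)})
            summary, hexlines = None, []
    return entries


def drop_summary(entries):
    """Count denied packets by (log component, L4 protocol, destination port)."""
    return Counter((e["log"].get("log_component"), e["packet"].get("proto_name"),
                    e["packet"].get("dport")) for e in entries)


def drops_to_relay(entries, relay_ports=(80, 443)):
    """Denied TCP packets headed for the ScreenConnect relay ports."""
    return [e for e in entries if e["packet"].get("proto_name") == "TCP"
            and e["packet"].get("dport") in relay_ports]


def rst_senders(packets):
    """Source addresses of decoded packets that carry the TCP RST flag."""
    return sorted({p["src"] for p in packets if p.get("rst")})


def build_tcp_packet(src, dst, sport, dport, flags):
    """Constructed minimal IPv4+TCP packet (no options, zero checksums), for testing only."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 0, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return ip + tcp


if __name__ == "__main__":
    entries = parse_capture(SAMPLE_CAPTURE)
    for key, n in drop_summary(entries).items():
        print(f"{n:3d} x {key}")
    print("denied packets to relay ports:", len(drops_to_relay(entries)))
    rst = decode_packet(build_tcp_packet("203.0.113.10", "192.168.1.249", 443, 51000, 0x14))
    print("RST sent by:", rst_senders([rst]))
```

Fed the whole capture from the post, the summary contains only UDP drops to 137/138 (NetBIOS broadcast) and 5355 (LLMNR multicast), and `drops_to_relay` comes back empty, which is the point sachingurung makes: nothing in this capture touches the 443 relay session. The next step is then a pcap of that session, where `rst_senders` answers the question of whether the firewall's WAN address, the client, or the hosted SC server originated the reset.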
  • In reply to Sam Segura:

    Hi Sam,

    Try this: configure a plain FW rule with all the filters set to NONE for a specific source IP address. LAN (192.168.1.249) > ANY > WAN.

    Do you discover any sort of disconnection on this source after this?

    Thanks

  • In reply to sachingurung:

    ScreenConnect continues to disconnect.

    Forwarding rule placed on top:

    Source Zone: WAN  |  Allowed Client Networks: Any

    Destination Host/Network: 24.240.246.46  |  Forward Type: Everything

    Forwarded to, Protected Server (internal IP 192.168.1.249)

    Intrusion Prevention: None, Traffic Shaping: None  |  Synchronized Security: No Restriction  |  Minimum Destination HB Permitted: No Restriction

    Routing: Check ON: Rewrite source address (Masquerading)  |  Use Outbound Address (NAT policy using 24.240.246.46)  |  Check ON: Create Reflexive Rule

    ---------------------------------

    Test server on IP 192.168.1.249

    Correct public IP for outbound traffic detected (GRC Shields Up)

    GRC Shields Up report: