IoT access problem

Hi

I was wondering if anyone can help me with the issue I have.

I'm using Sophos XG on my homelab and previously I was on V17 and everything worked fine. Since I migrated to EAP V18, my IoT thermostat has stopped communicating with its cloud server. The firewall rule is at the top, allowing all traffic with no filtering (as on V17 before), with the relevant NAT rule linked (with MASQ as the source), but it doesn't communicate with the right cloud server (I can see some other IPs which it tries to reach on the WAN interface, but not the one it should connect to).

My other rules and devices work fine; it's only this one I have a problem with.

As I said before, the same rule did work on the previous firmware but it's not working properly on V18. I even tried deleting the rules and starting from scratch, but it didn't make any difference.

My rules are as in the print screen below. Can anyone point me in the right direction, please, or am I missing something?

  • Hi,

    Change your NAT rule to Any instead of the specific one; your rule will cover where the device can go.

    Ian

  • In reply to rfcat_vk:

    Hi Ian

    Thank you for the suggestion. Do you mean unlink the NAT rule from the firewall rule (as the source parameters are locked) and then change it to Any?

    Marcin

  • In reply to Martinoz:

    I suppose you could just try creating a new NAT rule above it, but I’m not sure why that would make a difference unless there’s something broken with using NAT rules with MAC addresses. Your NAT rule seems fine.

    What kind of thermostat is it?

  • In reply to shred:

    It is a BecaSmart Series 6000, which should communicate with a cloud-based server at bestbeca.cn. When I switch to my ISP router, it syncs with the server straight away.

  • In reply to Martinoz:

    Do you have any SSL/TLS inspection rules setup?

    I’m sure you checked this already (or it’s static) but just to make sure, have you verified the local IP address for your thermostat is still the same?

    Do you have IPv6 configured by chance? If so, did you verify there’s a separate firewall rule for that?

    Is everything unchecked under content scanning in the firewall rule? Also, are all your policies set to “None” and not “Allow all”?

  • In reply to shred:

    Hi

    Yes, I do have a single SSL/TLS rule for one device only, but I disabled it (decryption off) for troubleshooting, and I don't use IPv6.

    I've checked the IP address and it's the correct one assigned to the device and the rule.

    I cannot see anything in the logs to prove that the traffic is blocked. It almost looks like a routing issue, or as if it cannot reach the server (handshake communication interrupted).

  • In reply to Martinoz:

    Also, the policies are set to “None”.

  • In reply to Martinoz:

    Hm, that is strange. The only thing I can think of would be:

    1. Create a firewall rule without a linked NAT.

    2. Create a NAT rule as mentioned before with ‘Any’ as the source (in addition to the destination) with the translated source for original source set to ‘MASQ’.

  • In reply to shred:

    Hi

    Set it up as advised, but no difference.

  • In reply to Martinoz:

    That’s really strange. Might be worth trying to delete that ‘BECA’ NAT rule you have. I realize it shouldn’t matter since you have the ‘All_NAT’ rule above but I just wonder if there’s something broken/weird with having a linked NAT rule. The only other thing I can think of is if you have Advanced Threat Protection enabled, checking those logs to see if for some odd reason it’s being blocked.

    Otherwise, I would try creating a new firewall rule with the source zone and network set to ‘Any’ to see if it works. If it does, start refining the rule (i.e. set just the desired zone first, check if it works then set the specific network/device).

  • In reply to shred:

    Hi Shred

    Thank you for the suggestions, but I did try all of them (I even disabled ATP, IPS and some other services) with a generic All-to-All rule, with no luck.

    There has to be something else blocked that is not shown in the logs.

  • In reply to Martinoz:

    Martinoz,

    Please share a tcpdump for the host:

    https://community.sophos.com/kb/en-us/123567

    Regards

  • In reply to lferrara:

    Hi Luk

    This is the tcpdump as requested:

    22:43:53.504199 Port3, IN: ARP, Request who-has 172.16.17.1 tell 172.16.17.5, length 46
    22:43:53.914328 Port3, IN: ARP, Request who-has 172.16.17.1 tell 172.16.17.5, length 46
    22:43:54.718075 Port3, IN: ARP, Request who-has 172.16.17.1 tell 172.16.17.5, length 46
    22:43:56.326835 Port3, IN: ARP, Request who-has 172.16.17.1 tell 172.16.17.5, length 46
    22:43:58.997572 Port3, IN: ARP, Request who-has 172.16.17.1 tell 172.16.17.5, length 46
    22:43:59.541689 Port3, IN: ARP, Request who-has 172.16.17.1 tell 172.16.17.5, length 46
    22:44:00.345468 Port3, IN: ARP, Request who-has 172.16.17.1 tell 172.16.17.5, length 46
    22:44:01.953223 Port3, IN: ARP, Request who-has 172.16.17.1 tell 172.16.17.5, length 46
    22:44:05.562291 Port3, IN: ARP, Request who-has 172.16.17.1 tell 172.16.17.5, length 46
    22:44:05.972592 Port3, IN: ARP, Request who-has 172.16.17.1 tell 172.16.17.5, length 46
    22:44:06.776345 Port3, IN: ARP, Request who-has 172.16.17.1 tell 172.16.17.5, length 46
    22:44:08.384327 Port3, IN: ARP, Request who-has 172.16.17.1 tell 172.16.17.5, length 46
    22:44:11.609791 Port3, IN: ARP, Request who-has 172.16.17.1 tell 172.16.17.5, length 46
    22:44:12.403870 Port3, IN: ARP, Request who-has 172.16.17.1 tell 172.16.17.5, length 46
    22:44:14.011748 Port3, IN: ARP, Request who-has 172.16.17.1 tell 172.16.17.5, length 46
    22:44:17.620787 Port3, IN: ARP, Request who-has 172.16.17.1 tell 172.16.17.5, length 46
    22:44:17.740183 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:44:17.740467 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:44:18.030589 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:44:18.030703 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:44:18.834621 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:44:18.834730 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:44:20.442539 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:44:20.442751 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:44:23.666353 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:44:24.462181 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:44:26.070146 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:44:26.738546 Port3, IN: IP 172.16.17.5.123 > 61.164.36.105.123: NTPv3, Client, length 48
    22:44:29.678800 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:44:29.678909 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:44:30.094003 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:44:30.094111 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:44:30.892658 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:44:30.892766 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:44:32.500673 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:44:32.500780 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:44:35.724450 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:44:36.520777 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:44:38.129000 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:44:41.743598 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:44:41.743708 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:44:42.152064 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:44:42.152230 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:44:42.954113 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:44:42.954263 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:44:44.563729 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:44:44.563834 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:44:47.784096 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:44:48.584333 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:44:50.193062 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:44:53.804506 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:44:53.804619 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:44:54.216503 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:44:54.216609 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:44:54.495431 Port3, IN: IP 172.16.17.5.123 > 61.164.36.105.123: NTPv3, Client, length 48
    22:44:55.020522 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:44:55.020697 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:44:56.626699 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:44:56.626799 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:44:59.846229 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:45:00.646585 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:45:02.254749 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:45:05.865191 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:45:05.865379 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:45:06.275307 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:45:06.275505 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:45:07.079379 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:45:07.079484 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:45:08.692118 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:45:08.692234 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:45:11.913979 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:45:12.710056 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:45:14.316675 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:45:17.941778 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:45:17.941918 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:45:18.336044 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:45:18.336120 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:45:19.139969 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:45:19.140077 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:45:20.748245 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:45:20.748355 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:45:22.260844 Port3, IN: IP 172.16.17.5.123 > 61.164.36.105.123: NTPv3, Client, length 48
    22:45:23.962983 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:45:24.772283 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:45:26.375351 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:45:29.984292 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:45:29.984434 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:45:30.428367 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:45:30.428554 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:45:31.197972 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:45:31.198082 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:45:32.807137 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:45:32.807247 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:45:36.031399 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:45:36.828208 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:45:38.435428 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:45:42.043233 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:45:42.043374 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:45:42.453064 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:45:42.453194 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:45:43.256920 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:45:43.257056 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:45:44.864681 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:45:44.864790 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:45:48.088606 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:45:48.884939 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:45:50.021997 Port3, IN: IP 172.16.17.5.123 > 61.164.36.105.123: NTPv3, Client, length 48
    22:45:50.493040 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:45:54.106053 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:45:54.106189 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:45:54.515573 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:45:54.515723 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:45:55.317634 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:45:55.317767 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:45:56.925794 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:45:56.925922 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:46:00.149638 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:46:00.949786 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:46:02.554010 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:46:06.154185 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:46:06.154331 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:46:06.574541 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:46:06.574677 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:46:07.379227 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:46:07.379345 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:46:08.989216 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:46:08.989369 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:46:12.213240 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:46:13.006473 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:46:14.614625 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:46:18.224520 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:46:18.224648 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:46:18.429511 Port3, IN: IP 172.16.17.5.123 > 61.164.36.105.123: NTPv3, Client, length 48
    22:46:18.634515 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:46:18.634664 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:46:19.438570 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:46:19.438704 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:46:21.046806 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:46:21.046929 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:46:24.271282 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:46:25.091274 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:46:26.675804 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:46:30.286628 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:46:30.286760 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:46:30.697236 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:46:30.697422 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:46:31.500851 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:46:31.500982 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:46:33.110964 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:46:33.111097 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:46:36.333845 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:46:37.130333 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:46:38.738785 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:46:42.362381 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:46:42.362492 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:46:42.790419 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:46:42.790529 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:46:43.566023 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:46:43.566136 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:46:45.172844 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:46:45.172957 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:46:46.320883 Port3, IN: IP 172.16.17.5.123 > 61.164.36.105.123: NTPv3, Client, length 48
    22:46:48.397828 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:46:49.194534 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:46:50.802574 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:46:54.402925 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:46:54.403075 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:46:54.823434 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:46:54.823565 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:46:55.627877 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:46:55.628031 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:46:57.236603 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:46:57.236731 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:47:00.462740 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:47:01.258254 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:47:02.866382 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:47:06.478072 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:47:06.478208 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:47:06.888174 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:47:06.888291 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:47:07.692859 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:47:07.693006 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:47:09.303068 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:47:09.303177 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:47:12.526729 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:47:13.323267 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:47:14.085055 Port3, IN: IP 172.16.17.5.123 > 61.164.36.105.123: NTPv3, Client, length 48
    22:47:14.934281 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:47:18.543852 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:47:18.543983 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:47:18.953723 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:47:18.953853 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:47:19.758145 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:47:19.758291 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:47:21.366737 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:47:21.366897 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:47:24.592342 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:47:25.389256 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:47:26.997987 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:47:30.603424 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:47:30.603573 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:47:31.020410 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:47:31.020537 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:47:31.825032 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:47:31.825152 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:47:33.433957 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
    22:47:33.434064 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
    22:47:36.658830 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:47:37.455335 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
    22:47:39.064150 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)

  • In reply to Martinoz:

    Am I right in thinking that it should use Port3 for OUT, not tun0?

    Is that part of the problem?
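The pattern the capture shows (DNS queries from the thermostat arriving on Port3, the firewall's own answers leaving on tun0, and the queries to 1.1.1.1 and the NTP server getting no visible reply at all) can be picked out mechanically rather than by eye. The following Python script is an added example, not code from this thread or from Sophos: it parses tcpdump lines in the format posted above, pairs each inbound request with the reply sent back to it, and reports replies that left on a different interface than the request arrived on, plus requests that were never answered. The embedded capture is a constructed excerpt of the lines from the post; the interface names and addresses come from it.

```python
import re
from collections import Counter

# Constructed excerpt of the capture posted in the thread (same tcpdump format).
SAMPLE_CAPTURE = """\
22:44:05.562291 Port3, IN: ARP, Request who-has 172.16.17.1 tell 172.16.17.5, length 46
22:44:17.740183 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
22:44:17.740467 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
22:44:23.666353 Port3, IN: IP 172.16.17.5.49152 > 1.1.1.1.53: 0+ A? bestbeca.cn. (29)
22:44:26.738546 Port3, IN: IP 172.16.17.5.123 > 61.164.36.105.123: NTPv3, Client, length 48
22:44:29.678800 Port3, IN: IP 172.16.17.5.49152 > 172.16.17.1.53: 0+ A? bestbeca.cn. (29)
22:44:29.678909 tun0, OUT: IP 172.16.17.1.53 > 172.16.17.5.49152: 0 1/0/0 A 59.110.30.249 (45)
"""

# One IP packet line: "<ts> <iface>, <IN|OUT>: IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+), (?P<dir>IN|OUT): IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_line(line):
    """Return the fields of an IP packet line, or None for ARP and other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def analyze(capture):
    """Pair inbound requests with the replies sent back to them.

    Returns a dict with:
      asymmetric: Counter of (request_iface, reply_iface) for replies that left
                  on a different interface than the request arrived on
      unanswered: dict of destination IP -> number of requests with no reply
    """
    requests = Counter()      # flow (src, sport, dst, dport) -> requests seen
    replies = Counter()       # same flow key -> replies matched to it
    request_iface = {}        # flow key -> interface the request arrived on
    asymmetric = Counter()

    for raw in capture.splitlines():
        pkt = parse_line(raw)
        if pkt is None:
            continue
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["dir"] == "IN":
            requests[flow] += 1
            request_iface[flow] = pkt["iface"]
        else:
            # An OUT packet counts as a reply if it reverses a flow we saw come in.
            original = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            if original not in request_iface:
                continue
            replies[original] += 1
            if request_iface[original] != pkt["iface"]:
                asymmetric[(request_iface[original], pkt["iface"])] += 1

    unanswered = {}
    for flow, n in requests.items():
        missing = n - replies[flow]
        if missing > 0:
            unanswered[flow[2]] = unanswered.get(flow[2], 0) + missing
    return {"asymmetric": asymmetric, "unanswered": unanswered}


def report(capture):
    """Human-readable summary; returned as a list of lines."""
    result = analyze(capture)
    lines = []
    for (req_if, rep_if), n in sorted(result["asymmetric"].items()):
        lines.append(f"{n} replies left on {rep_if} for requests that arrived on {req_if}")
    for dst, n in sorted(result["unanswered"].items()):
        lines.append(f"{n} request(s) to {dst} saw no reply")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CAPTURE)))
```

On the excerpt this reports two replies that left on tun0 for requests that arrived on Port3, and one unanswered request each to 1.1.1.1 and the NTP server. A reply for a LAN host leaving on a tunnel interface means the route lookup for that host's address is winning on the VPN side rather than the LAN interface, which is the routing problem this thread ends up confirming; the unanswered forwarded queries are consistent with the same route swallowing the outbound traffic. The script only pairs by reversed 4-tuple, so it is a quick triage aid for a capture like this one, not a full flow tracker.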

  • In reply to Martinoz:

    I found it!

    As the traffic was being routed to tun0, I reviewed all the VPN rules, and I did have one unused site-to-site SSL VPN config, which I suspect the routing was trying to use to communicate instead of Port3 (although I'm not sure why). The moment I deleted the unused VPN config, everything started working straight away.

    Thanks everyone for all of the suggestions!