Problems accessing web site

Question

Hello 
 Our client is having lots of issues with their web based Line of Business application. It occurrs at multiple sites thorugh multiple Sophos devices. 
 It manifests as 'Cannot reach this page' errors in IE and various site specific errors. 
 An example of a dropped packet is: 
 2019-12-04 16:56:19 010202130 IP 192.168.13.66.50879 > xxx.xxx.xxx.xxx.443 : proto TCP: F 3536931129:3536931129(0) win 1023 checksum : 16508 0x0000: 4500 0028 7538 4000 8006 f338 c0a8 0d42 E..(u8@....8...B 0x0010: 50fd 7377 c6bf 01bb d2d1 4939 0cdf e794 P.sw......I9.... 0x0020: 5011 03ff 407c 0000 0000 0000 0000 P...@|........ Date=2019-12-04 Time=16:56:19 log_id=010202130 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=0 outzone_id=0 source_mac=aa:bb:cc:dd:ee:ff dest_mac=00:11:22:33:44:55 l3_protocol=IP source_ip=192.168.13.66 dest_ip=xxx.xxx.xxx.xxx l4_protocol=TCP source_port=50879 dest_port=443 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A 
 I've found [UNREPLIED] entries in conntrack, but I'm struggling to determine if that means that the web server isn't replying, or the Sophos isn't replying to the Web Server. 
 I feel that this might be an issue with the website, but they claim that it cannot be. I've edited TCP timeouts and stripped rules back to the minimum. The devices are running various firmware (17.5.8 MR-8 on the head office device). 
 I think my primary question at this point is Why would an outbound connection be denied/Invalid Traffic? 
 Thanks

LuCar Toni · Accepted Answer

Your Dropped packet is a Finish packet. 
 https://www.geeksforgeeks.org/tcp-flags/ 
 Basically the client decide "nope i dont want to talk to this website". 
 
 My first guess would be: There is something broken in the application of this server, so the client drops the connection. 
 Basically you know the IP of the webserver. 
 Try: 
 tcpdump -ni any host IPWebsite 
 Open the Website and verify, who is causing this. 
 
 XG is logging those Finish packets because they are "duplicates". Some clients / browser / apps sends multiple finish packets at once (just to be sure). XG uses the first finish to close the conntrack and drops all other, because there is no valid conntrack anymore (Invalid Traffic).

lferrara · Answer

Check that you are public IP is not blacklisted or some additional IP checklist is implemented on the website side. 
 The command works in the reverse order. From advanced shell you can move to console by typing: cish 
 From the console you can type exit and you will return to advanced shell (only if you were connected from advanced shell, otherwise you will exit from the console and return to the XG menu). 
 Regards