
Invalid TCP State

In addition to our Sophos XG which is the default gateway (.254) we've got a router provided by one of our vendors on the network for their traffic only (.253).

We've created a static route to forward all traffic for their sites and applications back out the LAN interface to their router and there is a firewall rule allowing traffic originating from the LAN zone and destined for their network range in any zone.

They have several webservers and although I can access one of them the other is inaccessible. I can PING and tracert the IP successfully but cannot open the web page.

The firewall log keeps listing "Invalid Traffic" and "Invalid TCP State".

  • Hi, Thank you for reaching out to the Sophos community team. Hope this is not a case of asymmetric routing, where either the request or the reply traffic does not route via the firewall, which may create an invalid TCP state for such a TCP connection when only one direction of the traffic traverses the firewall. If that is the case, then adding an advanced bypass firewall rule may avoid firewall rule and TCP state maintenance for the mentioned source and destination networks.

    console> set advanced-firewall bypass-stateful-firewall-config add source_network x.x.x.x source_netmask 255.255.255.0 dest_network y.y.y.y dest_netmask 255.255.255.0

    Note: To revert the changes, del in place of add will be required. I would also suggest, to be on the safe side, performing the changes during odd hours or during a proper downtime window. Please also take the latest backup with the backup password and SSMK before applying any change.

    Identify an asymmetric routing design condition

    https://support.sophos.com/support/s/article/KB-000038267?language=en_US

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

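    To illustrate the mechanism Vishal describes, the following toy connection tracker shows why a stateful firewall logs an invalid TCP state when the SYN-ACK returns via another router, and what the stateful bypass changes. This is an added example, not Sophos code; the addresses and networks in it are constructed.

```python
"""Toy stateful tracker: why asymmetric routing yields "Invalid TCP State".
Added example, not Sophos code; addresses below are constructed samples."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK

class Tracker:
    def __init__(self, bypass=()):
        self.flows = {}  # (client, server) -> handshake state
        # bypass pairs mimic 'bypass-stateful-firewall-config add src/dst' (constructed nets)
        self.bypass = [(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in bypass]

    def _bypassed(self, p):
        s, d = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        return any((s in sn and d in dn) or (s in dn and d in sn) for sn, dn in self.bypass)

    def handle(self, p):
        """Return 'ALLOW' or a drop reason, updating per-flow state on the way."""
        if self._bypassed(p):
            return "ALLOW (bypass, no state kept)"
        if p.flags == "S":  # a new handshake: remember the flow
            self.flows[(p.src, p.dst)] = "SYN_SENT"
            return "ALLOW"
        fwd, rev = (p.src, p.dst), (p.dst, p.src)
        if fwd not in self.flows and rev not in self.flows:
            return "DROP Invalid TCP State (no flow for non-SYN packet)"
        key = fwd if fwd in self.flows else rev
        state = self.flows[key]
        if state == "SYN_SENT" and p.flags == "SA" and key == rev:
            self.flows[key] = "SYN_RECV"; return "ALLOW"
        if state == "SYN_RECV" and p.flags == "A" and key == fwd:
            self.flows[key] = "ESTABLISHED"; return "ALLOW"
        if state == "ESTABLISHED":
            return "ALLOW"
        return f"DROP Invalid TCP State ({state}, got {p.flags})"

CLIENT, SERVER = "192.0.2.10", "198.51.100.80"  # constructed LAN client / vendor web server
# Symmetric path: every leg of the handshake crosses the firewall.
SYMMETRIC = [Pkt(CLIENT, SERVER, "S"), Pkt(SERVER, CLIENT, "SA"), Pkt(CLIENT, SERVER, "A")]
# Asymmetric path: the SYN-ACK returns via the vendor router, so the firewall never sees it.
ASYMMETRIC = [Pkt(CLIENT, SERVER, "S"), Pkt(CLIENT, SERVER, "A")]

def run(packets, bypass=()):
    t = Tracker(bypass)
    return [t.handle(p) for p in packets]
```

    With the bypass pair for the two networks added, the same asymmetric sequence is allowed, at the cost of no longer tracking TCP state for that traffic.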

  • Thanks for your reply Vishal. I've remoted into a computer onsite and am trying to access the CLI via SSH. I assume it uses the same username/password that I use to access the web console, but I'm getting access denied. I have checked that SSH is enabled on the LAN zone.

  • Hi,

    Is there any Access Control policy configured under Administration > Device Access for SSH access? I'd suggest you filter logs with your source public IP address in Log Viewer to see what happens with the SSH traffic when it hits the firewall.

  • I'm coming in through the LAN interface from a local computer and SSH access is enabled. Log viewer doesn't show anything.

  • Seems like the app does not want to be opened and closes the connection. Most likely you see this afterwards. Try to check with tcpdump if you see any reason for the drop.

    Use Wireshark on a client, then open the website and check the HTTP packets.
