
XGS 18.5 MR3 trying to send WAN Data over dedicated HA-Link mv-pcimux0 - Invalid Traffic

I have noticed this on an XGS136 running 18.5 MR3. The machine is in HA, and when viewing the firewall log it is full of invalid traffic entries.

When doing tcpdump I can see in the GUI that it resolves the out interface as Port10, which is my dedicated HA interface.

The Interface is in a dedicated Zone "HA", not WAN.

When doing tcpdump I can see the out interface listed as mv-pcimux0.

What is that mv-pcimux0? And why is XGS using that as the out interface?

Port2 is the single WAN Gateway the machine has.

XGS136_XN01_SFOS 18.5.3 MR-3-Build408# tcpdump -i any host 10.1.254.22 and host 52.17.61.242 or host 18.158.22.135 -nve
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
14:31:38.628537 Port2, OUT: Out c8:4f:86:33:33:33 ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 64, id 63654, offset 0, flags [DF], proto TCP (6), length 52)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [S], cksum 0x3163 (incorrect -> 0xee49), seq 3596046757, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
14:31:38.628542 mv-pcimux0, OUT: Out c4:c5:c6:c7:c8:c9 ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 64, id 63654, offset 0, flags [DF], proto TCP (6), length 52)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [S], cksum 0x3163 (incorrect -> 0xee49), seq 3596046757, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
14:31:38.662125 Port2, IN:  In 3c:a6:2f:d3:5a:7d ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 242, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    18.158.22.135.443 > 10.1.254.22.46018: Flags [S.], cksum 0xb8e0 (correct), seq 3975696747, ack 3596046758, win 26883, options [mss 1460,nop,nop,sackOK,nop,wscale 8], length 0
14:31:38.662168 Port2, OUT: Out c8:4f:86:33:33:33 ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 64, id 63655, offset 0, flags [DF], proto TCP (6), length 40)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [.], cksum 0x3157 (incorrect -> 0x61d2), ack 1, win 229, length 0
14:31:38.662171 mv-pcimux0, OUT: Out c4:c5:c6:c7:c8:c9 ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 64, id 63655, offset 0, flags [DF], proto TCP (6), length 40)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [.], cksum 0x3157 (incorrect -> 0x61d2), ack 1, win 229, length 0
14:31:38.662624 Port2, OUT: Out c8:4f:86:33:33:33 ethertype IPv4 (0x0800), length 285: (tos 0x0, ttl 64, id 63656, offset 0, flags [DF], proto TCP (6), length 269)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [P.], cksum 0x323c (incorrect -> 0x8802), seq 1:230, ack 1, win 229, length 229
14:31:38.662628 mv-pcimux0, OUT: Out c4:c5:c6:c7:c8:c9 ethertype IPv4 (0x0800), length 285: (tos 0x0, ttl 64, id 63656, offset 0, flags [DF], proto TCP (6), length 269)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [P.], cksum 0x323c (incorrect -> 0x8802), seq 1:230, ack 1, win 229, length 229
14:31:38.681184 Port2, IN:  In 3c:a6:2f:d3:5a:7d ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 242, id 15660, offset 0, flags [DF], proto TCP (6), length 40)
    18.158.22.135.443 > 10.1.254.22.46018: Flags [.], cksum 0x6164 (correct), ack 230, win 110, length 0
14:31:38.682162 Port2, IN:  In 3c:a6:2f:d3:5a:7d ethertype IPv4 (0x0800), length 1516: (tos 0x0, ttl 242, id 15661, offset 0, flags [DF], proto TCP (6), length 1500)
    18.158.22.135.443 > 10.1.254.22.46018: Flags [.], cksum 0x61aa (correct), seq 1:1461, ack 230, win 110, length 1460
14:31:38.682182 Port2, OUT: Out c8:4f:86:33:33:33 ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 64, id 63657, offset 0, flags [DF], proto TCP (6), length 40)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [.], cksum 0x3157 (incorrect -> 0x5b23), ack 1461, win 251, length 0
14:31:38.682184 mv-pcimux0, OUT: Out c4:c5:c6:c7:c8:c9 ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 64, id 63657, offset 0, flags [DF], proto TCP (6), length 40)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [.], cksum 0x3157 (incorrect -> 0x5b23), ack 1461, win 251, length 0
14:31:38.682187 Port2, IN:  In 3c:a6:2f:d3:5a:7d ethertype IPv4 (0x0800), length 1516: (tos 0x0, ttl 242, id 15662, offset 0, flags [DF], proto TCP (6), length 1500)
    18.158.22.135.443 > 10.1.254.22.46018: Flags [.], cksum 0xf8bf (correct), seq 1461:2921, ack 230, win 110, length 1460
14:31:38.682199 Port2, OUT: Out c8:4f:86:33:33:33 ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 64, id 63658, offset 0, flags [DF], proto TCP (6), length 40)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [.], cksum 0x3157 (incorrect -> 0x5558), ack 2921, win 274, length 0
14:31:38.682201 mv-pcimux0, OUT: Out c4:c5:c6:c7:c8:c9 ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 64, id 63658, offset 0, flags [DF], proto TCP (6), length 40)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [.], cksum 0x3157 (incorrect -> 0x5558), ack 2921, win 274, length 0
14:31:38.682208 Port2, IN:  In 3c:a6:2f:d3:5a:7d ethertype IPv4 (0x0800), length 1516: (tos 0x0, ttl 242, id 15663, offset 0, flags [DF], proto TCP (6), length 1500)
    18.158.22.135.443 > 10.1.254.22.46018: Flags [.], cksum 0xeee4 (correct), seq 2921:4381, ack 230, win 110, length 1460
14:31:38.682219 Port2, OUT: Out c8:4f:86:33:33:33 ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 64, id 63659, offset 0, flags [DF], proto TCP (6), length 40)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [.], cksum 0x3157 (incorrect -> 0x4f8d), ack 4381, win 297, length 0
14:31:38.688763 Port2, OUT: Out c8:4f:86:33:33:33 ethertype IPv4 (0x0800), length 222: (tos 0x0, ttl 64, id 63661, offset 0, flags [DF], proto TCP (6), length 206)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [P.], cksum 0x31fd (incorrect -> 0xfa01), seq 230:396, ack 5429, win 320, length 166
14:31:38.688767 mv-pcimux0, OUT: Out c4:c5:c6:c7:c8:c9 ethertype IPv4 (0x0800), length 222: (tos 0x0, ttl 64, id 63661, offset 0, flags [DF], proto TCP (6), length 206)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [P.], cksum 0x31fd (incorrect -> 0xfa01), seq 230:396, ack 5429, win 320, length 166
14:31:38.695820 Port2, IN:  In 3c:a6:2f:d3:5a:7d ethertype IPv4 (0x0800), length 402: (tos 0x0, ttl 242, id 15665, offset 0, flags [DF], proto TCP (6), length 386)
    18.158.22.135.443 > 10.1.254.22.46018: Flags [P.], cksum 0xab3a (correct), seq 5429:5775, ack 396, win 114, length 346
14:31:38.715856 Port2, OUT: Out c8:4f:86:33:33:33 ethertype IPv4 (0x0800), length 493: (tos 0x0, ttl 64, id 63662, offset 0, flags [DF], proto TCP (6), length 477)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [P.], cksum 0x330c (incorrect -> 0x18e8), seq 396:833, ack 5775, win 343, length 437
14:31:38.715863 mv-pcimux0, OUT: Out c4:c5:c6:c7:c8:c9 ethertype IPv4 (0x0800), length 493: (tos 0x0, ttl 64, id 63662, offset 0, flags [DF], proto TCP (6), length 477)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [P.], cksum 0x330c (incorrect -> 0x18e8), seq 396:833, ack 5775, win 343, length 437
14:31:38.765165 Port2, IN:  In 3c:a6:2f:d3:5a:7d ethertype IPv4 (0x0800), length 125: (tos 0x0, ttl 242, id 15667, offset 0, flags [DF], proto TCP (6), length 109)
    18.158.22.135.443 > 10.1.254.22.46018: Flags [P.], cksum 0x6578 (correct), seq 6132:6201, ack 833, win 118, length 69
14:31:38.765182 Port2, OUT: Out c8:4f:86:33:33:33 ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 64, id 63663, offset 0, flags [DF], proto TCP (6), length 52)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [.], cksum 0x3163 (incorrect -> 0x6485), ack 5775, win 343, options [nop,nop,sack 1 {6132:6201}], length 0
14:31:38.765183 mv-pcimux0, OUT: Out c4:c5:c6:c7:c8:c9 ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 64, id 63663, offset 0, flags [DF], proto TCP (6), length 52)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [.], cksum 0x3163 (incorrect -> 0x6485), ack 5775, win 343, options [nop,nop,sack 1 {6132:6201}], length 0
14:31:38.769137 Port2, IN:  In 3c:a6:2f:d3:5a:7d ethertype IPv4 (0x0800), length 125: (tos 0x0, ttl 242, id 15668, offset 0, flags [DF], proto TCP (6), length 109)
    18.158.22.135.443 > 10.1.254.22.46018: Flags [FP.], cksum 0x600d (correct), seq 6201:6270, ack 833, win 118, length 69
14:31:38.769154 Port2, OUT: Out c8:4f:86:33:33:33 ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 64, id 63664, offset 0, flags [DF], proto TCP (6), length 52)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [.], cksum 0x3163 (incorrect -> 0x643f), ack 5775, win 343, options [nop,nop,sack 1 {6132:6271}], length 0
14:31:38.769156 mv-pcimux0, OUT: Out c4:c5:c6:c7:c8:c9 ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 64, id 63664, offset 0, flags [DF], proto TCP (6), length 52)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [.], cksum 0x3163 (incorrect -> 0x643f), ack 5775, win 343, options [nop,nop,sack 1 {6132:6271}], length 0
14:31:38.799372 Port2, IN:  In 3c:a6:2f:d3:5a:7d ethertype IPv4 (0x0800), length 413: (tos 0x0, ttl 242, id 15669, offset 0, flags [DF], proto TCP (6), length 397)
    18.158.22.135.443 > 10.1.254.22.46018: Flags [P.], cksum 0x4560 (correct), seq 5775:6132, ack 833, win 118, length 357
14:31:38.799391 Port2, OUT: Out c8:4f:86:33:33:33 ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 64, id 63665, offset 0, flags [DF], proto TCP (6), length 40)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [.], cksum 0x3157 (incorrect -> 0x458c), ack 6271, win 365, length 0
14:31:38.799393 mv-pcimux0, OUT: Out c4:c5:c6:c7:c8:c9 ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 64, id 63665, offset 0, flags [DF], proto TCP (6), length 40)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [.], cksum 0x3157 (incorrect -> 0x458c), ack 6271, win 365, length 0
14:31:38.800877 Port2, OUT: Out c8:4f:86:33:33:33 ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 64, id 63666, offset 0, flags [DF], proto TCP (6), length 40)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [R.], cksum 0x3157 (incorrect -> 0x4588), seq 833, ack 6271, win 365, length 0
14:31:38.800883 mv-pcimux0, OUT: Out c4:c5:c6:c7:c8:c9 ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 64, id 63666, offset 0, flags [DF], proto TCP (6), length 40)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [R.], cksum 0x3157 (incorrect -> 0x4588), seq 833, ack 6271, win 365, length 0

Time             | In interface | Out interface | Ethernet type | Source IP     | Destination IP | Packet type | Ports [src,dst] | NAT ID | Rule ID | Status    | Reason
25.05.2022 14:16 | Port10       | Port2         | IPv4          | 10.1.254.22   | 18.158.22.135  | TCP         | 28772,443       | 0      | 0       | Forwarded |
25.05.2022 14:16 |              |               | IPv4          | 10.1.254.22   | 18.158.22.135  | TCP         | 28772,443       | 0      | 0       | Violation | INVALID_TRAFFIC
25.05.2022 14:16 | Port10       |               | IPv4          | 10.1.254.22   | 18.158.22.135  | TCP         | 28772,443       | 0      | 0       | Incoming  |
25.05.2022 14:16 | Port10       | Port2         | IPv4          | 10.1.254.22   | 18.158.22.135  | TCP         | 28772,443       | 0      | 0       | Forwarded |
25.05.2022 14:16 |              |               | IPv4          | 10.1.254.22   | 18.158.22.135  | TCP         | 28772,443       | 0      | 0       | Violation | INVALID_TRAFFIC
25.05.2022 14:16 | Port10       |               | IPv4          | 10.1.254.22   | 18.158.22.135  | TCP         | 28772,443       | 0      | 0       | Incoming  |
25.05.2022 14:16 |              |               | IPv4          | 18.158.22.135 | 10.1.254.22    | TCP         | 443,28772       | 0      | 0       | Violation | INVALID_TRAFFIC
25.05.2022 14:16 | Port2        |               | IPv4          | 18.158.22.135 | 10.1.254.22    | TCP         | 443,28772       | 0      | 0       | Incoming  |
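The capture above shows the same packet (identical IP id 63654, identical seq) leaving on both Port2 and mv-pcimux0. The helper below is an added example, not code from the thread or from Sophos: it parses SFOS tcpdump -nve output and separates mirrored copies of one packet (same IP id and 5-tuple on two interfaces) from packets that genuinely carry foreign subnets over an interface. The sample lines are copied from the captures in this thread; the HA-link subnet 10.1.178.0/24 is an assumption taken from a later post.

```python
import ipaddress
import re
from collections import defaultdict

# Record header, e.g. "14:31:38.628537 Port2, OUT: ... id 63654, ... proto TCP (6), length 52)".
# Matches both the "-i any" form and the per-interface "Port10, IN: mac > mac, ..." form.
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+), (?P<dir>IN|OUT):.*?"
    r"\bid (?P<ip_id>\d+),.*?proto (?P<proto>\w+) \(\d+\), length (?P<ip_len>\d+)\)"
)
# Indented L4 line: "SRC.SPORT > DST.DPORT: Flags [..]" (TCP) or "SRC.SPORT > DST.DPORT: 7781+ A? ..." (DNS).
L4_RE = re.compile(
    r"^\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
    r"(?: Flags \[(?P<flags>[^\]]*)\])?"
)

# Sample input: lines copied from the two captures in this thread (Port2/mv-pcimux0 pair, then Port10).
SAMPLE = """\
14:31:38.628537 Port2, OUT: Out c8:4f:86:33:33:33 ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 64, id 63654, offset 0, flags [DF], proto TCP (6), length 52)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [S], cksum 0x3163 (incorrect -> 0xee49), seq 3596046757, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
14:31:38.628542 mv-pcimux0, OUT: Out c4:c5:c6:c7:c8:c9 ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 64, id 63654, offset 0, flags [DF], proto TCP (6), length 52)
    10.1.254.22.46018 > 18.158.22.135.443: Flags [S], cksum 0x3163 (incorrect -> 0xee49), seq 3596046757, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
14:31:38.662125 Port2, IN:  In 3c:a6:2f:d3:5a:7d ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 242, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    18.158.22.135.443 > 10.1.254.22.46018: Flags [S.], cksum 0xb8e0 (correct), seq 3975696747, ack 3596046758, win 26883, options [mss 1460,nop,nop,sackOK,nop,wscale 8], length 0
15:51:16.949485 Port10, IN: 7c:5a:1c:b1:b1:59 > 7c:5a:1c:b1:9d:19, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 26511, offset 0, flags [DF], proto TCP (6), length 40)
    10.1.254.22.10378 > 52.17.61.242.443: Flags [F.], cksum 0x0966 (correct), seq 2977724231, ack 205245345, win 365, length 0
15:51:16.949892 Port10, IN: 7c:5a:1c:b1:b1:59 > 7c:5a:1c:b1:9d:19, ethertype IPv4 (0x0800), length 124: (tos 0x0, ttl 64, id 53525, offset 0, flags [DF], proto UDP (17), length 110)
    10.1.254.22.30724 > 10.1.254.17.53: 7781+ A? kolid-appli-1p0ixt9u458fq-1146947762.eu-west-1.elb.amazonaws.com. (82)
"""

def parse_tcpdump(text):
    """Return one dict per packet from tcpdump -nve text (header line + indented L4 line)."""
    packets, header = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()          # remember until its L4 line arrives
            continue
        m = L4_RE.match(line)
        if m and header is not None:
            pkt = {**header, **m.groupdict()}
            for k in ("ip_id", "ip_len", "sport", "dport"):
                pkt[k] = int(pkt[k])
            packets.append(pkt)
            header = None                   # ARP and hex-dump lines never pair up
    return packets

def mirrored_packets(packets):
    """Same IP id and 5-tuple seen on more than one interface: one packet mirrored, not two flows."""
    groups = defaultdict(list)
    for p in packets:
        key = (p["ip_id"], p["src"], p["sport"], p["dst"], p["dport"], p["proto"])
        groups[key].append((p["iface"], p["dir"]))
    return {k: seen for k, seen in groups.items() if len({i for i, _ in seen}) > 1}

def off_subnet_packets(packets, iface, expected_nets):
    """Packets on `iface` whose source or destination lies outside the subnets it should carry."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]

    def inside(addr):
        return any(ipaddress.ip_address(addr) in n for n in nets)

    return [p for p in packets if p["iface"] == iface and not (inside(p["src"]) and inside(p["dst"]))]

if __name__ == "__main__":
    pk = parse_tcpdump(SAMPLE)
    for key, seen in mirrored_packets(pk).items():
        print("mirrored copy:", key, "->", seen)
    # 10.1.178.0/24 is the HA-link subnet assumed from a later post in this thread.
    for p in off_subnet_packets(pk, "Port10", ["10.1.178.0/24"]):
        print("non-HA traffic on Port10:", p["src"], "->", p["dst"], p["proto"])
```

A mirrored pair with matching IP id confirms that the NPU path is emitting a copy of a packet already routed out Port2, which is a different finding from a flow being routed out the HA link on its own.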



  • Hello,

    Thank you for reaching out to the community. The mv-pcimux0 is the interface between the x86 and the NPU on desktops.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Thank you for this quick information.

    That sounds buggy. I'm rebooting the machine right now. Let's see what it does afterwards.

  • I totally agree.

    Let's see what it does when I power on the Aux node. I hope it does not mix up packets to/from the dedicated HA link Port10.

  • Here it is again.

    A WiFi device joined the SSID and then tcpdump caught traffic from and to WAN appearing on the HA port Port10.

    XGS136_XN01_SFOS 18.5.3 MR-3-Build408# tcpdump -i Port10  host not 224.0.0.18 and host not 225.0.0.50 and host not 10.1.178.5 and port not 22 -nve
    tcpdump: listening on Port10, link-type EN10MB (Ethernet), capture size 262144 bytes
    15:51:08.292158 Port10, OUT: 7c:5a:1c:b1:9d:19 > 7c:5a:1c:b1:b1:59, ethertype ARP (0x0806), length 52: Ethernet (len 6), IPv4 (len 4), Unknown (202)
            0x0000:  0001 0800 0604 00ca a4e4 b8af 1a2e c0a8  ................
            0x0010:  3a02 6c61 6730 2e31 3035 3800 0000 0000  :.lag0.1058.....
            0x0020:  0000 c0a8 3a01                           ....:.
    15:51:16.949485 Port10, IN: 7c:5a:1c:b1:b1:59 > 7c:5a:1c:b1:9d:19, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 26511, offset 0, flags [DF], proto TCP (6), length 40)
        10.1.254.22.10378 > 52.17.61.242.443: Flags [F.], cksum 0x0966 (correct), seq 2977724231, ack 205245345, win 365, length 0
    15:51:16.949892 Port10, IN: 7c:5a:1c:b1:b1:59 > 7c:5a:1c:b1:9d:19, ethertype IPv4 (0x0800), length 124: (tos 0x0, ttl 64, id 53525, offset 0, flags [DF], proto UDP (17), length 110)
        10.1.254.22.30724 > 10.1.254.17.53: 7781+ A? kolid-appli-1p0ixt9u458fq-1146947762.eu-west-1.elb.amazonaws.com. (82)
    15:51:16.949952 Port10, IN: 7c:5a:1c:b1:b1:59 > 7c:5a:1c:b1:9d:19, ethertype IPv4 (0x0800), length 124: (tos 0x0, ttl 64, id 53526, offset 0, flags [DF], proto UDP (17), length 110)
        10.1.254.22.10730 > 10.1.254.17.53: 13695+ AAAA? kolid-appli-1p0ixt9u458fq-1146947762.eu-west-1.elb.amazonaws.com. (82)
    15:51:16.952140 Port10, OUT: 7c:5a:1c:b1:9d:19 > 7c:5a:1c:b1:b1:59, ethertype IPv4 (0x0800), length 85: (tos 0x0, ttl 230, id 16627, offset 0, flags [DF], proto TCP (6), length 71)
        52.17.61.242.443 > 10.1.254.22.10378: Flags [P.], cksum 0x2f32 (correct), seq 1:32, ack 0, win 114, length 31
    15:51:16.952379 Port10, IN: 7c:5a:1c:b1:b1:59 > 7c:5a:1c:b1:9d:19, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 61580, offset 0, flags [DF], proto TCP (6), length 40)
        10.1.254.22.10378 > 52.17.61.242.443: Flags [R], cksum 0xe2bc (correct), seq 2977724231, win 0, length 0
    15:51:16.955247 Port10, OUT: 7c:5a:1c:b1:9d:19 > 7c:5a:1c:b1:b1:59, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 230, id 16628, offset 0, flags [DF], proto TCP (6), length 40)
        52.17.61.242.443 > 10.1.254.22.10378: Flags [F.], cksum 0x0a42 (correct), seq 32, ack 0, win 114, length 0
    15:51:16.955464 Port10, IN: 7c:5a:1c:b1:b1:59 > 7c:5a:1c:b1:9d:19, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 61581, offset 0, flags [DF], proto TCP (6), length 40)
        10.1.254.22.10378 > 52.17.61.242.443: Flags [R], cksum 0xe2bc (correct), seq 2977724231, win 0, length 0
    15:51:16.974328 Port10, OUT: 7c:5a:1c:b1:9d:19 > 7c:5a:1c:b1:b1:59, ethertype IPv4 (0x0800), length 156: (tos 0x0, ttl 64, id 11442, offset 0, flags [none], proto UDP (17), length 142)
        10.1.254.17.53 > 10.1.254.22.30724: 7781 2/0/0 kolid-appli-1p0ixt9u458fq-1146947762.eu-west-1.elb.amazonaws.com. A 52.17.61.242, kolid-appli-1p0ixt9u458fq-1146947762.eu-west-1.elb.amazonaws.com. A 52.51.150.191 (114)
    15:51:16.976872 Port10, OUT: 7c:5a:1c:b1:9d:19 > 7c:5a:1c:b1:b1:59, ethertype IPv4 (0x0800), length 206: (tos 0x0, ttl 64, id 11445, offset 0, flags [none], proto UDP (17), length 192)
        10.1.254.17.53 > 10.1.254.22.10730: 13695 0/1/0 (164)
    

    Is that a bug caused by the NPU, or what is the reason it is showing the traffic on the HA port?

    Time             | In interface | Out interface | Ethernet type | Source IP    | Destination IP | Packet type | Ports [src,dst] | NAT ID | Rule ID | Status    | Reason
    25.05.2022 15:51 |              |               | IPv4          | 52.17.61.242 | 10.1.254.22    | TCP         | 443,10378       | 0      | 0       | Violation | INVALID_TRAFFIC
    25.05.2022 15:51 | Port2        |               | IPv4          | 52.17.61.242 | 10.1.254.22    | TCP         | 443,10378       | 0      | 0       | Incoming  |
    25.05.2022 15:51 | Port10       | Port2         | IPv4          | 10.1.254.22  | 52.17.61.242   | TCP         | 10378,443       | 0      | 0       | Forwarded |
    25.05.2022 15:51 |              |               | IPv4          | 10.1.254.22  | 52.17.61.242   | TCP         | 10378,443       | 0      | 0       | Violation | INVALID_TRAFFIC
    25.05.2022 15:51 | Port10       |               | IPv4          | 10.1.254.22  | 52.17.61.242   | TCP         | 10378,443       | 0      | 0       | Incoming  |
    25.05.2022 15:51 |              |               | IPv4          | 52.17.61.242 | 10.1.254.22    | TCP         | 443,10378       | 0      | 0       | Violation | INVALID_TRAFFIC
    25.05.2022 15:51 | Port2        |               | IPv4          | 52.17.61.242 | 10.1.254.22    | TCP         | 443,10378       | 0      | 0       | Incoming  |
    25.05.2022 15:51 | Port10       | Port2         | IPv4          | 10.1.254.22  | 10.1.254.17    | UDP         | 10730,53        | 0      | 0       | Forwarded |

    Here are the interfaces. The networks are a bit similar but completely different subnets. Maybe that is an issue something cannot handle properly.

    And the zones.

  • Is HA deployed in Active-Passive or Active-Active?

    Thanks & Regards,
    Vivek Jagad | Team Lead, Global Support & Services

  • Here are the interfaces. The networks are a bit similar but completely different subnets. Maybe that is an issue something cannot handle properly.

    I'm quite sure it has something to do with this WAN setup, because I have seen this in the logs of other XGS HA clusters that we've had on the 10.1.254.xx WAN subnet. As soon as we moved the HA clusters to the new location with a completely different WAN gateway IP, the invalid traffic logs disappeared from the logs.

    That is our setup (WAN behind a Fritzbox) when we deploy new firewalls.

    I'll try defining a different HA IP range for the affected cluster.

  • I believe the packets going into the HA are quite okay...

    High Availability - Load Balance Packet Flow

    The primary appliance takes ownership of the vMAC, hence all the traffic would go to the primary appliance first. The primary appliance will perform load balancing for TCP traffic, and the rest of the traffic will be processed by the primary appliance.

    Load balance packet flow

    In the above scenario the client machine initiates an Internet request for web server IP 98.139.183.24. The packet is forwarded to the primary appliance. On the primary appliance you would see the below packet request:
    15:16:35.832253 PortB, IN: IP 172.16.6.3.60094 > 98.139.183.24.80: Flags [S], seq 2613888956, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

    For load balancing the primary appliance will forward the packet to the LAN interface:
    15:16:35.832311 PortB, OUT: IP 172.16.6.3.60094 > 98.139.183.24.80: Flags [S], seq 2613888956:2613889132, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 176

    The auxiliary appliance will receive the same packet on the LAN interface:
    15:16:35.980013 PortB, IN: IP 172.16.6.3.60094 > 98.139.183.24.80: Flags [S], seq 2613888956:2613889132, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 176

    The auxiliary appliance will apply MASQ and forward the packet to the destination server with the source MAC set to the primary's WAN interface virtual MAC:
    15:16:35.985601 PortA, OUT: IP 192.168.1.7.60094 > 98.139.183.24.80: Flags [S], seq 2613888956, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 176

    The server sends the response packet to the primary appliance on the WAN interface:
    15:16:40.029897 PortA, IN: IP 98.139.183.24.80 > 192.168.1.7.60094: Flags [S.], seq 636427525, ack 590968293, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

    As the primary appliance maintains conntrack for all traffic shared with the auxiliary appliance, it knows that the reply packets belong to the auxiliary appliance, so it forwards those packets to the auxiliary:
    15:16:40.029907 PortA, OUT: IP 98.139.183.24.80 > 192.168.1.7.60094: Flags [S.], seq 636427525, ack 590968293, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

    The auxiliary receives the incoming packet on the WAN interface:
    15:16:40.177675 PortA, IN: IP 98.139.183.24.80 > 192.168.1.7.60094: Flags [S.], seq 636427525, ack 590968293, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

    The auxiliary appliance will check conntrack and forward the packet to the LAN interface:
    15:16:40.178126 PortB, OUT: IP 98.139.183.24.80 > 192.168.1.7.60094: Flags [S.], seq 636427525, ack 590968293, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

    Thanks & Regards,
    Vivek Jagad | Team Lead, Global Support & Services

  • It is still happening. I changed the HA IPs from 10.1.178. to a random 192.168.192. network.

    16:42:08.016949 Port10, IN: 7c:5a:1c:b1:b1:59 > 7c:5a:1c:b1:9d:19, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 38774, offset 0, flags [DF], proto TCP (6), length 40)
        10.1.254.22.19000 > 52.51.150.191.443: Flags [F.], cksum 0xc1f3 (correct), seq 2230448672, ack 3401288615, win 365, length 0
    16:42:08.017192 Port10, IN: 7c:5a:1c:b1:b1:59 > 7c:5a:1c:b1:9d:19, ethertype IPv4 (0x0800), length 124: (tos 0x0, ttl 64, id 48180, offset 0, flags [DF], proto UDP (17), length 110)
        10.1.254.22.26347 > 10.1.254.17.53: 42060+ A? kolid-appli-1p0ixt9u458fq-1146947762.eu-west-1.elb.amazonaws.com. (82)
    16:42:08.017254 Port10, IN: 7c:5a:1c:b1:b1:59 > 7c:5a:1c:b1:9d:19, ethertype IPv4 (0x0800), length 124: (tos 0x0, ttl 64, id 48181, offset 0, flags [DF], proto UDP (17), length 110)
        10.1.254.22.49086 > 10.1.254.17.53: 15159+ AAAA? kolid-appli-1p0ixt9u458fq-1146947762.eu-west-1.elb.amazonaws.com. (82)
    16:42:08.018377 Port10, OUT: 7c:5a:1c:b1:9d:19 > 7c:5a:1c:b1:b1:59, ethertype IPv4 (0x0800), length 156: (tos 0x0, ttl 64, id 49242, offset 0, flags [none], proto UDP (17), length 142)
        10.1.254.17.53 > 10.1.254.22.26347: 42060 2/0/0 kolid-appli-1p0ixt9u458fq-1146947762.eu-west-1.elb.amazonaws.com. A 52.17.61.242, kolid-appli-1p0ixt9u458fq-1146947762.eu-west-1.elb.amazonaws.com. A 52.51.150.191 (114)
    16:42:08.018598 Port10, OUT: 7c:5a:1c:b1:9d:19 > 7c:5a:1c:b1:b1:59, ethertype IPv4 (0x0800), length 206: (tos 0x0, ttl 64, id 49243, offset 0, flags [none], proto UDP (17), length 192)
        10.1.254.17.53 > 10.1.254.22.49086: 15159 0/1/0 (164)
    16:42:08.018927 Port10, IN: 7c:5a:1c:b1:b1:59 > 7c:5a:1c:b1:9d:19, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 36421, offset 0, flags [DF], proto TCP (6), length 52)
        10.1.254.22.27530 > 52.17.61.242.443: Flags [S], cksum 0xb114 (correct), seq 680541180, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    16:42:08.022930 Port10, OUT: 7c:5a:1c:b1:9d:19 > 7c:5a:1c:b1:b1:59, ethertype IPv4 (0x0800), length 85: (tos 0x0, ttl 230, id 2461, offset 0, flags [DF], proto TCP (6), length 71)
        52.51.150.191.443 > 10.1.254.22.19000: Flags [P.], cksum 0xd143 (correct), seq 1:32, ack 0, win 114, length 31
    16:42:08.022984 Port10, OUT: 7c:5a:1c:b1:9d:19 > 7c:5a:1c:b1:b1:59, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 230, id 2462, offset 0, flags [DF], proto TCP (6), length 40)
        52.51.150.191.443 > 10.1.254.22.19000: Flags [F.], cksum 0xc2cf (correct), seq 32, ack 0, win 114, length 0
    

    WAN traffic moves over the HA link, as shown by tcpdump.

    No internet connection is possible from behind that XGS anymore. What a mess.

    I only get invalid TCP state logs, nothing else.

  • The second appliance is doing lookups, pattern updates, etc. This will be done via the primary appliance. That is the traffic generated from the HA interface.

    Likely the invalid traffic logging is done because of duplicated packets, but it should work as intended.


  • Wait a minute. You are following different things right now.

    What is your issue?
    No Internet connection? Stop focusing on this (this is only the Aux appliance updating).

    Start to do a dump from your client.


  • Thanks, your first answer is probably what I'm seeing in tcpdump.

    I wonder why I see so much invalid traffic on this HA cluster and *nothing* on the others (in production, on other WAN lines).

    About the second (no internet connection): I restored a backup and re-established HA and Central communication.

    And internet connection was possible again.

    This was one of three clusters that failed to update both nodes during the MR2 to MR3 update. Maybe I have to re-image both boxes, not only the aux.
