XGS126 (SFOS 19.5.2 MR-2-Build624) Problems forwarding traffic

Hello everyone, I joined the Sophos community after having tried UTM9. I was delighted with its simplicity and functionality/security, so I decided to migrate my company's firewall system to XGS 136. I thought, well, if UTM is already good, this one should be even better!
Well, that's when the nightmare started. I've been trying to implement this network diagram for 2 months now:

In UTM9, with just the route and this firewall rule, everything works perfectly.

In XGS, according to the same logic, route and rule does not work:

Strangely, UDP port 161 passes but TCP 9100 does not!

Also, to reach servers in the remote site, for example RDP, I can only do it with a NAT MSQD, but from there it doesn't work, nor do impressions made from there pass to here.

Any suggestions? Thanks, everyone.



  • ----------Incoming----------

    Ethernet header
    Source MAC address:00:26:73:ad:55:c8
    Destination MAC address: 7c:5a:1c:a7:66:00
    Ethernet type IPv4 (0x800)

    IPv4 Header
    Source IP address:128.135.3.3
    Destination IP address:219.170.1.51
    protocol: TCP
    Header:20 Bytes
    Type of service: 0
    Total length: 48 Bytes
    Identification:27825
    Fragment offset:16384
    Time to live: 64
    Checksum: 28079

    TCP Header:
    Source port: 9100
    Destination port: 60617
    Flags: SYN
    Sequence number: 942476296
    Acknowledgement number: 2705677714
    Window: 23
    Checksum: 53293

    ------------Violation----------------------


    Ethernet header
    Source MAC address:
    Destination MAC address:
    Ethernet type IPv4 (0x800)

    IPv4 Header
    Source IP address:128.135.3.3
    Destination IP address:219.170.1.51
    protocol: TCP
    Header:20 Bytes
    Type of service: 0
    Total length: 48 Bytes
    Identification:27824
    Fragment offset:16384
    Time to live: 64
    Checksum: 28080

    TCP Header:
    Source port: 9100
    Destination port: 60617
    Flags: SYN
    Sequence number: 942476296
    Acknowledgement number: 2705677714
    Window: 23
    Checksum: 53293

    Thanks

  • No. Time Source Destination Protocol Length Info
    1 0.000000 128.135.3.3 219.170.1.51 TCP 64 9100 → 54960 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    2 1.966073 128.135.3.3 219.170.1.51 TCP 64 9100 → 54971 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    3 6.953559 128.135.3.3 219.170.1.51 TCP 64 9100 → 54981 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    4 9.960769 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 54981 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    5 9.969119 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 54981 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    6 15.970032 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 54981 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    7 15.979191 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 54981 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    8 19.893999 128.135.3.3 219.170.1.51 SNMP 125 get-response 1.3.6.1.2.1.25.3.2.1.5.1 1.3.6.1.2.1.25.3.5.1.1.1 1.3.6.1.2.1.25.3.5.1.2.1
    9 26.040372 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 54971 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    10 28.016528 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 54981 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    11 38.004668 128.135.3.3 219.170.1.51 TCP 64 9100 → 54985 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    12 39.608380 Ricoh_ad:55:c8 ARP 62 Who has 128.135.2.147? Tell 128.135.3.3
    13 39.608412 Ricoh_ad:55:c8 ARP 62 Who has 128.135.2.147? Tell 128.135.3.3
    14 39.608413 Ricoh_ad:55:c8 ARP 62 Who has 128.135.2.147? Tell 128.135.3.3
    15 39.608413 Ricoh_ad:55:c8 ARP 62 Who has 128.135.2.147? Tell 128.135.3.3
    16 41.004364 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 54985 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    17 41.006444 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 54985 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    18 47.020672 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 54985 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    19 47.025014 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 54985 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    20 52.090822 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 54981 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    21 59.062347 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 54985 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    22 64.039122 128.135.3.3 219.170.1.51 TCP 64 9100 → 54998 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    23 67.046996 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 54998 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    24 67.054350 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 54998 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    25 73.065581 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 54998 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    26 73.070702 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 54998 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    27 80.041857 128.135.3.3 219.170.1.51 SNMP 125 get-response 1.3.6.1.2.1.25.3.2.1.5.1 1.3.6.1.2.1.25.3.5.1.1.1 1.3.6.1.2.1.25.3.5.1.2.1
    28 83.136667 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 54985 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    29 85.102716 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 54998 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    30 90.089111 128.135.3.3 219.170.1.51 TCP 64 9100 → 55010 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    31 92.750565 128.135.3.3 170.7.25.1 SNMP 125 get-response 1.3.6.1.2.1.25.3.2.1.5.1 1.3.6.1.2.1.25.3.5.1.1.1 1.3.6.1.2.1.25.3.5.1.2.1
    32 93.088845 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55010 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    33 93.097325 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55010 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    34 99.105745 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55010 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    35 99.115866 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55010 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    36 106.578332 Ricoh_ad:55:c8 ARP 62 Who has 128.135.2.22? Tell 128.135.3.3
    37 106.578359 Ricoh_ad:55:c8 ARP 62 Who has 128.135.2.22? Tell 128.135.3.3
    38 106.578361 Ricoh_ad:55:c8 ARP 62 Who has 128.135.2.22? Tell 128.135.3.3
    39 106.578361 Ricoh_ad:55:c8 ARP 62 Who has 128.135.2.22? Tell 128.135.3.3
    40 109.177085 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 54998 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    41 111.153173 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55010 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    42 121.140008 Ricoh_ad:55:c8 ARP 62 Who has 128.135.0.253? Tell 128.135.3.3
    43 121.140021 Sophos_a7:66:00 ARP 44 128.135.0.253 is at 7c:5a:1c:a7:66:00
    44 121.140022 00:00:00_00:00:00 ARP 44 128.135.0.253 is at 7c:5a:1c:a7:66:00
    45 121.140045 Ricoh_ad:55:c8 ARP 62 Who has 128.135.0.253? Tell 128.135.3.3
    46 121.140047 Ricoh_ad:55:c8 ARP 62 Who has 128.135.0.253? Tell 128.135.3.3
    47 121.140047 Ricoh_ad:55:c8 ARP 62 Who has 128.135.0.253? Tell 128.135.3.3
    48 121.140170 128.135.3.3 219.170.1.51 TCP 64 9100 → 55020 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    49 124.143279 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55020 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    50 124.155144 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55020 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    51 130.156026 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55020 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    52 130.161708 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55020 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    53 135.227524 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55010 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    54 141.143628 128.135.3.3 219.170.1.51 SNMP 125 get-response 1.3.6.1.2.1.25.3.2.1.5.1 1.3.6.1.2.1.25.3.5.1.1.1 1.3.6.1.2.1.25.3.5.1.2.1
    55 142.199012 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55020 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    56 147.174117 128.135.3.3 219.170.1.51 TCP 64 9100 → 55024 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    57 150.173631 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55024 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    58 150.173880 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55024 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    59 156.190497 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55024 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    60 156.192047 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55024 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    61 166.273334 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55020 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    62 168.229392 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55024 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    63 173.224245 128.135.3.3 219.170.1.51 TCP 64 9100 → 55035 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    64 176.224056 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55035 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    65 176.239657 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55035 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    66 182.242634 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55035 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    67 182.256101 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55035 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    68 189.669267 Ricoh_ad:55:c8 ARP 62 Who has 128.135.0.2? Tell 128.135.3.3
    69 189.669301 Ricoh_ad:55:c8 ARP 62 Who has 128.135.0.2? Tell 128.135.3.3
    70 189.669303 Ricoh_ad:55:c8 ARP 62 Who has 128.135.0.2? Tell 128.135.3.3
    71 189.669303 Ricoh_ad:55:c8 ARP 62 Who has 128.135.0.2? Tell 128.135.3.3
    72 192.404024 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55024 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    73 194.380092 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55035 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    74 204.275012 128.135.3.3 219.170.1.51 TCP 64 9100 → 55041 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    75 207.274903 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55041 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    76 207.279796 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55041 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    77 213.291312 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55041 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    78 213.298402 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55041 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    79 218.775412 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55035 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    80 225.656673 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55041 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    81 230.309524 128.135.3.3 219.170.1.51 TCP 64 9100 → 55044 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    82 231.311257 128.135.3.3 219.170.1.51 SNMP 125 get-response 1.3.6.1.2.1.25.3.2.1.5.1 1.3.6.1.2.1.25.3.5.1.1.1 1.3.6.1.2.1.25.3.5.1.2.1
    83 233.309337 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55044 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    84 233.310146 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55044 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    85 239.325950 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55044 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    86 239.328733 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55044 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    87 249.730989 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55041 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    88 251.366033 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55044 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    89 256.359539 128.135.3.3 219.170.1.51 TCP 64 9100 → 55065 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    90 259.360742 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55065 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    91 259.375062 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55065 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    92 265.379325 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55065 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    93 265.391498 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55065 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    94 275.440352 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55044 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    95 277.416466 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55065 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    96 287.426138 128.135.3.3 219.170.1.51 TCP 64 9100 → 55075 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    97 288.982793 128.135.3.3 128.135.255.255 BROWSER 255 Host Announcement RNP002673AD55C8, Workstation, Server, Print Queue Server
    98 288.982915 128.135.3.3 128.135.255.255 BROWSER 255 Host Announcement RNP002673AD55C8, Workstation, Server, Print Queue Server
    99 288.982953 128.135.3.3 128.135.255.255 BROWSER 255 Host Announcement RNP002673AD55C8, Workstation, Server, Print Queue Server
    100 288.982953 128.135.3.3 128.135.255.255 BROWSER 255 Host Announcement RNP002673AD55C8, Workstation, Server, Print Queue Server
    101 290.426641 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55075 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    102 290.441246 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55075 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    103 291.443441 128.135.3.3 219.170.1.51 SNMP 125 get-response 1.3.6.1.2.1.25.3.2.1.5.1 1.3.6.1.2.1.25.3.5.1.1.1 1.3.6.1.2.1.25.3.5.1.2.1
    104 296.442161 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55075 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    105 296.445073 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55075 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    106 301.490784 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55065 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    107 308.482368 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55075 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    108 313.475771 128.135.3.3 219.170.1.51 TCP 64 9100 → 55088 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    109 316.475901 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55088 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    110 316.476908 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55088 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    111 322.492252 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55088 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    112 322.495491 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55088 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    113 332.556731 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55075 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    114 334.532790 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55088 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    115 339.526047 128.135.3.3 219.170.1.51 TCP 64 9100 → 55092 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    116 342.527476 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55092 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    117 342.541675 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55092 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    118 348.546075 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55092 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    119 348.557827 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55092 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    120 351.467011 128.135.3.3 219.170.1.51 SNMP 125 get-response 1.3.6.1.2.1.25.3.2.1.5.1 1.3.6.1.2.1.25.3.5.1.1.1 1.3.6.1.2.1.25.3.5.1.2.1
    121 358.607122 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55088 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
    122 360.583246 128.135.3.3 219.170.1.51 TCP 64 [TCP Retransmission] 9100 → 55092 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1

  • Can you share the complete pcap file? I'd like to check it from my end once!

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case  | Security Advisories 
    Compare Sophos next-gen Firewall | Fortune Favors the prepared
    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Hello, here are 2 dumps of 128 and 219.

    https://mega.nz/folder/PJ1yEIQA#Je9LRgUSQwj2F31UOjaV2Q

    Thank you for your help.

  • Hello, I have the dump file ready, but I can't load it here in the answer, I replied with a Mega link, but I don't think it was authorized.

  • Can you PM (private message) me?

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience


  • Hey,
    In the handshake process, there is no ACK packet from 128.135.3.3.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience


  • The packet originates at 219.170.1.51, bound for printer 128.135.3.3.
    I don't understand how you get lost
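
The capture posted in this thread shows the same SYN-ACK from port 9100 repeated with no handshake ever completing. As an added example (not part of the original thread and not Sophos code), the Python below finds such stalled handshakes in a Wireshark packet-list text export; the sample rows are constructed with documentation addresses, and `stalled_handshakes` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample in Wireshark's packet-list text format (documentation
# addresses, not taken from the thread). Flow 60001 completes; 60002 stalls.
SAMPLE = """\
1 0.000000 198.51.100.51 192.0.2.3 TCP 66 60001 → 9100 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
2 0.000400 192.0.2.3 198.51.100.51 TCP 64 9100 → 60001 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
3 0.000900 198.51.100.51 192.0.2.3 TCP 60 60001 → 9100 [ACK] Seq=1 Ack=1 Win=64240 Len=0
4 5.000000 192.0.2.3 198.51.100.51 TCP 64 9100 → 60002 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
5 8.000000 192.0.2.3 198.51.100.51 TCP 64 [TCP Retransmission] 9100 → 60002 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
6 14.000000 192.0.2.3 198.51.100.51 TCP 64 [TCP Retransmission] 9100 → 60002 [SYN, ACK] Seq=0 Ack=1 Win=23 Len=0 MSS=1460 WS=1
7 15.000000 192.0.2.3 198.51.100.51 SNMP 125 get-response 1.3.6.1.2.1.25.3.2.1.5.1
"""

# No, Time, Source, Destination, "TCP", Length, optional retransmission tag,
# then "sport → dport [FLAGS]".
LINE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?:\[TCP Retransmission\]\s+)?"
    r"(?P<sport>\d+)\s+(?:→|->)\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\]"
)


def stalled_handshakes(text):
    """Return {(client, cport, server, sport): synack_count} for connections
    where the server's SYN-ACK is seen but no ACK from the client follows."""
    synacks = defaultdict(int)
    completed = set()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ARP, SNMP, BROWSER and other non-TCP rows
        flags = {f.strip() for f in m["flags"].split(",")}
        src, dst = m["src"], m["dst"]
        sport, dport = int(m["sport"]), int(m["dport"])
        if flags == {"SYN", "ACK"}:
            # Sent by the server, so the client is the destination.
            synacks[(dst, dport, src, sport)] += 1
        elif "ACK" in flags and not flags & {"SYN", "RST"}:
            # An ACK from the client side completes the handshake.
            completed.add((src, sport, dst, dport))
    return {k: n for k, n in synacks.items() if k not in completed}


if __name__ == "__main__":
    for (client, cport, server, sport), n in stalled_handshakes(SAMPLE).items():
        print(f"{client}:{cport} -> {server}:{sport}: "
              f"{n} SYN-ACK(s), no completing ACK seen")
```

A flow that shows up here with a growing SYN-ACK count means the capture point never saw the client's final ACK, so the next step is to capture on the other firewall interface and compare which side of the device the packets disappear on.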