InactiveRpcError when using Sophos FW

A few users in our network use Python & Java scripts to connect to some services on AWS. The scripts work fine when bypassing the Sophos FW or using mobile hotspots. But when using Sophos the users see errors like this in their terminals:

Exception has occurred: _InactiveRpcError
<_InactiveRpcError of RPC that terminated with:
	status = StatusCode.UNAVAILABLE
	details = "failed to connect to all addresses; last error: UNAVAILABLE: ipv4:x.x.x.x:80: Connection timed out"
	debug_error_string = "UNKNOWN:failed to connect to all addresses; last error: UNAVAILABLE: ipv4:x.x.x.x:80: Connection timed out {grpc_status:14, created_time:"2023-08-29T11:22:07.56380364+00:00"}"
>
  File "C:\Users\imesh\Desktop\fw_test.py", line 27, in <module>
    qid = cursor.execute('select * from date_dim limit 3')
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
	status = StatusCode.UNAVAILABLE
	details = "failed to connect to all addresses; last error: UNAVAILABLE: ipv4:x.x.x.x:80: Connection timed out"
	debug_error_string = "UNKNOWN:failed to connect to all addresses; last error: UNAVAILABLE: ipv4:x.x.x.x:80: Connection timed out {grpc_status:14, created_time:"2023-08-29T11:22:07.56380364+00:00"}"
>

In the firewall logs, I see a few denied packets with this error: Could not associate packet to any connection.

Any idea what could be causing this?

  • Hi, Perfect! The traffic via the original rule, for which the connection is getting RESET, may have different possible reasons, like the Firewall DPI/Proxy coming into the picture and inserting the Firewall cert, which is not accepted by the remote server, or many more. If you want more investigation on the same (why it works with the plain rule and why you are getting the RESET error with the original rule), then you may log a support case for the same, so the support team may review the logs for the required services along with tcpdump and PCAP files for those IPs.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support
