
Unreachable websites

Using an XG 135 model. Updated to the latest firmware; however, some sites (provider.cignaenvoy.com) are unreachable. I am able to get a reply when I ping the site.

  • Hi err,

    Please check the output from SSH, option 4:

    console> tcpdump 'host provider.cignaenvoy.com'

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • This is the reply I get from tcpdump:

    15:36:26.723811 Port7, IN: IP 192.X.X.X.13610 > 170.48.14.103.443: Flags [S], seq 1974464885, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:36:26.723827 Port2.XXXX, OUT: IP 192.X.X.X.13610 > 170.48.14.103.443: Flags [S], seq 1974464885, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:36:26.723829 Port2, OUT: ethertype IPv4, IP 192.X.X.X.13610 > 170.48.14.103.443: Flags [S], seq 1974464885, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
  • As per the logs, the request is sent OUT from Port2 (ISP) but no reply comes back IN on Port2; you need to contact your ISP to allow the access.

    15:36:26.723827 Port2.XXXX, OUT: IP 192.X.X.X.13610 > 170.48.14.103.443: Flags [S], seq 1974464885, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:36:26.723829 Port2, OUT: ethertype IPv4, IP 192.X.X.X.13610 > 170.48.14.103.443: Flags [S], seq 1974464885, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0


    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks, I appreciate your feedback.

  • listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
    15:40:30.195183 Port7, IN: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:30.195245 Port2.1763, OUT: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:30.195248 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:30.195381 Port7, IN: IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:30.195418 Port2.1763, OUT: IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:30.195420 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:30.459658 Port7, IN: IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:30.459705 Port2.1763, OUT: IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:30.459708 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:31.207145 Port7, IN: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:31.207162 Port2.1763, OUT: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:31.207163 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:31.207147 Port7, IN: IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:31.207170 Port2.1763, OUT: IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:31.207172 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:31.473123 Port7, IN: IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:31.473134 Port2.1763, OUT: IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:31.473136 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:33.213751 Port7, IN: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:33.213764 Port2.1763, OUT: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:33.213765 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:33.213752 Port7, IN: IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:33.213772 Port2.1763, OUT: IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:33.213773 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:33.480551 Port7, IN: IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:33.480567 Port2.1763, OUT: IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:33.480569 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:37.216430 Port7, IN: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:37.216444 Port2.1763, OUT: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:37.216446 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:37.216432 Port7, IN: IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:37.216452 Port2.1763, OUT: IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:37.216454 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:37.484614 Port7, IN: IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:37.484625 Port2.1763, OUT: IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:37.484627 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:45.224143 Port7, IN: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:45.224157 Port2.1763, OUT: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:45.224159 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:45.224145 Port7, IN: IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:45.224167 Port2.1763, OUT: IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:45.224168 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:45.492100 Port7, IN: IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:45.492112 Port2.1763, OUT: IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    15:40:45.492113 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
  • I got a different reply on creating a firewall rule specific to that access. What can be the issue causing the site to be unreachable?

  • If you look again into the logs, you will not get a Port2, IN packet.

    As per the logs, Port2 is sending the request OUT with SYN; no three-way handshake is getting completed.

    You need to allow it from the ISP end.

    For reference I will share working logs.

    Request is going out from the firewall:

    00:16:55.762115 PortB, OUT: IP 192.168.183.134.54198 > 170.48.14.103.443: Flags [S], seq 3822245617, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

    Reply coming back from the ISP:

    00:16:56.068612 PortB, IN: IP 170.48.14.103.443 > 192.168.183.134.54198: Flags [S.], seq 2029126218, ack 3822245618, win 64240, options [mss 1460], length 0

    Three-way handshake is getting completed with SYN-ACK:

    00:16:56.079873 PortB, OUT: IP 192.168.183.134.54198 > 170.48.14.103.443: Flags [.], ack 1, win 29200, length 0

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hello,
    as Bharat J already wrote, the TCP connection is not established.
    There can be various reasons for this:
    - the web service on the target server is down (can it be reached from another network or a cell phone?)
    - you are blacklisted (can it be reached from another network or a cell phone?)
    - your provider (or country) does not allow the connection
    - you use an IP instead of the FQDN and the server denies an answer
    - other technical problems

    Possible next steps:
    Do you get an error message? (Check the log viewer too.)
    You may try the "tcping" tool to check the lower layers of the TCP connection (but the missing "SYN ACK" answers this question too).
    You may try ssl-labs or testtls to check server reachability.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • BUT ...
    Why do we see a private IP at the outbound interface too?

    15:40:37.216452 Port2.1763, OUT: IP 192.168.100.72.14211 > 170.48.14.103.443

    Is there another device in front of the Sophos firewall that SNATs/masquerades the outbound traffic?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • No, there is no other device.
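An added example (not from this thread or from Sophos) that automates the two checks the replies above make by eye: Bharat J's point that a flow with only outbound SYNs and no SYN-ACK coming back IN never completes the handshake, and Dirk's point that an RFC 1918 source address should not be seen leaving an outbound interface un-NATed. The script parses the SFOS console tcpdump line format and groups packets per client/server 4-tuple; the sample capture is constructed from the lines quoted in this thread, unwrapped and with the TCP options trimmed, and the line regex is an assumption that fits those lines.

```python
import re
from collections import Counter
from ipaddress import ip_address
# One tcpdump line as the SFOS console prints it ("Port2.1763, OUT: IP a.b.c.d.port > ...").
LINE_RE = re.compile(
    r"^\S+ (?P<iface>[\w.]+), (?P<dir>IN|OUT): (?:ethertype IPv4, )?IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def handshake_report(lines):
    # {(client_ip, client_port, server_ip, server_port): (status, max SYNs on one hop, private src on OUT)}
    flows = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        if p["flags"] == "S":                  # client SYN (repeats are retransmissions)
            key = (p["src"], int(p["sport"]), p["dst"], int(p["dport"]))
            f = flows.setdefault(key, {"syn": Counter(), "syn_ack": False, "ack": False, "priv": False})
            f["syn"][(p["iface"], p["dir"])] += 1   # count per hop; one packet is logged on several
            if p["dir"] == "OUT" and ip_address(p["src"]).is_private:
                f["priv"] = True               # un-NATed RFC 1918 source leaving an interface
        elif p["flags"] == "S.":               # server SYN-ACK
            key = (p["dst"], int(p["dport"]), p["src"], int(p["sport"]))
            if key in flows:
                flows[key]["syn_ack"] = True
        elif p["flags"] == ".":                # client ACK that completes the handshake
            key = (p["src"], int(p["sport"]), p["dst"], int(p["dport"]))
            if key in flows and flows[key]["syn_ack"]:
                flows[key]["ack"] = True
    report = {}
    for key, f in flows.items():
        status = "established" if f["ack"] else ("syn_ack_seen" if f["syn_ack"] else "no_syn_ack")
        report[key] = (status, max(f["syn"].values()), f["priv"])
    return report

# Sample capture constructed from the lines quoted in this thread (unwrapped, TCP options trimmed).
SAMPLE = """\
15:40:30.195245 Port2.1763, OUT: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, length 0
15:40:31.207162 Port2.1763, OUT: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, length 0
00:16:55.762115 PortB, OUT: IP 192.168.183.134.54198 > 170.48.14.103.443: Flags [S], seq 3822245617, win 29200, length 0
00:16:56.068612 PortB, IN: IP 170.48.14.103.443 > 192.168.183.134.54198: Flags [S.], seq 2029126218, ack 3822245618, win 64240, length 0
00:16:56.079873 PortB, OUT: IP 192.168.183.134.54198 > 170.48.14.103.443: Flags [.], ack 1, win 29200, length 0
""".splitlines()

if __name__ == "__main__":
    for flow, (status, syns, priv) in handshake_report(SAMPLE).items():
        print("%s:%d -> %s:%d  %s  SYNs=%d  private-src-on-OUT=%s" % (*flow, status, syns, priv))
```

Run it against the full console output pasted above (each packet on one line) and the three client ports show up as no_syn_ack with repeated SYNs, which is the symptom the replies describe; a private source on an OUT interface only means something upstream must be doing the SNAT, which is the question Dirk raised.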