Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Unreachable websites

Using xg 135 model. Updated to the latest firmware however, some sites provider.cignaenvoy.com are unreachable. I am able to get a reply when I ping the site.



Added TAgs
[edited by: Erick Jan at 12:35 AM (GMT -7) on 27 May 2024]
  • Hi err,

    Please check output from SSH with option 4 

    console>tcpdump 'host provider.cignaenvoy.com 

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • This is the reply i get from tcpdump

    15:36:26.723811 Port7, IN: IP 192.X.X.X.13610 > 170.48.14.103.443: Flags [S
    ], seq 1974464885, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], le
    ngth 0                                                                          
    15:36:26.723827 Port2.XXXX, OUT: IP 192.X.X.X.13610 > 170.48.14.103.443: Fl
    ags [S], seq 1974464885, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackO
    K], length 0                                                                    
    15:36:26.723829 Port2, OUT: ethertype IPv4, IP 192.X.X.X.13610 > 170.48.14.
    103.443: Flags [S], seq 1974464885, win 64240, options [mss 1460,nop,wscale 8,no
    p,nop,sackOK], length 0    
  • As per the logs request is sending OUT from Port 2 ISP no reply back on Port 2 with IN packet you need to contact your ISP to allow the access.

    15:36:26.723827 Port2.XXXX, OUT: IP 192.X.X.X.13610 > 170.48.14.103.443: Fl
    ags [S], seq 1974464885, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackO
    K], length 0                                                                    
    15:36:26.723829 Port2, OUT: ethertype IPv4, IP 192.X.X.X.13610 > 170.48.14.
    103.443: Flags [S], seq 1974464885, win 64240, options [mss 1460,nop,wscale 8,no
    p,nop,sackOK], length 0    


    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 byt
    es                                                                              
    15:40:30.195183 Port7, IN: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S
    ], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], len
    gth 0                                                                           
    15:40:30.195245 Port2.1763, OUT: IP 192.168.100.72.14210 > 170.48.14.103.443: Fl
    ags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK
    ], length 0                                                                     
    15:40:30.195248 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14210 > 170.48.14.
    103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop
    ,nop,sackOK], length 0                                                          
    15:40:30.195381 Port7, IN: IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S
    ], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], le
    ngth 0                                                                          
    15:40:30.195418 Port2.1763, OUT: IP 192.168.100.72.14211 > 170.48.14.103.443: Fl
    ags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackO
    K], length 0                                                                    
    15:40:30.195420 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14211 > 170.48.14.
    103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,no
    p,nop,sackOK], length 0                                                         
    15:40:30.459658 Port7, IN: IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S
    ], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], le
    ngth 0                                                                          
    15:40:30.459705 Port2.1763, OUT: IP 192.168.100.72.14212 > 170.48.14.103.443: Fl
    ags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackO
    K], length 0                                                                    
    15:40:30.459708 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14212 > 170.48.14.
    103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,no
    p,nop,sackOK], length 0                                                         
    15:40:31.207145 Port7, IN: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S
    ], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], len
    gth 0                                                                           
    15:40:31.207162 Port2.1763, OUT: IP 192.168.100.72.14210 > 170.48.14.103.443: Fl
    ags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK
    ], length 0                                                                     
    15:40:31.207163 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14210 > 170.48.14.
    103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop
    ,nop,sackOK], length 0                                                          
    15:40:31.207147 Port7, IN: IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S
    ], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], le
    ngth 0                                                                          
    15:40:31.207170 Port2.1763, OUT: IP 192.168.100.72.14211 > 170.48.14.103.443: Fl
    ags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackO
    K], length 0                                                                    
    15:40:31.207172 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14211 > 170.48.14.
    103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,no
    p,nop,sackOK], length 0                                                         
    15:40:31.473123 Port7, IN: IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S
    ], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], le
    ngth 0                                                                          
    15:40:31.473134 Port2.1763, OUT: IP 192.168.100.72.14212 > 170.48.14.103.443: Fl
    ags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackO
    K], length 0                                                                    
    15:40:31.473136 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14212 > 170.48.14.
    103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,no
    p,nop,sackOK], length 0                                                         
    15:40:33.213751 Port7, IN: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S
    ], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], len
    gth 0                                                                           
    15:40:33.213764 Port2.1763, OUT: IP 192.168.100.72.14210 > 170.48.14.103.443: Fl
    ags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK
    ], length 0                                                                     
    15:40:33.213765 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14210 > 170.48.14.
    103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop
    ,nop,sackOK], length 0                                                          
    15:40:33.213752 Port7, IN: IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S
    ], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], le
    ngth 0                                                                          
    15:40:33.213772 Port2.1763, OUT: IP 192.168.100.72.14211 > 170.48.14.103.443: Fl
    ags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackO
    K], length 0                                                                    
    15:40:33.213773 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14211 > 170.48.14.
    103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,no
    p,nop,sackOK], length 0                                                         
    15:40:33.480551 Port7, IN: IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S
    ], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], le
    ngth 0                                                                          
    15:40:33.480567 Port2.1763, OUT: IP 192.168.100.72.14212 > 170.48.14.103.443: Fl
    ags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackO
    K], length 0                                                                    
    15:40:33.480569 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14212 > 170.48.14.
    103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,no
    p,nop,sackOK], length 0                                                         
    15:40:37.216430 Port7, IN: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S
    ], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], len
    gth 0                                                                           
    15:40:37.216444 Port2.1763, OUT: IP 192.168.100.72.14210 > 170.48.14.103.443: Fl
    ags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK
    ], length 0                                                                     
    15:40:37.216446 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14210 > 170.48.14.
    103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop
    ,nop,sackOK], length 0                                                          
    15:40:37.216432 Port7, IN: IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S
    ], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], le
    ngth 0                                                                          
    15:40:37.216452 Port2.1763, OUT: IP 192.168.100.72.14211 > 170.48.14.103.443: Fl
    ags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackO
    K], length 0                                                                    
    15:40:37.216454 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14211 > 170.48.14.
    103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,no
    p,nop,sackOK], length 0                                                         
    15:40:37.484614 Port7, IN: IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S
    ], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], le
    ngth 0                                                                          
    15:40:37.484625 Port2.1763, OUT: IP 192.168.100.72.14212 > 170.48.14.103.443: Fl
    ags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackO
    K], length 0                                                                    
    15:40:37.484627 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14212 > 170.48.14.
    103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,no
    p,nop,sackOK], length 0                                                         
    15:40:45.224143 Port7, IN: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S
    ], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], len
    gth 0                                                                           
    15:40:45.224157 Port2.1763, OUT: IP 192.168.100.72.14210 > 170.48.14.103.443: Fl
    ags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK
    ], length 0                                                                     
    15:40:45.224159 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14210 > 170.48.14.
    103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop
    ,nop,sackOK], length 0                                                          
    15:40:45.224145 Port7, IN: IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S
    ], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], le
    ngth 0                                                                          
    15:40:45.224167 Port2.1763, OUT: IP 192.168.100.72.14211 > 170.48.14.103.443: Fl
    ags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackO
    K], length 0                                                                    
    15:40:45.224168 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14211 > 170.48.14.
    103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,no
    p,nop,sackOK], length 0                                                         
    15:40:45.492100 Port7, IN: IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S
    ], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], le
    ngth 0                                                                          
    15:40:45.492112 Port2.1763, OUT: IP 192.168.100.72.14212 > 170.48.14.103.443: Fl
    ags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackO
    K], length 0                                                                    
    15:40:45.492113 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14212 > 170.48.14.
    103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,no
    p,nop,sackOK], length 0
  • i got a differenct reply on creating a firewall rule specific to that access. what can be the issue causing the site to be unreachable?

  • If you look again into the logs you will not get Port2, IN packet 

    As per the logs Port 2 is sending request OUT with SYN no three way handshake is getting completed.

    You need to allow it from ISP end.

    For reference I will share working logs 

    Request is going out from firewall 

    00:16:55.762115 PortB, OUT: IP 192.168.183.134.54198 > 170.48.14.103.443: Flags [S], seq 3822245617, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

    Reply coming back from ISP 


    00:16:56.068612 PortB, IN: IP 170.48.14.103.443 > 192.168.183.134.54198: Flags [S.], seq 2029126218, ack 3822245618, win 64240, options [mss 1460], length 0

    Three way handshake is getting completed with Syn-Ack


    00:16:56.079873 PortB, OUT: IP 192.168.183.134.54198 > 170.48.14.103.443: Flags [.], ack 1, win 29200, length 0

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hello,
    as Bharat J already wrote, the TCP connection is not established.
    There can be various reasons for this:
    - Web service on the target server is down (can it be reached from another network or cell phone?)
    - you are blacklisted (can it be reached from another network or cell phone?)
    - your provider (or country) didn't allow the connection
    - you use IP instead of FQDN and server denies an answer
    - other technical problems

    possible next steps:
    do you get an error message? (check logviewer too)
    you my try "tcping" tool to check lower layers of TCP-connection (but the missing "SYN ACK" answer this question too)
    you my try ssl-labs or testtls to check server reachability


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • BUT ...
    Why, we see a private IP at the Outbound interface too?

    15:40:37.216452 Port2.1763, OUT: IP 192.168.100.72.14211 > 170.48.14.103.443

    Is there another device in front of sophos firewall for SNAT/Masquerade the outbound traffic ?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.