Using an XG 135 model. Updated to the latest firmware; however, some sites (provider.cignaenvoy.com) are unreachable. I am able to get a reply when I ping the site.
This is the reply I get from tcpdump:
15:36:26.723811 Port7, IN: IP 192.X.X.X.13610 > 170.48.14.103.443: Flags [S], seq 1974464885, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:36:26.723827 Port2.XXXX, OUT: IP 192.X.X.X.13610 > 170.48.14.103.443: Flags [S], seq 1974464885, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:36:26.723829 Port2, OUT: ethertype IPv4, IP 192.X.X.X.13610 > 170.48.14.103.443: Flags [S], seq 1974464885, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
As per the logs, the request is sent OUT from Port 2 (ISP), but there is no reply back IN on Port 2. You need to contact your ISP to allow the access.
15:36:26.723827 Port2.XXXX, OUT: IP 192.X.X.X.13610 > 170.48.14.103.443: Flags [S], seq 1974464885, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:36:26.723829 Port2, OUT: ethertype IPv4, IP 192.X.X.X.13610 > 170.48.14.103.443: Flags [S], seq 1974464885, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
Regards
"Sophos Partner: Networkkings Pvt Ltd".
If a post solves your question please use the 'Verify Answer' button.
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
15:40:30.195183 Port7, IN: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:30.195245 Port2.1763, OUT: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:30.195248 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:30.195381 Port7, IN: IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:30.195418 Port2.1763, OUT: IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:30.195420 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:30.459658 Port7, IN: IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:30.459705 Port2.1763, OUT: IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:30.459708 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:31.207145 Port7, IN: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:31.207162 Port2.1763, OUT: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:31.207163 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:31.207147 Port7, IN: IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:31.207170 Port2.1763, OUT: IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:31.207172 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:31.473123 Port7, IN: IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:31.473134 Port2.1763, OUT: IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:31.473136 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:33.213751 Port7, IN: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:33.213764 Port2.1763, OUT: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:33.213765 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:33.213752 Port7, IN: IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:33.213772 Port2.1763, OUT: IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:33.213773 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:33.480551 Port7, IN: IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:33.480567 Port2.1763, OUT: IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:33.480569 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:37.216430 Port7, IN: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:37.216444 Port2.1763, OUT: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:37.216446 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:37.216432 Port7, IN: IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:37.216452 Port2.1763, OUT: IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:37.216454 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:37.484614 Port7, IN: IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:37.484625 Port2.1763, OUT: IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:37.484627 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:45.224143 Port7, IN: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:45.224157 Port2.1763, OUT: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:45.224159 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:45.224145 Port7, IN: IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:45.224167 Port2.1763, OUT: IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:45.224168 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14211 > 170.48.14.103.443: Flags [S], seq 1491680496, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:45.492100 Port7, IN: IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:45.492112 Port2.1763, OUT: IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:40:45.492113 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14212 > 170.48.14.103.443: Flags [S], seq 4073603534, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
If you look again into the logs, you will not see a Port2, IN packet.
As per the logs, Port 2 is sending the request OUT with SYN; no three-way handshake is getting completed.
You need to allow it from the ISP end.
For reference, I will share working logs.
Request is going out from firewall
00:16:55.762115 PortB, OUT: IP 192.168.183.134.54198 > 170.48.14.103.443: Flags [S], seq 3822245617, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
Reply coming back from ISP
00:16:56.068612 PortB, IN: IP 170.48.14.103.443 > 192.168.183.134.54198: Flags [S.], seq 2029126218, ack 3822245618, win 64240, options [mss 1460], length 0
Three-way handshake is getting completed with SYN-ACK
00:16:56.079873 PortB, OUT: IP 192.168.183.134.54198 > 170.48.14.103.443: Flags [.], ack 1, win 29200, length 0
Regards
"Sophos Partner: Networkkings Pvt Ltd".
Hello,
as Bharat J already wrote, the TCP connection is not established.
There can be various reasons for this:
- Web service on the target server is down (can it be reached from another network or cell phone?)
- you are blacklisted (can it be reached from another network or cell phone?)
- your provider (or country) doesn't allow the connection
- you use an IP instead of an FQDN and the server denies an answer
- other technical problems
Possible next steps:
Do you get an error message? (check the log viewer too)
You may try the "tcping" tool to check the lower layers of the TCP connection (but the missing "SYN ACK" answers this question too).
You may try ssl-labs or testtls to check server reachability.
Dirk
Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
BUT ...
Why do we see a private IP at the outbound interface too?
15:40:37.216452 Port2.1763, OUT: IP 192.168.100.72.14211 > 170.48.14.103.443
Is there another device in front of the Sophos firewall that SNATs/masquerades the outbound traffic?
Dirk
If you send traffic to the internet while using a private IP, the next router should drop the packets.
Maybe there is no NAT / MASQUERADING rule for this traffic.
Dirk
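The two checks made in this thread, SYN going out with no SYN-ACK coming back and a private source address leaving on an OUT interface, as a small parser over the SFOS tcpdump lines. This is an added illustration, not code from Sophos or from any poster; the record layout it matches, the flow key and the sample lines (quoted from the captures above, tails trimmed after the flags) are assumptions. The private-source check is only a prompt to verify the SNAT/masquerade rule, as Dirk asked, since an upstream NAT device would explain it just as well.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the SFOS tcpdump record shape seen in this thread, up to the TCP flags.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>[^,]+), (?P<dir>IN|OUT): (?:ethertype IPv4, )?IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None  # None for non-packet lines such as "listening on any"

def analyse(lines):
    # One record per client flow (src, sport, dst, dport); ports stay as strings.
    flows = defaultdict(lambda: {"syn_out": defaultdict(int), "synack_in": False, "private_src_out": False})
    for p in filter(None, map(parse_line, lines)):
        if p["flags"] == "S" and p["dir"] == "OUT":
            f = flows[(p["src"], p["sport"], p["dst"], p["dport"])]
            # SFOS logs one SYN on both the VLAN sub-interface (Port2.1763) and its parent
            # (Port2), so count per interface; the retransmit count is the largest of them.
            f["syn_out"][p["iface"]] += 1
            if ipaddress.ip_address(p["src"]).is_private:  # RFC 1918 source leaving the firewall
                f["private_src_out"] = True
        elif p["flags"] == "S." and p["dir"] == "IN":
            # A SYN-ACK travels back towards the client, so swap the tuple to find its flow.
            flows[(p["dst"], p["dport"], p["src"], p["sport"])]["synack_in"] = True
    return flows

def findings(flow):
    out, attempts = [], max(flow["syn_out"].values(), default=0)
    if flow["synack_in"]:
        out.append("SYN-ACK received: three-way handshake reached the firewall")
    elif attempts:
        out.append(f"no SYN-ACK after {attempts} SYN attempt(s): dropped or filtered upstream")
    if flow["private_src_out"]:
        out.append("private source on an OUT interface: check the SNAT/masquerade rule")
    return out

# Sample records quoted from the thread's captures (tails after the flags trimmed): the
# failing flow retransmits its SYN with no reply; the partner's reference flow gets a SYN-ACK.
FAILING = [
    "15:40:30.195245 Port2.1763, OUT: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678",
    "15:40:30.195248 Port2, OUT: ethertype IPv4, IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678",
    "15:40:31.207162 Port2.1763, OUT: IP 192.168.100.72.14210 > 170.48.14.103.443: Flags [S], seq 664420678",
]
WORKING = [
    "00:16:55.762115 PortB, OUT: IP 192.168.183.134.54198 > 170.48.14.103.443: Flags [S], seq 3822245617",
    "00:16:56.068612 PortB, IN: IP 170.48.14.103.443 > 192.168.183.134.54198: Flags [S.], seq 2029126218, ack 3822245618",
]
```

Running `findings(f)` over each flow from `analyse(FAILING)` and `analyse(WORKING)` reproduces the thread's two diagnoses; feed it the full capture pasted above to see every client port retransmitting with no reply.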