TCP Packets stop returning at Midday

Hello,

I have a really weird problem here that I am having a very hard time troubleshooting.

We have a security device here that sends packets to port 30003 out to two IP addresses each second. It basically sends the status of the device to the security company.

The problem is that at some point, usually only 1-2 seconds after Midday (12:00), the company stops receiving the signal.

I did some network analysis:

I ran the tcpdump on the WAN-Port on the firewall, and could see that the device is sending the packets to two IPs.

Writing it to a .pcap file, I found out that the packets turn red at 12:00, and instead of the normal PSH, ACK I start getting transmission errors, and I see no ACK.

My understanding would be that this means that the remote server is not sending ACK after my firewall has sent the SYN.

I am a complete beginner in Wireshark and these things, so bear with me please. I have trouble understanding whether this is a problem on our side or theirs.

The fact is if I change the WAN-Port (we have two different internet providers) from LTE to DSL, or vice versa, the signal returns to normal.

I'm using Multipath Rules to change the path, and that seems to work well. I didn't notice any irregularities on the firewall either. We have IPS and Web-Filtering active, but that shouldn't interfere, should it?

I would be very thankful for any idea.

Thanks
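A way to make the capture analysis described above repeatable, as an added example that is not part of the original post: instead of eyeballing red rows in Wireshark, run the text output of `tcpdump -n` on the WAN interface through a small script that records, per remote IP, the last inbound ACK and the first outbound retransmission (the same data segment sent again). If retransmissions begin and no ACK ever follows, the firewall is still sending and the remote (or the path to it) has stopped answering. The sample lines, the WAN address 203.0.113.10 and the remote addresses 198.51.100.20/.21 are constructed; one remote keeps ACKing and the other goes silent after 12:00:00 so the contrast is visible.

```python
"""Added example, not from the thread: find when a remote stops ACKing.

Input is tcpdump -n style text captured on the firewall's WAN port.
All addresses and packets below are constructed for the demonstration.
"""
import re
from collections import defaultdict

# One-line tcpdump -n format. Real captures may carry extra fields
# (TCP options etc.); the trailing ".*" before "length" skips them.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\],"
    r"(?: seq (?P<seq>\d+)(?::\d+)?,)?(?: ack (?P<ack>\d+),)?.* length (?P<len>\d+)$"
)

LOCAL_IP = "203.0.113.10"   # constructed WAN address of the firewall
PORT = 30003                # port the security device reports to

# Constructed capture: .20 keeps acknowledging, .21 stops after 12:00:00.
SAMPLE = """\
11:59:59.000100 IP 203.0.113.10.51234 > 198.51.100.20.30003: Flags [P.], seq 1:21, ack 1, win 502, length 20
11:59:59.040200 IP 198.51.100.20.30003 > 203.0.113.10.51234: Flags [.], ack 21, win 510, length 0
11:59:59.000300 IP 203.0.113.10.51235 > 198.51.100.21.30003: Flags [P.], seq 1:21, ack 1, win 502, length 20
11:59:59.041000 IP 198.51.100.21.30003 > 203.0.113.10.51235: Flags [.], ack 21, win 510, length 0
12:00:00.000100 IP 203.0.113.10.51234 > 198.51.100.20.30003: Flags [P.], seq 21:41, ack 1, win 502, length 20
12:00:00.040200 IP 198.51.100.20.30003 > 203.0.113.10.51234: Flags [.], ack 41, win 510, length 0
12:00:00.000300 IP 203.0.113.10.51235 > 198.51.100.21.30003: Flags [P.], seq 21:41, ack 1, win 502, length 20
12:00:00.041000 IP 198.51.100.21.30003 > 203.0.113.10.51235: Flags [.], ack 41, win 510, length 0
12:00:01.000100 IP 203.0.113.10.51234 > 198.51.100.20.30003: Flags [P.], seq 41:61, ack 1, win 502, length 20
12:00:01.000300 IP 203.0.113.10.51235 > 198.51.100.21.30003: Flags [P.], seq 41:61, ack 1, win 502, length 20
12:00:01.040200 IP 198.51.100.20.30003 > 203.0.113.10.51234: Flags [.], ack 61, win 510, length 0
12:00:01.210000 IP 203.0.113.10.51235 > 198.51.100.21.30003: Flags [P.], seq 41:61, ack 1, win 502, length 20
12:00:01.630000 IP 203.0.113.10.51235 > 198.51.100.21.30003: Flags [P.], seq 41:61, ack 1, win 502, length 20
12:00:02.000100 IP 203.0.113.10.51234 > 198.51.100.20.30003: Flags [P.], seq 61:81, ack 1, win 502, length 20
12:00:02.040200 IP 198.51.100.20.30003 > 203.0.113.10.51234: Flags [.], ack 81, win 510, length 0
""".splitlines()


def to_seconds(ts):
    """HH:MM:SS.ffffff -> seconds since midnight (same-day captures)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse(lines):
    """Turn tcpdump text lines into dicts; lines that don't match are skipped."""
    packets = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        packets.append({
            "t": to_seconds(d["ts"]), "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "flags": d["flags"],
            "seq": int(d["seq"]) if d["seq"] else None,
            "ack": int(d["ack"]) if d["ack"] else None, "len": int(d["len"]),
        })
    return packets


def analyse(packets, local_ip, port):
    """Per remote IP: last inbound ACK time, first retransmission time, count."""
    seen = defaultdict(set)  # (remote, local port) -> seq numbers already sent
    report = defaultdict(lambda: {"last_ack": None, "first_retransmit": None,
                                  "retransmits": 0})
    for p in packets:
        outbound = p["src"] == local_ip and p["dport"] == port and p["len"] > 0
        inbound = p["dst"] == local_ip and p["sport"] == port and p["ack"] is not None
        if outbound:
            flow = (p["dst"], p["sport"])
            r = report[p["dst"]]
            if p["seq"] in seen[flow]:          # same data sent again
                r["retransmits"] += 1
                if r["first_retransmit"] is None:
                    r["first_retransmit"] = p["t"]
            seen[flow].add(p["seq"])
        elif inbound:
            report[p["src"]]["last_ack"] = p["t"]
    return dict(report)


def verdict(report):
    """'unresponsive' when retransmissions started and no ACK came afterwards."""
    out = {}
    for remote, r in report.items():
        silent = r["retransmits"] > 0 and (
            r["last_ack"] is None or r["last_ack"] < r["first_retransmit"])
        out[remote] = "unresponsive" if silent else "ok"
    return out


if __name__ == "__main__":
    rep = analyse(parse(SAMPLE), LOCAL_IP, PORT)
    for remote, v in verdict(rep).items():
        r = rep[remote]
        print(f"{remote}: {v} (last ACK at {r['last_ack']}, "
              f"{r['retransmits']} retransmissions, first at {r['first_retransmit']})")
```

Run it against a real capture with `tcpdump -n -i <wan-if> port 30003 | python3 script.py` adapted to read stdin, or save the tcpdump text first. A remote that shows "ok" while the other is "unresponsive" points away from the firewall, since the same WAN path carries both; if both flip to "unresponsive" at the same second on both uplinks, the common factor is the far end, which is what the thread concludes.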



  • Hello,

    If this happens with both WAN connections, I can't imagine that the problem isn't your security company.  I think you need to put some pressure on them to fix their problem.

    In the meantime, you can get an instant, automatic changeover between the WAN connections by disabling 'Automatic monitoring' on the 'Uplink Balancing' tab and using Google DNS and your security company IP as 'Monitoring hosts' - pay attention to #3 in Rulz.  You might want to adjust your Multipath rules.

    Please report your results.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • In the end, we had them come and update the firmware, and change something on the router. Since then, it has been working without a problem, without any change in our system really.

    However, I read your advice about Monitoring, and am trying to grasp it - I am trying to understand how it can be used, especially if combined with the interface. And besides that, what would your configuration do?

    I tried what you suggested though - entered Google DNS and security company IP, and still no change in the path. I also lowered the persistence to 1 minute. It's still going happily over the first interface.

  • Let's discuss monitoring on your other thread.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA