
Strange behaviour in SSL VPN, Firewall traffic "fwrule=60001"

Hi Community,

I'm facing a strange problem on a Sophos at one of our customers. The SSL VPN has been struggling with long first loading times in the browser; for example, we go to google.com and it takes about 40 seconds to load, so I thought it was a DNS problem. However, the Sophos support and I tried every possible DNS thing, to no avail. Then we were looking at the firewall logs and we saw that the traffic from the SSL VPN to the Sophos (which is acting as a proxy on port 8080) was being dropped? But then the next strange thing is that after some time it starts working, yet the traffic to port 8080 is being dropped. I'm now wondering what is happening here.

Here is the firewall log

10.119.1.3 is the Sophos UTM 9.716, and my test client is running the latest Sophos Connect client using the SSL VPN; it's the IP 10.117.4.2, currently trying to access google.de.

action="drop" fwrule="60001" initf="tun0" srcip="10.117.4.2" dstip="10.119.1.3" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="60627" dstport="8080" tcpflags="SYN"

I've read that it could be due to masquerading?

Oh, and for some reason the SSL VPN pool also isn't part of the default web filter profile, but yet it's working?

Greetings 

George



  • Update:

    I have now added the network; now the traffic to 8080 is no longer being dropped, however now it's dropping the port 80 requests.

    After some research I've discovered that it's the default port for AD SSO authentication, since it's being used for the proxy auth.

    2023:08:07-11:34:06 anfw01-1 ulogd[3222]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="tun0" srcip="10.117.4.4" dstip="10.119.1.3" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="28242" dstport="80" tcpflags="SYN" 

    I've also read that AD SSO is only available for transparent?
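
One way to triage packetfilter lines like the two quoted in this thread, as an added example that is not part of the original posts or of Sophos tooling: it parses the key="value" fields and groups drops by rule, inbound interface and destination service, so each blocked local port shows up once with its packet and flow counts. The function names and the third sample line are constructed for this example.

```python
import re
from collections import defaultdict

LOG_LINES = [
    # Copied from the first post.
    'action="drop" fwrule="60001" initf="tun0" srcip="10.117.4.2" dstip="10.119.1.3" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="60627" dstport="8080" tcpflags="SYN"',
    # Copied from the update.
    '2023:08:07-11:34:06 anfw01-1 ulogd[3222]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="tun0" srcip="10.117.4.4" dstip="10.119.1.3" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="28242" dstport="80" tcpflags="SYN"',
    # Constructed for this example: the first client retrying the same SYN.
    'action="drop" fwrule="60001" initf="tun0" srcip="10.117.4.2" dstip="10.119.1.3" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="60627" dstport="8080" tcpflags="SYN"',
]

FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse(line):
    """Return the key="value" pairs of one log line as a dict."""
    return dict(FIELD.findall(line))


def dropped_services(lines):
    """Group dropped packets by (fwrule, initf, dstip, dstport)."""
    groups = defaultdict(lambda: {"packets": 0, "flows": set(), "flags": set()})
    for line in lines:
        f = parse(line)
        if f.get("action") != "drop" or "dstport" not in f:
            continue  # not a drop, or no port (e.g. ICMP)
        key = (f.get("fwrule"), f.get("initf"), f.get("dstip"), int(f["dstport"]))
        g = groups[key]
        g["packets"] += 1
        # Same source IP and port means a retry of one connection attempt.
        g["flows"].add((f.get("srcip"), f.get("srcport")))
        g["flags"].add(f.get("tcpflags", ""))
    return dict(groups)


def report(lines):
    """One summary row per blocked service, busiest first."""
    ranked = sorted(dropped_services(lines).items(), key=lambda kv: -kv[1]["packets"])
    return [
        f"fwrule={rule} in={iface} dst={dst}:{port} packets={g['packets']} "
        f"flows={len(g['flows'])} flags={','.join(sorted(g['flags']))}"
        for (rule, iface, dst, port), g in ranked
    ]


if __name__ == "__main__":
    print("\n".join(report(LOG_LINES)))
```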
