
Unable to SSH to any server. Even FTP/SFTP does not work.

Hi all,

I've recently installed Sophos UTM 9 in my home lab, and these are my very first few weeks.
I have been facing a very strange issue lately, and hence I need your help with this.

Two days back, I was trying to transfer files from a remote server using an SFTP connection through FileZilla, and the entire file transfer was choppy: the connection would keep disconnecting every few seconds and then resume the transfer. This went on for a couple of minutes; the connection would terminate and then reconnect again, and the transfer would resume, but after a few minutes the connection was completely disconnected, and since then I am not able to SSH to that server using PuTTY nor through FileZilla (FTP client).

The remote server is online, and I have tried connecting to this server from work (a different location from home), and it works fine from home; I can transfer files without any issues.

It's only here at home where I have Sophos installed.

Prior to Sophos I was able to transfer files and connect to the server without issues.

Is there something in the firewall that is completely blocking the SSH connection to a remote server, or even file transfer, that I need to check or enable, or a rule I need to create?



  • To add to my woes, even the speed test is not working any more.

    It shows..

    The speed test starts and the counter goes up to 350 Mb/sec, and then gradually starts returning back to zero and subsequently shows this error message.

    • Researched a bit here on the forum, and created a rule; it's working now, but I don't like the sound of this rule. Looks like enabling this rule is providing me the bare minimum of protection.

      Go to Network Protection -> Firewall.

      Network Object "Internal (Network)" into the Source field (drag & drop) and "Any" into Destination.
      Service Definition "Any" into the Service field.

      Although now I can SSH and FTP to a remote site, can I just restrict this to one single IP? Or is there a better alternative and more secure option to this?

      • Update..

        Although I can now connect to the remote server using SSH over PuTTY... I am still unable to download flawlessly over FTP.

        The entire internet on the network disconnects; the connection is intermittent and keeps disconnecting every few seconds, and then reconnects.

        Every device on the network disconnects from the internet and then reconnects; it's like the firewall is choking the internet connection.

        • It's pretty depressing with this product and with this forum; no one wants to help a newcomer/user.

          I've had some luck with disabling IPS (been reading around with pain, trying to find a solution myself), and now the connection doesn't fail that often while downloading large files, but still it's not stable. The packets/network do get dropped and I lose connectivity network-wide, and the connection resumes within a few seconds. Although while transferring 300GB of data last night, the internet choked, and I had to reboot the firewall server and then the connection to the internet was restored.

          • Here's the latest update on my issue. I am still struggling with the internet connectivity issue while downloading large files, both over SFTP or torrents, or even on IDM. The internet disconnects, throttles, chokes and then I have to reboot the firewall server for the internet to reconnect again.

             

            I have disabled IPS and my uTorrent download seems to work for longer durations as compared to the time when the uTorrent download would choke the Sophos firewall and disconnect me completely from the internet. After restarting the Sophos server the internet would resume.

            However, now after disabling the IPS the internet seems to work for an hour or two while uTorrent is downloading.. and an hour or two later the earlier symptoms return.

            I have used this uTorrent guide and also enabled a rule under IPS Exceptions.. see below.

            1. Create the Definition for the computer running uTorrent

            Definition and Users -> Network Definitions -> New Network Definition ->

            Name: uTorrent host (or whatever you want to call your seedbox)
            Type: Host
            Interface: Any
            IPv4 Address: 192.168.10.100 (or whatever LAN address your seedbox has)
            Comment: Whatever you want


            2. Create the Service Definition

            Definition and Users -> Service Definitions -> New Service Definition ->

            Name: uTorrent
            Type of Definition: TCP/UDP
            Destination port: 55555 (or whatever port you have set in uTorrent)
            Source port: 1:65535
            Comment: Whatever

            3. Create NAT Rule

            Network Security -> NAT -> DNAT/SNAT -> New NAT rule

            Traffic Source: Any
            Traffic Service: uTorrent
            Traffic Destination: External (WAN) Network - (I don't really understand why it shouldn't be Any to Internal...... but it must be External)
            Nat Mode: DNAT
            Destination: uTorrent Host (the host definition created under p. 1 above)
            Destination Service: uTorrent (the service definition created under p. 2 above)
            Automatic Firewall rule: On

            Turn it on, i.e. press the red/green switch

            4. Create the outbound firewall rule

            Firewall -> New Rule

            Source: uTorrent Host
            Service: Any
            Destination: Any

            Turn it on, i.e. press the red/green switch

            This will open all outbound communication from the uTorrent host

            5. Create the inbound firewall rule

            Firewall -> New Rule

            Source: Any
            Service: uTorrent
            Destination: uTorrent Host

             

            I have also enabled the IPS Exception as seen here...

             

            However please note, I've disabled IPS.. I'd like to keep IPS enabled, but without the download choking and then disconnecting from the internet. Only by disabling the IPS am I able to download for 1-2 hours before the internet again chokes and goes down, thus having me reboot the firewall server.

            Here are my hardware details.

            At the time when I see the highest speed at which the downloads are occurring, the interface looks like this...

            I hope something is not wrong with my network switch settings.. ? :(

            I've read the Rulz page, and got some info from there, and have been scavenging around since then. Looks like no one here ever got into this issue.. why is my download choking, causing the internet to disconnect and then having to reboot the firewall for the internet to work again? :(

            This behaviour is not only with torrents, but even while downloading through an FTP client, while downloading using an SFTP connection. The session keeps getting terminated intermittently many times, and then finally disconnecting me from the internet, and then having to restart the firewall server for the internet to work again.

            Uploading the logs, both live and real time.

            For download links for logs see at the end of this post.


            Live Log: Firewall

            18:35:31 Default DROP UDP 192.168.1.110:56385 -> 97.127.86.33:123 len=76 ttl=62 tos=0x00 srcmac=2c:56:dc:57:4e:f0 dstmac=00:25:90:7c:01:af
            18:35:32 Default DROP TCP 192.168.1.100:51222 -> 65.19.129.167:232 [SYN] len=52 ttl=63 tos=0x00 srcmac=00:0e:8f:79:e3:21 dstmac=00:25:90:7c:01:af
            18:35:35 Default DROP TCP 93.125.74.199:54849 -> xx.xxx.xx.xx:61144 [SYN] len=60 ttl=43 tos=0x10 srcmac=00:01:5c:6a:ac:46 dstmac=00:25:90:7c:01:ae
            18:35:36 Default DROP UDP 192.168.1.110:56385 -> 216.218.254.202:123 len=76 ttl=62 tos=0x00 srcmac=2c:56:dc:57:4e:f0 dstmac=00:25:90:7c:01:af
            18:35:39 Default DROP TCP 192.168.1.100:54013 -> 64.71.178.199:232 [SYN] len=52 ttl=63 tos=0x00 srcmac=00:0e:8f:79:e3:21 dstmac=00:25:90:7c:01:af
            18:35:39 Default DROP UDP 192.168.1.116:38164 -> 91.189.91.157:123 len=76 ttl=63 tos=0x10 srcmac=00:0c:29:ab:6a:88 dstmac=00:25:90:7c:01:af
            18:35:41 Default DROP UDP 192.168.1.110:56385 -> 74.82.59.150:123 len=76 ttl=62 tos=0x00 srcmac=2c:56:dc:57:4e:f0 dstmac=00:25:90:7c:01:af
            18:35:42 Default DROP TCP 192.168.1.100:54013 -> 64.71.178.199:232 [SYN] len=52 ttl=63 tos=0x00 srcmac=00:0e:8f:79:e3:21 dstmac=00:25:90:7c:01:af
            18:35:42 Default DROP TCP 93.125.74.199:54849 -> xx.xxx.xx.xx:61144 [SYN] len=60 ttl=43 tos=0x10 srcmac=00:01:5c:6a:ac:46 dstmac=00:25:90:7c:01:ae
            18:35:42 Default DROP TCP 185.33.236.121:35495 -> xx.xxx.xx.xx:61144 [SYN] len=60 ttl=47 tos=0x10 srcmac=00:01:5c:6a:ac:46 dstmac=00:25:90:7c:01:ae
            18:35:46 Default DROP TCP 185.33.236.121:35495 -> xx.xxx.xx.xx:61144 [SYN] len=60 ttl=47 tos=0x10 srcmac=00:01:5c:6a:ac:46 dstmac=00:25:90:7c:01:ae
            18:35:46 Default DROP UDP 192.168.1.110:56385 -> 66.7.96.1:123 len=76 ttl=62 tos=0x00 srcmac=2c:56:dc:57:4e:f0 dstmac=00:25:90:7c:01:af
            18:35:50 Default DROP TCP 192.168.1.100:54014 -> 64.71.178.199:232 [SYN] len=52 ttl=63 tos=0x00 srcmac=00:0e:8f:79:e3:21 dstmac=00:25:90:7c:01:af
            18:35:50 Default DROP ICMP 192.168.1.110 -> 8.8.8.8 len=84 ttl=62 tos=0x00 srcmac=2c:56:dc:57:4e:f0 dstmac=00:25:90:7c:01:af
            18:35:50 Default DROP UDP 192.168.1.116:48597 -> 91.189.89.199:123 len=76 ttl=63 tos=0x10 srcmac=00:0c:29:ab:6a:88 dstmac=00:25:90:7c:01:af
            18:35:51 Default DROP ICMP 192.168.1.110 -> 8.8.8.8 len=84 ttl=62 tos=0x00 srcmac=2c:56:dc:57:4e:f0 dstmac=00:25:90:7c:01:af
            18:35:52 Default DROP ICMP 192.168.1.110 -> 8.8.8.8 len=84 ttl=62 tos=0x00 srcmac=2c:56:dc:57:4e:f0 dstmac=00:25:90:7c:01:af
            18:35:52 Default DROP TCP 185.33.236.121:35495 -> xx.xxx.xx.xx:61144 [SYN] len=60 ttl=47 tos=0x10 srcmac=00:01:5c:6a:ac:46 dstmac=00:25:90:7c:01:ae
            18:35:52 Default DROP UDP 192.168.1.110:37424 -> 216.218.254.202:123 len=76 ttl=62 tos=0x00 srcmac=2c:56:dc:57:4e:f0 dstmac=00:25:90:7c:01:af
            18:35:52 Default DROP TCP 192.168.1.100:54014 -> 64.71.178.199:232 [SYN] len=52 ttl=63 tos=0x00 srcmac=00:0e:8f:79:e3:21 dstmac=00:25:90:7c:01:af
            18:35:53 Default DROP ICMP 192.168.1.110 -> 8.8.8.8 len=84 ttl=62 tos=0x00 srcmac=2c:56:dc:57:4e:f0 dstmac=00:25:90:7c:01:af
            18:35:53 Default DROP DNS 14.1.112.12:53 -> xx.xxx.xx.xx:59072 len=73 ttl=113 tos=0x10 srcmac=00:01:5c:6a:ac:46 dstmac=00:25:90:7c:01:ae
            18:35:53 Default DROP ICMP 192.168.1.110 -> 8.8.8.8 len=84 ttl=62 tos=0x00 srcmac=2c:56:dc:57:4e:f0 dstmac=00:25:90:7c:01:af
            18:35:54 Default DROP UDP 192.168.1.110:47659 -> 23.23.78.13:33434 len=187 ttl=62 tos=0x00 srcmac=2c:56:dc:57:4e:f0 dstmac=00:25:90:7c:01:af
            18:35:54 Default DROP ICMP 192.168.1.110 -> 8.8.8.8 len=84 ttl=62 tos=0x00 srcmac=2c:56:dc:57:4e:f0 dstmac=00:25:90:7c:01:af
            18:35:56 Default DROP ICMP 192.168.1.110 -> 8.8.8.8 len=84 ttl=62 tos=0x00 srcmac=2c:56:dc:57:4e:f0 dstmac=00:25:90:7c:01:af
            18:35:57 Default DROP ICMP 192.168.1.110 -> 8.8.8.8 len=84 ttl=62 tos=0x00 srcmac=2c:56:dc:57:4e:f0 dstmac=00:25:90:7c:01:af
            18:35:57 Default DROP UDP 192.168.1.110:37424 -> 204.2.134.162:123 len=76 ttl=62 tos=0x00 srcmac=2c:56:dc:57:4e:f0 dstmac=00:25:90:7c:01:af
            18:35:57 Default DROP ICMP 192.168.1.110 -> 8.8.8.8 len=84 ttl=62 tos=0x00 srcmac=2c:56:dc:57:4e:f0 dstmac=00:25:90:7c:01:af
            18:35:59 Default DROP ICMP 192.168.1.110 -> 8.8.8.8 len=84 ttl=62 tos=0x00 srcmac=2c:56:dc:57:4e:f0 dstmac=00:25:90:7c:01:af
            18:36:00 Default DROP TCP 192.168.1.100:54016 -> 64.71.178.199:232 [SYN] len=52 ttl=63 tos=0x00 srcmac=00:0e:8f:79:e3:21 dstmac=00:25:90:7c:01:af
            18:36:00 Default DROP UDP 192.168.1.116:47708 -> 91.189.89.198:123 len=76 ttl=63 tos=0x10 srcmac=00:0c:29:ab:6a:88 dstmac=00:25:90:7c:01:af
            18:36:02 Default DROP UDP 192.168.1.110:37424 -> 74.82.59.150:123 len=76 ttl=62 tos=0x00 srcmac=2c:56:dc:57:4e:f0 dstmac=00:25:90:7c:01:af
            18:36:02 Default DROP TCP 192.168.1.100:54016 -> 64.71.178.199:232 [SYN] len=52 ttl=63 tos=0x00 srcmac=00:0e:8f:79:e3:21 dstmac=00:25:90:7c:01:af
            18:36:04 Default DROP TCP 185.33.236.121:35495 -> xx.xxx.xx.xx:61144 [SYN] len=60 ttl=47 tos=0x10 srcmac=00:01:5c:6a:ac:46 dstmac=00:25:90:7c:01:ae

             

            Link for the logs.

            https://www.dropbox.com/s/r3njm831wfx5isv/logs.txt?dl=0

            P.S. I have masked my IP address to xx.xxx.xxx.xx

        • Hi,

          Check #1 in the Rulz by Bob. You might also need to refer Packetfilter logfiles on the UTM.

          You will discover potential blocks in the logs and information about which module is blocking it. Please show us the logs to get an idea about what might be blocking the connections.

          Cheers-

          Sachin Gurung
          Team Lead | Sophos Technical Support
          Knowledge Base  |  @SophosSupport  |  Video tutorials
          Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

          • Thanks so much for your replies Sachin,

            Where can I find the packet filter logs? I haven't created any packet filter rules though..

            • Please refer Sophos UTM Logfile information. Information in the packetfilter.log will be useful for detail inspection while troubleshooting.

              Cheers-

              Sachin Gurung

              • Packetfilter rules = Firewall rules.  Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post one line corresponding to each unique line above.

                You said that you've looked at the Rulz, but I didn't see that you had actually looked at the Intrusion Prevention log.

                Do you have the helpers selected at the top of the 'Advanced' tab of 'Firewall'?

                I assume that you are using Web Filtering in Transparent mode and that none of this traffic passes via that Proxy.

                Cheers - Bob

                 
                Sophos UTM Community Moderator
                Sophos Certified Architect - UTM
                Sophos Certified Engineer - XG
                Gold Solution Partner since 2005
                MediaSoft, Inc. USA
                • Looking at the log line, those are default drops with fwrule=60002; this happens when the packet is not destined for the UTM, or we can say there is no firewall rule defined to forward the packet.

                  2017:05:09-00:00:01 sophos ulogd[6252]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="00:0e:8f:79:e3:21" dstmac="00:25:90:7c:01:af" srcip="192.168.1.100" dstip="96.44.129.13" proto="6" length="52" tos="0x00" prec="0x00" ttl="63" srcport="60141" dstport="232" tcpflags="SYN"

                  Considering the fact that the destination IP address is a public IP, I suspect the issue is a missing/misconfigured masquerading rule defined in the UTM. Also, a firewall rule to forward 192.168.1.0 network through the UTM is absent or misconfigured.

                  Thank You

                  Sachin Gurung

                  • You're new here, so you're not used to this editor.  You could have used Insert to add the file to your post.  We can't know if an external link is properly protected. The only malware I've gotten in over 10 years was from an external link to a picture in this forum several years ago.

                    I haven't looked at your file, but the fact that it's a zip indicates that you've uploaded the entire log file.  Outside of Sachin, everyone else at Sophos is here on their own time just like those of us that don't work for Sophos.  People that help others here won't take the time to dig through a long file to find things.

                    Cheers - Bob

                    • I am sorry about my previous ignorance, Bob. I will make sure I follow the proper guidelines and rules of the forum.

                      I have uploaded the log file using Insert > Upload file. However it still is the log file as it was directly ported from the server and truncated to a 500kb file size; I have just edited out my IP address with xxx.

                       

                      packetfilter.log

                      I have reviewed Sachin's post above; I just do not know how to interpret it and add the settings to my firewall. A few simple steps would help if it's not too much of a hassle, please.

                      • Currently I have just a masquerading rule.

                        Is this something i need to fix? Also do i need to add another rule?

                        My computer's local ip address is 192.168.1.103 (is a part of the local domain)

                        Default gateway is 192.168.1.99 (this is the firewall)

                        DNS/DHCP server is 192.168.1.10

                        Currently I just have 1 vlan setup on a 48 port cisco switch.

                        • No apology necessary - I was just trying to help you get the most out of this place!

                          I would have your internal users get NTP (UDP 123) from your DHCP server and set it to get NTP from the UTM.  You also need to allow your server in 'Network Services >> NTP'.  At present you have no firewall rule like '{192.168.1.100} -> NTP -> Internet : Allow', so those packets are being dropped.  You won't need that rule if you have the server get time from the UTM.

                          Similarly, there is no firewall rule allowing TCP 232 to the Internet, so those packets are also being dropped out of the FORWARD chain (fwrule="60002").  This is the same for SSH on the Internet.

                          I see a drop out of the INPUT chain ("60001") for someone from the Ukraine (37.229.167.134) trying to telnet into your UTM.  Unless you're in the same country, this is likely a branch of the Russian mafia, so you probably don't want to allow that traffic!

                          In general, I don't log successful outbound traffic, but I do like to start a new setup with two logged allow rules after the explicit 'Internal (Network) -> {Service} -> Internet' rules:

                          Internal (Network) -> {1:65535->1:1023} -> Internet : Allow
                          Internal (Network) -> {1:65535->1024:65535} -> Internet : Allow

                          After a month, I look back through the list of Services recorded in the logs and add new rules before these rules.  That's usually long enough to turn those rules off and wait for complaints. [;)]

                          Cheers - Bob

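The log line Sachin decoded above (a default drop with fwrule="60002") and Bob's method of reading the dropped services out of the log before writing explicit allow rules can both be done from the full packetfilter.log rather than the Live Log. The script below is an added example, not part of the original thread and not Sophos tooling: it parses the ulogd key="value" lines, groups drops by chain (60001 = INPUT, 60002 = FORWARD, exactly as stated in the posts above and assumed here rather than taken from Sophos documentation) and by service, and prints candidate rules in the '{source} -> {service} -> Internet : Allow' notation Bob uses. The first sample line is the one Sachin quoted; the other sample lines are constructed to mirror the live log (NTP, SSH, ICMP to 8.8.8.8, the inbound telnet probe), with public addresses not already on the page taken from RFC 5737 documentation ranges. The ICMP type/code field names are an assumption about the log format.

```python
"""Summarise drops in a Sophos UTM 9 packetfilter.log (added example, not Sophos code).

Groups dropped packets by chain and service so that explicit allow rules can be
written instead of a blanket 'Internal (Network) -> Any -> Any' rule.  The chain
mapping is the one stated in the thread, not taken from Sophos documentation.
"""
import ipaddress
import re
from collections import Counter

HEADER_RE = re.compile(r'^(\S+) (\S+) (\S+)\[(\d+)\]: ')   # "2017:05:09-00:00:01 sophos ulogd[6252]: "
KV_RE = re.compile(r'(\w+)="([^"]*)"')                       # key="value" pairs

CHAIN_BY_FWRULE = {"60001": "INPUT", "60002": "FORWARD"}     # assumption: as stated in the thread
PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}         # IANA protocol numbers

_PREFIX = '2017:05:09-00:00:01 sophos ulogd[6252]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" '

def _mk(**fields):
    """Build a constructed log line in the same ulogd key="value" layout."""
    return _PREFIX + " ".join('%s="%s"' % kv for kv in fields.items())

# Sample input.  Line 1 is the real line quoted in the thread; the rest are constructed.
SAMPLE_LOG = [
    _PREFIX + 'name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" '
              'srcmac="00:0e:8f:79:e3:21" dstmac="00:25:90:7c:01:af" srcip="192.168.1.100" dstip="96.44.129.13" '
              'proto="6" length="52" tos="0x00" prec="0x00" ttl="63" srcport="60141" dstport="232" tcpflags="SYN"',
    _mk(name="Packet dropped", action="drop", fwrule="60002", initf="eth0", outitf="eth1",
        srcip="192.168.1.110", dstip="216.218.254.202", proto="17", srcport="56385", dstport="123"),
    _mk(name="Packet dropped", action="drop", fwrule="60002", initf="eth0", outitf="eth1",
        srcip="192.168.1.110", dstip="74.82.59.150", proto="17", srcport="56385", dstport="123"),
    _mk(name="Packet dropped", action="drop", fwrule="60002", initf="eth0", outitf="eth1",
        srcip="192.168.1.103", dstip="203.0.113.10", proto="6", srcport="51000", dstport="22", tcpflags="SYN"),
    _mk(name="Packet dropped", action="drop", fwrule="60002", initf="eth0", outitf="eth1",
        srcip="192.168.1.110", dstip="8.8.8.8", proto="1", type="8", code="0"),   # assumed ICMP field names
    _mk(name="Packet dropped", action="drop", fwrule="60001", initf="eth1",
        srcip="37.229.167.134", dstip="198.51.100.7", proto="6", srcport="35495", dstport="23", tcpflags="SYN"),
    _mk(name="Packet accepted", action="accept", fwrule="1", initf="eth0", outitf="eth1",
        srcip="192.168.1.103", dstip="203.0.113.10", proto="6", srcport="51001", dstport="443", tcpflags="SYN"),
]

def parse_line(line):
    """Return the key="value" fields of one packetfilter.log line as a dict, or None if it is not one."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(line[m.end():]))
    rec["timestamp"], rec["host"], rec["process"] = m.group(1), m.group(2), m.group(3)
    return rec

def service_of(rec):
    """Name the service the way a firewall rule would: 'TCP 232', 'UDP 123', 'ICMP type 8'."""
    proto = PROTO_NAMES.get(rec.get("proto"), "proto/" + rec.get("proto", "?"))
    if proto == "ICMP":
        return "ICMP type %s" % rec.get("type", "?")
    return "%s %s" % (proto, rec.get("dstport", "?"))

def summarise_drops(lines):
    """Count dropped packets per (chain, service, srcip); accepted packets are ignored."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec.get("action") != "drop":
            continue
        chain = CHAIN_BY_FWRULE.get(rec.get("fwrule"), "fwrule " + rec.get("fwrule", "?"))
        counts[(chain, service_of(rec), rec.get("srcip"))] += 1
    return counts

def is_private(ip):
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False

def suggest_rules(counts):
    """FORWARD drops from private sources become candidate allow rules in the thread's notation.
    INPUT drops (traffic aimed at the UTM itself) and public sources are unsolicited: no rule."""
    suggestions, ignored = [], []
    for (chain, service, srcip), n in sorted(counts.items()):
        if chain == "FORWARD" and is_private(srcip):
            suggestions.append("{%s} -> {%s} -> Internet : Allow  (%d drops)" % (srcip, service, n))
        else:
            ignored.append("%s drop %s -> %s (%d): leave blocked" % (chain, srcip, service, n))
    return suggestions, ignored

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG   # e.g. packetfilter.log
    rules, blocked = suggest_rules(summarise_drops(lines))
    print("\n".join(["Candidate allow rules:"] + rules + ["", "Unsolicited (no rule):"] + blocked))
```

Run it against the full packetfilter.log (python3 script.py packetfilter.log) and the candidate list is the set of services to add as explicit rules ahead of the two catch-all logged rules Bob describes; each candidate still needs a human decision, since a dropped destination port is not by itself a reason to open it.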
                          • The issue is resolved. helped a lot.

                            His due diligence in figuring out the issue was immaculate.

                            My firewall Intel NIC card was causing this disturbance. While scanning through the internet, I see that Intel NIC cards have issues with Linux distro drivers.

                            After replacing the NIC card, the issue vanished.

                            Thanks Sachin.

                            Thanks  for standing by and giving me all sorts of wonderful tips that i have now inculcated in my regular firewall ref-check schedule.