
Connection Problem with pop3s or imaps

Hi @all,

I have some trouble with the connection from an internal server (Ubuntu) over our Sophos Firewall to an external MSX. The MSX has 3 available IPs and connections go over one DNS name of the MSX.

The TCP dump on Sophos shows this:

14:20:01.924040 IP internal_Srv.48336 > MSX_IP2.pop3s: Flags [S], seq 3757526706, win 29200, options [mss 1460,sackOK,TS val 40464913 ecr 0,nop,wscale 7], length 0
14:20:02.920623 IP internal_Srv.48336 > MSX_IP2.pop3s: Flags [S], seq 3757526706, win 29200, options [mss 1460,sackOK,TS val 40465163 ecr 0,nop,wscale 7], length 0
14:20:04.924565 IP internal_Srv.48336 > MSX_IP2.pop3s: Flags [S], seq 3757526706, win 29200, options [mss 1460,sackOK,TS val 40465664 ecr 0,nop,wscale 7], length 0
14:20:08.932613 IP internal_Srv.48336 > MSX_IP2.pop3s: Flags [S], seq 3757526706, win 29200, options [mss 1460,sackOK,TS val 40466666 ecr 0,nop,wscale 7], length 0
14:20:11.324954 IP internal_Srv.43126 > MSX_IP1.pop3s: Flags [S], seq 2667523278, win 29200, options [mss 1460,sackOK,TS val 40467264 ecr 0,nop,wscale 7], length 0
14:20:11.328744 IP MSX_IP1.pop3s > internal_Srv.43126: Flags [S.], seq 3722905482, ack 2667523279, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
14:20:11.329134 IP internal_Srv.43126 > MSX_IP1.pop3s: Flags [.], ack 1, win 229, length 0
14:20:11.329548 IP internal_Srv.43126 > MSX_IP1.pop3s: Flags [P.], seq 1:266, ack 1, win 229, length 265
14:20:11.334026 IP MSX_IP1.pop3s > internal_Srv.43126: Flags [.], seq 1:1461, ack 266, win 65534, length 1460
14:20:11.334296 IP MSX_IP1.pop3s > internal_Srv.43126: Flags [.], seq 1461:2921, ack 266, win 65534, length 1460
14:20:11.334321 IP MSX_IP1.pop3s > internal_Srv.43126: Flags [P.], seq 2921:3311, ack 266, win 65534, length 390
14:20:11.334417 IP internal_Srv.43126 > MSX_IP1.pop3s: Flags [.], ack 1461, win 251, length 0
14:20:11.334556 IP internal_Srv.43126 > MSX_IP1.pop3s: Flags [.], ack 2921, win 274, length 0
14:20:11.334594 IP internal_Srv.43126 > MSX_IP1.pop3s: Flags [.], ack 3311, win 297, length 0
14:20:11.342554 IP internal_Srv.43126 > MSX_IP1.pop3s: Flags [P.], seq 266:424, ack 3311, win 297, length 158
14:20:11.346380 IP MSX_IP1.pop3s > internal_Srv.43126: Flags [P.], seq 3311:3362, ack 424, win 65533, length 51
14:20:11.384540 IP internal_Srv.43126 > MSX_IP1.pop3s: Flags [.], ack 3362, win 297, length 0
14:20:11.387304 IP MSX_IP1.pop3s > internal_Srv.43126: Flags [P.], seq 3362:3442, ack 424, win 65533, length 80
14:20:11.387632 IP internal_Srv.43126 > MSX_IP1.pop3s: Flags [.], ack 3442, win 297, length 0
14:20:11.387784 IP internal_Srv.43126 > MSX_IP1.pop3s: Flags [P.], seq 424:459, ack 3442, win 297, length 35
14:20:11.390333 IP MSX_IP1.pop3s > internal_Srv.43126: Flags [P.], seq 3442:3508, ack 459, win 65533, length 66
14:20:11.396029 IP internal_Srv.43126 > MSX_IP1.pop3s: Flags [P.], seq 459:500, ack 3508, win 297, length 41
14:20:11.398523 IP MSX_IP1.pop3s > internal_Srv.43126: Flags [P.], seq 3508:3541, ack 500, win 65533, length 33
14:20:11.398813 IP internal_Srv.43126 > MSX_IP1.pop3s: Flags [P.], seq 500:563, ack 3541, win 297, length 63
14:20:11.411319 IP MSX_IP1.pop3s > internal_Srv.43126: Flags [.], ack 563, win 65533, length 0
14:20:11.566965 IP MSX_IP1.pop3s > internal_Srv.43126: Flags [P.], seq 3541:3608, ack 563, win 65533, length 67
14:20:11.567492 IP internal_Srv.43126 > MSX_IP1.pop3s: Flags [P.], seq 563:598, ack 3608, win 297, length 35
14:20:11.570713 IP MSX_IP1.pop3s > internal_Srv.43126: Flags [P.], seq 3608:3705, ack 598, win 65533, length 97
14:20:11.571129 IP internal_Srv.43126 > MSX_IP1.pop3s: Flags [P.], seq 598:633, ack 3705, win 297, length 35
14:20:11.575140 IP MSX_IP1.pop3s > internal_Srv.43126: Flags [P.], seq 3705:3743, ack 633, win 65533, length 38
14:20:11.575630 IP internal_Srv.43126 > MSX_IP1.pop3s: Flags [P.], seq 633:668, ack 3743, win 297, length 35
14:20:11.578850 IP MSX_IP1.pop3s > internal_Srv.43126: Flags [P.], seq 3743:3784, ack 668, win 65533, length 41
14:20:11.594602 IP internal_Srv.43126 > MSX_IP1.pop3s: Flags [P.], seq 668:703, ack 3784, win 297, length 35
14:20:11.597839 IP MSX_IP1.pop3s > internal_Srv.43126: Flags [P.], seq 3784:3874, ack 703, win 65532, length 90
14:20:11.598232 IP internal_Srv.43126 > MSX_IP1.pop3s: Flags [P.], seq 703:734, ack 3874, win 297, length 31
14:20:11.598233 IP internal_Srv.43126 > MSX_IP1.pop3s: Flags [F.], seq 734, ack 3874, win 297, length 0
14:20:11.598315 IP MSX_IP1.pop3s > internal_Srv.43126: Flags [F.], seq 3874, ack 703, win 65532, length 0
14:20:11.598587 IP internal_Srv.43126 > MSX_IP1.pop3s: Flags [.], ack 3875, win 297, length 0
14:20:11.600761 IP MSX_IP1.pop3s > internal_Srv.43126: Flags [R.], seq 3875, ack 734, win 0, length 0
14:20:16.956487 IP internal_Srv.48336 > MSX_IP2.pop3s: Flags [S], seq 3757526706, win 29200, options [mss 1460,sackOK,TS val 40468672 ecr 0,nop,wscale 7], length 0

Same time on Sophos Firewall Log:

After some failures and retries I get the connection and also the data.

Is that something I can do on my site, or is that maybe a problem on the MSX?

The MSX is located on AWS and I have no access to the server; I can only get and send mails.

Thank you very much for helping

wrbrgds

TBC



  • Hallo,

    Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post one line corresponding to those above.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you Bob,

    here are the Logs:

    2020:09:21-14:20:02 fw-trzisp-02-1 ulogd[673]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="00:08:e3:ff:fd:90" dstmac="00:1a:8c:f0:49:e0" srcip="internal_Srv" dstip="MSX_IP1" proto="6" length="60" tos="0x00" prec="0x00" ttl="62" srcport="48336" dstport="995" t
    2020:09:21-14:20:02 fw-trzisp-02-1 ulogd[673]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="00:08:e3:ff:fd:90" dstmac="00:1a:8c:f0:49:e0" srcip="internal_Srv" dstip="MSX_IP1" proto="6" length="60" tos="0x00" prec="0x00" ttl="62" srcport="48336" dstport="995" ttcpflags="SYN" 
    2020:09:21-14:20:04 fw-trzisp-02-1 ulogd[673]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="00:08:e3:ff:fd:90" dstmac="00:1a:8c:f0:49:e0" srcip="internal_Srv" dstip="MSX_IP1" proto="6" length="60" tos="0x00" prec="0x00" ttl="62" srcport="48336" dstport="995" t
    2020:09:21-14:20:09 fw-trzisp-02-1 ulogd[673]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="00:08:e3:ff:fd:90" dstmac="00:1a:8c:f0:49:e0" srcip="internal_Srv" dstip="MSX_IP1" proto="6" length="60" tos="0x00" prec="0x00" ttl="62" srcport="48336" dstport="995" t
    2020:09:21-14:20:17 fw-trzisp-02-1 ulogd[673]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="00:08:e3:ff:fd:90" dstmac="00:1a:8c:f0:49:e0" srcip="internal_Srv" dstip="MSX_IP1" proto="6" length="60" tos="0x00" prec="0x00" ttl="62" srcport="48336" dstport="995" 
    2020:09:21-14:20:33 fw-trzisp-02-1 ulogd[673]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="00:08:e3:ff:fd:90" dstmac="00:1a:8c:f0:49:e0" srcip="internal_Srv" dstip="MSX_IP1" proto="6" length="60" tos="0x00" prec="0x00" ttl="62" srcport="48336" dstport="995"  tcpflags="SYN" 
    2020:09:21-14:21:06 fw-trzisp-02-1 ulogd[673]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="00:08:e3:ff:fd:90" dstmac="00:1a:8c:f0:49:e0" srcip="internal_Srv" dstip="MSX_IP1" proto="6" length="60" tos="0x00" prec="0x00" ttl="62" srcport="48336" dstport="995"  tcpflags="SYN" 
    

    I forgot to mention: the traffic goes over a NAT rule.

    Thanks for helping

    TBC

  • "60002" means the drop is out of the FORWARD chain. Is BKU-MSX-AWS bound to a specific interface? What does "internal_Srv" represent? What about the object in the 'Quellübersetzung'?

    Cheers - Bob

     
  • Salue Bob.

    Yes, BKU is bound to a special interface to a different location.

    "Internal_Srv" and "subu" in Quellübersetzung and at the beginning of Verkehrsbeziehung are the same system, but in Quellübersetzung it has that NAT address, which is also looking on the BKU interface.

    That system tries to fetch mail from the MSX located on a system at the BKU MSX site.

    BKU-MSX Service is a group with the IMAP and POP3 services.

    here are some screens:

    Many thanks for helping

    R.

  • Without going into the weeds, selecting 'Automatic firewall rule' won't work since the Host objects are bound to interfaces.  I've rarely seen a reason to bind a Host object to a specific interface, so my first thought would be to set 'Schnittstelle: Any' for those Host objects.  Did that work for you?

    Cheers - Bob

     
  • That's the first time I hear that, and the same rule with a different destination address is working perfectly, and all other NAT rules with bound interfaces are also working the same way.
    But I have changed it to any now and will see what happens.

    Pls. give me some time to check!

    Many thanks bob!

  • Bob,

    I have found out what the problem is.

    They told me to use a DNS name for the MSX server; the DNS is resolved to another DNS because that one is located in AWS.

    The second DNS resolved to 3 different IPs.

    But only one of them is responding :-)))

    I have changed my application to use the IP and I have no more problems!

    Many thanks to you for helping!

    have a nice weekend
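
One way to read a capture like the one in the opening post, as an added example that is not part of the thread: it groups tcpdump text lines into flows and reports the targets whose SYNs never received a SYN-ACK, with the gaps between retries. The sample lines are constructed in the capture's format using the thread's placeholder host names, and the function names are hypothetical.

```python
import re

# Constructed sample in tcpdump's text format, modelled on the capture in the
# thread; the host names are the thread's own anonymised placeholders.
SAMPLE = """\
14:20:01.924040 IP internal_Srv.48336 > MSX_IP2.pop3s: Flags [S], seq 3757526706, win 29200, length 0
14:20:02.920623 IP internal_Srv.48336 > MSX_IP2.pop3s: Flags [S], seq 3757526706, win 29200, length 0
14:20:04.924565 IP internal_Srv.48336 > MSX_IP2.pop3s: Flags [S], seq 3757526706, win 29200, length 0
14:20:11.324954 IP internal_Srv.43126 > MSX_IP1.pop3s: Flags [S], seq 2667523278, win 29200, length 0
14:20:11.328744 IP MSX_IP1.pop3s > internal_Srv.43126: Flags [S.], seq 3722905482, ack 2667523279, win 65535, length 0
14:20:11.329134 IP internal_Srv.43126 > MSX_IP1.pop3s: Flags [.], ack 1, win 229, length 0
"""

# time, "IP", src.port > dst.port:, Flags [..]; the port is the text after the last dot
LINE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) IP (\S+)\.([^.\s]+) > "
                  r"(\S+)\.([^.\s:]+): Flags \[([^\]]+)\]")

def handshake_status(capture):
    """Map each client flow (src, sport, dst, dport) to its SYN times and
    whether a SYN-ACK came back."""
    flows = {}
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        hh, mm, ss, src, sport, dst, dport, flags = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + float(ss)
        if flags == "S":        # initial SYN or a retransmission of it
            flow = flows.setdefault((src, sport, dst, dport),
                                    {"syn_times": [], "answered": False})
            flow["syn_times"].append(t)
        elif flags == "S.":     # SYN-ACK travels in the reverse direction
            reverse = (dst, dport, src, sport)
            if reverse in flows:
                flows[reverse]["answered"] = True
    return flows

def unanswered_targets(capture):
    """List (dst, dport, syn_count, gaps) for flows that never got a SYN-ACK.
    Gaps are the seconds between successive SYNs, rounded."""
    out = []
    for (src, sport, dst, dport), f in handshake_status(capture).items():
        if not f["answered"]:
            ts = f["syn_times"]
            gaps = [round(b - a) for a, b in zip(ts, ts[1:])]
            out.append((dst, dport, len(ts), gaps))
    return sorted(out)

if __name__ == "__main__":
    for dst, dport, n, gaps in unanswered_targets(SAMPLE):
        print(f"{dst}:{dport} no SYN-ACK after {n} SYNs, retry gaps {gaps}s")
```

An unanswered SYN in the capture does not say where the packet was lost; the firewall log's action="drop" entries for the same srcport, as posted earlier in the thread, are the other half of that check.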

  • Good news!

    I wonder if using a DNS-Gruppe instead of a DNS-Host would also work.

    Can you confirm that this works when leaving the objects bound to an interface?

    Cheers - Bob

     
  • Yes Bob, most of my objects are bound to an interface, and all of my NAT objects are also bound to an interface.

    If someone uses a DNS name for more than one IP address, the client, and I think also the UTM, looks at which IP is available. So in my case, if the 2 IPs that are not working correctly are in the first positions, I get a timeout for my IMAP request. The last IP, which is working, gives the answer to the IMAP or POP3 request.

    have a nice Weekend

    TBC

  • You're confounding "Availability" Groups with DNS Groups.  DNS Groups get the IPs of all of the A-records for an FQDN.

    Cheers - Bob

     