
Sophos Cluster SG210 - NAT rule no longer works

Hello,

Firmware version: 9.707-5

We have two Sophos SG210 in use, and for some time now I have noticed that at least one NAT rule no longer works. The rule reads as follows:

Any

TCP Port 2083 - destination port 2083 - source port 1:65535

WAN address

Server

TCP Port 2083 - destination port 2083 - source port 1:65535

Automatic firewall rule is active.

I even created the rule manually, but that didn't help either.

The log says the following:

14:45:14 Standard-VERWERFEN TCP 95.130.160.139 : 17681 213.95.82.36 : 2083 [ACK RST] len=52 ttl=56 tos=0x00 srcmac=78:19:f7:40:af:f0 dstmac=00:1a:8c:f0:bf:c1

I also switched IPS off, but that didn't help either.

I'm simply stuck.

Does anyone have an idea?

Would be grateful.

Thanks in advance.



  • FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    I would suggest taking a packet flow and packetfilter.log events when the issue persists.

    Login to SSH | How to access the UTM shell via SSH

    ==> To check packet flow:

    utm:/root # tcpdump -nei any port 2083

    ==> To filter out packetfilter.log events with port 2083

    utm:/root # zgrep '2083' /var/log/packetfilter/2021/08/* |grep drop | tail -20

  • I have analyzed the situation deeper and I think I know where the problem is: we are using Extremecloud IQ with port forwarding, and port 2083 is used by RADIUS, but in order to keep the session alive the firewall needs to establish a connection first over port UDP 12222 with the server, because the information for RADIUS is stored on the server. I think the initial problem is with port UDP 12222. The log says the following:

    /var/log/packetfilter/2021/08/packetfilter-2021-08-13.log.gz:2021:08:13-11:22:33 security-1 ulogd[7707]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcmac="78:19:f7:40:e7:f0" dstmac="00:1a:8c:f0:bf:c1" srcip="91.67.159.17" dstip="192.168.76.78" proto="17" length="125" tos="0x00" prec="0x00" ttl="54" srcport="60517" dstport="12222"

    /var/log/packetfilter/2021/08/packetfilter-2021-08-13.log.gz:2021:08:13-11:22:33 security-1 ulogd[7707]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcmac="78:19:f7:40:e7:f0" dstmac="00:1a:8c:f0:bf:c1" srcip="91.67.159.17" dstip="192.168.76.78" proto="17" length="125" tos="0x00" prec="0x00" ttl="54" srcport="55154" dstport="12222"

    /var/log/packetfilter/2021/08/packetfilter-2021-08-13.log.gz:2021:08:13-11:22:48 security-1 ulogd[7707]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="78:19:f7:40:e7:f0" dstmac="00:1a:8c:f0:bf:c1" srcip="91.67.159.17" dstip="213.95.82.36" proto="17" length="238" tos="0x00" prec="0x00" ttl="55" srcport="34758" dstport="12222"

    /var/log/packetfilter/2021/08/packetfilter-2021-08-15.log.gz:2021:08:15-02:33:11 security-1 ulogd[7707]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="78:19:f7:40:e7:f0" dstmac="00:1a:8c:f0:bf:c1" srcip="143.198.139.42" dstip="213.95.82.36" proto="6" length="40" tos="0x00" prec="0x00" ttl="240" srcport="33574" dstport="12222" tcpflags="SYN"

    /var/log/packetfilter/2021/08/packetfilter-2021-08-15.log.gz:2021:08:15-16:06:17 security-1 ulogd[7707]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="78:19:f7:40:af:f0" dstmac="00:1a:8c:f0:bf:c1" srcip="167.248.133.85" dstip="213.95.82.36" proto="6" length="44" tos="0x00" prec="0x00" ttl="38" srcport="42898" dstport="12222" tcpflags="SYN"
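    An added example (not from the thread or from Sophos) that covers both the zgrep filtering step in the reply above and the packetfilter.log excerpts just quoted: a small Python parser for the ulogd key="value" line format that counts drops for one destination port and, from the interface fields, says where each drop happened. The sample lines are constructed with RFC 5737 addresses, and the classification rule (outitf present means DNAT already rewrote the destination and the forward path dropped it; outitf absent with the WAN address as dstip means no DNAT rule matched) is my reading of the fields, not a documented Sophos rule.

```python
import re
from collections import Counter

# Added example: parse Sophos UTM packetfilter.log lines (ulogd key="value"
# format as quoted in the thread) and summarise drops for one destination port.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO_NAMES = {"6": "tcp", "17": "udp"}

# Constructed sample lines modelled on the quoted format (RFC 5737 addresses,
# not the thread's real hosts). The "file:" prefix mimics zgrep output.
SAMPLE_LINES = [
    '/var/log/packetfilter/2021/08/packetfilter-2021-08-13.log.gz:2021:08:13-11:22:33 utm ulogd[7707]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcip="203.0.113.7" dstip="10.0.0.5" proto="17" length="125" ttl="54" srcport="60517" dstport="12222"',
    '/var/log/packetfilter/2021/08/packetfilter-2021-08-13.log.gz:2021:08:13-11:22:33 utm ulogd[7707]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcip="203.0.113.7" dstip="10.0.0.5" proto="17" length="125" ttl="54" srcport="55154" dstport="12222"',
    '/var/log/packetfilter/2021/08/packetfilter-2021-08-13.log.gz:2021:08:13-11:22:48 utm ulogd[7707]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.7" dstip="198.51.100.1" proto="17" length="238" ttl="55" srcport="34758" dstport="12222"',
    '/var/log/packetfilter/2021/08/packetfilter-2021-08-15.log.gz:2021:08:15-02:33:11 utm ulogd[7707]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.9" dstip="198.51.100.1" proto="6" length="40" ttl="240" srcport="33574" dstport="12222" tcpflags="SYN"',
    '/var/log/packetfilter/2021/08/packetfilter-2021-08-15.log.gz:2021:08:15-14:45:14 utm ulogd[7707]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.9" dstip="198.51.100.1" proto="6" length="52" ttl="56" srcport="17681" dstport="2083" tcpflags="ACK RST"',
]

def parse_line(line):
    """Return the key="value" fields of one log line as a dict."""
    return dict(KV_RE.findall(line))

def classify_drop(fields):
    """Say where a dropped packet died, judged from the interface fields.
    Assumption: outitf present means DNAT already rewrote the destination and
    the forward path dropped it (no matching allow rule); no outitf means the
    packet was addressed to the UTM itself and no DNAT rule matched it."""
    if fields.get("action") != "drop":
        return "not-a-drop"
    if "outitf" in fields:
        return "forward-dropped-after-dnat"
    return "input-dropped-no-dnat-match"

def summarize_drops(lines, port):
    """Count drops to `port` keyed by (fwrule, proto, dstip, classification)."""
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if f.get("action") != "drop" or f.get("dstport") != str(port):
            continue
        proto = PROTO_NAMES.get(f.get("proto"), f.get("proto"))
        counts[(f.get("fwrule"), proto, f.get("dstip"), classify_drop(f))] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize_drops(SAMPLE_LINES, 12222).items()):
        print(n, *key)
```

    Piping real zgrep output into `summarize_drops` separates "DNAT fired but no firewall rule allowed the forwarded packet" from "no DNAT rule matched at all", which are fixed in different places in WebAdmin.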
