
Any-Any-Any still dropping packets UTM 9.501-5

I'm completely mystified. User complains about the login component of this page 

https://www.ticketmaster.ca/member?tm_link=tm_homeA_header_my_account

will not load. Switching networks (e.g. to wireless that does not pass through the UTM) loads fine.

The firewall log shows what is pasted below. I know that 60002 means some kind of outgoing rule is missing (probably the same for that 60003 rule), but even adding an ANY>ANY>ANY rule doesn't eliminate that. Looking through past posts for a while and disabling pretty much every security feature there is, still no login box. 

I'm very rusty with this and I'm looking for some help as to what my next step should be here. I just want this website to load, and I suspect that other sites are also affected by this. 

Appreciate any help!

2018:06:17-08:33:41 remote ulogd[4541]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth1" srcmac="00:01:5c:9b:b6:46" dstmac="00:1a:8c:42:69:55" srcip="185.208.208.77" dstip="174.2.181.145" proto="6" length="40" tos="0x00" prec="0x00" ttl="240" srcport="57934" dstport="35027" tcpflags="SYN" 

2018:06:17-08:34:43 remote ulogd[4541]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth1" srcmac="00:01:5c:9b:b6:46" dstmac="00:1a:8c:42:69:55" srcip="5.141.82.192" dstip="174.2.181.145" proto="6" length="40" tos="0x00" prec="0x00" ttl="52" srcport="61155" dstport="2323" tcpflags="SYN" 

2018:06:17-08:46:17 remote ulogd[4541]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="00:1a:8c:42:69:55" srcip="184.11.11.178" dstip="218.102.239.14" proto="1" length="68" tos="0x00" prec="0xc0" ttl="64" type="11" code="0" 



  • Do you have an allow-outgoing rule in your firewall ruleset?

    Why are you not using web filtering?  It is UTMs best asset.

  • I'm just trying to eliminate any potential culprits. I set this thing up over a year ago, and while it took some work (I recall getting the VPN going was a pain) it has mostly been working correctly. It seems like there have been weird little issues off and on ever since the switch to a new ISP (new IP) even though I changed the static in settings. 

     

    I am tempted to revert to factory settings and start from scratch. 

  • Hi Jee Phillips,

    Please check the Intrusion Prevention configuration. This connection is blocked by IPS.

    - XG v17 Technician Certificate -

  • Hi Jee - first post - welcome to the UTM Community!

    As suggested, check Intrusion Prevention for the real problem (see #1 in Rulz).  In this case, you also should consult the Web Filtering log file.

    None of those log lines appears to have anything to do with ticketmaster.ca.  To better understand what you're seeing in the Firewall log file, check out Packetfilter logfiles on the Sophos UTM.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
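The point in the reply above is worth checking mechanically rather than by eye: the ulogd lines are key="value" pairs, so they can be parsed and filtered by the addresses that actually matter. The following is an added example (not code from the thread or from Sophos) that parses the three drop lines pasted in the opening post, classifies each by its interface fields only (no initf means the UTM generated the packet itself; initf equal to outitf is traffic arriving on and leaving by the same interface), and reports whether any drop touches a given set of hosts. The fwrule numbers are carried through as opaque strings, not interpreted. The address 203.0.113.10 is a documentation placeholder standing in for whatever ticketmaster.ca resolves to; substitute the real result of a DNS lookup.

```python
"""Parse Sophos UTM 9 packetfilter (ulogd) drop lines and check whether any
of them involve a given set of hosts.  Added example, not from the thread."""
import re
from collections import Counter

# The three "Packet dropped" lines pasted in the opening post (copied from
# the thread, not constructed).
THREAD_LOG = """\
2018:06:17-08:33:41 remote ulogd[4541]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth1" srcmac="00:01:5c:9b:b6:46" dstmac="00:1a:8c:42:69:55" srcip="185.208.208.77" dstip="174.2.181.145" proto="6" length="40" tos="0x00" prec="0x00" ttl="240" srcport="57934" dstport="35027" tcpflags="SYN"
2018:06:17-08:34:43 remote ulogd[4541]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth1" srcmac="00:01:5c:9b:b6:46" dstmac="00:1a:8c:42:69:55" srcip="5.141.82.192" dstip="174.2.181.145" proto="6" length="40" tos="0x00" prec="0x00" ttl="52" srcport="61155" dstport="2323" tcpflags="SYN"
2018:06:17-08:46:17 remote ulogd[4541]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="00:1a:8c:42:69:55" srcip="184.11.11.178" dstip="218.102.239.14" proto="1" length="68" tos="0x00" prec="0xc0" ttl="64" type="11" code="0"
"""

# "<timestamp> <host> <prog>[<pid>]: <key="value" ...>"
HEADER_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<prog>\w+)\[\d+\]: (?P<body>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO = {"1": "ICMP", "6": "TCP", "17": "UDP"}
ICMP_TYPE = {"0": "echo-reply", "3": "dest-unreachable",
             "8": "echo-request", "11": "time-exceeded"}


def parse_line(line):
    """Turn one ulogd line into a dict of its key="value" fields plus ts/host."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ev = dict(KV_RE.findall(m.group("body")))
    ev["ts"], ev["host"] = m.group("ts"), m.group("host")
    return ev


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def direction(ev):
    """Rough direction from the interface fields only: no initf means the
    UTM sent the packet itself; initf == outitf means it arrived on and would
    have left by the same interface (eth1, the external side, in the thread)."""
    if "initf" not in ev:
        return "local-out"
    return "same-interface" if ev["initf"] == ev.get("outitf") else "forwarded"


def describe(ev):
    """One-line human-readable rendering of a drop event."""
    proto = PROTO.get(ev.get("proto"), "proto" + ev.get("proto", "?"))
    if proto == "ICMP":
        detail = "type %s (%s)" % (ev.get("type"), ICMP_TYPE.get(ev.get("type"), "?"))
        ends = "%s -> %s" % (ev["srcip"], ev["dstip"])
    else:
        detail = ev.get("tcpflags", "")
        ends = "%s:%s -> %s:%s" % (ev["srcip"], ev.get("srcport"),
                                   ev["dstip"], ev.get("dstport"))
    return "%s fwrule=%s %s %s %s %s" % (
        ev["ts"], ev.get("fwrule"), direction(ev), proto, ends, detail)


def involving(events, hosts):
    """Drops whose source or destination IP is in `hosts` (a set of strings)."""
    return [ev for ev in events if ev.get("srcip") in hosts or ev.get("dstip") in hosts]


def summarize(events):
    """Count drops by (fwrule, direction): unsolicited SYNs to the WAN
    address are background noise, not a block on a client's web session."""
    return Counter((ev.get("fwrule"), direction(ev)) for ev in events)


if __name__ == "__main__":
    events = parse_log(THREAD_LOG)
    for ev in events:
        print(describe(ev))
    print(summarize(events))
    # Placeholder (documentation address) for the site's real IPs; assumption.
    print("drops touching the site:", involving(events, {"203.0.113.10"}))
```

Run against the pasted lines, `involving` returns nothing for the placeholder address, and `summarize` shows two inbound SYNs to 174.2.181.145 on ports 35027 and 2323 and one locally generated ICMP time-exceeded; none of them is a client connection to the website. Feeding the same parser the full packetfilter.log, with the addresses the site resolves to, is the quick way to confirm whether the Firewall log is the right place to look at all.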
  • I appreciate you getting back to me, and sorry it took so long to reply. I turned IPS off; on the other tabs I unchecked all attack patterns and unchecked Use TCP SYN Flood Protection, Use UDP Flood Protection and Use ICMP Flood Protection (all three unchecked); Portscan Detection is OFF. Nothing in Exceptions or Advanced... but that does not seem to help. I'm also confused, since you said none of those log lines has anything to do with ticketmaster.ca.

     

    The firewall shows a lot of default drops but they do not seem to line up with the Ticketmaster.ca IP address...so...I'm stumped.

    I am wondering if I am mistaken in blaming the UTM 9 box. I can try connecting to this website from any other network on the same computer, same browser, and it loads fine, but from behind the firewall I get an endless loading screen. I'll dig through the log files again. I know I am missing something obvious. For now, in case it causes any 'ah-ha!' moments from helpful members of the forum, I am posting a 20-second video of the problem below, and then what it looks like when it works (tonight that happens to be from a different computer, as I'm not at the problem location to do a perfect demo video...). Any idea where I should look for this if the log file does not reflect this issue?

    https://vimeo.com/277577559

     

  • Thanks for your reply. I disabled all IPS items, but that does not seem to help. :(

  • About Advanced Threat Protection?

    If possible, can you share your configuration?


  • I don't suggest disabling anything in Intrusion Prevention.  I do suggest looking at the Intrusion Prevention log.  As #1 in Rulz says, if you can't find anything in the logs, you have another problem.  Did you also look in the Web Filtering log?

    Cheers - Bob
