UTM9 dropping HTTP traffic with error 60001

Hey there,

 

At present I've got an issue with HTTP traffic being dropped by the firewall with 60001..

Model: SG430

Firmware version: 9.508-10

 

I've been through the forums and most of the issues that come up seem to refer back to a NAT config.. which we're not currently using..

This issue appeared to arise yesterday, and as far as I'm aware no changes were made.. 

There is an explicit rule in the firewall to allow Any traffic between these subnets..

This is the live log showing other ports getting through..
Here's the log as an example of the drops,

 

/var/log/packetfilter.log:2020:03:26-18:48:05 109ut320 ulogd[25136]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3000000001" initf="eth1" outitf="eth3" srcmac="e4:8d:8c:1e:93:a8" dstmac="00:1a:8c:6c:32:44" srcip="10.100.97.2" dstip="10.97.0.19" proto="6" length="50" tos="0x00" prec="0x00" ttl="126" srcport="57760" dstport="20000" tcpflags="ACK PSH"

/var/log/packetfilter.log:2020:03:26-18:48:19 109ut320 ulogd[25136]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="e4:8d:8c:1e:93:a8" dstmac="00:1a:8c:6c:32:44" srcip="10.100.97.2" dstip="10.97.0.1" proto="6" length="52" tos="0x02" prec="0x00" ttl="127" srcport="52596" dstport="80" tcpflags="SYN"

/var/log/packetfilter.log:2020:03:26-18:48:22 109ut320 ulogd[25136]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="e4:8d:8c:1e:93:a8" dstmac="00:1a:8c:6c:32:44" srcip="10.100.97.2" dstip="10.97.0.1" proto="6" length="52" tos="0x02" prec="0x00" ttl="127" srcport="52596" dstport="80" tcpflags="SYN"

/var/log/packetfilter.log:2020:03:26-18:48:28 109ut320 ulogd[25136]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3000000001" initf="eth1" outitf="eth3" srcmac="e4:8d:8c:1e:93:a8" dstmac="00:1a:8c:6c:32:44" srcip="10.100.97.12" dstip="10.97.0.18" proto="1" length="48" tos="0x00" prec="0x00" ttl="62" type="8" code="0"

/var/log/packetfilter.log:2020:03:26-18:48:29 109ut320 ulogd[25136]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="e4:8d:8c:1e:93:a8" dstmac="00:1a:8c:6c:32:44" srcip="10.100.97.2" dstip="10.97.0.1" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="52596" dstport="80" tcpflags="SYN"
Any help would be greatly appreciated. 
thanks
  • Hi Josh and welcome to the UTM Community!

    You haven't told us, but I assume that 10.97.0.1 is the IP of an internal Interface.  What is the subnet on that interface - does it include 10.100.97.2 or is that IP in a subnet on a different interface?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob,

     

    Thanks for having me! I've just come into my role and it's my first time round with Sophos.. these forums have been invaluable in learning about the systems.. though this one is a real dilly of a pickle..

     

    To answer your question.. correct, 10.97.0.1/29 is eth3 on the device.

     

    4: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
        link/ether 00:1a:8c:6c:32:46 brd ff:ff:ff:ff:ff:ff
        inet 10.97.0.1/29 brd 10.97.0.7 scope global eth3
           valid_lft forever preferred_lft forever

     

    10.100.97.2 is on a separate device at another site, which also passes through a Sophos UTM..

    The first firewall however is passing the traffic..

    08:52:38 Auto-generated rule #17 TCP 10.100.97.2:49223 -> 10.97.0.1:80 [SYN] len=52 ttl=127 tos=0x02 srcmac=00:50:56:ab:18:80 dstmac=00:1a:8c:6c:13:c2
    08:52:41 Auto-generated rule #17 TCP 10.100.97.2:49223 -> 10.97.0.1:80 [SYN] len=52 ttl=127 tos=0x02 srcmac=00:50:56:ab:18:80 dstmac=00:1a:8c:6c:13:c2

     

    Only to be dropped on the second..

    08:52:39 Default DROP TCP 10.100.97.2:49223 -> 10.97.0.1:80 [SYN] len=52 ttl=127 tos=0x02 srcmac=e4:8d:8c:1e:93:a8 dstmac=00:1a:8c:6c:32:44
    08:52:42 Default DROP TCP 10.100.97.2:49223 -> 10.97.0.1:80 [SYN] len=52 ttl=127 tos=0x02 srcmac=e4:8d:8c:1e:93:a8 dstmac=00:1a:8c:6c:32:44

     

    I can ping and trace to 10.97.0.1 and see that .. it's just web traffic that seems to be blocked..

     

    thanks again for your help..

  • If 10.97.0.1 is the interface IP of ETH3 ... what are you trying to reach at this address on port 80?

    Did you configure some kind of NAT or Webserver Protection (WAF) at 10.97.0.1:80?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Yep.. bang on.. 

     

    Too much time spent on making sure all the work from home is working and expecting complex problems.. when really, it's right in front of your eyes..

     

    User error - they were going to the wrong IP..

    Admin error - didn't pick up the obvious straight away.. it's an IP on the firewall.. 

     

    Still, it's not all a waste.. I've learned a lot more about the Sophos network trying to troubleshoot a non-existent problem..

     

    thanks for your assistance.. 
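As an added example (not code from this thread or from Sophos), here is a small Python script that parses the ulogd packetfilter lines posted at the top of the thread, pulls out the drops, and checks each dropped destination against the addresses configured on the UTM itself, taken from `ip addr` output like the eth3 excerpt in the second reply. That is the check that would have pointed straight at the cause here: the dropped SYNs were addressed to the firewall's own interface IP, not to a host behind it. The rule id 60001 is the one the thread's live log labels "Default DROP"; the sample log lines and interface listing below are constructed from the thread's own output.

```python
import re

# Constructed sample input, modelled on the thread: three packetfilter.log lines
# (two as grep prints them, with the path prefix, one without) and an `ip addr`
# excerpt for the UTM's eth3 interface.
SAMPLE_LOG = """\
/var/log/packetfilter.log:2020:03:26-18:48:05 109ut320 ulogd[25136]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3000000001" initf="eth1" outitf="eth3" srcip="10.100.97.2" dstip="10.97.0.19" proto="6" srcport="57760" dstport="20000" tcpflags="ACK PSH"
/var/log/packetfilter.log:2020:03:26-18:48:19 109ut320 ulogd[25136]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="10.100.97.2" dstip="10.97.0.1" proto="6" srcport="52596" dstport="80" tcpflags="SYN"
2020:03:26-18:48:29 109ut320 ulogd[25136]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="10.100.97.2" dstip="10.97.0.1" proto="6" srcport="52596" dstport="80" tcpflags="SYN"
"""

SAMPLE_IP_ADDR = """\
4: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:1a:8c:6c:32:46 brd ff:ff:ff:ff:ff:ff
    inet 10.97.0.1/29 brd 10.97.0.7 scope global eth3
       valid_lft forever preferred_lft forever
"""

DEFAULT_DROP_RULE = "60001"                 # rule id the thread's live log shows as "Default DROP"
LOG_PREFIX_RE = re.compile(r"^\S+\.log:")   # grep-style "/path/file.log:" prefix
KV_RE = re.compile(r'(\w+)="([^"]*)"')      # ulogd key="value" pairs
INET_RE = re.compile(r"^\s*inet (\d+\.\d+\.\d+\.\d+)/\d+ .*\s(\S+)$")


def parse_packetfilter_line(line):
    """Split one ulogd packetfilter line into a dict of its key="value" fields,
    plus the leading timestamp and hostname."""
    line = LOG_PREFIX_RE.sub("", line.strip())
    fields = dict(KV_RE.findall(line))
    head = line.split(" ulogd[", 1)[0].split(" ", 1)
    if len(head) == 2:
        fields["timestamp"], fields["host"] = head
    return fields


def local_interface_ips(ip_addr_output):
    """Map every IPv4 address configured on the box to its interface name."""
    local = {}
    for line in ip_addr_output.splitlines():
        m = INET_RE.match(line.rstrip())
        if m:
            local[m.group(1)] = m.group(2)
    return local


def classify_drops(log_text, ip_addr_output):
    """Return one finding per dropped packet with the most likely explanation."""
    local = local_interface_ips(ip_addr_output)
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        f = parse_packetfilter_line(raw)
        if f.get("action") != "drop":
            continue
        dst = f.get("dstip", "")
        if dst in local:
            # The case in the thread: the packet is addressed to the UTM itself,
            # not to a host behind it, so a subnet-to-subnet allow rule is not
            # what decides it. Ask what, if anything, should answer there.
            reason = (f"destination {dst} is the UTM's own {local[dst]} address; "
                      "check whether a service, NAT or WAF is meant to answer on "
                      f"port {f.get('dstport')} there")
        elif f.get("fwrule") == DEFAULT_DROP_RULE:
            reason = "no allow rule matched; hit the default drop rule"
        else:
            reason = f"dropped by rule {f.get('fwrule')}"
        findings.append({
            "timestamp": f.get("timestamp"), "srcip": f.get("srcip"),
            "dstip": dst, "dstport": f.get("dstport"), "fwrule": f.get("fwrule"),
            "interface": local.get(dst), "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for hit in classify_drops(SAMPLE_LOG, SAMPLE_IP_ADDR):
        print(f"{hit['timestamp']} {hit['srcip']} -> {hit['dstip']}:{hit['dstport']} "
              f"(rule {hit['fwrule']}): {hit['reason']}")
```

On a real box the two inputs would be `grep 60001 /var/log/packetfilter.log` and `ip addr show`; the script only needs the `inet` lines from the latter. Keying the check on the destination address rather than on the rule number is deliberate: rule 60001 says only that nothing allowed the packet, while a destination that is one of the firewall's own addresses tells you which question to ask next.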
