I'm having an issue with one user attempting to stream content from a Plex media server. Other external clients can access this host fine and are using the same ports, etc. This is affecting multiple devices on this clients network (2x roku's and a PC) however doesn't affect this client when they are outside this one particular network. This just started happening about 2 weeks ago, before that, all was well for this user.
Everything is pointing to his network/ISP doing something (or not doing something) however I want to confirm I'm not missing anything at the UTM.
I've reviewed rule #1 and I only see firewall traffic from this host saying NAT rule #3 is being obeyed which is consistent with what I would expect as that is the NAT rule that forwards traffic to the internal Plex server.
I ran a packet capture on the Plex server, one from a known good client and one from the affected client. In the affected client's pcap I see retransmissions and not really anything else.
##.##.1.58 = Plex internal IP
##.##.80.19 = Affected client
##.##.20.32 = Working client
Image attached for failing Plex connection (not-working-client.jpg)
Image attached for working Plex connection (working-client.jpg)
Unfortunately this user is remote and not technical so reviewing logs on that side is almost not possible.
From the Plex server logs, it looks like the client never establishes the connection (nothing logged).
One odd (not really) thing is that my public IP address ends in .255 which is normally reserved for broadcast in a /24 network but my ISP is using a /20 network so its a valid address. Could this be causing issues?
What am I missing? Could the UTM be causing the retransmissions or is this squarely on the remote side?
Cheers - Bob PS Honestly, I didn't look at those externally-hosted images. Please [Edit] that post, delete your external links, click on [Go Advanced] and attach your images to the post. We can't know if that external site is properly protected. The only malware I've gotten in over 10 years was from an external link to a picture in this forum several years ago.
Sophos UTM Community Moderator Sophos Certified Architect - UTM Sophos Certified Engineer - XG Gold Solution Partner since 2005
Cheers - Bob
PS Honestly, I didn't look at those externally-hosted images. Please [Edit] that post, delete your external links, click on [Go Advanced] and attach your images to the post. We can't know if that external site is properly protected. The only malware I've gotten in over 10 years was from an external link to a picture in this forum several years ago.
Thanks Bob. I've edited the original post with the attached images.
While I agree, I also really know nothing about packet captures or the network layer so I am really hoping for another set of eyes.
From you, it died at:
173-219-253-65.suddenlink.net (173.219.253.65)
From CentralOps, it died at a spot that didn't even appear the other traceroute:
173.219.221.99 173-219-221-99.suddenlink.net
If the client's IP is inside the SuddenLink network, it would appear that SuddenLink has an issue.
Cheers - Bob
So I did a little more troubleshooting.
I put an old Linksys router in place of my UTM and access was restored to the client. Two things changed.
1) My IP address changed when I swapped out the new router.
2) No more Sophos
It appears something is going on either with how Sophos UTM is responding OR how the client, sophos or both are dealing with my IP that is ending in 255.
My ISP says the IP is dynamic and can't be "changed". I've attempted to renew the IP via Sophos and also attempted to power and unplug the cabled modem down with the hopes it pulls a new IP. No luck.
The other side is that Sophos is doing something wrong and either, I can't find the right log, its not logging it, or its a bug. I've reverted the configs back to a known working date, no change in behavior. The only thing I haven't done is rebuild an older firmware version and see if that fixes it.
I put an old Linksys router in place of my UTM and access was restored to the client. Two things changed.
1) My IP address changed when I swapped out the new router.
2) No more Sophos
It appears something is going on either with how Sophos UTM is responding OR how the client, sophos or both are dealing with my IP that is ending in 255.
My ISP says the IP is dynamic and can't be "changed". I've attempted to renew the IP via Sophos and also attempted to power and unplug the cabled modem down with the hopes it pulls a new IP. No luck.
The other side is that Sophos is doing something wrong and either, I can't find the right log, its not logging it, or its a bug. I've reverted the configs back to a known working date, no change in behavior. The only thing I haven't done is rebuild an older firmware version and see if that fixes it.
Any thoughts?
Well I used the "virtual MAC address" feature and changed my device hardware address to force a new IP. ISSUE GONE!
Apparently something on either of our ends or a router in between that couldn't deal with the .255/20 IP address and was failing to make a connection. Once the IP changed to something other than .255, everything works as expected.
Thank you for confirming that here. If you have a paid subscription, please have a ticket submitted to Support so they learn of this "unintended feature."
Cheers - Bob
Sophos UTM Community Moderator Sophos Certified Architect - UTM Sophos Certified Engineer - XG Gold Solution Partner since 2005
Quote