
Dropped packets

Hi,

 

We have a DNAT rule that allows us to access our server with RDP from the internet on a different port number. The rule is working correctly, but in the logs we can see lots of dropped UDP connections from the IP address and port number from which we try to access the server with RDP.

What are these UDP packets? Why should we see incoming UDP packets at all?



  • Aresh, alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post one line corresponding to those above.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

     

    Thanks for the reply,

    I already checked the Firewall log and I have to say I cannot find any extra information. This is the firewall log line that corresponds to the live log:

    Also, I cannot see that the dropped packets are UDP. Or am I looking in the wrong logs?

    2017:02:07-14:39:03 securitysrv1-1 ulogd[11961]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="54:e0:XX:XX:76:9a" dstmac="00:1a:XX:f0:XX:a0" srcip="132.XX.XX.2" dstip="62.XX.XX.184" proto="17" length="1260" tos="0x00" prec="0x00" ttl="119" srcport="51822" dstport="4012"

     

    Thanks

  • I will guess that your DNAT violates #4 in Rulz.

    Cheers - Bob

     
  • The WAN interface has 6 public IP addresses. This is my DNAT rule; in my opinion this is not in violation of Rule #4. Please correct me if I'm wrong.

     

  • If the 'Going to' is "External (WAN) (Network)" instead of "(Address)," that could be the problem.  If that is correct, then show a picture of the edit of the "RDP_????" Service.

    Cheers - Bob

     
  • Look into the RDP specification. It uses TCP and UDP on 3389 if the server and client support it.

    https://blog.workinghardinit.work/tag/rdp-8-1/

  • Hi Thomas,

     

    Thank you for the nice article, it was really good information, because we are going to migrate our RD Gateway to Server 2012 R2.

    But our issue is dropped UDP packets when accessing a Server 2012 directly (on a different port number); we don't use RD Gateway to access the server.

     

    Thanks

  • It doesn't go to the External (WAN) (Network) but to the IP address.

     

    Also, as you can see, the service does not use any UDP. It looks like this UDP drop happens only when we access the Server 2012! When we access the Server 2008 I cannot see any dropped UDP from my IP address.

     

  • That was the other possibility as UThomas suggested.  Make a new Service with TCP/UDP and you'll be golden.

    Cheers - Bob

     
  • I will do that and let you know the result.

  • HI,

    I did create a new service object for the port number, but when I try to use it in my NAT rule I get this error:

    Does this mean that I should also create a custom service object for "Add The service TO"?

     

    Any idea?

  • Both the source Service and the change-to Service must be TCP/UDP.

    Cheers - Bob

     
  • Hi,

    Sorry for the delay, finally I got the chance to run a test.

    I created 2 service definitions for a port forwarding to a Server 2012 R2 in our network; both service definitions have TCP/UDP.

    Now when accessing the server with RDP we see some changes in the firewall logs, but it looks like the internal server is still dropping the UDP packets. I disabled the local Windows Firewall but still the same issue. It looks like Remote Desktop on the server doesn't use UDP.

    Any suggestion?

     

  • Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post one line corresponding to those UDP blocks above.

    Cheers - Bob

     
  • Sorry for that,

    this is the full FW log:

     

    2017:03:28-13:36:33 securitysrv1-2 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="62.XX.XX.184" proto="6" length="52" tos="0x00" prec="0x00" ttl="119" srcport="54085" dstport="4002" tcpflags="SYN"
    2017:03:28-13:36:33 securitysrv1-2 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="62.XX.XX.184" proto="17" length="1260" tos="0x00" prec="0x00" ttl="119" srcport="61972" dstport="4002"
    2017:03:28-13:36:33 securitysrv1-2 ulogd[18968]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="10.0.10.205" proto="17" length="1260" tos="0x00" prec="0x00" ttl="118" srcport="61972" dstport="3389"
    2017:03:28-13:36:34 securitysrv1-2 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="62.XX.XX.184" proto="17" length="1260" tos="0x00" prec="0x00" ttl="119" srcport="61973" dstport="4002"
    2017:03:28-13:36:34 securitysrv1-2 ulogd[18968]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="10.0.10.205" proto="17" length="1260" tos="0x00" prec="0x00" ttl="118" srcport="61973" dstport="3389"
    2017:03:28-13:36:34 securitysrv1-2 ulogd[18968]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="116.232.154.173" dstip="62.221.199.196" proto="6" length="44" tos="0x00" prec="0x00" ttl="49" srcport="24828" dstport="23" tcpflags="SYN"
    2017:03:28-13:36:35 securitysrv1-2 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="62.XX.XX.184" proto="17" length="1260" tos="0x00" prec="0x00" ttl="119" srcport="61972" dstport="4002"
    2017:03:28-13:36:35 securitysrv1-2 ulogd[18968]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="10.0.10.205" proto="17" length="1260" tos="0x00" prec="0x00" ttl="118" srcport="61972" dstport="3389"
    2017:03:28-13:36:36 securitysrv1-2 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="62.XX.XX.184" proto="17" length="1260" tos="0x00" prec="0x00" ttl="119" srcport="61973" dstport="4002"
    2017:03:28-13:36:36 securitysrv1-2 ulogd[18968]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="10.0.10.205" proto="17" length="1260" tos="0x00" prec="0x00" ttl="118" srcport="61973" dstport="3389"
    2017:03:28-13:36:38 securitysrv1-2 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="62.XX.XX.184" proto="17" length="1260" tos="0x00" prec="0x00" ttl="119" srcport="61972" dstport="4002"
    2017:03:28-13:36:38 securitysrv1-2 ulogd[18968]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="10.0.10.205" proto="17" length="1260" tos="0x00" prec="0x00" ttl="118" srcport="61972" dstport="3389"
    2017:03:28-13:36:39 securitysrv1-2 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="62.XX.XX.184" proto="17" length="1260" tos="0x00" prec="0x00" ttl="119" srcport="61973" dstport="4002"
    2017:03:28-13:36:39 securitysrv1-2 ulogd[18968]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="10.0.10.205" proto="17" length="1260" tos="0x00" prec="0x00" ttl="118" srcport="61973" dstport="3389"

  • None of those lines correspond to the ones in your first post above.  Please show one of the lines from 14:39:00.

    Cheers - Bob

     
  • In my opinion there is something wrong with the NAT rule. The first two entries look like a correct connection (first tcp, then udp) but these packets are not NATed. The hits on the firewall should point to the internal IP of the server, not the external of the UTM. Those packets that contain the internal IP contain a wrong port.

    Anyway, I'm no friend of such RDP 'solutions' via NATing a bunch of ports to the internal LAN.

    Over RD Gateway it only needs one port open and a certificate, over VPN is the preferable way to connect to internal resources - in my opinion...

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • Hi,

    I think you are mistaken and looking at the wrong screenshot. The screenshot at the top of the page is from my first post and is old; it is from the time when I had not yet opened the UDP port.

    If you go to page one, at the end of the page you will see my last screenshot, and its time corresponds exactly with the last FW logs.

     

    Thanks

  • Hi Kevin,

    Thanks for the reply,

    I am 100% with you regarding the RD Gateway; we already have RD Gateway in place and our new customers are using it. But the older users still want to use RDP with the port number, don't ask why.

    If you look at my first screenshot, when the UDP port was still closed, you can see that the UDP packets were dropped; why UDP, I have no idea. We see this behavior only with our Server 2012 R2 servers.

    So I set up a test machine, created a new service definition with TCP/UDP and port 4002, then created one more new service definition that also uses TCP/UDP for port 3389, and then created the DNAT rule. Up to here everything is as Sophos suggested.

    Why we see in the log that the external IP tries to access the internal server directly is really strange, and I would also like to know why.

     

    Thanks

  • Ah, I see now, thanks, Aresh.  My guess is that the Host object "-----server" in 'Change the destination to' is not defined correctly. Take a look at #3 in Rulz.  The clue is fwrule="60002" in the log line.

    Cheers - Bob

     
  • No, that is the way it should appear in the Firewall Log. There you should see a connection FROM the external IP using port 4002 TCP/UDP with DESTINATION internal IP. I couldn't quote correctly yesterday as I was writing on my iPad, and that doesn't seem to like selecting the logs here.

    2017:03:28-13:36:33 securitysrv1-2 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="62.XX.XX.184" proto="6" length="52" tos="0x00" prec="0x00" ttl="119" srcport="54085" dstport="4002" tcpflags="SYN"

    2017:03:28-13:36:33 securitysrv1-2 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="62.XX.XX.184" proto="17" length="1260" tos="0x00" prec="0x00" ttl="119" srcport="61972" dstport="4002"
    These 2 log entries show the connection to an external IP address using the port you mentioned. First protocol 6 (TCP) on port 4002 is used, then protocol 17 (UDP) on port 4002 is used. This is nearly what you want, except the NAT rule is not working correctly. If you configure it right, the internal IP should be the dstip. This is because NAT happens before the packet runs through the packet filter (see Rule #2 in the link Bob has posted).
     
    Here is an example of a correctly configured DNAT rule from my testlab:
     
    HTTPS packets that arrive on the external address entry of my WAN interface (I don't have multiple public IPs here) should be translated to "TESTNETZ-DC". The host definition of this object points to the internal IP address. The corresponding firewall rule would look like this:
    As you can see, on the firewall side there is no rule for "VDSL (Address)", only for the translated address.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner
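
The NAT-before-filter ordering Kevin describes can be checked against the posted log lines instead of by eye. The following Python script is an added example (mine, not from this thread, from Sophos, or from any UTM tool): it parses the ulogd packetfilter lines, keeps the last pre-NAT entry of each flow (destination = the public address and forwarded port), and pairs every later drop that carries the same srcip/srcport/proto with it, so you get both views of the same packet side by side. Applied to the lines posted above it shows the UDP packet to 62.XX.XX.184:4002 (logged by rule 62005, ttl 119) reappearing one TTL lower with destination 10.0.10.205:3389, dropped by rule 60002 with outitf="eth0". The script does not interpret what the 6000x rule numbers mean; the only assumption is that the translated destination should be the internal host. The sample log is constructed to mirror the posted lines and includes one unrelated scanner drop to show it is ignored.

```python
import re
from collections import Counter

# Constructed sample, modelled on the ulogd "packetfilter" lines quoted in this
# thread (not taken from a real system). Public side 62.XX.XX.184:4002, DNAT
# target 10.0.10.205:3389; 198.51.100.7 is an unrelated scanner hitting port 23.
SAMPLE_LOG = """
2017:03:28-13:36:33 securitysrv1-2 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcip="217.XX.XX.30" dstip="62.XX.XX.184" proto="6" length="52" ttl="119" srcport="54085" dstport="4002" tcpflags="SYN"
2017:03:28-13:36:33 securitysrv1-2 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcip="217.XX.XX.30" dstip="62.XX.XX.184" proto="17" length="1260" ttl="119" srcport="61972" dstport="4002"
2017:03:28-13:36:33 securitysrv1-2 ulogd[18968]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth0" srcip="217.XX.XX.30" dstip="10.0.10.205" proto="17" length="1260" ttl="118" srcport="61972" dstport="3389"
2017:03:28-13:36:34 securitysrv1-2 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcip="217.XX.XX.30" dstip="62.XX.XX.184" proto="17" length="1260" ttl="119" srcport="61973" dstport="4002"
2017:03:28-13:36:34 securitysrv1-2 ulogd[18968]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth0" srcip="217.XX.XX.30" dstip="10.0.10.205" proto="17" length="1260" ttl="118" srcport="61973" dstport="3389"
2017:03:28-13:36:34 securitysrv1-2 ulogd[18968]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="198.51.100.7" dstip="62.XX.XX.184" proto="6" length="44" ttl="49" srcport="24828" dstport="23" tcpflags="SYN"
2017:03:28-13:36:35 securitysrv1-2 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcip="217.XX.XX.30" dstip="62.XX.XX.184" proto="17" length="1260" ttl="119" srcport="61972" dstport="4002"
2017:03:28-13:36:35 securitysrv1-2 ulogd[18968]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth0" srcip="217.XX.XX.30" dstip="10.0.10.205" proto="17" length="1260" ttl="118" srcport="61972" dstport="3389"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}


def parse_ulogd(text):
    """Parse ulogd packetfilter lines into dicts of their key="value" fields."""
    entries = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if 'sub="packetfilter"' not in line:
            continue
        entry = dict(KV_RE.findall(line))
        entry["ts"] = line.split(" ", 1)[0]  # leading timestamp token
        entry["proto_name"] = PROTO_NAMES.get(entry.get("proto"), entry.get("proto"))
        entries.append(entry)
    return entries


def correlate_dnat(entries, public_ip, public_port):
    """Pair each drop with the most recent pre-NAT entry of the same flow.

    The pre-NAT entry is the packet as it arrived (dst = public_ip:public_port).
    A later entry with the same (srcip, srcport, proto) but another destination
    is the same packet after the DNAT rewrote it; a drop there means the
    translated flow was refused by the packet filter, not by the NAT.
    """
    pre_nat = {}
    dropped = []
    for e in entries:
        key = (e["srcip"], e["srcport"], e["proto_name"])
        if e.get("dstip") == public_ip and e.get("dstport") == public_port:
            pre_nat[key] = e
        elif e.get("action") == "drop" and key in pre_nat:
            before = pre_nat[key]
            dropped.append({
                "ts": e["ts"],
                "src": "%s:%s/%s" % key,
                "before_nat": "%s:%s" % (before["dstip"], before["dstport"]),
                "after_nat": "%s:%s" % (e["dstip"], e["dstport"]),
                "ttl_before": before.get("ttl"),
                "ttl_after": e.get("ttl"),
                "fwrule": e.get("fwrule"),
                "initf": e.get("initf"),
                "outitf": e.get("outitf"),
            })
    refused = {d["src"] for d in dropped}
    # Flows seen pre-NAT with no later drop: translated and passed (an allow
    # rule without logging leaves no trace), like the TCP SYN in the sample.
    passed = [k for k in pre_nat if "%s:%s/%s" % k not in refused]
    return dropped, passed


def summarize(dropped):
    """Count drops per (protocol, translated destination, drop rule, out interface)."""
    return Counter(
        (d["src"].rsplit("/", 1)[1], d["after_nat"], d["fwrule"], d["outitf"])
        for d in dropped
    )


if __name__ == "__main__":
    entries = parse_ulogd(SAMPLE_LOG)
    dropped, passed = correlate_dnat(entries, "62.XX.XX.184", "4002")
    for d in dropped:
        print("%(ts)s %(src)s -> %(before_nat)s translated to %(after_nat)s "
              "(ttl %(ttl_before)s->%(ttl_after)s) DROPPED by fwrule %(fwrule)s "
              "in=%(initf)s out=%(outitf)s" % d)
    for key, n in summarize(dropped).items():
        print("%d x %s to %s dropped by rule %s via %s" % ((n,) + key))
    print("flows seen pre-NAT with no later drop:", passed)
```

Two things in the paired output are worth checking on a real UTM: the TCP flow appears only pre-NAT (so it was translated and passed), while every UDP datagram is translated to the internal host and then refused, which points at the service/packet-filter side rather than the DNAT itself; and outitf="eth0" on a packet destined for 10.0.10.205 means the UTM chose the interface the packet came in on (the WAN, if initf="eth0" is the WAN) as its outgoing interface, which is the routing/host-definition question Bob raises with Rulz #3.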

  • Hi Guys,

    Thank you for your explanation, I really appreciate it.

    Just to be sure that I didn't misconfigure my NAT rule, please check my config. The only thing that has been changed is the internal IP of the server; it is now 241.