For two weeks now I have been using a Sophos XG as my home router. It works very well and my internet latency has been very low since I switched from my old Asus router to the Sophos XG. I'm very happy I switched to Sophos XG.
But one device cannot connect to the Internet: my Grünbeck water softener softliQ SD21. It connects to the Grünbeck cloud using the Secure MQTT protocol on port 8883.
I've tried several configurations. I tested different firewall configurations and analyzed them with the Log Viewer and the Diagnostics in the Web UI. Analysis with Wireshark didn't get me any further either. I am at a loss. Here is my configuration:
2. A linked NAT Rule (#1)
But I get this result in the log viewer:
In the Wireshark trace you can see a TLS v1.2 connection with a reply from the Grünbeck cloud, but this is not forwarded to my device. Why?
Can anyone help me?
Hi, I think you will need a rule that allows traffic from LAN to LAN. Include WiFi as well when it is bridged to LAN.
Regards,
BF
You don't need a linked NAT rule for outgoing traffic. A general purpose MASQ rule is all that you need.
Then try modifying your rule so that the service is set to any and review the log viewer to see what other ports are being used, if any. Then modify your firewall rule to incorporate any new ports.
Try setting the search filter to 8883 and open the "detail view" within the log viewer.
Possibly the SSL/TLS engine or other features block parts of the traffic.
Sophos Partner since 2003
If a post solves your question click the 'Verify Answer' link.
This is the detail of the first blocked packet when my device tries to connect:
2020-11-01 10:58:17 Firewall
messageid="01001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="1" nat_rule_id="1" policy_type="1" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="SSL Traffic over Non-SSL Ports" app_risk="1" app_technology="Network Protocol" app_category="Infrastructure" vlan_id="" ether_type="IPv4 (0x0800)" bridge_name="" bridge_display_name="" in_interface="" in_display_interface="" out_interface="" out_display_interface="" src_mac="" dst_mac="" src_ip="18.104.22.168" src_country="NLD" dst_ip="22.214.171.124" dst_country="DEU" protocol="TCP" src_port="8883" dst_port="49928" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="Invalid TCP state." appresolvedby="Signature" app_is_cloud="0"
My App Control is set to "Allow All".
If other features block it, in which log would I see that?
All I can see is the MQTT answer packet.
This is dropped because of "Invalid TCP state". It looks like the XG can't see the initial TCP handshake.
Do you have logging enabled on the MQTT rule?
Do you have more than one way to the internet?
Hi, why from LAN to LAN? My connection is from LAN to WAN, and in my Wireshark trace I can see the TLSv1.2 reply from the cloud to my WAN port. But then it ends.
Here is a packet capture from today:
What you could try is to disable the application classification and ATP for the rule in question.
To do that, log in using the CLI, go to option 4 and type:
set ips ac_atp exception fwrules X (the X is the firewall rule ID)
And then try again.
Thank you for your tip, but it does not work in my case :( Same as before....
Back to a very basic firewall rule.
Create a firewall rule at the top of your rule list:
Source LAN, network your device, destination WAN, network any, service any, and log.
Then try connecting to the cloud server and review the log viewer based on your firewall rule ID.
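Added example (my own script, not code from any of the posters or from Sophos): a small Python helper that parses the key="value" log record posted above, explains why the packet was dropped, and summarises which ports each firewall rule has seen, which is the "review the log viewer based on your firewall rule ID" step. The only real record is the one from the thread; the other three lines are constructed and abbreviated to the fields the script uses. The ephemeral-port threshold of 32768 is an assumption used to tell a reply packet from a client-initiated one.

```python
import re
from collections import Counter, defaultdict

# Sophos XG log viewer records are space-separated key="value" pairs; values may be empty.
_KV = re.compile(r'(\w+)="([^"]*)"')

# Assumption: client-side ephemeral ports start here (Linux default range).
EPHEMERAL_MIN = 32768

# The record posted in the thread (verbatim).
XG_RECORD = (
    'messageid="01001" log_type="Firewall" log_component="Invalid Traffic" '
    'log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="1" '
    'nat_rule_id="1" policy_type="1" app_name="SSL Traffic over Non-SSL Ports" '
    'src_ip="18.104.22.168" src_country="NLD" dst_ip="22.214.171.124" '
    'dst_country="DEU" protocol="TCP" src_port="8883" dst_port="49928" '
    'hb_status="No Heartbeat" message="Invalid TCP state." '
    'appresolvedby="Signature" app_is_cloud="0"'
)

# Constructed sample lines (not from the thread): what the same rule would log if the
# outbound MQTT connection, a DNS lookup and a plain rule deny were seen.
SAMPLE_LINES = [
    XG_RECORD,
    'log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id="1" '
    'src_ip="192.168.1.50" dst_ip="18.104.22.168" protocol="TCP" '
    'src_port="49928" dst_port="8883" message=""',
    'log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id="1" '
    'src_ip="192.168.1.50" dst_ip="192.168.1.1" protocol="UDP" '
    'src_port="40012" dst_port="53" message=""',
    'log_type="Firewall" log_subtype="Denied" status="Deny" fw_rule_id="1" '
    'src_ip="192.168.1.50" dst_ip="18.104.22.168" protocol="TCP" '
    'src_port="49930" dst_port="443" message="Firewall rule denied."',
]


def parse_xg_log(line):
    """Turn one XG log record into a dict of its key="value" fields."""
    return dict(_KV.findall(line))


def explain_drop(rec):
    """Return a one-line reason for a denied record, or None if it was allowed."""
    if rec.get("status") != "Deny":
        return None
    msg = rec.get("message", "")
    if msg.startswith("Invalid TCP state"):
        src_port = int(rec.get("src_port") or 0)
        dst_port = int(rec.get("dst_port") or 0)
        # Low source port and ephemeral destination port: this is the server's reply,
        # so the firewall has no session for it (it never saw the client's SYN).
        if src_port < EPHEMERAL_MIN <= dst_port:
            return ("reply from %s:%d to %s:%d without a tracked session; "
                    "the firewall did not see the outbound SYN"
                    % (rec["src_ip"], src_port, rec["dst_ip"], dst_port))
        return "TCP packet out of sequence for its tracked session"
    return "denied: " + msg


def ports_per_rule(lines):
    """Count Allow/Deny per (fw_rule_id, protocol, dst_port) to spot extra ports in use."""
    summary = defaultdict(Counter)
    for line in lines:
        rec = parse_xg_log(line)
        if rec.get("log_type") != "Firewall":
            continue
        key = (rec.get("fw_rule_id"), rec.get("protocol"), rec.get("dst_port"))
        summary[key][rec.get("status")] += 1
    return summary


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_xg_log(line)
        print(rec.get("src_ip"), "->", rec.get("dst_ip"), rec.get("dst_port"),
              explain_drop(rec) or "allowed")
    for (rule, proto, port), counts in sorted(ports_per_rule(SAMPLE_LINES).items()):
        print("rule %s %s/%s allow=%d deny=%d"
              % (rule, proto, port, counts["Allow"], counts["Deny"]))
```

Run it against an export of the log viewer filtered on your rule ID; if the only 8883 traffic you see is denied replies and never an allowed outbound SYN, the problem is in front of the rule (the session was never created), which matches the "Invalid TCP state" reading above.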