This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

No connection via Secure MQTT to Gruenbeck Cloud on Port 8883

Hello,

since two weeks, I use a Sophos XG as ma Home Router. It work's very good and my internet latency is very low since i switched from my old Asus Router to Sophos XG. I'm very happy to switched to Sophos XG.

But with one device I can not connect to the Internet. It's my Gruenbeck Water softener softliQ SD21. It will connect to the Grünbeck cloud with the Secure MQTT protocol on Port 8883.

I've tried some configurations. I tested different firewall configurations, analyzed them with the Log Viewer and the Diagnostic in the Web UI. The analysis with Wireshark didn't get me any further either. I am at a loss.
Here is my configuration:

Using Sophos XG Home Edition V18 MR3
A firewall rule (#1) only for this device.

2. A linked NAT Rule (#1)

But I I get this result in the log viewer:

In the Wireshark trace you can see a TLS v1.2 Connection with a reply from the Gruebeck cloud, but this will not be forwarded to my device. Why?

Can anyone help me?

Thanks!

This thread was automatically locked due to age.

Top Replies

BerndFeist over 3 years ago +1

Hi, I think you will need a rule that allows traffic from LAN to LAN. Include WiFi as well when it is bridged to LAN. Regards, BF

Parents

0 dirkkotte over 3 years ago

Try to set the search-filter to 8883 and open the "detail view" within log-viewer.

Possible the ssl/TLS-engine or other features block parts of the traffic.

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 dirkkotte over 3 years ago

Try to set the search-filter to 8883 and open the "detail view" within log-viewer.

Possible the ssl/TLS-engine or other features block parts of the traffic.

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Mephilius over 3 years ago in reply to dirkkotte

This is the detail of the first blocked package when my devie tries to connect:

2020-11-01 10:58:17Firewallmessageid="01001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="1" nat_rule_id="1" policy_type="1" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="SSL Traffic over Non-SSL Ports" app_risk="1" app_technology="Network Protocol" app_category="Infrastructure" vlan_id="" ether_type="IPv4 (0x0800)" bridge_name="" bridge_display_name="" in_interface="" in_display_interface="" out_interface="" out_display_interface="" src_mac="" dst_mac="" src_ip="13.95.15.251" src_country="NLD" dst_ip="62.226.175.96" dst_country="DEU" protocol="TCP" src_port="8883" dst_port="49928" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="Invalid TCP state." appresolvedby="Signature" app_is_cloud="0"

My App Control is set to "Allow All".

When other features blocks, in which log I would see it?
Cancel
Vote Up 0 Vote Down

Cancel
0 dirkkotte over 3 years ago in reply to Mephilius

All i can see is the MQTT answer-packet.

This is dropped because "Invalid TCP state". Looks like the XG can't see the initial TCP-handshaking.

Do you allow logging at the MQTT-Rule?

Do you have more than one way to the internet?

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Cancel

0 Mephilius over 3 years ago in reply to dirkkotte

is is a packet capture from today:

2020-11-02 18:04:54	PortA_ppp	IPv4	13.95.15.251	87.156.246.62	TCP	8883,49786	0	0	Violation	INVALID_TRAFFIC	No policy	No policy	No policy	-	0	No category	No application	No gateway	UNREPLIED	No category	No policy	-	No policy	NONE
2020-11-02 18:04:54		IPv4	13.95.15.251	87.156.246.62	TCP	8883,49786	1	1	Violation	INVALID_TRAFFIC	No policy	1	No policy	-	3092151168	No category	2974	No gateway	ASSURED	5	No policy	-	No policy	ESTABLISHED
2020-11-02 18:04:54	PortA_ppp	IPv4	13.95.15.251	87.156.246.62	TCP	8883,49786	0	0	Incoming		No policy	No policy	No policy	-	0	No category	No application	No gateway	UNREPLIED	No category	No policy	-	No policy	NONE
2020-11-02 18:04:52	PortA_ppp	IPv4	13.95.15.251	87.156.246.62	TCP	8883,49786	0	0	Violation	INVALID_TRAFFIC	No policy	No policy	No policy	-	0	No category	No application	No gateway	UNREPLIED	No category	No policy	-	No policy	NONE
2020-11-02 18:04:52		IPv4	13.95.15.251	87.156.246.62	TCP	8883,49786	1	1	Violation	INVALID_TRAFFIC	No policy	1	No policy	-	3092151168	No category	2974	No gateway	ASSURED	5	No policy	-	No policy	ESTABLISHED
2020-11-02 18:04:52	PortA_ppp	IPv4	13.95.15.251	87.156.246.62	TCP	8883,49786	0	0	Incoming		No policy	No policy	No policy	-	0	No category	No application	No gateway	UNREPLIED	No category	No policy	-	No policy	NONE
2020-11-02 18:04:52	PortA_ppp	IPv4	13.95.15.251	87.156.246.62	TCP	8883,49786	0	0	Violation	INVALID_TRAFFIC	No policy	No policy	No policy	-	0	No category	No application	No gateway	UNREPLIED	No category	No policy	-	No policy	NONE
2020-11-02 18:04:52		IPv4	13.95.15.251	87.156.246.62	TCP	8883,49786	1	1	Violation	INVALID_TRAFFIC	No policy	1	No policy	-	3092151168	No category	2974	No gateway	ASSURED	5	No policy	-	No policy	ESTABLISHED
2020-11-02 18:04:52	PortA_ppp	IPv4	13.95.15.251	87.156.246.62	TCP	8883,49786	0	0	Incoming		No policy	No policy	No policy	-	0	No category	No application	No gateway	UNREPLIED	No category	No policy	-	No policy	NONE
2020-11-02 18:04:51	PortA_ppp	IPv4	13.95.15.251	87.156.246.62	TCP	8883,49786	0	0	Violation	INVALID_TRAFFIC	No policy	No policy	No policy	-	0	No category	No application	No gateway	UNREPLIED	No category	No policy	-	No policy	NONE

2020-11-02 18:04:51			IPv4	13.95.15.251	87.156.246.62	TCP	8883,49786	1	1	Violation	INVALID_TRAFFIC	No policy	1	No policy	-	3092151168	No category	2974	No gateway	ASSURED	5	No policy	-	No policy	ESTABLISHED
2020-11-02 18:04:51	PortA_ppp		IPv4	13.95.15.251	87.156.246.62	TCP	8883,49786	0	0	Incoming		No policy	No policy	No policy	-	0	No category	No application	No gateway	UNREPLIED	No category	No policy	-	No policy	NONE
2020-11-02 18:04:51		PortA_ppp	IPv4	87.156.246.62	13.95.15.251	TCP	49786,8883	1	1	Generated		No policy	1	No policy	-	3092151168	No category	2974	0x8002	ASSURED	5	No policy	-	No policy	ESTABLISHED
2020-11-02 18:04:51	PortA_ppp		IPv4	13.95.15.251	87.156.246.62	TCP	8883,49786	0	0	Violation	INVALID_TRAFFIC	No policy	No policy	No policy	-	0	No category	No application	No gateway	UNREPLIED	No category	No policy	-	No policy	NONE
2020-11-02 18:04:51			IPv4	13.95.15.251	87.156.246.62	TCP	8883,49786	1	1	Violation	INVALID_TRAFFIC	No policy	1	No policy	-	3092151168	No category	2974	No gateway	ASSURED	5	No policy	-	No policy	ESTABLISHED
2020-11-02 18:04:51	PortA_ppp		IPv4	13.95.15.251	87.156.246.62	TCP	8883,49786	0	0	Incoming		No policy	No policy	No policy	-	0	No category	No application	No gateway	UNREPLIED	No category	No policy	-	No policy	NONE
2020-11-02 18:04:51	PortA_ppp		IPv4	13.95.15.251	87.156.246.62	TCP	8883,49786	0	0	Incoming		No policy	No policy	No policy	-	0	No category	No application	No gateway	UNREPLIED	No category	No policy	-	No policy	NONE
2020-11-02 18:04:51	PortA_ppp		IPv4	13.95.15.251	87.156.246.62	TCP	8883,49786	0	0	Incoming		No policy	No policy	No policy	-	0	No category	No application	No gateway	UNREPLIED	No category	No policy	-	No policy	NONE
2020-11-02 18:04:51		PortA_ppp	IPv4	87.156.246.62	13.95.15.251	TCP	49786,8883	1	1	Generated		No policy	1	No policy	-	3092151168	No category	2974	0x8002	ASSURED	5	No policy	-	No policy	ESTABLISHED
2020-11-02 18:04:51		PortB	IPv4	13.95.15.251	192.168.1.20	TCP	8883,49786	1	1	Generated		No policy	1	No policy	-	3092151168	No category	2974	No gateway	ASSURED	5	No policy	-	No policy	ESTABLISHED

2020-11-02 18:04:51		PortB	IPv4	13.95.15.251	192.168.1.20	TCP	8883,49786	1	1	Generated	No policy	1	No policy	-	3092151168	No category	No application	No gateway	ASSURED	No category	No policy	-	No policy	ESTABLISHED
2020-11-02 18:04:51	PortB		IPv4	192.168.1.20	13.95.15.251	TCP	49786,8883	0	0	Incoming	No policy	No policy	No policy	-	0	No category	No application	No gateway	UNREPLIED	No category	No policy	-	No policy	NONE
2020-11-02 18:04:51	PortB	PortA_ppp	IPv4	87.156.246.62	13.95.15.251	TCP	49786,8883	1	1	Forwarded	No policy	1	No policy	-	3092151168	No category	No application	0x8002	ASSURED	No category	No policy	-	No policy	ESTABLISHED
2020-11-02 18:04:51	PortB		IPv4	192.168.1.20	13.95.15.251	TCP	49786,8883	0	0	Incoming	No policy	No policy	No policy	-	0	No category	No application	No gateway	UNREPLIED	No category	No policy	-	No policy	NONE
2020-11-02 18:04:51	PortA_ppp	PortB	IPv4	13.95.15.251	192.168.1.20	TCP	8883,49786	1	1	Forwarded	No policy	1	No policy	-	3092151168	No category	No application	No gateway		No category	No policy	-	No policy	SYN_RECV
2020-11-02 18:04:51	PortA_ppp		IPv4	13.95.15.251	87.156.246.62	TCP	8883,49786	0	0	Incoming	No policy	No policy	No policy	-	0	No category	No application	No gateway	UNREPLIED	No category	No policy	-	No policy	NONE
2020-11-02 18:04:51	PortB	PortA_ppp	IPv4	87.156.246.62	13.95.15.251	TCP	49786,8883	1	1	Forwarded	No policy	1	No policy	-	3092151168	No category	No application	No gateway	UNREPLIED	No category	No policy	-	No policy	SYN_SENT
2020-11-02 18:04:51	PortB		IPv4	192.168.1.20	13.95.15.251	TCP	49786,8883	0	0	Incoming	No policy	No policy	No policy	-	0	No category	No application	No gateway	UNREPLIED	No category	No policy	-	No policy	NONE