
No connection via Secure MQTT to Gruenbeck Cloud on Port 8883

Hello,

For two weeks now I have been using a Sophos XG as my home router. It works very well, and my internet latency is very low since I switched from my old Asus router to the Sophos XG. I'm very happy I switched to Sophos XG.

But one device cannot connect to the internet: my Gruenbeck water softener softliQ SD21. It connects to the Grünbeck cloud with the Secure MQTT protocol on port 8883.

I've tried some configurations. I tested different firewall configurations, analyzed them with the Log Viewer and the Diagnostic in the Web UI. The analysis with Wireshark didn't get me any further either. I am at a loss.
Here is my configuration:

  1. Using Sophos XG Home Edition V18 MR3
  2. A firewall rule (#1) only for this device.
  3. A linked NAT rule (#1)

But I get this result in the log viewer:

In the Wireshark trace you can see a TLS v1.2 connection with a reply from the Gruenbeck cloud, but this is not forwarded to my device. Why?

Can anyone help me?

Thanks!



  • What you could try is to disable the Application classification and ATP for the rule in question.

    To do that, log in to the CLI, go to option 4 and type:

    set ips ac_atp exception fwrules X (the X is the firewall rule ID)

    support.sophos.com/.../KB-000038900

    And then try again. 

    //Rickard

  • Thank you for your tip, but it does not work in my case :(
    Same as before....

  • Back to a very basic firewall rule.

    Create a firewall rule at the top of your rule list:

    Source LAN, network your device, destination WAN, network any, service any, and log.

    Then try connecting to the cloud server and review the Log Viewer based on your firewall rule ID.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Here is my rule:

    I've set this:
    set ips ac_atp exception fwrules 1

    And deleted all linked NAT rules.....

    And this is the result:

    Log type | Time | Log comp | Log subtype | Rule ID | NAT rule ID | In iface | Out iface | Src IP | Dst IP | Src port | Dst port | Proto | Rule type | Msg ID | Message
    Firewall | 2020-11-05 17:37:43 | Firewall Rule | Allowed | 1 | 2 | PortB | PortA_ppp | 192.168.1.20 | 13.95.15.251 | 54460 | 8883 | TCP | 1 | 00001 |
    Firewall | 2020-11-05 17:37:23 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:37:23 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:37:22 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:37:22 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:37:21 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:37:21 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:37:21 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:37:21 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:37:21 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:37:20 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:37:20 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:37:20 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:37:20 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:37:20 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:37:20 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:37:20 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:37:19 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:37:19 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:37:14 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:37:14 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:37:12 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:37:12 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:37:10 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:37:10 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:37:10 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:37:10 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:37:10 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:37:09 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:37:09 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:37:09 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 54460 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:37:03 | Firewall Rule | Allowed | 1 | 2 | PortB | PortA_ppp | 192.168.1.20 | 13.95.15.251 | 61093 | 8883 | TCP | 1 | 00001 |
    Firewall | 2020-11-05 17:36:42 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:36:42 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:36:41 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:36:41 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:36:40 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:36:40 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:36:39 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:36:39 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:36:39 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:36:39 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:36:38 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:36:38 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:36:38 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:36:38 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:36:38 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:36:38 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:36:37 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:36:37 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:36:32 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:36:32 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:36:30 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:36:30 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:36:29 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:36:29 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:36:28 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:36:28 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:36:28 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:36:28 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 1 | 01001 | Invalid TCP state.
    Firewall | 2020-11-05 17:36:28 | Invalid Traffic | Denied | N/A | 0 | PortA_ppp | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 0 | 01001 | Invalid packet.
    Firewall | 2020-11-05 17:36:27 | Invalid Traffic | Denied | 1 | 2 | | | 13.95.15.251 | 87.156.245.30 | 8883 | 61093 | TCP | 1 | 01001 | Invalid TCP state.
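The Log Viewer entries above are easier to reason about once they are paired up per session. The Python script below is an added example, not Sophos code: it parses the flattened one-field-per-line form of the export, groups entries by server IP, server port and client port, and reports every session whose outbound SYN from the LAN was allowed while the broker's replies, addressed to the WAN address, were dropped as "Invalid packet" / "Invalid TCP state". The sample records are constructed from the values quoted in the post, and the column order is an assumption based on that export.

```python
"""Pair Sophos XG Log Viewer firewall entries so the failure pattern stands
out: the LAN-side SYN is allowed, every broker reply is dropped as invalid.

Added example, not Sophos code.  SAMPLE_EXPORT is constructed from values
quoted in the thread, one field per line as the Log Viewer export lays
them out; that column order is an assumption.
"""
import re
from dataclasses import dataclass

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")

# Three records from the thread (constructed sample); '|' stands for a newline.
SAMPLE_EXPORT = "\n".join((
    "Firewall|2020-11-05 17:37:43|Firewall Rule|Allowed|1|2|PortB|PortA_ppp|"
    "192.168.1.20|13.95.15.251|54460|8883|TCP|1|00001|Open PCAP|"
    "Firewall|2020-11-05 17:37:23|Invalid Traffic|Denied|N/A|0|PortA_ppp|"
    "13.95.15.251|87.156.245.30|8883|54460|TCP|0|01001|Open PCAP|Invalid packet.|"
    "Firewall|2020-11-05 17:37:23|Invalid Traffic|Denied|1|2|"
    "13.95.15.251|87.156.245.30|8883|54460|TCP|1|01001|Open PCAP|Invalid TCP state."
).split("|"))


@dataclass
class Record:
    time: str
    component: str      # "Firewall Rule" or "Invalid Traffic"
    status: str         # "Allowed" or "Denied"
    rule_id: str
    nat_rule_id: str
    interfaces: list    # in/out interface names; the export omits empty ones
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    message: str        # reason text on denied entries, "" otherwise


def split_records(text):
    """Yield each record's lines.  A record starts with the log type line
    "Firewall" immediately followed by a timestamp line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    starts = [i for i in range(len(lines) - 1)
              if lines[i] == "Firewall" and TIMESTAMP.match(lines[i + 1])]
    for n, start in enumerate(starts):
        end = starts[n + 1] if n + 1 < len(starts) else len(lines)
        yield lines[start:end]


def parse_record(tokens):
    _, time, component, status, rule_id, nat_rule_id, *rest = tokens
    # Interface columns are dropped when empty, so locate the first IPv4
    # token; everything before it is an interface name.
    first_ip = next(i for i, t in enumerate(rest) if IPV4.match(t))
    src_ip, dst_ip, src_port, dst_port, proto = rest[first_ip:first_ip + 5]
    # Then: rule type, message ID, the "Open PCAP" link text, optional reason.
    tail = rest[first_ip + 5:]
    message = " ".join(t for t in tail[2:] if t != "Open PCAP")
    return Record(time, component, status, rule_id, nat_rule_id, rest[:first_ip],
                  src_ip, dst_ip, int(src_port), int(dst_port), proto, message)


def _new_session():
    return {"client": None, "allowed_at": None, "denied_replies": 0,
            "reply_dst": set(), "reasons": set()}


def correlate(text):
    """Group entries by (server IP, server port, client port).  The client's
    source port survives SNAT here, so it links the LAN-side Allowed entry
    to the WAN-side replies that were denied."""
    sessions = {}
    for rec in map(parse_record, split_records(text)):
        if rec.status == "Allowed":
            s = sessions.setdefault((rec.dst_ip, rec.dst_port, rec.src_port), _new_session())
            s["client"], s["allowed_at"] = rec.src_ip, rec.time
        else:
            s = sessions.setdefault((rec.src_ip, rec.src_port, rec.dst_port), _new_session())
            s["denied_replies"] += 1
            s["reply_dst"].add(rec.dst_ip)
            s["reasons"].add(rec.message)
    return sessions


def findings(text):
    """One line per session whose replies were dropped: the broker answered
    the firewall's WAN address, and nothing carried the reply back inside."""
    out = []
    for (srv, sport, cport), s in correlate(text).items():
        if s["denied_replies"]:
            out.append(f"{s['client']}:{cport} -> {srv}:{sport}: SYN allowed at "
                       f"{s['allowed_at']}; {s['denied_replies']} replies to "
                       f"{', '.join(sorted(s['reply_dst']))} denied "
                       f"({'; '.join(sorted(s['reasons']))})")
    return out


if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_EXPORT)))
```

To run it over a real export, paste the Log Viewer rows into a file and pass the file's contents to findings(). A session that appears in the output with replies addressed to the WAN IP but no matching state is the signature to chase in the SSL/TLS inspection and NAT configuration, rather than in the firewall rule that logged the Allowed entry.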
  • Hello there,

    Can you try doing a tcpdump from the CLI of the XG (Advanced Shell) for port 8883?

    # tcpdump -eni any port 8883

    What is the MTU on your WAN port? It might be breaking this connection.

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi,

    I've tested with

    MTU  1500 and 1492

    MSS 1452/1440/1436

    All the same....

    But my Wireshark shows the following:

    1. A tcpdump of the problem device:

    2. A tcpdump of https://13.95.15.251:8883 from the web browser on my PC:

    The Client Hello is sent to my PC. Why? Why not to my Gruenbeck device?
    The firewall rule for my PC is configured using the DPI engine. But this is not possible for my Gruenbeck device; I cannot install the Sophos certificate.

  • Hello Mephilius,

    Thank you for the follow-up.

    Not sure why your computer would be answering the Hello, unless you have some routing issue, but I don't think you have two WAN addresses.

    It seems like 13.95.15.251 is asking for a certificate. In the firewall / web filter for this computer, you are not using the Web Browser and/or DPI, correct? Also try to bypass the IP from the SSL/TLS inspection rules.

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • That was the key clue. Thanks for the tip!!!

    So now I've found the cause. Unfortunately, I have no idea how to fix it. The reason is the SSL / TLS engine. If I deactivate it in the SSL / TLS settings, my connection is established.

    Unfortunately only the complete shutdown of the SSL / TLS engine helps. I've already tried just switching off the inspection:

    I have also tried different rules with my device and / or the service in question. It doesn't help.

    Anyone else have an idea how I can turn off the SSL / TLS engine for this device?
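The thread ends with the cause identified: the SSL/TLS inspection engine sits in the path of the port 8883 connection, the PC completes the handshake because the Sophos certificate is installed there, and the water softener, which cannot be given that certificate, never does. The Python script below is an added example (not Sophos or Gruenbeck code) of the check a defender can run from a PC on the same LAN to tell the two situations apart: it looks at the issuer of the certificate the endpoint presents and reports whether it is the expected public CA or an on-path inspection CA. BROKER_HOST is a placeholder, EXPECTED_ISSUERS and INSPECTION_MARKERS are assumed values, and the certificate dictionaries used for the offline check are constructed in the layout that ssl.SSLSocket.getpeercert() returns.

```python
"""Tell whether a TLS service on port 8883 is reached directly or through an
inspecting proxy that re-signs the server certificate, as the SSL/TLS
inspection engine in this thread does.  A PC that trusts the firewall's CA
completes the handshake; an IoT client that only trusts public CAs (and
cannot be given the firewall's certificate) rejects the re-signed chain.

Added example, not Sophos or Gruenbeck code.  BROKER_HOST is a placeholder,
EXPECTED_ISSUERS and INSPECTION_MARKERS are assumed values.
"""
import socket
import ssl

BROKER_HOST = "broker.example.invalid"             # placeholder, not the real cloud host
EXPECTED_ISSUERS = {"Example Public Intermediate CA"}  # assumed: issuer CNs the device accepts
INSPECTION_MARKERS = ("sophos", "firewall", "ssl ca")  # assumed: hints of an inspecting CA


def rdn_to_dict(rdn):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) tuples to a dict."""
    return {key: value for part in rdn for key, value in part}


def classify(cert):
    """Classify a peer certificate dict as returned by getpeercert().

    'unverified' : empty dict, the handshake did not validate the chain
    'self-signed': issuer equals subject
    'direct'     : issuer CN is one of EXPECTED_ISSUERS
    'inspected'  : issuer looks like an on-path inspection CA
    'unknown'    : anything else, worth a closer look
    """
    if not cert:
        return "unverified"
    issuer = rdn_to_dict(cert.get("issuer", ()))
    subject = rdn_to_dict(cert.get("subject", ()))
    if issuer and issuer == subject:
        return "self-signed"
    if issuer.get("commonName", "") in EXPECTED_ISSUERS:
        return "direct"
    blob = " ".join(issuer.values()).lower()
    if any(marker in blob for marker in INSPECTION_MARKERS):
        return "inspected"
    return "unknown"


def probe(host=BROKER_HOST, port=8883, timeout=5.0):
    """Live check with normal verification against this machine's trust
    store.  Returns (verdict, detail).  A 'chain-not-trusted' result is what
    a client without the inspecting CA installed experiences."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "chain-not-trusted", exc.verify_message
    except OSError as exc:            # covers socket errors and other ssl.SSLError
        return "connect-failed", str(exc)
    return classify(cert), rdn_to_dict(cert.get("issuer", ())).get("commonName", "")


if __name__ == "__main__":
    print(probe())
```

Run probe() once from a PC that has the firewall's CA installed and once from a host that does not: the first reports 'inspected' with the inspection CA's name, the second 'chain-not-trusted', which is exactly the asymmetry between the PC and the device in this thread. A result of 'direct' after the IP has been excluded from the SSL/TLS inspection rules confirms the bypass took effect.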
