Quantcast
Channel: Sophos User Bulletin Board
Viewing all 14361 articles
Browse latest View live

[9.105-9] POP3S and Hotmail :UIDL issue

August 21, 2013, 9:27 am
$
0
0
Hi All

It seems that I am not able to use hotmail with pop3s settings as prefetch complains as per below:

Code:
2013:08:21-17:23:49 ******** pop3proxy[11763]: Prefetch for account 9: Successfully logged in on POP3 server 65.55.32.247
2013:08:21-17:23:49 ******** pop3proxy[11763]: Server doesn't support UIDL: -ERR Exceeded the login limit for a 15 minute period. Reduce the frequency of requests to the POP3 server.
2013:08:21-17:23:49 ******** pop3proxy[11763]: Prefetch: UIDL isn't working properly, prefetching doesn't work without it. Exiting prefetch run.
2013:08:21-17:23:49 ******** pop3proxy[11763]: Failed to shutdown SSL connection
2013:08:21-17:24:44 ******** pop3proxy[10114]: SslClient timeout
The prefetch interval is set to 300 seconds and I have 3 server configured (all POP3S). Might be related to issue http://www.astaro.org/gateway-produc...ver-error.html as I ma still getting errors like:

CEnginesContainer::LoadCache() - [00001000Q0066K138E1S] Can't access file /tmp/ctasd.cache - fopen failed (2)
Unable to connect to Data Center [SingleLicense] - Can't resolve host iprep1.t.ctmail.com

Thanks
Search

ssl vpn client not getting IP

August 21, 2013, 10:52 am
$
0
0
Hi:

I have a ASG220 box and a remote server with a public IP static address. It has the Astaro SSL VPN client installed, but when sign in, light goes green afr=ter a while, but no DHCP address is taken by the Astaro VPN adapter (no 10.242.2.X, but it gets 169.254.***.YYY)
This is the only PC/server having this problem. Other PCs have dynamic IP (DHCP supplied) and Astaro SSL VPN client works perfect. I forced an static IP in one of the working PCs and VPN stll works well.
What should I check in that server? I include pics and logs
Thanks & Regards
Attachment 10556

Attachment 10557

Attachment 10558

Attachment 10559

Attached Images
File Type: jpg astaro-client.JPG (32.9 KB)
File Type: jpg astaro-box.jpg (93.2 KB)
File Type: jpg astaro-client-routes.jpg (82.5 KB)
Attached Files
File Type: txt astaro-client.txt (15.8 KB)

Live Log requires re-login

August 21, 2013, 12:27 pm
$
0
0
The Log Live works fine if I access it right after I login to Sophos but soon after, I have to re-login to Sophos in order for it to populate with data if I switch from Firewall to IPS or vice versa. It's as if there is a hard coded session timeout for the Live Log that ignores the Managemant->WebAdmin Settings->Advanced->WebAdmin idle timeout setting.

I get a blank window if I switch from Firewall to IPS or vice versa. I have to re-login and click Reload or close and reopen the Live Log in order for the Live Log to populate with data. However, it continues to populate and scroll if I leave it open for any amount of time. This issue only occurs when switching logs.

I should have reported this when it first started happening. Now I not sure when it started. I do know it started at least two updates ago. I'm now on version 9.105-9 so I'm thinking maybe it started with version 9.103-5. Maybe earlier.

UPDATE: After more testing, I've found the issue has nothing to do with a timeout. The issue can be reproduced by simply opening the Live Log, then close the Live Log window, then re-open the Live Log regardless of which log. And of course it seems to be affecting Internet Explorer, only.

To reproduce:
- Using Internet Explorer (I'm using IE9), login to Sophos.
- On the Dashboard, click on the Firewall link under Current system configuration.
- Click on the Open live log button. Wait for the Live Log window to open and populate with data and then close it.
- Wait about 10 seconds. Click on the Open live log button again. When the Live Log window opens this time, it's blank and never populates with data and the Reload button does not work. From this point on, the Live Log no longer populates with data until you re-login to Sophos.

[4.103-8]pushed to SUM

August 21, 2013, 2:41 pm
$
0
0
4.103-8 with lots of updates has been pushed to my SUM.
I have installed it, but not been able to review all the fixes.

Ian:)

[9.105-9] Quarantine reports are not sent out

August 21, 2013, 3:15 pm
$
0
0
After upgrading to version 9.105-9 the quarantine reports are not sent out anymore.

I tried to disable/enable the reports and changed the time, with no luck

I am getting notification for other events and prefetch works fine (I can confirm I have emails quarantined)

Thanks

SSH-Verbindungen über IPsec-Tunnel nach außen leiten

August 21, 2013, 3:36 pm
$
0
0
Hallo zusammen,

ich habe 2 Astaros, beide mit Version 8.310.

Astaro1 befindet sich hinter einer Fritzbox an einem DSL-Anschluss mit dynamischer IP.
Astaro2 befindet sich an einem anderen Standort mit externer statischer IP.

Astaro1, internes Interface: 192.168.1.254
Astaro1, externes Interface: 192.168.2.254

Astaro2, internes Interface: 10.10.9.254
Astaro2, externes Interface: 62.xx.xx.254

Die Astaro1 ist mit der Astaro2 per IPsec Site-to-Site-VPN verbunden.

Nun möchte ich alle ausgehenden SSH-Verbindungen aus dem Netz 192.168.1.0/24 über den IPsec-Tunnel zur Astaro2 senden, sodass der Traffic beim "Zielserver" mit der statischen IP, und nicht mit der dynamischen DSL-IP ankommt.

Dazu habe ich in der Astaro1 eine SNAT Regel konfiguriert:

Datenverkehrsquelle: Internal (Network)
Datenverkehrsdienst: SSH
Datenverkehrsziel: Any
NAT-Modus: SNAT (Quelle)
Quelle: 10.10.9.254
Automatische Firewallregel: JA

In der Astaro2 habe ich eine Maskierungs-NAT-Regel:

Netzwerk: Internal (Network)
Schnittstelle: WAN
Benutze Adresse: << Erste Adresse >>

Jedoch bekomme ich überhaupt keine SSH-Verbindung mehr nach außen, sobald ich die SNAT-Regel auf der Astaro1 aktiviere.

Kann mir jemand weiterhelfen, was ich hier falsch mache?

Vielen Dank im Voraus.

Viele Grüße
Andreas S.

WebProxy Unusable Slow

August 21, 2013, 4:41 pm
$
0
0
Since a few days I'm experiencing this problem. When turning the WebProxy off, it feels like I got the internet back. It was like running a 56K modem and having connection timeouts all the time. Now, pages open faster than an eyebeam.

In the log, this message is repeated very times, google.nl isn't the only site.

Code:
2013:08:22-01:28:39 UTM httpproxy[5462]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x10462978" function="connect_server_timeout" file="dns.c" line="748" message="Connection to google.nl using IPv6 timed out, re-trying to connect using IPv4"
I did several tests related to DNS, and I didn't find any problem with the WebProxy off. Does WebProxy use the values entered in Network Services -> DNS? If so, that would be strange, since they most likely aren't causing the problem. Remember, I'm typing this using those, WP off, and aren't expierencing any problems at all.

Note my ISP has native IPv6.

Any ideas?

PS: Any news on UTM 9.2?

Bug? Application reporting.

August 21, 2013, 8:41 pm
$
0
0
On one of our UTM devices I see this:

(Under web protection summary).

Attachment 10560

Whilst under reporting - Application control, top apps I see this:

Attachment 10561

Why does Spotify not appear? Indeed, no matter what I change in the reporting I cannot seem to find Spotify.

I suspect Spotify is being mis-categorized somewhere? (ie its not actually Spotify?)

Attached Images
File Type: png webprotection.png (5.6 KB)
File Type: png appreport.png (16.7 KB)
Search

Web Filtering not working after 9.105-9 install

August 22, 2013, 3:28 am
$
0
0
After installing 9.105-9, Transparent Web Proxy no longer works. Users get a Host Not Found message. (This is not a DNS, firewall problem... DNS is working great.) Turning off Web Filtering and the pages load VERY quickly.

Notice the Host Not Found message.

Help?

Thanks,

Bob.


Entry from the Web Filter Log:
2013:08:22-05:17:25 gateway httpproxy[6208]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.2.100" dstip="" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2480" request="0xcb40480" url="http://furryfriendpetportraits.weebly.com/" exceptions="" error="Host not found" category="140,178" reputation="neutral" categoryname="Personal Pages,Internet Services"

some websites do not load properly

August 22, 2013, 5:38 am
$
0
0
Hi,

I've got a problem, that some pages don't load properly, it doesn't matter which OS I use or which browser.

There are two Sites I know about it never works: Das führende Portal für Digital-TV, Entertainment und Heimkino - DIGITAL FERNSEHEN and Sportnachrichten - kicker online.

nslookup and traceroute seems to show no problems.

Code:
nslookup kicker.de
Server:                127.0.1.1
Address:        127.0.1.1#53

Non-authoritative answer:
Name:        kicker.de
Address: 86.109.254.101
Name:        kicker.de
Address: 86.109.254.100
Code:
traceroute kicker.de
traceroute to kicker.de (86.109.254.101), 30 hops max, 60 byte packets
 1  192.168.10.254 (192.168.10.254)  0.967 ms  0.945 ms  0.933 ms
 2  87.186.224.6 (87.186.224.6)  15.056 ms  17.678 ms  17.668 ms
 3  87.186.254.138 (87.186.254.138)  17.651 ms  17.634 ms  17.617 ms
 4  217.239.39.2 (217.239.39.2)  17.601 ms  19.015 ms  20.120 ms
 5  217.243.216.74 (217.243.216.74)  21.136 ms  22.003 ms  23.481 ms
 6  ae6.irt1.fra44.de.as13237.net (217.71.96.70)  23.675 ms  11.095 ms  11.723 ms
 7  ae2.irt2.nue22.de.as13237.net (217.71.96.74)  16.317 ms  18.911 ms  21.255 ms
 8  ODN-NUE.de.lambdanet.net (217.71.108.110)  21.256 ms  21.240 ms  21.227 ms
 9  kicker.catalyst32-g0-28.odn.net (86.109.255.242)  24.302 ms  24.883 ms  30.121 ms
When I use Opera Turbo those Sites do load.

I don't know how to help my self.

We use UTM 9 9.104-17

AP30 bleibt inaktiv

August 22, 2013, 5:40 am
$
0
0
Hello *,

habe hier einen AP30 der zwar erkannt wird, aber nur "INAKTIV" bleibt.

Das Log meldet mier hierzu:
device sends DEV2ASG_INITIALCONTACT twice, dropping.

Das Problem erscheint dann minütlich im Logfile.
Kann man den AP30 irgendwie resetten? Habe auch schon ein Flash-Update mit dem Flash-Utility ausprobiert, hat aber auch nichts gebracht.

Vielleicht ist der AP auch einfach nur defekt. Wollte es aber mal hier abklären ob es da noch irgendwelche anderen Möglichkeiten gibt?

Gruß
msp

FW: 9.104-17

Zugriff auf Verzeichnis bei FTP scheitert

August 22, 2013, 5:41 am
$
0
0
Hallo zusammen,

wir haben aktuell das Problem, das wir nicht auf den FTP-Server eines Kunden zugreifen können, bzw. nicht auf das Verzeichnis.
Die FTP-Clients (Cyberport, Filezilla (beides Mac)) loggen sich korrekt ein, können dann aber das Verzeichnis auf dem FTP-Server nicht laden.
Ich habe in der Sophos (Version 9.104-17) schon die vom Hoster angegeben Portrange im WebFiltering freigegeben, der Server hat schon eine eigene Firewallregel mit "unser netz - any - ftp-server" und steht auch schon in den Exceptions im WebFiltering.

Nun bin ich ratlos. Was kann ich noch tun, damit ich das Verzeichnis am FTP-Server geladen bekomme?

Danke schon mal.

Gruß
Alex

Certain S2S traffic through fix interface

August 22, 2013, 9:38 am
$
0
0
Hello
we got some WAN-boosters in some branch offices. The booster at our headquarters is limited in its "optimized throughput"

Therefore I'd like to make sure that only traffic coming from a network that is optimized is passed to the booster.
I'd like to do that by sending the traffic from the S2S tunnels that have a booster through one of the local interfaces, where I would then connect the booster mainunit.

All other traffic (from other VPN, the Internet etc.) should leave over another LAN interface.

How do I do that? via a policy route?

The booster is an inline-device. It will be attached between the interface and the L3-LAN switch

See attached schematic

Best regards

Attached Images
File Type: png WAN booster.png (39.7 KB)

Migration from Standard to Transparent Proxy

August 22, 2013, 9:50 am
$
0
0
Hello
we want to migrate from standard to transparent proxy.

The standard proxy is set via Group-policies, PAC or manually, so we need a transfer strategy, since it is impossible to ensure that all client try to access the web w/o a proxy set.

So at best I'd like to keep the current config and add a transparent mode for clients where the proxy-config is already removed. This way I could do a soft migration

Is this possible? How?

New user.. lots of routing questions

August 22, 2013, 10:03 am
$
0
0
Hello Everyone!

Hopefully I'm posting this in the correct subforum!

First time user of UTM 9.1. Just installed the home edition on my new purpose built firewall PC. Initially installed Untagle, but was not happy with the limited offerings of the 'Lite' package. As this is strictly for a small home network, I could not justify the yearly fee's.
When I first heard of Astaro / Sophos, I was a little intimidated as I have never setup / used a dedicated firewall before. Previously, it has always been whatever came in my consumer grade Linksys or TP-Link router.

The hardware I am running is as follows:

Gigabyte GA-C847N-D Motherboard
- 1.1GHz dual core Celeron
- dual on-board Realtek gigabit NIC
4GB DDR3 1333
250GB 2.5" laptop HD
TP Link 10/100 PCI NIC

My ISP is a dynamic cable connection, only one IP allowed. I use the term dynamic loosely as it has yet to change in the 3+ yrs I've had the service :)

Installation went smoothly with no problems. The initial setup was straight forward also. I had no internet connectivity issues once the UTM installation was finished. Unfortunately that was the end of the 'smooth sailings'.

I'm going to try an explain what I am trying to do... and the issues I have encountered as clearly as possible.

eth0 - EXT
eth1 - INT
eth2 - DMZ

I have a TP Link 24 port managed gigabit switch that currently has three VLANs enabled. Two ports for EXT, two for DMZ and the rest connected to INT.

I did spend about 4hrs going through various forum posts last night, but I figured after those 4hrs, it was time to ask for some assistance!

All devices connected to INT are able to route to the internet without any problems.
Only one device on the DMZ, and it is unable to route to the internet.
INT and DMZ do not need to speak to each other, as the DMZ device is simply a MagicJack / VOIP adapter.
I realize that a dedicated DMZ is not needed for the MJ, but since it is only a backup, I figured there is no harm in trying things out.

QUESTION: How do I setup the DMZ interface so that the connected device has unfettered access to the internet?

I am also having some internal routing issues. All my devices are Linux / BSD, and the only Windows machines are VM's that occasionally run.

Most of my connected devices obtain an IP automatically, as it does not matter what their IP is (smart phones, laptops, etc)

The TP Link switch and two TP Link wireless access points have statically assigned IP's that are set within their GUI's.

Two of my machines are servers and have statically assigned IP's. These IP's were assigned within the software settings of the OS.
These machines, as well as the TP Link devices, do not show up on the DHCP lease table (makes sense as they are not obtaining their IP from the DHCP server).

I've noticed however, that the routers DHCP service had provided one of the statically assigned IP's, thus making the server unavailable.
example: server has an internally assigned IP of 192.168.1.122, but the DHCP server assigned the same IP to one of my smart phones.

QUESTION: Is there a way to 'reserve' an IP range so that static IP's have the first 25 addresses (192.168.1.100 - 192.168.1.125) and the dynamically assigned ones would be .126 - .150?
QUESTION: If the above is not a suitable solution, would it be better to assign the static IP's within the routers DHCP service instead of within the OS?

I've also had an issue where I've selected a device on the network (XBMCbuntu) that has been given a dynamic IP by the DHCP service of 192.168.1.110, but I want it to be is 192.168.1.111. I clicked the 'make static' button and sete it to the IP I want it to be.
The device then shows up under both the static and dynamic. Same MAC under both, but two different IP's One static, one dynamic.

QUESTION: Is this going to possibly cause a conflict? Is there a way to release a dynamic assigned IP?

I also noticed last night that I was unable to route to certain devices on the network from one machine, but could do so from another. Example: My SUSE laptop (dynamic 192.168.1.109) could route to 'XBMC' (dhcp static .1.111) and 'server' (os static .1.148), but could not route to FreeNAS (os static .1.122).
If I used the laptop to SSH into either the XBMC or server boxes, I could hit the FreeNAS box from them by both SSH and by the fact the NFS shares were mounted correctly.
Rebooting the modem, then switch, then router, then each connected device one at a time, did not resolve the routing issue. I even added static routes within the router (192.168.1.122 -> internal), with no change.

QUESTION: What's going on with the routing issue? Is it related to the IP assignments I noted above?

Any and all help is greatly appreciated!
Search

WAN interface: Link state is Error

August 22, 2013, 10:08 am
$
0
0
Hello everyone
I recently deployed a new ASG120 to a branch and it says Error at Link state on the dash board.

Everything was fine at the headquarters where I set it up.

Static IPs where used on both sites.

Any ideas what might be the reason? Or where to search for it?

Best regards

PS: provider says everything is ok on their side ;) of course :D

secure email gateway

August 22, 2013, 10:14 am
$
0
0
Can I connect your secure email gateway with my business email which is connected to Google business email app?

DMZ on ASG-interface

August 22, 2013, 10:29 am
$
0
0
Hello everyone
I want to set up a DMZ on a physical interface of my UTM.

Therefore I configured a /24 IP range on that interface. The port is connected to a top-of-rack switch where the port has a port-based VLAN.

This VLAN is tagged to the trunk-interfaces so it can be deployed on ports elsewhere (e.g. in the second datacenter).
See attached graphic.

I just want to check some basics:

First of all I was able to ping the UTM-DMZ address from a client network, even though no firewall rule was defined yet to allow traffic from LAN to DMZ.
Why?

Second:
I wouldn't need a gateway or static route right? All DMZ-servers would have an address in the DMZ-interface-network and everything would work w/o any internal routing right? (So traffic for 10.1.0.x would always leave via the DMZ-interface)

All very basic stuff but today I wasn't able to ping the ASG interface from a client on the VLAN 2 on the core switch (but maybe a core-switch issue I guess :()

Best regards

Attached Images
File Type: png DMZ.png (31.1 KB)

Monitoring UTM via nagios: RED status and NIC-load

August 22, 2013, 10:33 am
$
0
0
Hello everyone,
is it possible to check the status of the REDs remotely (e.g. via SNMP)?

I'd also like to check the load on my interfaces, CPU-load etc.

Is this possible?

Best regards

4.0 to 4.1 update

August 22, 2013, 10:53 am
$
0
0
The blog post said that an Up2Date package for 4.0 to 4.1 will be released later.
This was two month ago, will it happen?
Viewing all 14361 articles
Browse latest View live
Search