Channel: Sophos User Bulletin Board

Multiple VPN connections to different Amazon VPC

Hi,

I would like to connect my Sophos UTM to two different Amazon VPCs which have been created with different accounts. The first VPC uses an IP address in the 192.168.x.x range. Setting up a connection to this worked perfectly using dynamic routing. However, if I set up the second connection to another VPC which is using an address in the 10.x.x.x range, the IPsec tunnel is established but no routes are exchanged. To be more specific, in the Amazon routing table I can see the propagated routes to my network, but nothing on the Sophos UTM. It seems like our appliance doesn't accept/receive the routing information from Amazon. The VPN connection to the second VPC has been created in exactly the same way as the first one, which works perfectly fine. This seems strange to me as I don't really have many options to configure on both sides.
In the status overview the Sophos UTM just shows me the message "BGP connected", while on Amazon IPsec is shown as up and the tunnel as down.
I also tried deleting everything on Amazon and setting it up again, without success. I also tried using a different ASN number for BGP (65001), without luck.

My other attempt was to set up a normal IPsec site-to-site connection with static routing. While the connection itself worked and a tunnel was established, we experienced massive packet loss. That means we were able to ping for, e.g., 10 seconds, then had a break for 30 seconds, and then ping worked again for 10 seconds. To me it looks like there's something wrong with the routing. However, I double checked to make sure there are no overlapping subnets.

Was anyone able to set up 2 or more connections to different VPCs? If so, any hints?

Any help is highly appreciated. Thanks.

Problem: Quarantine report in OWA

The quarantine report viewed in the Exchange web client (OWA) seems to be broken. The banner background image is being vertically stretched to 10000px+.

The problem seems to be caused by the following css style in premium.css:
Code:

.bdyItmPrt IMG {
  max-width: 100%;
  height: auto;
}

Changing it to the following seems to fix it, though I have no idea if it breaks other reports/pages:
Code:

.bdyItmPrt IMG {
  max-width: 100%;
  /* height: auto; */
}

The following closed topic seems to describe the same problem:
- https://www.astaro.org/closed-forums...k-web-app.html

Azure Site to Site Trouble

Using a Sophos UTM 9, firmware current as of this morning. I've set up the VPN largely like I've seen here on the boards and also messed with the key times to make sure that wasn't an issue. The modem provided by AT&T is passing everything through, no filtering.

I'm somewhat at a loss here. Tried redoing the entire configuration on the VPN portion, no luck.

IP addresses on the Azure side are 10.0.0.0 and whatever gateway they require to be set up. The gateway is set up. Static configuration. PSK.

Local side is 192.168.1.X.

Attached are screenshots of configuration and the messages I see.

Am I missing something here, and thanks in advance!

2015:04:28-16:23:16 stl pluto[6578]: "S_Azure" #22: ignoring Vendor ID payload [FRAGMENTATION]
2015:04:28-16:23:16 stl pluto[6578]: "S_Azure" #22: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
2015:04:28-16:23:16 stl pluto[6578]: "S_Azure" #22: ignoring Vendor ID payload [IKE CGA version 1]
2015:04:28-16:23:16 stl pluto[6578]: "S_Azure" #22: enabling possible NAT-traversal with method 3
2015:04:28-16:23:16 stl pluto[6578]: "S_Azure" #22: NAT-Traversal: Result using RFC 3947: no NAT detected
2015:04:28-16:23:16 stl pluto[6578]: "S_Azure" #22: Peer ID is ID_IPV4_ADDR: '23.100.78.213'
2015:04:28-16:23:16 stl pluto[6578]: "S_Azure" #22: ISAKMP SA established
2015:04:28-16:23:16 stl pluto[6578]: "S_Azure" #23: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#22}
2015:04:28-16:23:16 stl pluto[6578]: "S_Azure" #22: ignoring informational payload, type INVALID_ID_INFORMATION
2015:04:28-16:23:26 stl pluto[6578]: "S_Azure" #22: ignoring informational payload, type INVALID_ID_INFORMATION
2015:04:28-16:23:46 stl pluto[6578]: "S_Azure" #22: ignoring informational payload, type INVALID_ID_INFORMATION
2015:04:28-16:23:57 stl pluto[6578]: "S_Azure" #22: cannot respond to IPsec SA request because no connection is known for 192.168.1.0/29===108.82.152.89[108.82.152.89]...23.100.78.213[23.100.78.213]===10.0.0.0/20
2015:04:28-16:23:57 stl pluto[6578]: "S_Azure" #22: sending encrypted notification INVALID_ID_INFORMATION to 23.100.78.213:500
2015:04:28-16:23:58 stl pluto[6578]: "S_Azure" #22: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00000080 (perhaps this is a duplicated packet)
2015:04:28-16:23:58 stl pluto[6578]: "S_Azure" #22: sending encrypted notification INVALID_MESSAGE_ID to 23.100.78.213:500
2015:04:28-16:23:59 stl pluto[6578]: "S_Azure" #22: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00000080 (perhaps this is a duplicated packet)
2015:04:28-16:23:59 stl pluto[6578]: "S_Azure" #22: sending encrypted notification INVALID_MESSAGE_ID to 23.100.78.213:500
2015:04:28-16:24:02 stl pluto[6578]: "S_Azure" #22: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00000080 (perhaps this is a duplicated packet)
2015:04:28-16:24:02 stl pluto[6578]: "S_Azure" #22: sending encrypted notification INVALID_MESSAGE_ID to 23.100.78.213:500
2015:04:28-16:24:09 stl pluto[6578]: "S_Azure" #22: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00000080 (perhaps this is a duplicated packet)
2015:04:28-16:24:09 stl pluto[6578]: "S_Azure" #22: sending encrypted notification INVALID_MESSAGE_ID to 23.100.78.213:500
2015:04:28-16:24:24 stl pluto[6578]: "S_Azure" #22: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00000080 (perhaps this is a duplicated packet)
2015:04:28-16:24:24 stl pluto[6578]: "S_Azure" #22: sending encrypted notification INVALID_MESSAGE_ID to 23.100.78.213:500
2015:04:28-16:24:26 stl pluto[6578]: "S_Azure" #23: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2015:04:28-16:24:26 stl pluto[6578]: "S_Azure" #23: starting keying attempt 2 of an unlimited number
2015:04:28-16:24:26 stl pluto[6578]: "S_Azure" #24: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #23 {using isakmp#22}
2015:04:28-16:24:26 stl pluto[6578]: "S_Azure" #22: ignoring informational payload, type INVALID_ID_INFORMATION
2015:04:28-16:24:36 stl pluto[6578]: "S_Azure" #22: ignoring informational payload, type INVALID_ID_INFORMATION
2015:04:28-16:24:39 stl pluto[6578]: "S_Azure" #22: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00000080 (perhaps this is a duplicated packet)
2015:04:28-16:24:39 stl pluto[6578]: "S_Azure" #22: sending encrypted notification INVALID_MESSAGE_ID to 23.100.78.213:500
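The log above shows phase 1 (ISAKMP SA) succeeding while every phase 2 attempt ends in INVALID_ID_INFORMATION; the line "no connection is known for ... " records the traffic selectors the Azure side asked for (192.168.1.0/29 and 10.0.0.0/20), which pluto could not match to any configured connection. The following diagnostic is an added example, not code from the post or from Sophos: it parses a subset of the quoted pluto lines and compares the peer's requested subnets with the networks assumed to be configured on the UTM (the post does not show that definition, so those two values are assumptions).

```python
import re
import ipaddress

# Constructed sample: a subset of the pluto log lines quoted in the post above.
PLUTO_LOG = """\
2015:04:28-16:23:16 stl pluto[6578]: "S_Azure" #22: ISAKMP SA established
2015:04:28-16:23:16 stl pluto[6578]: "S_Azure" #23: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#22}
2015:04:28-16:23:16 stl pluto[6578]: "S_Azure" #22: ignoring informational payload, type INVALID_ID_INFORMATION
2015:04:28-16:23:26 stl pluto[6578]: "S_Azure" #22: ignoring informational payload, type INVALID_ID_INFORMATION
2015:04:28-16:23:57 stl pluto[6578]: "S_Azure" #22: cannot respond to IPsec SA request because no connection is known for 192.168.1.0/29===108.82.152.89[108.82.152.89]...23.100.78.213[23.100.78.213]===10.0.0.0/20
2015:04:28-16:23:57 stl pluto[6578]: "S_Azure" #22: sending encrypted notification INVALID_ID_INFORMATION to 23.100.78.213:500
2015:04:28-16:23:58 stl pluto[6578]: "S_Azure" #22: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00000080 (perhaps this is a duplicated packet)
2015:04:28-16:24:26 stl pluto[6578]: "S_Azure" #23: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# One pluto line: timestamp, host, pid, connection name, SA number, message.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$'
)
# The selector pair the peer asked for: local===local_gw[id]...peer_gw[id]===remote
PEER_REQ_RE = re.compile(
    r"no connection is known for (?P<local>[\d./]+)===(?P<lgw>[\d.]+)\[[^\]]*\]"
    r"\.\.\.(?P<rgw>[\d.]+)\[[^\]]*\]===(?P<remote>[\d./]+)"
)


def parse_pluto(text):
    """Return one dict per well-formed pluto line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def diagnose(text, local_net, remote_net):
    """Summarise the phase 2 failure and check the peer's selectors against
    the subnets configured on the UTM (local_net/remote_net are assumptions)."""
    local_net = ipaddress.ip_network(local_net)
    remote_net = ipaddress.ip_network(remote_net)
    report = {"phase1_up": False, "invalid_id_received": 0,
              "invalid_id_sent": 0, "peer_selectors": None, "mismatch": []}
    for ev in parse_pluto(text):
        msg = ev["msg"]
        if msg == "ISAKMP SA established":
            report["phase1_up"] = True
        elif "ignoring informational payload, type INVALID_ID_INFORMATION" in msg:
            report["invalid_id_received"] += 1      # peer rejected our proposal
        elif "sending encrypted notification INVALID_ID_INFORMATION" in msg:
            report["invalid_id_sent"] += 1          # we rejected the peer's proposal
        m = PEER_REQ_RE.search(msg)
        if m:
            peer_local = ipaddress.ip_network(m["local"])
            peer_remote = ipaddress.ip_network(m["remote"])
            report["peer_selectors"] = (str(peer_local), str(peer_remote))
            # Phase 2 selectors must match the connection definition exactly.
            if peer_local != local_net:
                report["mismatch"].append(f"local {peer_local} != configured {local_net}")
            if peer_remote != remote_net:
                report["mismatch"].append(f"remote {peer_remote} != configured {remote_net}")
    return report


if __name__ == "__main__":
    for key, value in diagnose(PLUTO_LOG, "192.168.1.0/24", "10.0.0.0/20").items():
        print(f"{key}: {value}")
```

Both ends rejecting each other's selectors (INVALID_ID_INFORMATION received and sent) is the signature of a subnet definition that differs between the two gateways, which the "mismatch" list makes explicit.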

How to prioritize traffic with QoS?

Hello,

some days ago I put many files in my Dropbox and OneDrive folders and, because it was a lot of data, it took hours to sync, and during that time it massively slowed down all other traffic like web surfing or gaming. So shortly after the upload began, everyone at home was asking "why is the internet so slow" and "my game doesn't work" :(

Before I came to Astaro/Sophos I used pfSense as a firewall. With pfSense it was very easy to set up bandwidth management and prioritize traffic in minutes with the built-in traffic shaper. Now I have been using Astaro/Sophos for some years and still haven't really understood the QoS mechanism. And I really tried several times. ;) Most of all I don't understand the reason why I have to set up the rules only on the "upload" direction of the interface. If I set up priorities, it shouldn't matter if they're on the upload or download side.

Like QoS implementations on other devices, I understand that, for example, if I have two VoIP telephones with approx. 100kb/s traffic each, I can reserve 200kb/s for VoIP services. That's easy. That's quality of service. But this isn't prioritizing traffic or traffic shaping. At least not how it was done with pfSense.

What I want to achieve is that Dropbox can use the whole bandwidth if there is no other traffic. But when there is other traffic, Dropbox traffic gets limited and slowed down, and all other traffic is prioritized over Dropbox.

I think of prioritizing my bandwidth in the following order:

Prioritized OVER everything else:
1. SYN/ACK packets, so that uploads don't affect downloads (I think this is done via 'upload optimizer')
2. VoIP traffic
3. Websurfing (with WebFiltering Proxy)
4. VPN traffic
...

5-7 unspecified traffic

Prioritized UNDER everything else:
...
8. Dropbox and OneDrive traffic
9. BitTorrent Traffic

But first I want to start only with limiting Dropbox and OneDrive.
I activated QoS a few months ago for the External (WAN) interface and checked all checkboxes (Limit uplink, Download Equalizer, Upload Optimizer). I've got a DSL 6000 line from the German Telekom with 6MBit downstream and 512KBit upstream. My modem shows me a sync speed of 6656 kBit/s downstream and 640 kBit/s downstream. That's why I put "6" in the "Downlink mbit/sec" field and "0.5" in the "Uplink mbit/sec" field.

Now I've created a traffic selector with Dropbox and Windows Live in it and added this selector to a Bandwidth Pool "Cloudstorage" with a bandwidth of 10 kbit/s. But this didn't help. Only when I specified an upper bandwidth limit of 450 kbit/s did it help, and other services became usable again.
But now Dropbox traffic will be limited to 450 kbit/s even if there is no other traffic.
I don't want to throttle anything. If the bandwidth is free, everyone and every service should be able to use all of it.

Could someone help me with this problem?

Thanks in advance,

Dino

RDP blocked

Hi everyone,

RDP worked fine the whole time. Today we opened up OWA, and since then we can no longer establish RDP connections when we are on the VPN network; that worked without problems before.

The Microsoft Remote Desktop Services are set up on the firewall as follows:
ANY - WAN
and underneath are all the services.


Do you have any idea where our mistake is, or how we can get RDP working again?

Thanks a lot!

knuessel

How to Block Non-Approved Internal IP's from Accessing the Network

I've set up a simple home network (no usernames, etc) where every approved device has a Static IP (Host) assigned to it and the device's hardware MAC address is assigned to its respective Static IP.

I'm using the UTM for DHCP, and the range of static IPs is placed outside of the range of the DHCP's assignable IPs.

What I'm trying to do is to set up a "DHCP Purgatory", such that only approved devices can have access to the network and the internet (according to web filtering and firewall rules) and any guest IPs are blocked completely until I manually give them a static IP that's tied to their MAC address. I still want these guest devices to initially have a temporary IP assigned to them, so that I can see who's trying to connect to the network.

I'm trying to prevent unauthorized people from accessing my Wi-Fi, and also to stop creative teenagers from creating their own MAC addresses to bypass blocking. I realize that there are workarounds for this by spoofing an "approved" MAC, but for now the real solution of usernames, etc., isn't feasible (grandparents that write their usernames and passwords ON their PC, etc.) :D.

Setting up an "Approved" Group of Static IP Hosts is simple enough and so is the manual Firewall rule(s). However, since I'm using Webfiltering, IPS, Country Blocking, etc, the proxies and automatic firewall rules are taking precedence over my manual rules. I suspect that I need some type of Blackhole NAT, but I'm stuck on the specifics on how to set this up.

Any suggestions on how to set this up, or a better way to accomplish what I'm trying to do would be greatly appreciated.

Thanks,

Ben
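The post's design has two zones (static addresses tied to approved MACs, and a DHCP pool where unknown devices are parked) and one known weak spot, a cloned "approved" MAC. The audit below is an added example, not the poster's setup or a Sophos feature: it classifies observed MAC/IP pairs (a constructed sample, as would be read from DHCP leases or the ARP table) against an approved table and flags the cases worth acting on, including the same MAC showing up on two addresses at once, which is what a clone typically looks like. Address ranges and MACs are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (assumptions, not from the post): approved hosts with their
# static IP, plus the two address zones used by the "DHCP purgatory" design.
APPROVED = {
    "aa:bb:cc:00:00:01": "192.168.1.10",
    "aa:bb:cc:00:00:02": "192.168.1.11",
}
STATIC_RANGE = ipaddress.ip_network("192.168.1.0/27")    # approved static hosts live here
GUEST_POOL = ipaddress.ip_network("192.168.1.128/25")    # DHCP pool for unknown devices

# Constructed observation: (mac, ip) pairs as seen in leases / ARP at one moment.
OBSERVED = [
    ("aa:bb:cc:00:00:01", "192.168.1.10"),   # approved host on its own address
    ("aa:bb:cc:00:00:02", "192.168.1.140"),  # approved MAC, but it took a guest lease
    ("de:ad:be:ef:00:01", "192.168.1.150"),  # unknown device parked in the guest pool
    ("AA:BB:CC:00:00:01", "192.168.1.151"),  # host 1's MAC again on a second IP: clone?
    ("de:ad:be:ef:00:02", "192.168.1.12"),   # unknown MAC self-assigned a static address
]


def audit(observed, approved, static_range, guest_pool):
    """Return sorted (finding, mac, ip) tuples for every pair that needs attention."""
    findings = []
    ips_by_mac = defaultdict(set)
    for mac, ip in observed:
        mac = mac.lower()                      # normalise so case differences don't hide clones
        addr = ipaddress.ip_address(ip)
        ips_by_mac[mac].add(ip)
        expected = approved.get(mac)
        if expected is None:
            # Unknown MACs are only acceptable inside the guest pool.
            if addr in static_range:
                findings.append(("UNAPPROVED_ON_STATIC", mac, ip))
            elif addr not in guest_pool:
                findings.append(("UNAPPROVED_OUTSIDE_POOL", mac, ip))
            else:
                findings.append(("GUEST_PARKED", mac, ip))
        elif ip != expected:
            findings.append(("APPROVED_WRONG_IP", mac, ip))
    # One MAC on several addresses at the same time is the usual trace of a cloned MAC.
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(("DUPLICATE_MAC", mac, ",".join(sorted(ips))))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(OBSERVED, APPROVED, STATIC_RANGE, GUEST_POOL):
        print(*finding)
```

GUEST_PARKED entries are the expected state for a new device awaiting approval; the other categories point at a misconfiguration or at a device trying to get around the scheme.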

login fail after update 9.310

Hi,

After updating the UTM from 9.212 to 9.310, it's impossible to log in to the UTM.

Admin login failed, and the other logins too!

VPN login failed!

Reboot? Switch to the reserved Astaro version (v9.212)?

Help please.

2x UTM 220

IE10 Strange behavior https blocking

Hello all...

We have a very strange behaviour in IE10 when surfing to an https website blocked by the category filter in the web proxy (URL filtering only option enabled for https).

The expected behavior would be that the block page is shown. This works just fine in all other browsers, except in IE10.

Here we get the error message "der proxyserver reagiert nicht" / "The proxy server is not responding". In some cases, if the same user visits the blocked URL again, the block page is shown as expected!

I have changed all sorts of settings in the UTM and also in IE without any change to this behavior. Sophos has also investigated the issue, and their only comment is that this is an IE10-specific error and not their responsibility. We should upgrade to IE11 or use another browser.

But this error occurs at one of our customers' sites where we are doing a proof of concept for 300+ users at the moment, so this is not really an option.

Any thoughts / ideas why this phenomenon occurs, and possible solutions, would be much appreciated...

WebAdmin and user portal TLS v1.0

I ran an external compliance scan on our network and received a notification that the ports/services that handle the WebAdmin login and user portal for our UTM 220 accept TLS v1.0, which causes the scan to fail. Is there any way I can disable v1.0? I read a couple of posts about manually updating the system for Heartbleed and TLS for SMTP, but I thought those methods might be outdated by now or not applicable to this case.

The UTM 220 is at version 9.310-11.

thanks!

Using the UTM to route internal traffic

I'm dealing with a simple network of two subnets. Site A is 192.168.1.0/24 and Site B is 192.168.2.0/24. The connection between the two networks is a metro Ethernet.

In Site A is a simple router with two interfaces: 192.168.1.253 and 192.168.2.253. The interface ..1.253 is connected into Site A's local network, and ..2.253 is plugged into the metro Ethernet.

Devices in Site A have a static route configured which says for network 192.168.2.0/24, use 192.168.1.253. There is the same rule, reversed, in Site B so all the devices there have a path back.

What I would like to do is utilize one of the unused interfaces in my UTM 120 in Site A to handle this routing, and eliminate the additional router. Because the UTM already has an interface in Site A's local network, 192.168.1.1, which is the default gateway in the Site A network, I'm thinking I need to assign 192.168.2.253 to an unused interface on the UTM, and plug the Metro E into it.

Questions: Is that the correct way to do it, and then after I have it plugged in, what do I have to do to configure it? Am I correct that since the Site A devices already have the UTM as their default gateway that they would no longer need the static route?

Thank you

How to setup Sophos

Hello,

Right now I have a Sophos UTM Home server running. Tomorrow I will be connected to a fiber network via a Vigor 2132Fvn modem. The ISP has disabled bridge mode. So, how do I set up the new modem?
I saw a 'True IP DMZ' function on it. Is this useful for setting up the UTM?

Best regards,
Roy

How To Show All Connection in Firewall Live Logs

Hi,

Is there a way to show all connections in the firewall live logs? I know I can see connections that are blocked in the live logs.

I'd like to see something like this:

192.168.0.5 to an ISP IP {port}, which protocol (TCP/UDP), port, connected

something like that.

Hope someone has an idea.

gr.

[UTM 9.308-16] SSL-Offloading: Redirect

Hello

I have installed the SSL-Offloading for the very first site. It is really a cool solution.

Everything works fine, except that the type "Encrypted (HTTPS & Redirect)" does not redirect ;-(

The site is actually a subdomain:
I expected that http://sub.mycoolsite.ch or www.sub.mycoolsite.ch would be automatically redirected to https://sub.mycoolsite.ch. Unfortunately, this does not work. I can access the site directly with https://www.sub.mycoolsite.ch and https://sub.mycoolsite.ch.

Did I misunderstand something?

I'm quite new to WAF, so I didn't choose a firewall profile for now.
I ticked the options Rewrite HTML, Rewrite Cookies and Pass Host Header on.

Many thanks!

Cheers

Martin

Multiple WAN ,Multipath rules ,weightage, multiple Site-to-Site VPN, need help !

Hello Guys,

This question may have been asked before and answered, for which I apologise at the very start, though I would like to have clarity as per my setup.

Here is the case , we have recently turned to Sophos :

1) Head office : 2 x Sophos SG 450 in HA mode active-passive
2) 4 Branch offices : 4 x Sophos SG 125 with site-to site VPN for each branch office with Head office

Requirement 1 :

We have recently added a new WAN link to HO , so we have WAN 1 and WAN 2 in place. We have a single internal LAN network with no VLANS or DMZ.
I want both WAN links in uplink balancing mode with multipath.
a) We have our set of servers in the same LAN network... traffic of which I want through WAN 1.
b) Traffic for rest of our users on the LAN should route through WAN 1
c) Failover : If WAN A goes down WAN B will route all the traffic and vice versa.

Requirement 2 :

All 4 site-to-site VPN tunnels should stay up, irrespective of the failover at HO.

I have read various posts regarding multipath and WAN link weightage, but I am a bit confused.
Clarity on the configuration for the above setup would help me a great deal :)

unable to get local issuer certificate for a lot of sites after update to 9.310

Hi,

I did the update to 9.310 last weekend and now I am facing an "unable to get local issuer certificate" error for a lot of https sites. This could be related to the update or not. I am not sure, but those sites were working a few days ago.

Some examples for non working sites:
https://www.ing-diba.de/ - Issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
https://www.amazon.de/ - Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
https://www.adobe.com/ - Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3

Some other sites like eBay are working, so maybe this is related to the issuing CA. As far as I can see those are present on the UTM.

Can anybody confirm whether there is an issue or not?
I will open a support case, too.

Thanks.

DynDNS service out of order after using a 3G connection

Hello everyone,

I have been using a Sophos UTM for private purposes for almost 2 years.
Since unfortunately I only have a private DSL connection, I can't get around a DynDNS connection to host my cloud.

That worked very well until yesterday, when I connected a Huawei E176 stick to the system.
I would like to use the stick as a failover connection, which also still worked. However, since the installation of the new interface I no longer get any update of the DynDNS account (Strato).

I have already asked Strato. They are not aware of any problems with the DynDNS service. The manual update via URL also works perfectly.

Rebooting the UTM several times and deleting the 3G failover interface do not change anything.
The status of the DynDNS connections shows "An Update is attempting in progress".

Can anyone help me?

Regards, Tobias

ddclient/dyndns failed

Firmware version: 9.310-11

I've got FreeDNS and Strato running, but Strato suddenly stopped working after last night's ISP reconnect with the following error:

2015:04:29-09:00:23 ***x ddclient[19216]: WARNING: file /var/cache/ddclient/ddclient.cache, line 3: Invalid Value for keyword 'ip' = ''
2015:04:29-09:00:25 ***x ddclient[19216]: WARNING: cannot send to dyndns.strato.com:443 (Bad file descriptor).
2015:04:29-09:00:25 ***x ddclient[19216]: FAILED: updating ***x.***: Could not connect to dyndns.strato.com.

FreeDNS is still working. Did reboot, clear cache, and recreated the Strato entry...

Any ideas? Thanks..

Download usage limitation

Hi, I have 2 questions about internet shaping.
First: I want to configure internet usage shaping for about 500 users with usernames.
Is there a way to authenticate users without requiring them to log in to the user portal? (I mean the creation of the user network after successfully logging in to the user portal.)

Second: I want to set a rule that each user has a download limit per day and per month. For example, user A can use the internet for downloading with a 10m limit each day and 200m each month. Is that possible?

Mails to *@icloud.com are delivered with a 3-day delay

Hello,

we're using the SMTP Proxy to check incoming and outgoing e-mail traffic.
Now we have the following problem:
Mails sent to recipients *@icloud.com stay up to three days in the SMTP spool before delivery.

I checked the SMTP Log:
2015:04:24-16:32:00 spam exim-out[7708]: 2015-04-24 16:32:00 1YlI1C-0004ra-7x == ***@icloud.com routing defer (-51): retry time not reached

This entry is logged each minute over several days for each e-mail.
We sent three test mails, so we got this line 3 times per minute.

Do you have any ideas why it takes so much time to send these mails?
Or where I could look for the reason for this delay?

Kind regards
Dome

PCI requirements and remote VPN users

One of the requirements for getting PCI accreditation is:

"Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity" - PCI V3 requirement 12.3.8

In effect, PCI requires that remote VPN sessions must time out after a period of inactivity: fifteen minutes, we've been told. I know that this timeout can be set at the client end for some of the VPN clients (e.g. the IPsec VPN client), but is there a type of VPN client where the timeout can be set at the UTM end, in WebAdmin? I can't see anything, but I may just have missed the blindingly obvious...

I don't think the auditors are going to be happy with a setting that can be changed by the users: if there's no solution to this issue (which is going to affect anyone who needs PCI accreditation) we'll have to look at using a different solution for our remote users.

Any help/advice that anyone can give will be much appreciated.