Situation: Problematic Behavior From The Customer's Perspective

Uploaded by

jagdishrj92

Situation:

 Problematic behavior from the customer's perspective.


 <Original input sent by customer>

Windows Server 2019 unable to establish an internet connection

 Background of the issue.


 <How long the customer has been facing the issue>

Assessment:

 Technical Severity: P2

 Relevant information about the customer's environment


 <Details about network diagram / OS details>
 <Firmware version / Software version>
 XGS136 (SFOS 21.0.0 GA-Build169) X131099JQJRMKAB
 Name of Customer: Joshua Morales
 Contact number: +1 737-328-2696
 Access id: [email protected]

Troubleshooting:

 Connected on a remote session


 Machine 192.168.7.111 is not able to access one service on port 445
 Joshua is trying to access interaeaststorageaccount.file.core.windows.net on port 445
 To check further we need access to the firewall or Sophos Central
 Once we have access to the firewall, we will check the packet capture
 We logged into the firewall
 The user belongs to LAN

Log viewer logs:


Based on the logs above:

 Firewall rule in use is 1 and NAT rule is 1


 Traffic flow: LAN to internet
 In port is Port1 and out port is Port2
 Src port 64461 and dst port 445, TCP

Firewall rule in use:

NAT rule in use :1


With permission, a test rule was created on top

PS C:\Users\jm.admin> Test-NetConnection -ComputerName interaeaststorageaccount.file.core.windows.net -Port 445

Below is the pcap taken during the test (date: Jan 10, time: 3:22 pm PST)
We have only one ISP

Tcpdump:

18:30:13.928958 Port1, OUT: Out 7c:5a:1c:b4:6f:b0 ethertype IPv4 (0x0800), length 149:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 105
18:30:13.928960 mv-pcimux0, OUT: Out 00:01:00:00:50:46 ethertype IPv4 (0x0800), length 149:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 105
18:30:13.929210 Port1, IN: In b4:96:91:a5:99:90 ethertype IPv4 (0x0800), length 96:
192.168.7.111.14907 > 24.84.237.55.32995: UDP, length 52
18:30:13.996933 Port1, OUT: Out 7c:5a:1c:b4:6f:b0 ethertype IPv4 (0x0800), length 96:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 52
18:30:13.996939 mv-pcimux0, OUT: Out 00:01:00:00:50:46 ethertype IPv4 (0x0800), length 96:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 52
18:30:13.996944 Port1, OUT: Out 7c:5a:1c:b4:6f:b0 ethertype IPv4 (0x0800), length 96:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 52
18:30:13.996945 mv-pcimux0, OUT: Out 00:01:00:00:50:46 ethertype IPv4 (0x0800), length 96:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 52
18:30:13.996949 Port1, OUT: Out 7c:5a:1c:b4:6f:b0 ethertype IPv4 (0x0800), length 96:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 52
18:30:13.996949 mv-pcimux0, OUT: Out 00:01:00:00:50:46 ethertype IPv4 (0x0800), length 96:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 52
18:30:13.996952 Port1, OUT: Out 7c:5a:1c:b4:6f:b0 ethertype IPv4 (0x0800), length 96:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 52
18:30:13.996953 mv-pcimux0, OUT: Out 00:01:00:00:50:46 ethertype IPv4 (0x0800), length 96:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 52
18:30:13.996975 mv-pcimux0, OUT: Out 00:01:00:00:50:46 ethertype IPv4 (0x0800), length 149:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 105
18:30:14.002845 Port1, OUT: Out 7c:5a:1c:b4:6f:b0 ethertype IPv4 (0x0800), length 149:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 105
18:30:14.002848 mv-pcimux0, OUT: Out 00:01:00:00:50:46 ethertype IPv4 (0x0800), length 149:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 105
18:30:14.002860 Port1, OUT: Out 7c:5a:1c:b4:6f:b0 ethertype IPv4 (0x0800), length 149:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 105
18:30:14.002861 mv-pcimux0, OUT: Out 00:01:00:00:50:46 ethertype IPv4 (0x0800), length 149:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 105
18:30:14.002897 Port1, OUT: Out 7c:5a:1c:b4:6f:b0 ethertype IPv4 (0x0800), length 149:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 105
18:30:14.002900 mv-pcimux0, OUT: Out 00:01:00:00:50:46 ethertype IPv4 (0x0800), length 149:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 105
18:30:14.002936 Port1, OUT: Out 7c:5a:1c:b4:6f:b0 ethertype IPv4 (0x0800), length 149:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 105
18:30:14.002939 mv-pcimux0, OUT: Out 00:01:00:00:50:46 ethertype IPv4 (0x0800), length 149:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 105
18:30:14.003079 Port1, IN: In b4:96:91:a5:99:90 ethertype IPv4 (0x0800), length 96:
192.168.7.111.14907 > 24.84.237.55.32995: UDP, length 52
18:30:14.003148 Port1, IN: In b4:96:91:a5:99:90 ethertype IPv4 (0x0800), length 96:
192.168.7.111.14907 > 24.84.237.55.32995: UDP, length 52
18:30:14.003765 Port1, OUT: Out 7c:5a:1c:b4:6f:b0 ethertype IPv4 (0x0800), length 149:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 105
18:30:14.003767 mv-pcimux0, OUT: Out 00:01:00:00:50:46 ethertype IPv4 (0x0800), length 149:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 105
18:30:14.003903 Port1, IN: In b4:96:91:a5:99:90 ethertype IPv4 (0x0800), length 96:
192.168.7.111.14907 > 24.84.237.55.32995: UDP, length 52
18:30:14.004580 Port1, OUT: Out 7c:5a:1c:b4:6f:b0 ethertype IPv4 (0x0800), length 149:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 105
18:30:14.004582 mv-pcimux0, OUT: Out 00:01:00:00:50:46 ethertype IPv4 (0x0800), length 149:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 105
18:30:14.005606 Port1, OUT: Out 7c:5a:1c:b4:6f:b0 ethertype IPv4 (0x0800), length 149:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 105
18:30:14.005609 mv-pcimux0, OUT: Out 00:01:00:00:50:46 ethertype IPv4 (0x0800), length 149:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 105
18:30:14.005626 Port1, OUT: Out 7c:5a:1c:b4:6f:b0 ethertype IPv4 (0x0800), length 149:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 105
18:30:14.005627 mv-pcimux0, OUT: Out 00:01:00:00:50:46 ethertype IPv4 (0x0800), length 149:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 105
18:30:14.005772 Port1, IN: In b4:96:91:a5:99:90 ethertype IPv4 (0x0800), length 96:
192.168.7.111.14907 > 24.84.237.55.32995: UDP, length 52
18:30:14.006325 Port1, OUT: Out 7c:5a:1c:b4:6f:b0 ethertype IPv4 (0x0800), length 149:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 105
18:30:14.006327 mv-pcimux0, OUT: Out 00:01:00:00:50:46 ethertype IPv4 (0x0800), length 149:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 105
18:30:14.006488 Port1, IN: In b4:96:91:a5:99:90 ethertype IPv4 (0x0800), length 96:
192.168.7.111.14907 > 24.84.237.55.32995: UDP, length 52
18:30:14.008048 Port1, OUT: Out 7c:5a:1c:b4:6f:b0 ethertype IPv4 (0x0800), length 149:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 105
18:30:14.008051 mv-pcimux0, OUT: Out 00:01:00:00:50:46 ethertype IPv4 (0x0800), length 149:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 105
18:30:14.008054 Port1, OUT: Out 7c:5a:1c:b4:6f:b0 ethertype IPv4
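
The capture above is line-wrapped and, as quoted, contains only UDP exchanges between 24.84.237.55:32995 and 192.168.7.111:14907; no packet on TCP port 445 appears in it. The Python below is an added example, not part of the ticket and not a Sophos tool: it re-joins the wrapped records, counts packets per flow, interface and direction, and filters for the port under test. Its sample input is a few records copied from the capture above plus one constructed TCP SYN record (labelled in the code, addresses taken from the conntrack output later in the ticket) that is not in the ticket's capture, to show what a hit on port 445 would look like.

```python
"""Summarise a wrapped Sophos Firewall tcpdump text capture.

Added example; not part of the support ticket. Record layout is the one quoted
in the ticket: a header line (timestamp, interface, direction, MAC, ethertype,
length) followed by 'src.sport > dst.dport: PROTO, length N' on the next line.
"""
import re
from collections import Counter

TS_START = re.compile(r"^\d{1,2}:\d{2}:\d{2}\.\d+\s")
HEADER = re.compile(
    r"^(?P<ts>\d{1,2}:\d{2}:\d{2}\.\d+)\s+(?P<iface>\S+),\s+(?P<dir>IN|OUT):"
    r"\s+(?:In|Out)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+ethertype\s+"
    r"(?P<eth>\S+)\s+\(0x[0-9a-fA-F]+\),\s+length\s+(?P<len>\d+):\s*(?P<rest>.*)$"
)
FLOW = re.compile(
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s*(?P<detail>.*)$"
)

# Records copied from the ticket's capture (trimmed to four). The last one is
# the truncated final line of the capture and is skipped by the parser.
PAGE_SAMPLE = """\
18:30:13.928958 Port1, OUT: Out 7c:5a:1c:b4:6f:b0 ethertype IPv4 (0x0800), length 149:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 105
18:30:13.928960 mv-pcimux0, OUT: Out 00:01:00:00:50:46 ethertype IPv4 (0x0800), length 149:
24.84.237.55.32995 > 192.168.7.111.14907: UDP, length 105
18:30:13.929210 Port1, IN: In b4:96:91:a5:99:90 ethertype IPv4 (0x0800), length 96:
192.168.7.111.14907 > 24.84.237.55.32995: UDP, length 52
18:30:14.008054 Port1, OUT: Out 7c:5a:1c:b4:6f:b0 ethertype IPv4
"""

# CONSTRUCTED record, NOT in the ticket's capture: what the server's outbound
# SMB SYN (addresses taken from the ticket's conntrack output) would look like.
DEMO_SMB_SYN = (
    "18:30:15.000000 Port1, IN: In b4:96:91:a5:99:90 ethertype IPv4 (0x0800), length 66:\n"
    "192.168.7.111.56367 > 20.60.61.136.445: Flags [S], seq 1, win 64240, length 0\n"
)


def _records(text):
    """Re-join wrapped lines: every line starting with a timestamp opens a record."""
    recs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TS_START.match(line):
            recs.append(line)
        elif recs:
            recs[-1] += " " + line
    return recs


def parse_tcpdump(text):
    """Return one dict per complete IPv4 packet record (truncated records are skipped)."""
    packets = []
    for rec in _records(text):
        h = HEADER.match(rec)
        f = FLOW.search(h.group("rest")) if h else None
        if not f:
            continue
        detail = f.group("detail")
        # tcpdump prints TCP segments as 'Flags [..], ...' and UDP as 'UDP, length N'
        proto = "TCP" if detail.startswith("Flags") else detail.split(",")[0]
        packets.append({
            "ts": h.group("ts"), "iface": h.group("iface"), "dir": h.group("dir"),
            "src": f.group("src"), "sport": int(f.group("sport")),
            "dst": f.group("dst"), "dport": int(f.group("dport")), "proto": proto,
        })
    return packets


def summarize_flows(packets):
    """Packet count per (proto, src:sport, dst:dport, interface, direction)."""
    return Counter(
        (p["proto"], f"{p['src']}:{p['sport']}", f"{p['dst']}:{p['dport']}", p["iface"], p["dir"])
        for p in packets
    )


def packets_on_port(packets, port):
    """Packets whose source or destination port is `port` (445 for SMB)."""
    return [p for p in packets if port in (p["sport"], p["dport"])]


if __name__ == "__main__":
    pkts = parse_tcpdump(PAGE_SAMPLE + DEMO_SMB_SYN)
    for flow, n in summarize_flows(pkts).items():
        print(n, *flow)
    print("on 445:", packets_on_port(pkts, 445))
```

Run against the ticket's own records only, `packets_on_port(..., 445)` is empty: the quoted capture does not cover the SMB test at all, so the conntrack output is the evidence to read for the port 445 session.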

Conntrack:

XGS136_XN01_SFOS 21.0.0 GA-Build169# conntrack -E -s 192.168.7.111 -d 20.60.61.136

[NEW] proto=tcp proto-no=6 timeout=120 state=SYN_SENT orig-src=192.168.7.111 orig-dst=20.60.61.136 orig-sport=56367 orig-dport=445 [UNREPLIED] reply-src=20.60.61.136 reply-dst=50.208.69.9 reply-sport=445 reply-dport=56367 mark=0x8001 id=1120375907 masterid=0 devin=Port1 devout=Port2 nseid=16783326 ips=0 sslvpnid=0 webfltid=0 appfltid=0 icapid=0 policytype=1 fwid=10 natid=10 fw_action=1 bwid=0 appid=0 appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0x1 sigoffload=0 inzone=1 outzone=2 devinindex=13 devoutindex=14 hb_src=0 hb_dst=0 flags0=0x800a0000200008 flags1=0x50000800000 flagvalues=3,21,41,43,55,87,104,106 catid=0 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=7c:5a:1c:b4:6f:b0 src_mac=b4:96:91:a5:99:90 startstamp=1736551886 microflowid[0]=1067615 microflowrev[0]=2 microflow[1]=INVALID hostrev[0]=1 hostrev[1]=0 ipspid=0 diffserv=0 loindex=14 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 cluster_node=0 current_state[0]=6911 current_state[1]=0 vlan_id=0 inmark=0x0 brinindex=0 sessionid=3566 sessionidrev=2265 session_update_rev=2 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0 nhop_id[0]=65535 nhop_id[1]=65535 nhop_rev[0]=0 nhop_rev[1]=0 saidx[0]=0 saidx[1]=0 saidx_rev[0]=0 saidx_rev[1]=0 atomic_flags=0x0 conn_fp_id=NOT_OFFLOADED
[DESTROY] proto=tcp proto-no=6 orig-src=192.168.7.111 orig-dst=20.60.61.136 orig-sport=56156 orig-dport=445 packets=3 bytes=156 [UNREPLIED] reply-src=20.60.61.136 reply-dst=50.208.69.9 reply-sport=445 reply-dport=56156 packets=0 bytes=0 mark=0x8001 id=3878893198 masterid=0 devin=Port1 devout=Port2 nseid=50337741 ips=0 sslvpnid=0 webfltid=0 appfltid=0 icapid=0 policytype=1 fwid=10 natid=10 fw_action=1 bwid=0 appid=0 appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0x1 sigoffload=0 inzone=1 outzone=2 devinindex=13 devoutindex=14 hb_src=0 hb_dst=0 flags0=0x800a0000200008 flags1=0x50004800000 flagvalues=3,21,41,43,55,87,90,104,106 catid=0 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=7c:5a:1c:b4:6f:b0 src_mac=b4:96:91:a5:99:90 startstamp=1736551758 microflowid[0]=1066993 microflowrev[0]=2 microflow[1]=INVALID hostrev[0]=1 hostrev[1]=0 ipspid=0 diffserv=0 loindex=14 tlsruleid=0 ips_nfqueue=2 sess_verdict=0 cluster_node=0 current_state[0]=6911 current_state[1]=0 vlan_id=0 inmark=0x0 brinindex=0 sessionid=7033 sessionidrev=41322 session_update_rev=5 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0 nhop_id[0]=4 nhop_id[1]=65535 nhop_rev[0]=0 nhop_rev[1]=0 saidx[0]=0 saidx[1]=0 saidx_rev[0]=0 saidx_rev[1]=0 atomic_flags=0x0 conn_fp_id=NOT_OFFLOADED
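
The conntrack events above are the useful evidence: both sessions to 20.60.61.136:445 are [UNREPLIED], both enter on Port1 and leave on Port2 with a reply address of 50.208.69.9 (the source-NAT address), and the [DESTROY] entry counts 3 packets out and 0 back. The Python below is an added example, not part of the ticket and not a Sophos tool, that parses these key=value events and reports, for every session to a given port, the egress path, NAT address, counters and a verdict, so the "no drop on the firewall" reading can be taken mechanically. Its sample is the two events above with most bookkeeping fields trimmed. fwid, natid and fw_action are reported but not interpreted, since their encoding is firmware-specific.

```python
"""Triage Sophos Firewall conntrack events for a destination port.

Added example; not part of the support ticket or of Sophos tooling. Input is
the key=value event format quoted in the ticket ('conntrack -E ...').
"""
import re

TOKEN = re.compile(r"\[(?P<flag>[A-Z_]+)\]|(?P<key>[\w\[\]\-]+)=(?P<val>\S+)")

# The two events from the ticket, with most bookkeeping fields trimmed.
CONNTRACK_SAMPLE = """\
XGS136_XN01_SFOS 21.0.0 GA-Build169# conntrack -E -s 192.168.7.111 -d 20.60.61.136
[NEW] proto=tcp proto-no=6 timeout=120 state=SYN_SENT orig-src=192.168.7.111 orig-dst=20.60.61.136 orig-sport=56367 orig-dport=445 [UNREPLIED] reply-src=20.60.61.136 reply-dst=50.208.69.9 reply-sport=445 reply-dport=56367 mark=0x8001 id=1120375907 devin=Port1 devout=Port2 fwid=10 natid=10 fw_action=1 inzone=1 outzone=2 startstamp=1736551886 conn_fp_id=NOT_OFFLOADED
[DESTROY] proto=tcp proto-no=6 orig-src=192.168.7.111 orig-dst=20.60.61.136 orig-sport=56156 orig-dport=445 packets=3 bytes=156 [UNREPLIED] reply-src=20.60.61.136 reply-dst=50.208.69.9 reply-sport=445 reply-dport=56156 packets=0 bytes=0 mark=0x8001 id=3878893198 devin=Port1 devout=Port2 fwid=10 natid=10 fw_action=1 inzone=1 outzone=2 startstamp=1736551758 conn_fp_id=NOT_OFFLOADED
"""


def parse_conntrack(text):
    """One dict per '[EVENT] ...' line: event name, bracket flags, key=value fields.

    'packets' and 'bytes' occur twice on a DESTROY line (original direction,
    then reply direction after the reply-* tuple), so they are stored as
    orig-packets/orig-bytes and reply-packets/reply-bytes.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("["):
            continue  # shell prompt or blank line
        flags, fields = [], {}
        for m in TOKEN.finditer(line):
            if m.group("flag"):
                flags.append(m.group("flag"))
                continue
            key, val = m.group("key"), m.group("val")
            if key in ("packets", "bytes"):
                key = ("reply-" if "reply-src" in fields else "orig-") + key
            fields[key] = val
        entries.append({"event": flags[0], "flags": flags[1:], "fields": fields})
    return entries


def diagnose(entries, dport=445):
    """Summarise every session to `dport`: egress path, SNAT address, counters, verdict."""
    out = []
    for e in entries:
        f = e["fields"]
        if f.get("orig-dport") != str(dport):
            continue
        unreplied = "UNREPLIED" in e["flags"]
        # reply-dst differing from orig-src means the firewall source-NATed the session
        snat_to = f.get("reply-dst") if f.get("reply-dst") != f.get("orig-src") else None
        reply_pkts = int(f.get("reply-packets", 0))
        if unreplied and f.get("devout"):
            verdict = (f"SYN left via {f['devout']} (SNAT {snat_to}) and {f['orig-dst']} "
                       "never answered: the session was forwarded, so the block is not "
                       "this firewall's policy; look upstream or at the host")
        elif unreplied:
            verdict = "no egress interface recorded: check firewall rule and NAT match"
        else:
            verdict = "replied"
        out.append({
            "event": e["event"], "state": f.get("state"),
            "dst": f"{f['orig-dst']}:{f['orig-dport']}", "unreplied": unreplied,
            "path": f"{f.get('devin')} -> {f.get('devout')}", "snat_to": snat_to,
            "fwid": f.get("fwid"), "natid": f.get("natid"), "fw_action": f.get("fw_action"),
            "orig_packets": int(f.get("orig-packets", 0)), "reply_packets": reply_pkts,
            "verdict": verdict,
        })
    return out


if __name__ == "__main__":
    for row in diagnose(parse_conntrack(CONNTRACK_SAMPLE)):
        print(row)
```

The split of the duplicated `packets`/`bytes` keys into original and reply direction is the part worth copying: a naive key=value parser keeps only the last value and reports 0 packets out, which would wrongly suggest the SYN never left the firewall.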

We tested for 1.1.1.1

No drops on port 445


No drops on the source IP
The customer has one machine on which it is working, and that machine does not have the endpoint agent installed

Plan:
 Is the issue resolved: No
 Plan of Action (POA) for next interaction
 As discussed with Joshua, without the Sophos endpoint agent we are able to access the application
 The application is not working on the server on which he is using the endpoint agent
 Customer wants to check on the endpoint side
 Transferring the call to Geoffrey Leach as discussed on Teams
