15 Replies Latest reply on Jan 28, 2010 7:26 PM by karlg

    SG560 blocks port 80

      We have an SG 560 currently running 3.1.5u1 (SecureComputing/SG560 Version 3.1.5u1  --  Fri, 22 Jun 2007 19:00:30 +1000                        Linux version 2.4.31-uc0  (build@sgbuild) (gcc version 3.3.2) #1 Fri Jun 22 20:39:01 EST 2007).

       

      The SG560 is configured with ADSL line connected to port B, DMZ to A2 and workstation cloud to A3.

       

      The first rule is Accept from port B to DMZ from any to WEBHOST port 80 - however the packets are never routed to the host in the DMZ.  Other ports in the DMZ work - such as 3389 for RDP and so forth.

       

      Any ideas?

        • 1. Re: SG560 blocks port 80

          When you say rules I assume you mean the port forward type.

           

          If all other forwards work, and HTTP does not, and you setup the HTTP rule like the others, there is probably something else amiss.

          The UTM device has a useful diagnostic tool

           

System -> Diagnostics -> Packet Capture

           

          If you setup a capture on the LAN interface with a options field like

           

          -s 1500 host 1.2.3.4 and tcp port 80

           

where 1.2.3.4 is the IP of the DMZ host you are forwarding HTTP connections to.

           

If you then test, you should see packets... if you do, is the server replying?

           

If you don't, then are the packets even coming in?

           

Use the Internet interface this time with options

           

          -s 1500 tcp port 80

           

You may want to disconnect internal PCs during this test, otherwise you will see all their HTTP traffic as well.

If you do not get any incoming packets, then maybe your ISP is blocking them upstream, which is a common security(?) option.

           

If you need further assistance, we have covered pretty well as much as we can without opening a support ticket and getting the right diagnostics to tell what is occurring... and those diagnostics would be the captures mentioned above, as well as the good old TSR

           

          http://community.mcafee.com/docs/DOC-1061

          • 2. Re: SG560 blocks port 80

Okay - factory reset after the upgrade to 4.0.5 and the incoming port 80 works fine now.

            • 3. Re: SG560 blocks port 80

btw - when I set this packet capture up, the unit became unresponsive and so I couldn't see the packet capture.

              • 4. Re: SG560 blocks port 80

The 560 (like all computer systems) has limited writable tmp disk space, and if you use a filter that captures a lot of traffic, you can fill this space quickly and cause the unit to have no free /tmp space, so no PIDs can be created, so it falls over. The packet capture does not have a safety check for this at the moment.

                 

                from the command prompt

                 

                #df /var
                Filesystem           1k-blocks      Used Available Use% Mounted on
                tmpfs                      512       164       348  32% /var

                 

On the 560 it is 512K, and 1/3 of this is already full, and if you use 100% of /var bad things happen (/tmp is a symlink to /var/tmp).

                 

So you need to ensure your packet captures do not get too big, or do them from the command line as documented in Knowledge Base article KB62436.
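The two captures suggested in reply 1, done from the command line the way reply 4 recommends, with the capture sized against the free space on /var before it starts. This is an added example, not code from the thread, the KB article or the SG560 firmware: the tcpdump flags (-i/-s/-c/-w), the POSIX "df -Pk" output format, the 128 kB reserve and the interface names are all assumptions to adjust for the actual build.

```shell
#!/bin/sh
# Added example (not from the thread or the SG560 firmware). Runs the
# tcpdump captures from the thread, but budgets the packet count against
# the free space on /var first: on the unit /tmp is a symlink into the
# 512 kB /var tmpfs, and filling it takes the box down.
# Assumptions: a tcpdump accepting -i/-s/-c/-w and a POSIX-style "df -Pk".

SNAPLEN=1500      # the -s value used in the thread
RESERVE_KB=128    # assumed safety margin: never touch the last 128 kB of /var

# Print the "Available" 1k-block column from a df -Pk record ($1 = df text).
df_avail_kb() {
    printf '%s\n' "$1" | awk 'NR == 2 { print $4 }'
}

# Largest packet count that keeps $3 kB free, given $1 kB available and
# snaplen $2. Worst case: every packet is full size, each pcap record costs
# snaplen + 16 bytes, and the file header costs 24 bytes.
max_packets() {
    budget=$(( ($1 - $3) * 1024 - 24 ))
    if [ "$budget" -le 0 ]; then
        echo 0
    else
        echo $(( budget / ($2 + 16) ))
    fi
}

# Build the tcpdump command line: $1 iface, $2 BPF filter, $3 packet cap, $4 output file.
capture_cmd() {
    printf "tcpdump -i %s -s %s -c %s -w %s '%s'" "$1" "$SNAPLEN" "$3" "$4" "$2"
}

# Plan a capture from a df -Pk record ($1): prints the command, or prints
# "refused" and returns 1 when no safe budget exists. Split from the
# filesystem access so it can be exercised against constructed df output.
plan_capture() {
    df_text=$1; iface=$2; filter=$3; out=$4
    avail=$(df_avail_kb "$df_text")
    n=$(max_packets "$avail" "$SNAPLEN" "$RESERVE_KB")
    if [ "$n" -le 0 ]; then
        echo "refused: only ${avail} kB free on /var"
        return 1
    fi
    capture_cmd "$iface" "$filter" "$n" "$out"
}

# On the unit: prints the plan, and executes it only when $4 is "run".
safe_capture() {
    if ! cmd=$(plan_capture "$(df -Pk /var)" "$1" "$2" "$3"); then
        echo "$cmd"
        return 1
    fi
    echo "$cmd"
    if [ "$4" = run ]; then
        eval "$cmd"
    fi
}

# Usage (interface names and the DMZ host address are placeholders):
#   safe_capture eth1 'host 192.0.2.10 and tcp port 80' /var/tmp/dmz.pcap
#   safe_capture eth0 'tcp port 80' /var/tmp/wan.pcap run
```

Copy the resulting .pcap off the unit and delete it before starting the second capture; with a 512 kB /var the budget is only a few hundred full-size packets, so run the DMZ-side capture while a single test connection is made rather than during normal traffic.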

                • 5. Re: SG560 blocks port 80

                  The router is still rebooting this morning.  The DU figures are below.  I've looked into the memory allocation page.  I presume that when it says total possible then that is the total amount I can allocate to this task so I'm not sure how to improve this.

                   

Subsystem  Maximum (%)  Minimum  Current
Enabled  System  15.00
Enabled  Connection Tracking  Enabled  4.09  3.56
Enabled  L2TP / PPP / PPTP  0.00
Enabled  Packets (TCP)  Enabled  3.49  28.88
Enabled  Packets (UDP)  Enabled  3.49  12.86
Enabled  Routing Cache  Enabled  0.01
Enabled  Total Used  26.08
Enabled  Total Possible  26.08

                   

                   

                  # du -ks *
                  8165    bin
                  103     boot
                  0       dev
                  1164    etc
                  1379    home
                  5577    lib
                  0       mnt
                  du: proc/7500: No such file or directory
                  du: proc/7501: No such file or directory
                  du: proc/7502: No such file or directory
                  du: proc/7503: No such file or directory
                  0       proc
                  89      sbin
                  0       sys
                  0       tmp
                  38      usr
                  192     var
                  # df /
                  Filesystem           1k-blocks      Used Available Use% Mounted on
                  /dev/mtdblock2            5312      5312         0 100% /
                  # df
                  Filesystem           1k-blocks      Used Available Use% Mounted on
                  /dev/mtdblock2            5312      5312         0 100% /
                  tmpfs                      512       196       316  38% /var
                  tmpfs                     1024       312       712  30% /etc/config

                  • 6. Re: SG560 blocks port 80

                    Do you still have this issue ?

                     

                    If so, what is the output of this command on the command line

                     

                    cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count

                    • 7. Re: SG560 blocks port 80
                      cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count

                      /proc/sys/net/ipv4/netfilter/ip_conntrack_count: No such file or directory

                       

                      > ls /proc/sys/net/ipv4/netfilter
                      ip_conntrack_buckets
                      ip_conntrack_generic_timeout
                      ip_conntrack_icmp_timeout
                      ip_conntrack_max
                      ip_conntrack_tcp_be_liberal
                      ip_conntrack_tcp_log_invalid
                      ip_conntrack_tcp_loose
                      ip_conntrack_tcp_max_retrans
                      ip_conntrack_tcp_timeout_close
                      ip_conntrack_tcp_timeout_close_wait
                      ip_conntrack_tcp_timeout_established
                      ip_conntrack_tcp_timeout_fin_wait
                      ip_conntrack_tcp_timeout_last_ack
                      ip_conntrack_tcp_timeout_max_retrans
                      ip_conntrack_tcp_timeout_syn_recv
                      ip_conntrack_tcp_timeout_syn_sent
                      ip_conntrack_tcp_timeout_time_wait
                      ip_conntrack_udp_timeout
                      ip_conntrack_udp_timeout_stream

                      • 8. Re: SG560 blocks port 80

                        It may only be in 4.0.6 firmware.

                         

                        Does it reboot if not connected to the LAN ?

                         

Remote syslogging may also be useful, but if your issues persist, you should send a support report to Tech Support with a description of the issue.
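A way to answer the question in reply 6 on a build where ip_conntrack_count does not exist (the listing in reply 7), as an added example that is not code from the thread or the firmware. It assumes that on this 2.4 kernel each tracked connection is one line of /proc/net/ip_conntrack, so counting lines gives the live entry count; the paths are parameters so the check can also be run against files copied off the unit, and the 90% threshold is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the thread or the SG560 firmware). Reports how
# full the connection-tracking table is, using ip_conntrack_count when the
# kernel provides it and otherwise counting entries in /proc/net/ip_conntrack
# (assumption: one entry per line on a 2.4 kernel).

# $1: directory holding ip_conntrack_max (and ip_conntrack_count if present),
#     normally /proc/sys/net/ipv4/netfilter
# $2: path of the conntrack table, normally /proc/net/ip_conntrack
# Prints "count max percent".
conntrack_usage() {
    sysdir=$1; table=$2
    max=$(cat "$sysdir/ip_conntrack_max")
    if [ -r "$sysdir/ip_conntrack_count" ]; then
        count=$(cat "$sysdir/ip_conntrack_count")
    else
        count=$(wc -l < "$table" | tr -d ' ')
    fi
    pct=$(( count * 100 / max ))
    echo "$count $max $pct"
}

# Returns 0 when the table is below $3 percent full, 1 (with a message)
# otherwise. A table that sits near ip_conntrack_max on an ADSL link is
# usually a timeout problem; ip_conntrack_tcp_timeout_established (5 days
# in the upstream 2.4 default) is the first tunable to look at.
conntrack_ok() {
    usage=$(conntrack_usage "$1" "$2")
    pct=${usage##* }
    if [ "$pct" -ge "$3" ]; then
        echo "conntrack table ${pct}% full (count max pct: $usage)"
        return 1
    fi
    return 0
}

# Usage on the unit:
#   conntrack_ok /proc/sys/net/ipv4/netfilter /proc/net/ip_conntrack 90
```

Run it from cron or a remote-syslog-fed shell loop while the reboots are happening; a reading that climbs towards the maximum just before each reboot is the evidence Tech Support will want alongside the support report.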

                        • 9. Re: SG560 blocks port 80

                          I just checked and it is on 4.0.5

                           

                          Please upgrade the unit.
