    SG560 blocks port 80

      We have an SG 560 currently running 3.1.5u1 (SecureComputing/SG560 Version 3.1.5u1  --  Fri, 22 Jun 2007 19:00:30 +1000                        Linux version 2.4.31-uc0  (build@sgbuild) (gcc version 3.3.2) #1 Fri Jun 22 20:39:01 EST 2007).


      The SG560 is configured with ADSL line connected to port B, DMZ to A2 and workstation cloud to A3.


      The first rule is Accept from port B to DMZ from any to WEBHOST port 80 - however the packets are never routed to the host in the DMZ.  Other ports in the DMZ work - such as 3389 for RDP and so forth.


      Any ideas?

          When you say rules I assume you mean the port forward type.


          If all other forwards work, and HTTP does not, and you set up the HTTP rule like the others, there is probably something else amiss.

          The UTM device has a useful diagnostic tool


          System -> Diagnostics -> Packet Capture


          If you set up a capture on the LAN interface with an options field like


          -s 1500 host and tcp port 80


          where is the IP of the DMZ host you are forwarding HTTP connections to.


          If you then test, you should see packets... if you do, is the server replying?


          If you don't, then are the packets even coming in?


          Use the Internet interface this time with options


          -s 1500 tcp port 80


          You may want to disconnect internal PCs during this test, otherwise you will see all their HTTP traffic as well.

          If you do not get any incoming packets, then maybe your ISP is blocking them upstream, which is a common security(?) option.


          If you need further assistance, we have covered pretty well as much as we can without opening a support ticket and getting the right diagnostics to tell what is occurring... and those diagnostics would be the captures mentioned above, as well as the good old TSR.



            Okay - factory reset after the upgrade to 4.0.5 and the incoming port 80 works fine now.

              btw - when I set this packet capture up the unit became unresponsive, and so I couldn't see the packet capture.

                The 560 (like all computer systems) has limited writable tmp disk space, and if you use a filter that captures a lot of traffic, you can fill this space quickly and cause the unit to have no free /tmp space, so no PIDs can be created, so it falls over. The packet capture does not have a safety check for this at the moment.


                From the command prompt:


                # df /var
                Filesystem           1k-blocks      Used Available Use% Mounted on
                tmpfs                      512       164       348  32% /var


                On the 560 it is 512K, and 1/3 of this is already full, and if you use 100% of /var bad things happen (/tmp is a symlink to /var/tmp).


                So you need to ensure your packet captures do not get too big, or do them from the command line as documented in Knowledge Base article KB62436.
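A small guard for the failure mode described above (a capture filling the 512K tmpfs on /var), added here as an example and not taken from the thread or the vendor's KB article: it reads the Available column from df, works out how many packets of the given snaplen fit while keeping a reserve free, and builds a tcpdump command bounded with -c so the capture cannot exhaust /var/tmp. The df sample is constructed from the output shown above; the use of tcpdump, the -w path under /var/tmp and the 128K reserve are assumptions.

```shell
#!/bin/sh
# Constructed sample df output, modelled on the SG560 post above (not live data).
SAMPLE_DF='Filesystem           1k-blocks      Used Available Use% Mounted on
tmpfs                      512       196       316  38% /var'

# avail_kb DF_OUTPUT MOUNT: print the Available (1k-blocks) column for MOUNT.
avail_kb() {
    printf '%s\n' "$1" | awk -v m="$2" '$6 == m { print $4 }'
}

# max_packets AVAIL_KB SNAPLEN RESERVE_KB: how many packets of SNAPLEN bytes fit
# into AVAIL_KB while leaving RESERVE_KB free for PIDs and other tmp files.
# Prints 0 when nothing fits. The +16 allows for the pcap per-packet header.
max_packets() {
    budget=$(( ($1 - $3) * 1024 ))
    if [ "$budget" -le 0 ]; then
        echo 0
        return
    fi
    echo $(( budget / ($2 + 16) ))
}

# build_capture IFACE DMZ_HOST COUNT: print a capture command for the LAN-side
# test in the thread, bounded by packet count. Assumes tcpdump is available
# (hypothetical on this unit; the Knowledge Base article documents the real way).
build_capture() {
    printf 'tcpdump -i %s -s 1500 -c %s -w /var/tmp/http.pcap host %s and tcp port 80\n' \
        "$1" "$3" "$2"
}

# Worked run against the constructed sample: check /var, then bound the capture.
AVAIL=$(avail_kb "$SAMPLE_DF" /var)
COUNT=$(max_packets "$AVAIL" 1500 128)
if [ "$COUNT" -eq 0 ]; then
    echo "refusing to capture: /var has only ${AVAIL}K free" >&2
else
    build_capture eth0 192.0.2.10 "$COUNT"
fi
```

With the 316K shown above, 128K reserved leaves room for 126 full-size packets, which is why the thread's unbounded capture filled /var almost immediately.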

                  The router is still rebooting this morning.  The du figures are below.  I've looked into the memory allocation page.  I presume that when it says total possible then that is the total amount I can allocate to this task, so I'm not sure how to improve this.


                  Subsystem Maximum (%) Minimum Current
                  EnabledConnection TrackingEnabled4.093.56
                  EnabledL2TP / PPP / PPTP0.00
                  EnabledPackets (TCP)Enabled3.4928.88
                  EnabledPackets (UDP)Enabled3.4912.86
                  EnabledRouting CacheEnabled0.01
                  EnabledTotal Used26.08
                  EnabledTotal Possible26.08



                  # du -ks *
                  8165    bin
                  103     boot
                  0       dev
                  1164    etc
                  1379    home
                  5577    lib
                  0       mnt
                  du: proc/7500: No such file or directory
                  du: proc/7501: No such file or directory
                  du: proc/7502: No such file or directory
                  du: proc/7503: No such file or directory
                  0       proc
                  89      sbin
                  0       sys
                  0       tmp
                  38      usr
                  192     var
                  # df /
                  Filesystem           1k-blocks      Used Available Use% Mounted on
                  /dev/mtdblock2            5312      5312         0 100% /
                  # df
                  Filesystem           1k-blocks      Used Available Use% Mounted on
                  /dev/mtdblock2            5312      5312         0 100% /
                  tmpfs                      512       196       316  38% /var
                  tmpfs                     1024       312       712  30% /etc/config

                    Do you still have this issue?


                    If so, what is the output of this command on the command line?


                    cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count

                      cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count

                      /proc/sys/net/ipv4/netfilter/ip_conntrack_count: No such file or directory


                      > ls /proc/sys/net/ipv4/netfilter

                        It may only be in 4.0.6 firmware.


                        Does it reboot if not connected to the LAN?


                        Remote syslogging may also be useful but if your issues persist, you should send a support report to Tech Support with a description of the issue.

                          I just checked and it is on 4.0.5.


                          Please upgrade the unit.

