2 Replies Latest reply: Feb 22, 2013 5:09 PM by sliedl

    Cannot Access Internet


      Our MFE is v8.3.0. I have it in just a basic setup for testing. I know the external side works because I can resolve DNS on Internet IPs and I can ping Internet IPs using the Tools from the Admin Console. However, none of the clients on the internal side can access the internet. When looking in the audit monitor, this is what happens:


      2013-02-22 14:52:04 -0700 f_http_proxy a_libproxycommon t_error p_major
      pid: 1675 logid: 0 cmd: 'httpp' hostname: fw.mydomain.local
      information: -13|Permission denied
      pc_conn_do_connect: can't connect server socket to address, port 80, type SOCK_STREAM


      And then I see this in the logs right after it:


      2013-02-22 15:01:04 -0700 f_http_proxy a_aclquery t_attack p_major
      pid: 1675 logid: 0 cmd: 'httpp' hostname: fw.mydomain.local
      category: policy_violation event: ACL deny attackip:
      attackzone: LAN application: <Unknown TCP> srcip:
      srcport: 49185 srczone: LAN protocol: 6 dstip:
      dstport: 80 dstzone: external rule_name: Deny All cache_hit: 1
      ssl_name: Exempt All reason: Traffic denied by policy.



      My ACL for internet access looks like this:



      I have no idea what is going on. Right now it is a very simple setup. Has anyone seen these permission denied errors before? I also cannot update the anti-virus signatures, GEO IP database, etc. They also return a Permission Denied error like this:


      2013-02-22 15:04:34 -0700 f_vscan a_signature_ips t_error p_major
      pid: 4777 logid: 101 cmd: 'ips_pkgmgrcmd' hostname: fw.mydomain.local
      information: Connect to signatures data host downloads.securecomputing.com failed. Error: (13, 'Permission denied')
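
      Added example (not part of the original post and not vendor code): a small Python parser for audit records in the layout quoted above. It groups the `key: value` pairs under each header line and counts ACL denies by matched rule, application, destination zone and port. `SAMPLE` is constructed from the records in the post, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample modelled on the records quoted in the post; the address
# fields are empty there, so they are left empty here.
SAMPLE = """\
2013-02-22 14:52:04 -0700 f_http_proxy a_libproxycommon t_error p_major
pid: 1675 logid: 0 cmd: 'httpp' hostname: fw.mydomain.local
information: -13|Permission denied
pc_conn_do_connect: can't connect server socket to address, port 80, type SOCK_STREAM

2013-02-22 15:01:04 -0700 f_http_proxy a_aclquery t_attack p_major
pid: 1675 logid: 0 cmd: 'httpp' hostname: fw.mydomain.local
category: policy_violation event: ACL deny attackip:
attackzone: LAN application: <Unknown TCP> srcip:
srcport: 49185 srczone: LAN protocol: 6 dstip:
dstport: 80 dstzone: external rule_name: Deny All cache_hit: 1
ssl_name: Exempt All reason: Traffic denied by policy.
"""

HEADER = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4}) f_(\S+) a_(\S+) t_(\S+) p_(\S+)$")
KEY = re.compile(r"(?:^|(?<=\s))([a-z_]+):(?=\s|$)")  # 'name:' tokens in a record body

def parse_audit(text):
    """Split audit text into records: header fields plus 'key: value' pairs."""
    records, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:  # a timestamped header line starts a new record
            cur = dict(zip(("time", "facility", "area", "type", "priority"), m.groups()))
            cur["_body"] = []
            records.append(cur)
        elif line and cur is not None:
            cur["_body"].append(line)
    for rec in records:
        body = " ".join(rec.pop("_body"))
        keys = list(KEY.finditer(body))
        for k, nxt in zip(keys, keys[1:] + [None]):
            end = nxt.start() if nxt else len(body)
            # A value runs up to the next key, so "Deny All" stays whole and
            # a key with nothing after it (srcip, dstip) maps to "".
            rec[k.group(1)] = body[k.end():end].strip()
    return records

def acl_denies(records):
    """Count ACL deny events by (rule_name, application, dstzone, dstport)."""
    return Counter(
        (r.get("rule_name"), r.get("application"), r.get("dstzone"), r.get("dstport"))
        for r in records if r.get("event") == "ACL deny")
```

      Calling `acl_denies(parse_audit(SAMPLE))` gives one deny keyed on the `Deny All` rule with application `<Unknown TCP>` toward the external zone on port 80.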

        • 1. Re: Cannot Access Internet



          "Unknown TCP" is the problem here. This shows up when the firewall cannot identify the application, and a lot of times it is when the server closes the connection early. Are you able to do tcpdumps to see what the communication looks like on the server side?





          • 2. Re: Cannot Access Internet

            Do your PC clients have proxy settings set in their browsers?


            If you run 'df' on the command-line of the firewall are any of the partitions full?