HTTPS server responded, but client never received it. What could be the causes?
Hello all,
I couldn't connect over HTTPS to the SonicWall firewall from the WAN and always received a timeout error.
I looked into the packets and found that the firewall (158.x.x.x) did receive the request and responded with SYN, ACK (see the first pic below). However, in the 2nd pic below you can see that Wireshark on my computer (67.x.x.x) never received the SYN, ACK packets. It only shows my computer kept sending SYN requests.
The 3rd pic shows that eventually the firewall sent a RST, ACK packet to disconnect, and Wireshark shows my computer received it (the 4th pic).
So these are the questions:
1. How come my computer can receive the RST, ACK packets but not the SYN, ACK packets?
2. On the 1st pic it shows the firewall "GENERATED" SYN,ACK packet. Does the "GENERATED" status mean the packet has been sent and not dropped or blocked by the firewall?
Thanks a lot.
Answers
Is anything actually running on TCP port 443 on the WAN interface of the Sonicwall? By default no.
I believe no. I reset the firewall and only had the interfaces setup. I didn't do anything.
Then I'm not sure what you're expecting to receive other than a RST packet from a closed port on a device...
Sorry, I should've explained it more clearly. The 443 port is open, as you can see in the pic below. So in my first post you can see the firewall did receive the request and responded with a SYN, ACK message in the first pic, but my computer never received it (2nd pic).
Thank you.
@khuang
Are you sure the 443 is the port you assigned to access the Firewall?
Navigate to the Firewall-->System-->Administration & check the Web Management Settings.
Hi @khamxay
Please check the WAN to WAN "Management" access rules. Are there IP addresses assigned for the management connection?
If you are connecting from the LAN network, you should check the access rules and NAT rules for the source address object fields. I think somebody assigned an address object in the rule settings.
Hi thank you.
I am sure I've enabled the HTTPS port 443. See pic below.
Hi thanks. It's assigned to ANY source. See the pic below:
I am connecting from WAN to the firewall. :-(
@khuang
Can you change the current WAN interface MTU value and try?
For example if the current value is 1500, change to 1492 or lower and try.
Or use the PMTU diagnostic tool to identify the MTU for your WAN interface.
Is your ISP blocking HTTPS traffic to your IP? Nmap to your IP (sorry you didn't hide them all) shows port 443 is filtered.
Thank you. Which IP do you mean, 67.x.x.x or 158.x.x.x? Could you give more information? The 67.x.x.x is the ISP gateway through which I connect to the Internet from home. The 158.x.x.x one is the SonicWall firewall located inside a campus network.
That might explain...
Thank you very much.
It was 158.x.x.x.
I didn't get it; you said that "I couldn't https connect to the sonicwall firewall from WAN and always received timeout error."
But in your last message: "I am connecting from WAN to the firewall. :-("
Thank you. Checking now and will keep you updated.
Thank you.
Yes, the subnet mask /23 is correct. This information was given by our school network technician. I don't think it makes a difference, as the firewall's IP and the gateway's IP only differ in the last octet.
Yes I couldn't https connect to the firewall from WAN when I "was attempting" to connect to it. I never successfully connected to it.
Thanks.
I'm guessing that because you are on a school's network they are blocking TCP 443 for good reason and will never unblock it.
That's what makes things weird. The school told me that they didn't block port 443 to the firewall, and as you saw in the pics the firewall did receive and respond to the HTTPS requests from my home computer. This means that 443 is not blocked. Then why couldn't I receive the responses sent by the firewall?
Right, evidence indicates they are not blocking inbound port 443, but something is filtering replies and I'm gonna guess it's the school.
Thank you. Is there a way or tool to tell if a gateway/firewall is blocking our response traffic? Clearly the gateway/firewall is not blocking inbound traffic to my firewall.
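One way to make the two-capture comparison used in this thread mechanical, as an added example that is not from the thread or from SonicWall: it takes a capture from the firewall side and one from the client side (both constructed here, with placeholder addresses standing in for 158.x.x.x and 67.x.x.x) and reports which reply types the firewall generated that the client never saw, which is exactly the pattern that points at filtering somewhere between the two capture points.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    """One TCP segment as it would appear in a capture (constructed records, not real data)."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "RA" = RST/ACK
    seq: int
    ack: int

FIREWALL = "158.0.0.2"  # placeholder for the 158.x.x.x firewall WAN address
CLIENT = "67.0.0.2"     # placeholder for the 67.x.x.x home address

# Constructed firewall-side capture: each SYN is answered with a SYN/ACK, and the
# firewall finally tears the half-open connection down with RST/ACK.
FIREWALL_SIDE = [
    Segment(CLIENT, FIREWALL, 51234, 443, "S", 1000, 0),
    Segment(FIREWALL, CLIENT, 443, 51234, "SA", 5000, 1001),
    Segment(CLIENT, FIREWALL, 51234, 443, "S", 1000, 0),
    Segment(FIREWALL, CLIENT, 443, 51234, "SA", 5000, 1001),
    Segment(FIREWALL, CLIENT, 443, 51234, "RA", 5001, 1001),
]
# Constructed client-side capture: only its own SYN retransmissions and the RST/ACK.
CLIENT_SIDE = [
    Segment(CLIENT, FIREWALL, 51234, 443, "S", 1000, 0),
    Segment(CLIENT, FIREWALL, 51234, 443, "S", 1000, 0),
    Segment(FIREWALL, CLIENT, 443, 51234, "RA", 5001, 1001),
]

def replies_lost_in_path(server_side, client_side, server_ip, port):
    """Reply flag types the server emitted from `port` that never show up in the client capture."""
    def replies(capture):
        return {s.flags for s in capture if s.src == server_ip and s.sport == port}
    return replies(server_side) - replies(client_side)

def diagnose(server_side, client_side, server_ip, port):
    """Classify the handshake failure from the two vantage points."""
    lost = replies_lost_in_path(server_side, client_side, server_ip, port)
    syn_retries = sum(1 for s in client_side if s.dst == server_ip and s.dport == port and s.flags == "S")
    if not lost:
        return "no_reply_loss"
    if lost == {"SA"} and syn_retries > 1:
        # SYN/ACK is generated but vanishes while RST/ACK from the same socket gets through,
        # so something between the two capture points is dropping replies selectively.
        return "syn_ack_filtered_in_path"
    return "replies_lost"
```

Run it against your own exported captures by building Segment records from the Wireshark/packet-monitor columns; `diagnose(FIREWALL_SIDE, CLIENT_SIDE, FIREWALL, 443)` on the constructed data returns `syn_ack_filtered_in_path`.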
Could you directly connect a laptop to the WAN interface, assign the laptop the gateway IP address, and try to connect to the WAN interface? If you can connect to the WAN in this scenario, you have a university network problem and should talk to the network technician or network admins.
Best regards.
Hi KHUANG
I have the same problem on my TZ370 firewall, but I'm able to connect to the SSL VPN through the Net-extender application via the WAN IP.
But when I try to connect to the SSL VPN through a web browser, it shows "system error".
I did a packet monitor and found that the packet gets generated and consumed.
Does anyone have a solution?