SSH Firewall Issues – Troubleshooting Firewall Dropping SSH Responses

Tags: firewall, sonicwall, ssh

My firewall (Sonicwall NSA 2400) has begun dropping the SSH response from my remote Linux server. When I initiate an SSH session from my internal IP it times out, and when I look at the firewall log, I see the following:

TCP connection dropped
source (remote Linux server IP), port 1200, interface X1
destination: (my internal IP), port 65050, interface X0
notes: TCP Port: 65050

Subsequent attempts fail, always with a different internal destination port. What am I missing here? I haven't added any rules to the Sonicwall's firewall, but the Linux server's SSHD (Ubuntu 10.10) has recently been updated.

Update:

A packet dump reveals that the packet's being dropped due to an invalid TCP flag.

IP Type: TCP(0x6), Src=[source ip], Dst=[10.10.10.11]
TCP Packet Header
TCP Flags = [RST,], Src=[1200], Dst=[51150], Checksum=0x76d7
Application Header
Not Known
Value:[0]
DROPPED, Drop Code: 22, Module Id: 26, (Ref.Id: _3694_uyHtJcpfngKrRmv) 1:1)

Hex:

0017c519 be3d0090 1a422c89 08004500 002c0000 00001606 *.....=...B,...E..,......*
82a34e10 18c10a0a 0a0b04b0 c7ce6c45 9d910000 00005004 *..N...........lE......P.*
000076d7 00007366 7463                                *..v...sftc              *

Does this mean that the Sonicwall's just being unusually fussy, or that something's misconfigured on the remote server? I can connect to it from a different remote LAN without any problem.
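To check the "invalid TCP flag" claim against the bytes yourself, here is an added example (not code from the question or the answer) that turns a SonicWall-style hex dump back into raw bytes, decodes the IPv4/TCP fields and flags, and verifies the IP header and TCP checksums. The dump is constructed with the same layout as the one above (bare RST, ack 0, window 0, 4-byte "sftc" trailer) but uses the documentation address 192.0.2.10 as the source, with both checksums recomputed for it.

```python
import ipaddress
import struct

# Constructed SonicWall-style hex dump with the same layout as the dropped packet
# in the question (bare RST, ack 0, window 0, 4-byte "sftc" trailer); the source
# is the documentation address 192.0.2.10 and both checksums were recomputed for it.
SAMPLE_DUMP = """\
0017c519 be3d0090 1a422c89 08004500 002c0000 00001606 *.....=...B,...E..,......*
ceadc000 020a0a0a 0a0b04b0 c7ce6c45 9d910000 00005004 *..............lE......P.*
00001b9e 00007366 7463                                *......sftc              *
"""
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def parse_dump(dump: str) -> bytes:
    """Rebuild raw frame bytes from the hex groups; the *...* ASCII column is ignored."""
    data = bytearray()
    for line in dump.splitlines():
        data += bytes.fromhex(line.split("*", 1)[0].replace(" ", ""))
    return bytes(data)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; it is 0 over data that already carries a valid one."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/TCP headers and verify the IP header and TCP checksums."""
    ip = frame[14:]                                   # skip the 14-byte Ethernet header
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    seg = ip[ihl:total_len]                           # TCP header + payload
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", seg[:16])
    pseudo = ip[12:20] + struct.pack("!BBH", 0, ip[9], len(seg))   # TCP pseudo-header
    return {
        "src": str(ipaddress.IPv4Address(ip[12:16])),
        "dst": str(ipaddress.IPv4Address(ip[16:20])),
        "ttl": ip[8], "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "window": window, "payload": seg[(off_flags >> 12) * 4:],
        # A lone RST is a legal combination (RFC 793); if the firewall still calls
        # it an invalid flag, the next thing to check is its state for this flow.
        "flags": [name for bit, name in TCP_FLAGS.items() if off_flags & bit],
        "ip_checksum_ok": checksum(ip[:ihl]) == 0,
        "tcp_checksum_ok": checksum(pseudo + seg) == 0,
    }
```

Running `decode_frame(parse_dump(SAMPLE_DUMP))` reports flags `['RST']`, source port 1200, destination port 51150 and both checksums valid, so the bit pattern itself is well-formed.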

Best Answer

Ahh, the joys of figuring out why the bloody Sonicwall drops packets. Welcome to owning an NSA appliance.

First off, point at that drop message in the Sonicwall's admin page. You should see a pop-up message, and included in that will be a 'message ID'. You can cross-reference that value with the Drop Codes listed here (for firmware version 5.6.0.x). If you're using an older firmware, here's version 5.5.0.x or version 4.2.0.x. The codes are pretty vague, but it might help you get on the right path.

Alternately, you can do a packet dump, and the drop code and module ID will be listed in the packet capture interface when you look at the dropped packet.


--Christopher Karel