[Answered] Fortigate 60E - "connection refused" for incoming traffic to VIP ports

Author: TechSupport4415 (New Member)
2017/11/14 08:07:48  5.6

Fortigate 60E - "connection refused" for incoming traffic to VIP ports

ROUTER: FGT60E
Firmware: v5.6.2 build1486(GA)
 
Problem: incoming traffic towards the internal mail server (i.e. ports 25, 143, 993, 995, etc.) flowed normally for several days after router installation and configuration.
 
It has happened twice as of today that the router started blocking incoming traffic without any apparent reason. It looks like it sometimes lets traffic actually flow, as incoming mail is slowed by several minutes to hours and then finally manages to sneak in, although with a heavy delay.
 
This is an example of a reply from a connection attempt to port 25 SMTP:
 
> telnet mail.customer.com 25
Trying 123.456.789.74...
Connected to mail.customer.com
Escape character is '^]'.
421 4.7.0 Connection refused
Connection closed by foreign host.
 
Is there a way to understand WHY this traffic is blocked? I tried to have blocked traffic logged and displayed, but didn't manage to do it.
 
The first time it happened we remotely rebooted the router, and it got back to a normal state, i.e. we could connect to port 25 SMTP without delays.
 
Any idea and/or has it happened to somebody else?
 
 
 
#1
emnoc (Expert Member, Austin TX area)
Re: Fortigate 60E - "connection refused" for incoming traffic to VIP ports 2017/11/14 08:53:44
Best Answer, accepted by TechSupport4415 2017/11/14 09:33:37
My take: that 400 message came from the SMTP server, so that's a good sign. At this point you're NOT blocked.
 
Now, what might be happening is that the SMTP server has a connection limit based on the src_ip.
 
Let's review your policy: 1) you say VIP; do you have SNAT on that? 2) Are you SRCNAT'ing all mail senders behind a src_ip? 3) Does your mail server have logs? 4) Do those logs show the same client or session count limits?
 

PCNSE6,PCNSE7, ACE, CCNP,FCNSP,FCESP,Linux+,CEH,ECSA,SCSA,SCNA,CISCA email/web
#2
TechSupport4415 (New Member)
Re: Fortigate 60E - "connection refused" for incoming traffic to VIP ports 2017/11/14 09:33:25
Hi emnoc, thanks for the quick reply.
 
Do you think that message could come from the mail server instead? I have trouble checking there because the software has been somewhat damaged in the last few months, showing few / truncated logs, and we didn't fix it because we are moving the service to the cloud in the next few weeks. But I could check the historical logs on disk; they could be more complete.
 
UPDATE: looks like you hit the target.
 
I have a bunch of "dynamic screening" messages in the disk logs, citing the firewall as the source... dynamic screening blocks any "curious" traffic for 30 minutes, but it never blocks internal (private) IPs... they are all excluded by default.
 
... except, this customer used public IPs for his internal LAN! So the LAN-side IP of the firewall was blocked for 30 minutes at a time...
 
RESOLVED - THANKS A LOT! :)
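The two checks emnoc's reply and the resolution above turn on (does the refusal come back after the TCP connect, i.e. from the mail server rather than the firewall, and is one NAT address accumulating everyone's sessions on the server side) as a small Python diagnostic. This is an added example, not code from the thread; the transcript and mail-log lines are constructed, the `connect from <ip>` log format and the 192.0.2.x / 198.51.100.x addresses are assumed placeholders.

```python
import re
from collections import Counter

# Constructed transcript modelled on the one in the post; the address is a
# documentation placeholder, not the customer's real IP.
TRANSCRIPT = """Trying 192.0.2.74...
Connected to mail.example.com
Escape character is '^]'.
421 4.7.0 Connection refused
Connection closed by foreign host."""

# Constructed mail-server log lines; 'connect from <ip>' is an assumed format.
MAIL_LOG = [
    "Nov 14 08:01:02 smtpd: connect from 192.0.2.10",
    "Nov 14 08:01:05 smtpd: connect from 192.0.2.10",
    "Nov 14 08:01:07 smtpd: connect from 192.0.2.10",
    "Nov 14 08:02:11 smtpd: connect from 198.51.100.7",
]

# RFC 5321 reply line: 3-digit code, optional enhanced status code, free text.
SMTP_REPLY = re.compile(r"^(?P<code>[2-5]\d\d)[ -](?:(?P<enh>\d\.\d{1,3}\.\d{1,3}) )?(?P<text>.*)$")


def classify_refusal(transcript: str) -> dict:
    """Locate the refusal: no 'Connected to' line means the TCP handshake never
    completed (firewall policy/VIP, routing or listener are the suspects); an SMTP
    reply after the connect means the firewall passed the packets and the
    decision was made by the mail server itself. 4xx codes are transient."""
    lines = [l.strip() for l in transcript.splitlines() if l.strip()]
    if not any(l.startswith("Connected to") for l in lines):
        return {"layer": "tcp", "code": None, "enhanced": None, "transient": None}
    for line in lines:
        m = SMTP_REPLY.match(line)
        if m:
            code = int(m.group("code"))
            return {"layer": "smtp", "code": code, "enhanced": m.group("enh"),
                    "transient": 400 <= code < 500}
    return {"layer": "smtp", "code": None, "enhanced": None, "transient": None}


def sessions_per_source(log_lines, limit: int) -> dict:
    """Count SMTP sessions per client address and return those at or above the
    per-source limit. One address carrying most sessions is the signature of
    clients hidden behind a single NAT/gateway address, which is exactly what a
    per-source screen on the mail server then blocks."""
    counts = Counter()
    for line in log_lines:
        m = re.search(r"connect from (\d{1,3}(?:\.\d{1,3}){3})", line)
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= limit}
```

If `classify_refusal` reports `layer == "smtp"` for a transcript like the one in the post, the FortiGate policy and VIP are not the place to look; the server's own screening or rate limit is.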
#3
emnoc (Expert Member, Austin TX area)
Re: Fortigate 60E - "connection refused" for incoming traffic to VIP ports 2017/11/14 11:49:34
NP, and yes, that message is driven by the mail server. Good luck, and glad you found the issue.