Port Forwarding Not Working (Kerio User Forums » Kerio Control)
Jay_C
Hi All

I am at wits' end. I have a port forwarding setup from internet interfaces to destination firewall with Service 443, MAP translation my exchange mail server. This port forward works perfectly and I am able to connect to my Outlook web access.

I then have a second port forward for remote admin from internet interface to destination firewall with Service 4899, MAP translation my test server. This port forward has stopped working. I have managed to get it to work once by duplicating the rule, and it only worked for a while. I can see the inward connection on port 4899 in the active connections list, and I can see my rule being hit with the last used, but my connection just times out.

I have tried to setup three more port forward rules with the same problem.

I also have the same issue with the VPN and the Kerio Control Web access, that all used to work. Both VPN and Kerio Control Web admin have rules from Source Internet Interfaces, Destination Firewall and services Kerio VPN/IPsec and Kerio Control WebAdmin.

Is it possible that I have a corruption in the firewall table, as I have removed most of my other rules?

Should i restore from a backup config file?

Any suggestions will be great

Thanks
Brian Carmichael (Kerio)
If you are forwarding ports to internal servers, make sure that those internal servers are pointing back to Kerio Control as their default gateway. Regarding ports that are open directly on the firewall, they should work. Make sure those rules are at the top of your traffic rules. Perhaps you have another rule that is taking priority. There is an option to test rules so you can see which rule will match the condition. Have a look at KB 1312: http://kb.kerio.com/product/kerio-control/security/configuring-traffic-rules-1312.html
If you're still having issues I suggest reaching out to our support team.

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
Jay_C
Hi Brian, thank you for the info. The port forwarding rules are right at the top of the rule list. The forwarding rule that works for the Outlook web access on 443 is pointing to the same server as the rule for remote admin 4899, but the remote admin rule does not work.

I am also confused by the Kerio Control WebAdmin rule as well as the Kerio VPN rule that is also right at the top of the list but also does not work. These rules are set source any, destination firewall.

I am going to reload the config from backup to see if this does any change; after that I am out of ideas.
Jay_C
I have looked at the debug logs and found this information. I do not understand how the port forwarding for 443 to this server is working, but the port forwarding for 4899 is not. This is very strange for me as this has been working for 4 months.

[30/Jul/2015 11:10:00] {pktdrop} packet dropped: 3-way handshake not completed (from Internet - Int#3, proto:TCP, len:40, 92.90.20.160:30593 -> 2**.1*.3**.1**:4899, flags:[ ACK ], seq:848458769/462040473 ack:20020521, win:64239, tcplen:0)

[30/Jul/2015 11:10:00] {pktdrop} packet dropped: TCP sequence/acknowledge numbers out of window (from Internet - Int#3, proto:TCP, len:40, 92.90.20.160:30593 -> 2**.1*.3**.1**:4899, flags:[ ACK ], seq:848458769/462040473 ack:20020521, win:64240, tcplen:0)

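The two {pktdrop} lines quoted above are the most useful evidence in this thread, so here is a small parser for that line layout, added as an example for readers; it is not code from Kerio or from the poster. The field names are this example's own, the sample input is the two lines from the post plus one constructed non-matching line, and `suspect_asymmetric_ports()` flags the pattern a defender wants to spot in bulk: a bare ACK dropped with "3-way handshake not completed", which a client only sends after it has received a SYN-ACK the firewall never saw.

```python
import re
from collections import Counter

# Regex for the Kerio Control {pktdrop} debug-log layout as it appears in the post.
# Group names are this example's own choice (assumption); the format is not documented here.
PKTDROP_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \{pktdrop\} packet dropped: (?P<reason>.+?) "
    r"\(from (?P<iface>.+?), proto:(?P<proto>\w+), len:(?P<len>\d+), "
    r"(?P<src>\S+) -> (?P<dst>\S+), flags:\[(?P<flags>[^\]]*)\], "
    r"seq:(?P<seq>\S+) ack:(?P<ack>\d+), win:(?P<win>\d+), tcplen:(?P<tcplen>\d+)\)$"
)


def _split_endpoint(endpoint):
    """'host:port' -> (host, port). The host may be an obfuscated string, so only the port is parsed."""
    host, port = endpoint.rsplit(":", 1)
    return host, int(port)


def parse_pktdrop(line):
    """Return a dict of fields for one {pktdrop} line, or None if the line is something else."""
    m = PKTDROP_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    src_ip, src_port = _split_endpoint(d["src"])
    dst_ip, dst_port = _split_endpoint(d["dst"])
    return {
        "ts": d["ts"], "reason": d["reason"], "iface": d["iface"], "proto": d["proto"],
        "len": int(d["len"]), "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port, "flags": d["flags"].split(),
        "seq": d["seq"], "ack": int(d["ack"]), "win": int(d["win"]), "tcplen": int(d["tcplen"]),
    }


def parse_log(lines):
    """Parse every line, silently skipping lines that are not {pktdrop} records."""
    return [r for r in (parse_pktdrop(line) for line in lines) if r is not None]


def drops_by_reason_and_port(records):
    """Count drops per (reason, destination port): the quickest way to see which forward is failing."""
    return Counter((r["reason"], r["dst_port"]) for r in records)


def suspect_asymmetric_ports(records):
    """Destination ports where a bare ACK was dropped for a handshake the firewall never saw complete.
    The client only sends that ACK after receiving a SYN-ACK, so the SYN-ACK reached the client
    by a path the firewall did not see (for example via the server's other default gateway)."""
    return {
        r["dst_port"] for r in records
        if r["proto"] == "TCP"
        and r["reason"] == "3-way handshake not completed"
        and r["flags"] == ["ACK"]
    }


# Sample input: the two lines quoted in the post, plus one constructed line that is not a pktdrop record.
SAMPLE_LOG = [
    "[30/Jul/2015 11:10:00] {pktdrop} packet dropped: 3-way handshake not completed "
    "(from Internet - Int#3, proto:TCP, len:40, 92.90.20.160:30593 -> 2**.1*.3**.1**:4899, "
    "flags:[ ACK ], seq:848458769/462040473 ack:20020521, win:64239, tcplen:0)",
    "[30/Jul/2015 11:10:00] {pktdrop} packet dropped: TCP sequence/acknowledge numbers out of window "
    "(from Internet - Int#3, proto:TCP, len:40, 92.90.20.160:30593 -> 2**.1*.3**.1**:4899, "
    "flags:[ ACK ], seq:848458769/462040473 ack:20020521, win:64240, tcplen:0)",
    "# constructed noise line: not a pktdrop record",
]

if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for (reason, port), n in drops_by_reason_and_port(records).items():
        print(f"{n:4d}  port {port:<5d} {reason}")
    print("ports with handshake-never-seen drops:", sorted(suspect_asymmetric_ports(records)))
```

Feed it the whole debug log rather than two lines: if the handshake drops cluster on exactly the forwarded ports that are failing, while the working port never appears, that points at the return path rather than at the traffic rules.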
Brian Carmichael (Kerio)
Usually the 3-way handshake message indicates that there is some type of network misconfiguration. It means that Kerio Control did not receive the syn-ack part of the TCP connection. Perhaps the syn-ack response went out another gateway. In some situations, this may be permissible and you can follow the steps here: http://kb.kerio.com/product/kerio-control/server-configuration-kerio-control/modifying-parameters-in-kerio-control-configuration-1745.html
However, I recommend double-checking your physical network setup so that you do not need to enable this setting, as you may have other complications in the future.

Jay_C
I had already tried turning off the 3-way handshake. This also did not solve my inward connections timeout. It did make the entries disappear from the dropped packet log, as well as any other 3-way handshake entries.

When a port translation takes place, does the Kerio firewall transmit the packet out of the interface that is in the subnet in which the server with that translated IP address resides?

When the server responds to the packet , would it not respond back to the kerio interface on that subnet? The Kerio interface would now be the new source and the port translated IP address will be the destination.

My gateway is set to my core switch , and not the Kerio Control.
172.16.130.1 - Core Switch (gateway)
172.16.130.4 - Kerio Sub Interface (VLAN 13)
172.16.130.10 - Server with gateway 172.16.130.1

The core switch has a route 0.0.0.0 to the Kerio on a separate interface VLAN 21.

I am mostly confused how the inward SSL (443) routing is working for this server, but not remote access.

Also, I cannot get the Kerio VPN or Kerio Connect web access to work, and that is simply an internet interface directly to the firewall, with no port address translations.

[Updated on: Thu, 30 July 2015 17:53]

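Brian's explanation of the "3-way handshake not completed" drop (the firewall never received the SYN-ACK) and the gateway layout given in the post above (server 172.16.130.10 with its default gateway at the core switch 172.16.130.1, Kerio on 172.16.130.4) describe one failure mode of any stateful port forwarder. The following is an added illustration written for this page, not Kerio's code and not a model of how Kerio Control is implemented internally: a minimal connection-tracking forwarder whose entry is created by the client's SYN, promoted by the server's SYN-ACK, and which drops any later inbound packet whose entry never reached ESTABLISHED. The client and public addresses are constructed documentation-range values; the only thing the simulation varies is whether the server's reply goes back through the firewall or out via another gateway the firewall does not see.

```python
from dataclasses import dataclass

# Constructed addresses. The 172.16.130.x values follow the layout in the post;
# the client and public addresses are documentation ranges chosen for this example.
CLIENT_IP = "203.0.113.10"
PUBLIC_IP = "198.51.100.1"          # firewall's Internet-facing address (assumed)
FIREWALL_LAN_IP = "172.16.130.4"    # Kerio sub-interface on the server VLAN
CORE_SWITCH_IP = "172.16.130.1"     # the server's actual default gateway in the post
SERVER_IP = "172.16.130.10"
FORWARDED_PORT = 4899


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


class StatefulForwarder:
    """Toy stateful NAT/port-forwarding firewall (this example's own model, not Kerio's)."""

    def __init__(self, public_ip, forwards):
        self.public_ip = public_ip
        self.forwards = forwards   # {public port: (internal ip, internal port)}
        self.table = {}            # (client ip, client port, public port) -> {"state", "target"}
        self.drops = []            # (reason, packet), mirrors the pktdrop log idea

    def inbound(self, pkt):
        """Packet arriving from the Internet. Returns the translated packet, or None if dropped."""
        key = (pkt.src, pkt.sport, pkt.dport)
        if pkt.flags == frozenset({"SYN"}):
            target = self.forwards.get(pkt.dport)
            if target is None:
                self.drops.append(("no matching rule", pkt))
                return None
            self.table[key] = {"state": "SYN_SENT", "target": target}
            return Packet(pkt.src, pkt.sport, target[0], target[1], pkt.flags)
        conn = self.table.get(key)
        if conn is None:
            self.drops.append(("no connection entry", pkt))
            return None
        if conn["state"] != "ESTABLISHED":
            # The client's ACK arrived but the firewall never saw the server's SYN-ACK.
            self.drops.append(("3-way handshake not completed", pkt))
            return None
        ip, port = conn["target"]
        return Packet(pkt.src, pkt.sport, ip, port, pkt.flags)

    def reply(self, pkt):
        """Packet from the internal server that was routed back through the firewall."""
        for (cip, cport, pport), conn in self.table.items():
            if (cip, cport) == (pkt.dst, pkt.dport) and conn["target"] == (pkt.src, pkt.sport):
                if {"SYN", "ACK"} <= pkt.flags:
                    conn["state"] = "ESTABLISHED"
                return Packet(self.public_ip, pport, cip, cport, pkt.flags)  # un-NAT towards client
        self.drops.append(("no connection entry", pkt))
        return None


def simulate_handshake(server_gateway):
    """Run SYN / SYN-ACK / ACK for the forwarded port and report the outcome for the final ACK."""
    fw = StatefulForwarder(PUBLIC_IP, {FORWARDED_PORT: (SERVER_IP, FORWARDED_PORT)})
    syn = Packet(CLIENT_IP, 30593, PUBLIC_IP, FORWARDED_PORT, frozenset({"SYN"}))
    assert fw.inbound(syn) is not None               # SYN is translated and reaches the server
    synack = Packet(SERVER_IP, FORWARDED_PORT, CLIENT_IP, 30593, frozenset({"SYN", "ACK"}))
    # Only when the server's default gateway is the firewall does the SYN-ACK pass through it.
    # Otherwise the reply leaves via the core switch on a path this firewall never sees.
    if server_gateway == FIREWALL_LAN_IP:
        fw.reply(synack)
    ack = Packet(CLIENT_IP, 30593, PUBLIC_IP, FORWARDED_PORT, frozenset({"ACK"}))
    if fw.inbound(ack) is not None:
        return "ESTABLISHED"
    return fw.drops[-1][0]


if __name__ == "__main__":
    print("server gateway = firewall   :", simulate_handshake(FIREWALL_LAN_IP))
    print("server gateway = core switch:", simulate_handshake(CORE_SWITCH_IP))
```

The model deliberately does not say where the SYN-ACK ends up when it leaves via the core switch; the point is only that a stateful firewall which never sees the SYN-ACK cannot accept the client's ACK, which is exactly the drop reason in the posted log. In the poster's layout the core switch's default route does point back at Kerio, but on VLAN 21 rather than the VLAN 13 sub-interface the forward went out of, which is the kind of asymmetric path worth tracing with a packet capture on both interfaces.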
Brian Carmichael (Kerio)
It seems that your Kerio Control has only one network interface. You need at least two interfaces that are in different subnets.

Jay_C
Yip, I have a few of those (see attached).

Still does not make sense to me why the SSL exchange connection is working, but the Kerio VPN, Kerio Web Control, Port forward for Remote Access and Port forward for web access are all not working.

I have moved the order of the rules around too, just to be sure. I have duplicated the rules, created them from new. Removed them all, re-added them all. I have used ports, and also tried services.

Only the top rule is working for port 443 & 987. If I add port 4899 into that rule, the first two ports work, but not port 4899.

So confused.

Brian Carmichael (Kerio)
Does Kerio Control have an Internet routable IP address? I can't tell as you've obfuscated your VSAT IP address. Based on your rules, I would say that at least the remote administration over port 4081 should work unless there is a problem with MTU settings or there is another device in front of Kerio Control that is routing the inbound traffic.

Jay_C
Yes, the VSAT is a public IP address. As you can see, all the rules are getting hit on each one of my attempts by the last used time, so that tells me there is nothing blocking the traffic on the inbound side.

I had to create a new certificate recently as mine had expired. Would this prevent the remote admin from working? I am using the remote admin from the trusted interfaces, so I would not think this is a problem.

Also, I am able to establish a Kerio VPN via one of the trusted interfaces, but not via the internet interface.
Brian Carmichael (Kerio)
The certificate shouldn't be an issue. There could be a routing problem (e.g., gateway on internal interface) or there could be an MTU problem. You can override the MTU value (of the VSAT interface) in the properties of the interface. Usually 1300 is a safe value.
