
Zywall blocks clients

We run an Open Directory server on a Mac mini. This Mac mini is also the DNS for our VLAN (192.168.3.100-255).

On most computers the internet runs smoothly. I have, however, two computers that have intermittent problems with getting a response from the DNS, because they're not retrieving webpages. I can connect with remote desktop etc. just fine though. The computers all get an IP address from the DHCP (also on the ZyWALL).


Together with the network guys I figured out that the clients that have problems are being blocked for polling one of Apple's servers too often.


Zywall Logs:

180 | 2016-06-14 19:46:45 | alert | Security Policy Control | abnormal TCP flag attack detected, DROP | 192.168.3.174:53268 | 17.167.146.12:443 | ACCESS BLOCK
181 | 2016-06-14 19:46:18 | alert | Security Policy Control | abnormal TCP flag attack detected, DROP | 192.168.3.174:53253 | 17.167.146.12:443 | ACCESS BLOCK
182 | 2016-06-14 19:46:09 | alert | Security Policy Control | abnormal TCP flag attack detected, DROP | 192.168.3.174:53250 | 17.167.146.12:443 | ACCESS BLOCK
183 | 2016-06-14 19:46:06 | alert | Security Policy Control | abnormal TCP flag attack detected, DROP | 192.168.3.174:53249 | 17.167.146.12:443 | ACCESS BLOCK
184 | 2016-06-14 19:46:02 | alert | Security Policy Control | abnormal TCP flag attack detected, DROP | 192.168.3.174:53220 | 17.167.146.12:443 | ACCESS BLOCK
209 | 2016-06-14 19:35:38 | alert | Security Policy Control | abnormal TCP flag attack detected, DROP | 192.168.3.174:52435 | 17.167.146.12:443 | ACCESS BLOCK
211 | 2016-06-14 19:35:11 | alert | Security Policy Control | abnormal TCP flag attack detected, DROP | 192.168.3.174:52421 | 17.167.146.12:443 | ACCESS BLOCK


When these log entries manifest I am also not able to ping Google from these computers.

The network guy was supposed to update the firmware on the ZyWALL tonight. ZyXEL support told us to update it to the latest build before they could help us. Apparently they are aware of the issue.


I tried the solution suggested here, but unfortunately it's not the definite solution.

http://labs.hoffmanlabs.com/node/1920


At ZyXEL's request we upgraded the firmware to the latest version. Didn't help; now it's flagging requests to 2 Facebook servers in Ireland.


I've already switched off the APN setting on the server. I also disabled the reachability services. To no avail.


Getting really frustrated here and my customer as well.


I'd hate to have to get a second firewall just to block one IP address.

Posted on Jun 15, 2016 2:09 AM


Jun 15, 2016 4:33 PM in response to dmltv

Those ZyXEL errors are not something that blocks access, having seen those on occasion, and disabling push notifications — which were not in use locally — avoided triggering that logging. That traffic does get dropped, and the rest of the traffic continues. They're also between the server and the firewall, and not something I'd expect to affect the clients.


As for the problem, everything is working — except for two computers? That would tend to rule out the server and the firewall, barring a firewall-specific rule that's getting triggered for the specific computers or some factor common to those two computers. My focus would be on what those two computers might be doing that triggers the connectivity problems, or if there's some sort of networking error involving those two computers, some sort of subnet-specific configuration issue or wiring-configuration issue or multi-path routing or such. If Wi-Fi, switch those clients to wired, check the Console.app logs for relevant errors, etc. If there's more than one network link active in Network Preferences on the problematic clients, make sure the preferred link is first or disable all secondary links. Also check the DNS server settings, as I've seen wonky DNS configurations or DNS problems cause outages, so test that and test by pinging by host address and not DNS name. DNS timeouts can make remote access appear very slow, too.


As for the errors with those messages now arising with Facebook, check back with the folks at ZyXEL.
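An added example, not part of either post: one way to check whether the firewall's DROP entries actually line up with the two problem computers is to group the log by internal source address and compare against the list of affected clients. The field names, the `problem_clients` set and the sample addresses (documentation ranges) are assumptions made for this sketch; the parser accepts the entries either as ` | `-separated rows or pasted one field per line.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed field order, matching the order the fields appear in the log excerpt.
FIELDS = ("seq", "time", "priority", "category", "message", "src", "dst", "note")

# Constructed sample with documentation-range addresses, not the poster's log.
SAMPLE = """\
301 | 2016-06-14 19:46:45 | alert | Security Policy Control | abnormal TCP flag attack detected, DROP | 192.0.2.174:53268 | 198.51.100.12:443 | ACCESS BLOCK
302 | 2016-06-14 19:46:18 | alert | Security Policy Control | abnormal TCP flag attack detected, DROP | 192.0.2.174:53253 | 198.51.100.12:443 | ACCESS BLOCK
303
2016-06-14 19:35:11
alert
Security Policy Control
abnormal TCP flag attack detected, DROP
192.0.2.10:52421
198.51.100.12:443
ACCESS BLOCK
"""

def parse_entries(text):
    """Parse ' | '-separated rows or the one-field-per-line copy/paste form."""
    tokens = [t.strip() for t in re.split(r"\||\n", text) if t.strip()]
    if len(tokens) % len(FIELDS):
        raise ValueError("field count is not a multiple of %d" % len(FIELDS))
    entries = []
    for i in range(0, len(tokens), len(FIELDS)):
        e = dict(zip(FIELDS, tokens[i:i + len(FIELDS)]))
        # strptime raises ValueError if the fields are misaligned.
        e["time"] = datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")
        entries.append(e)
    return entries

def summarise_drops(entries, problem_clients):
    """Group DROP entries by internal source IP and flag the reported problem hosts."""
    report = defaultdict(lambda: {"drops": 0, "destinations": set(), "first": None, "last": None})
    for e in entries:
        if "DROP" not in e["message"]:
            continue
        r = report[e["src"].rsplit(":", 1)[0]]  # strip the ephemeral source port
        r["drops"] += 1
        r["destinations"].add(e["dst"])
        r["first"] = min(r["first"] or e["time"], e["time"])
        r["last"] = max(r["last"] or e["time"], e["time"])
    for ip, r in report.items():
        r["problem_client"] = ip in problem_clients
    return dict(report)

if __name__ == "__main__":
    for ip, r in summarise_drops(parse_entries(SAMPLE), {"192.0.2.174"}).items():
        print(ip, r["drops"], sorted(r["destinations"]), r["first"], r["last"], r["problem_client"])
```

If hosts that work fine show the same drops as the problem clients, the log entries are unlikely to explain the outage and the client-side checks suggested in the reply are the better lead.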
