
Use additional IPs in the web filter, see KB 126892

We have an SG 650 HA cluster with 4000+ users. These users access Office 365. The problem we have is that we are running out of ports on the external interface. The maximum number is 64K.

The KB article describes a method to resolve this issue by using more IPs externally, selected based on the source address.

We implemented this, and in principle it seems to work, at least for a few hours during the evening and night. In the morning, during heavy load, the system stopped responding to proxy requests.

In the http.log we saw the error "cannot assign requested address".

So I suspect there is some memory leak or table overflow somewhere. Is there anybody else with the same issue?

I created a case with Sophos support, but did not receive a satisfactory answer yet.


Andre



  • Hi addicks,

    I have enabled this feature and have had no issue, but I have fewer users than you do. I can assign different public IPs to different subnets with no problem.

    One thought I did have was: are you sure that the problem is this feature? If all requests are being submitted to the LAN side, maybe it is the "LAN side" that is running out of ports?

    Have you tried moving a particular subnet to a separate port?

    It may be that the inside (LAN) interface is being overloaded, that is, if you have used only one port for all internal networks.

    Does that make sense?

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • Without the feature all is working, except that the number of ports used externally is nearly at 64K; that's why we want to use more external IPs.

    Internally you don't have this port problem, because all users connect to one port, 8080.

    The feature Sophos offers is good; other vendors like Bluecoat (Symantec) and Palo Alto offer the same kind of features, like NAT pools. Unfortunately the Sophos feature doesn't work with a heavy load.

    Andre Addicks

  • Following up to this and a related post, is there any way to know how many ports are in use, and whether we are close to the limit?

  • What I do is, on the CLI:

    netstat -an | grep <external ip> | wc -l

    This will give you all the ports in use on the external IP.
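A more careful version of the count above, added here as an example and not taken from the thread or from Sophos: a plain `grep` for the IP also counts listening sockets, inbound sessions to the appliance (WebAdmin, VPN) and prefix matches (`198.51.100.1` matches `198.51.100.10`), so this script matches the local-address column exactly, keeps only source ports inside the kernel's ephemeral range, and breaks the count down per destination, which is the tuple that actually gets exhausted on a proxy that talks to a handful of Office 365 front ends. The netstat snapshot below is constructed sample data with documentation addresses; on a real box run it with `--live <external ip>`. The 32768-60999 default is the Linux ip_local_port_range, assumed only when /proc is not readable; the appliance may set a different range, so the practical ceiling per source IP is whatever that range is, not the theoretical 64K.

```shell
#!/bin/sh
# Added example (not from the thread): count proxy source ports per external IP
# from `netstat -an` output and compare them with the ephemeral port range.

# Constructed sample of `netstat -an` on a proxy with two external IPs
# (198.51.100.10/.11), a neighbour .1 that a naive grep would confuse with .10,
# a WebAdmin session on 4444, and one IPv4-mapped tcp6 socket.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.1:8080           0.0.0.0:*               LISTEN
tcp        0      0 198.51.100.10:4444      0.0.0.0:*               LISTEN
tcp        0      0 198.51.100.10:4444      203.0.113.5:60000       ESTABLISHED
tcp        0      0 198.51.100.10:41002     52.96.0.1:443           ESTABLISHED
tcp        0      0 198.51.100.10:41003     52.96.0.1:443           TIME_WAIT
tcp        0      0 198.51.100.10:41004     40.99.0.7:443           ESTABLISHED
tcp        0      0 198.51.100.1:41005      52.96.0.1:443           ESTABLISHED
tcp        0      0 198.51.100.11:50001     52.96.0.1:443           ESTABLISHED
tcp        0      0 10.0.0.1:8080           10.0.1.25:52344         ESTABLISHED
tcp6       0      0 ::ffff:198.51.100.10:41006 ::ffff:52.96.0.1:443 ESTABLISHED'

# What the one-liner in the thread effectively does: every line mentioning the IP.
naive_count() { grep -c "$1" || true; }

# Emit "local_ip local_port foreign" for every non-listening TCP socket on stdin.
# The IPv4-mapped prefix is stripped so tcp6 lines count against the same IP.
tcp_sockets() {
    awk '$1 ~ /^tcp/ && $6 != "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        laddr = substr($4, 1, length($4) - length(port) - 1)
        sub(/^::ffff:/, "", laddr)
        faddr = $5; sub(/^::ffff:/, "", faddr)
        print laddr, port, faddr
    }'
}

# Source ports in use on one external IP, counting only the ephemeral range so
# inbound admin/VPN sessions on well-known ports are left out.
count_source_ports() {
    ip=$1; low=${2:-32768}; high=${3:-60999}
    tcp_sockets | awk -v ip="$ip" -v low="$low" -v high="$high" \
        '$1 == ip && $2 >= low && $2 <= high { c++ } END { print c + 0 }'
}

# Same count broken down per destination ip:port, busiest first.
count_per_destination() {
    ip=$1; low=${2:-32768}; high=${3:-60999}
    tcp_sockets | awk -v ip="$ip" -v low="$low" -v high="$high" \
        '$1 == ip && $2 >= low && $2 <= high { c[$3]++ }
         END { for (f in c) print c[f], f }' | sort -rn
}

# Ephemeral range from the running kernel; the Linux default is assumed otherwise.
ephemeral_range() {
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        cat /proc/sys/net/ipv4/ip_local_port_range
    else
        echo "32768 60999"
    fi
}

# Source ports still free on one IP for the given range.
headroom() {
    ip=$1; low=$2; high=$3
    used=$(count_source_ports "$ip" "$low" "$high")
    echo $(( high - low + 1 - used ))
}

report() {
    ip=$1; snapshot=$(cat)
    set -- $(ephemeral_range); low=$1; high=$2
    used=$(printf '%s\n' "$snapshot" | count_source_ports "$ip" "$low" "$high")
    naive=$(printf '%s\n' "$snapshot" | naive_count "$ip")
    echo "$ip: $used of $((high - low + 1)) source ports ($low-$high) in use (naive grep: $naive)"
    echo "busiest destinations:"
    printf '%s\n' "$snapshot" | count_per_destination "$ip" "$low" "$high" | head -n 5
}

case "${1:-}" in
    --live) shift; netstat -an | report "${1:?external IP required}" ;;
    *)      printf '%s\n' "$SAMPLE_NETSTAT" | report 198.51.100.10 ;;
esac
```

On the sample the naive grep reports 6 sockets for 198.51.100.10 while only 4 are proxy source ports, and 3 of those go to the same destination; on a real appliance it is that per-destination figure, taken on each external IP in the pool, that shows whether the source-address split is spreading load the way the KB intends.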

  • The other difference for me is that I use the transparent proxy and not the full proxy.

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • Hello Andre,

    You said, "Unfortunately the Sophos feature doesn't work with a heavy load."  I assume you mean cc get http enable_out_interface 1 - what doesn't work?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,


    Yes, that's what I mean. As for what doesn't work, see my initial post. In principle the Sophos solution works; however, during heavy load the HTTP proxy stopped working. In the logs we saw the error "cannot assign requested address", which in my opinion means something like running out of memory, a memory leak, or a table overflow?

    Andre

  • It sounds then like you're saying that conntrack is not handling the configuration correctly, and that would be a bug.  I would request escalation of your case so that a developer gets a chance to think about this.  Please let us know your result.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA