Just a question of comprehension - firewall and blocked domains

Hi all,

I have a Sophos UTM 9 with the latest UTM. I have a question of comprehension.
Everything on the UTM is deactivated. The only thing "on" is the firewall.
Here, I have the default rules for email, web, etc., nothing special.

But I wonder why certain specific domains are blocked (connection reset) randomly, but they work correctly over mobile access.
As I understand a firewall, it's just handling the ports, not blocking special or specific domain names.
One of the blocked domains is for example: https://www.openproject.org
Today the domain works, yesterday it was blocked.

Any hints on that?

What I also really hate is that the UTM is making my network "really" slow.
When I call a certain website over mobile (4G) it's there in, let's say, one to two seconds.

If I call the same(!) website over my network (PC -> netgear switch -> UTM -> cable modem) it takes about 10 to 20 seconds and mostly runs into a timeout.
Even though my cable connection is 100 Mbit. Everything is in subnet 192.168.0.0

Any ways to speed that up?

Those problems do not really help to become a fan of Sophos firewalls.

  • Hello.  First things first.  If you bypass your internal switch and plug directly into the UTM, do you still experience this issue? 

    Additionally, here's what I would do.  Open two SSH sessions to the UTM.  Run a packet capture on each session, 1 being against your LAN port and the IP address of www.openproject.org (eg. tcpdump -ni eth1 host 104.199.89.183) and the other against your WAN port (eg. tcpdump -ni eth0 host 104.199.89.183).  Doing this should narrow down the issue to the LAN or the WAN side.  Feel free to try this out and let us know the results.

    Tim

  • In reply to TimHansen:

    Cheers Tim!

    Surprisingly openproject is working now ... crazy!

    But I have the same problem with arte.tv -> 212.95.74.37

    TimHansen

    Hello.  First things first.  If you bypass your internal switch and plug directly into the UTM, do you still experience this issue? 

    Yes!

    TimHansen

    Additionally, here's what I would do.  Open two SSH sessions to the UTM.  Run a packet capture on each session, 1 being against your LAN port and the IP address of www.openproject.org (eg. tcpdump -ni eth1 host 104.199.89.183) and the other against your WAN port (eg. tcpdump -ni eth0 host 104.199.89.183).  Doing this should narrow down the issue to the LAN or the WAN side.  Feel free to try this out and let us know the results.

    Tim

    ok, first dump, I found suspicious things ...

    eth1

    firewall:/root # tcpdump -ni eth1 host 212.95.74.37 -v

    17:59:34.009436 IP (tos 0xc0, ttl 64, id 46075, offset 0, flags [none], proto ICMP (1), length 576)
    192.168.1.2 > 212.95.74.37: ICMP 192.168.1.2 unreachable - need to frag (mtu 1300), length 556
    IP (tos 0x0, ttl 54, id 6791, offset 0, flags [DF], proto TCP (6), length 2828)
    212.95.74.37.443 > 192.168.1.2.51000: Flags [.], seq 1:2777, ack 518, win 235, options [nop,nop,TS val 2793534933 ecr 3838672791], length 2776

    eth0
    firewall:/root # tcpdump -ni eth0 host 212.95.74.37 -v
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    18:04:32.798622 IP (tos 0x0, ttl 64, id 22048, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.37.51156 > 212.95.74.37.443: Flags [S], cksum 0x9dbc (correct), seq 1301499407, win 29200, options [mss 1460,sackOK,TS val 3838971612 ecr 0,nop,wscale 7], length 0
    18:04:32.822401 IP (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    212.95.74.37.443 > 192.168.0.37.51156: Flags [S.], cksum 0x87ca (correct), seq 1433638399, ack 1301499408, win 28960, options [mss 1400,sackOK,TS val 2793833747 ecr 3838971612,nop,wscale 7], length 0
    18:04:32.822645 IP (tos 0x0, ttl 64, id 22049, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.0.37.51156 > 212.95.74.37.443: Flags [.], cksum 0x267e (correct), ack 1, win 229, options [nop,nop,TS val 3838971636 ecr 2793833747], length 0
    18:04:32.822864 IP (tos 0x0, ttl 64, id 22050, offset 0, flags [DF], proto TCP (6), length 569)
    192.168.0.37.51156 > 212.95.74.37.443: Flags [P.], cksum 0xcf93 (correct), seq 1:518, ack 1, win 229, options [nop,nop,TS val 3838971637 ecr 2793833747], length 517
    18:04:32.848675 IP (tos 0x0, ttl 53, id 4907, offset 0, flags [DF], proto TCP (6), length 52)
    212.95.74.37.443 > 192.168.0.37.51156: Flags [.], cksum 0x2458 (correct), ack 518, win 235, options [nop,nop,TS val 2793833773 ecr 3838971637], length 0
    18:04:32.854991 IP (tos 0x0, ttl 53, id 4911, offset 0, flags [DF], proto TCP (6), length 1225)
    212.95.74.37.443 > 192.168.0.37.51156: Flags [P.], cksum 0xce03 (correct), seq 4165:5338, ack 518, win 235, options [nop,nop,TS val 2793833779 ecr 3838971637], length 1173
    18:04:32.855182 IP (tos 0x0, ttl 64, id 22051, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.0.37.51156 > 212.95.74.37.443: Flags [.], cksum 0xf20b (correct), ack 1, win 251, options [nop,nop,TS val 3838971669 ecr 2793833773,nop,nop,sack 1 {4165:5338}], length 0
    18:05:02.823297 IP (tos 0x0, ttl 64, id 22052, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.0.37.51156 > 212.95.74.37.443: Flags [F.], cksum 0x7cfa (correct), seq 518, ack 1, win 251, options [nop,nop,TS val 3839001637 ecr 2793833773,nop,nop,sack 1 {4165:5338}], length 0
    18:05:02.823969 IP (tos 0x0, ttl 64, id 59559, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.37.51160 > 212.95.74.37.443: Flags [S], cksum 0x334a (correct), seq 3013598502, win 29200, options [mss 1460,sackOK,TS val 3839001638 ecr 0,nop,wscale 7], length 0
    18:05:02.849379 IP (tos 0x0, ttl 53, id 4922, offset 0, flags [DF], proto TCP (6), length 52)
    212.95.74.37.443 > 192.168.0.37.51156: Flags [F.], cksum 0x251c (correct), seq 5338, ack 519, win 235, options [nop,nop,TS val 2793863773 ecr 3839001637], length 0
    18:05:02.849615 IP (tos 0x0, ttl 64, id 38269, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.0.37.51156 > 212.95.74.37.443: Flags [R], cksum 0x6955 (correct), seq 1301499926, win 0, length 0
    18:05:02.850078 IP (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    212.95.74.37.443 > 192.168.0.37.51160: Flags [S.], cksum 0xa5ec (correct), seq 1227793508, ack 3013598503, win 28960, options [mss 1400,sackOK,TS val 2793863774 ecr 3839001638,nop,wscale 7], length 0
    18:05:02.850368 IP (tos 0x0, ttl 64, id 59560, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.0.37.51160 > 212.95.74.37.443: Flags [.], cksum 0x449e (correct), ack 1, win 229, options [nop,nop,TS val 3839001664 ecr 2793863774], length 0
    18:05:02.851046 IP (tos 0x0, ttl 64, id 59561, offset 0, flags [DF], proto TCP (6), length 569)
    192.168.0.37.51160 > 212.95.74.37.443: Flags [P.], cksum 0x751b (correct), seq 1:518, ack 1, win 229, options [nop,nop,TS val 3839001665 ecr 2793863774], length 517
    18:05:02.879821 IP (tos 0x0, ttl 53, id 24082, offset 0, flags [DF], proto TCP (6), length 52)
    212.95.74.37.443 > 192.168.0.37.51160: Flags [.], cksum 0x4274 (correct), ack 518, win 235, options [nop,nop,TS val 2793863804 ecr 3839001665], length 0
    18:05:02.885863 IP (tos 0x0, ttl 53, id 24086, offset 0, flags [DF], proto TCP (6), length 1225)
    212.95.74.37.443 > 192.168.0.37.51160: Flags [P.], cksum 0x1fa9 (correct), seq 4165:5338, ack 518, win 235, options [nop,nop,TS val 2793863810 ecr 3839001665], length 1173
    18:05:02.886098 IP (tos 0x0, ttl 64, id 59562, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.0.37.51160 > 212.95.74.37.443: Flags [.], cksum 0x0be5 (correct), ack 1, win 251, options [nop,nop,TS val 3839001700 ecr 2793863804,nop,nop,sack 1 {4165:5338}], length 0
     
    Do you need the full stack?
    It's quite long .....
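Tim's two-capture approach produces exactly the kind of output pasted in this post, and the thing to look for in it is whether bytes go missing between the WAN side and the LAN side. The Python script below is an added example (not from the post, and not Sophos code): it parses tcpdump -v output, using the capture lines from this post as its embedded sample, and reports ICMP "need to frag" messages, DF packets larger than the MTU those messages advertise, and holes in the TCP sequence space. The two-line -v layout and the regular expressions are my assumptions about tcpdump's output format; the analysis works from relative sequence numbers, which tcpdump switches to after the SYN.

```python
"""Added example (not from the post): scan tcpdump -v output for the symptoms of
a path-MTU black hole. It flags ICMP 'need to frag' messages, DF packets larger
than the MTU those messages advertise, and holes in the TCP sequence space
(bytes the peer sent but the capture point never saw). Assumes tcpdump's
default -v layout: one timestamped IP-header line, then the TCP/ICMP line."""
import re

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ IP ")
IPHDR_RE = re.compile(r"flags \[([^\]]*)\].*?proto (\w+) \(\d+\), length (\d+)\)")
TCP_RE = re.compile(r"([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): Flags \[([^\]]*)\]")
SEQ_RE = re.compile(r"seq (\d+):(\d+)")
FRAG_RE = re.compile(r"need to frag \(mtu (\d+)\)")
INNER_RE = re.compile(r"proto TCP \(6\), length (\d+)\)")


def split_records(text):
    """Group lines into packets: a record starts at a timestamped 'IP' line and
    runs to the next one, so an ICMP error quoting an inner packet stays together.
    Prompt and 'listening on' banner lines before the first packet are dropped."""
    records, current = [], []
    for line in text.splitlines():
        line = line.strip()
        if TS_RE.match(line):
            if current:
                records.append(current)
            current = [line]
        elif line and current:
            current.append(line)
    if current:
        records.append(current)
    return records


def analyze(text, mtu=None):
    """Return a list of (kind, detail) findings. `mtu` seeds the size check when
    the ICMP message was seen on the other interface (LAN vs WAN capture)."""
    findings, expected = [], {}  # expected: next relative seq per (src, sport, dst, dport)
    for rec in split_records(text):
        blob = " ".join(rec)
        frag = FRAG_RE.search(blob)
        if frag:  # ICMP type 3 code 4: a router could not forward a DF packet this size
            mtu = int(frag.group(1))
            inner = INNER_RE.search(blob)
            size = inner.group(1) if inner else "?"
            findings.append(("need_frag", f"ICMP need-to-frag: mtu {mtu}, quoted packet {size} bytes"))
            continue
        hdr = IPHDR_RE.search(rec[0])
        if not hdr or hdr.group(2) != "TCP" or len(rec) < 2:
            continue
        tcp = TCP_RE.match(rec[1])
        if not tcp:
            continue
        src, sport, dst, dport, tflags = tcp.groups()
        key, ip_len = (src, sport, dst, dport), int(hdr.group(3))
        if "S" in tflags:  # SYN/SYN-ACK: tcpdump prints relative seq from here on, data starts at 1
            expected[key] = 1
            continue
        if mtu and "DF" in hdr.group(1) and ip_len > mtu:
            findings.append(("oversize_df", f"{src}:{sport} > {dst}:{dport} {ip_len}-byte DF packet > mtu {mtu}"))
        seg = SEQ_RE.search(rec[1])
        if not seg:
            continue  # pure ACK, FIN or RST: no data range to account for
        start, end = int(seg.group(1)), int(seg.group(2))
        want = expected.setdefault(key, 1)
        if start > want:
            findings.append(("seq_gap", f"{src}:{sport} > {dst}:{dport} never saw bytes {want}:{start} ({start - want} bytes)"))
        expected[key] = max(want, end)
    return findings


# Capture lines copied from the post: eth1 (LAN side) and the first connection on eth0 (WAN side).
LAN_CAPTURE = """\
firewall:/root # tcpdump -ni eth1 host 212.95.74.37 -v
17:59:34.009436 IP (tos 0xc0, ttl 64, id 46075, offset 0, flags [none], proto ICMP (1), length 576)
192.168.1.2 > 212.95.74.37: ICMP 192.168.1.2 unreachable - need to frag (mtu 1300), length 556
IP (tos 0x0, ttl 54, id 6791, offset 0, flags [DF], proto TCP (6), length 2828)
212.95.74.37.443 > 192.168.1.2.51000: Flags [.], seq 1:2777, ack 518, win 235, options [nop,nop,TS val 2793534933 ecr 3838672791], length 2776
"""
WAN_CAPTURE = """\
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:04:32.798622 IP (tos 0x0, ttl 64, id 22048, offset 0, flags [DF], proto TCP (6), length 60)
192.168.0.37.51156 > 212.95.74.37.443: Flags [S], cksum 0x9dbc (correct), seq 1301499407, win 29200, options [mss 1460,sackOK,TS val 3838971612 ecr 0,nop,wscale 7], length 0
18:04:32.822401 IP (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto TCP (6), length 60)
212.95.74.37.443 > 192.168.0.37.51156: Flags [S.], cksum 0x87ca (correct), seq 1433638399, ack 1301499408, win 28960, options [mss 1400,sackOK,TS val 2793833747 ecr 3838971612,nop,wscale 7], length 0
18:04:32.822645 IP (tos 0x0, ttl 64, id 22049, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.37.51156 > 212.95.74.37.443: Flags [.], cksum 0x267e (correct), ack 1, win 229, options [nop,nop,TS val 3838971636 ecr 2793833747], length 0
18:04:32.822864 IP (tos 0x0, ttl 64, id 22050, offset 0, flags [DF], proto TCP (6), length 569)
192.168.0.37.51156 > 212.95.74.37.443: Flags [P.], cksum 0xcf93 (correct), seq 1:518, ack 1, win 229, options [nop,nop,TS val 3838971637 ecr 2793833747], length 517
18:04:32.848675 IP (tos 0x0, ttl 53, id 4907, offset 0, flags [DF], proto TCP (6), length 52)
212.95.74.37.443 > 192.168.0.37.51156: Flags [.], cksum 0x2458 (correct), ack 518, win 235, options [nop,nop,TS val 2793833773 ecr 3838971637], length 0
18:04:32.854991 IP (tos 0x0, ttl 53, id 4911, offset 0, flags [DF], proto TCP (6), length 1225)
212.95.74.37.443 > 192.168.0.37.51156: Flags [P.], cksum 0xce03 (correct), seq 4165:5338, ack 518, win 235, options [nop,nop,TS val 2793833779 ecr 3838971637], length 1173
"""

if __name__ == "__main__":
    for name, cap in (("eth1 (LAN)", LAN_CAPTURE), ("eth0 (WAN)", WAN_CAPTURE)):
        print(name)
        for kind, detail in analyze(cap, mtu=1300):
            print(f"  {kind}: {detail}")
```

Run against the lines pasted above, it reports an MTU of 1300 on eth1 (quoting a 2828-byte DF segment the firewall could not forward) and, on eth0, that the client never received bytes 1 to 4165 of the server's response although a later 1173-byte segment did arrive: large DF segments dropped, small ones passing. That is the pattern a path-MTU black hole leaves, and the defender's next checks are the MTU and MSS clamping on the WAN interface and whether ICMP "fragmentation needed" messages are being filtered somewhere on the path. The `mtu` argument lets you carry the value learned from one interface's capture into the other's, which is why the two captures should be taken at the same time.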
     
     
  • Hi Si Tso,

    It sounds like you will want to consult DNS best practice.

    Cheers - Bob

  • In reply to Si Tso:

    Hmmm, it looks like the two packet captures were taken at different times?  

    The captures should be run on 2 separate SSH sessions at the same time.  We would expect to see packet in LAN, packet out WAN, packet in WAN, packet out LAN and so on and so forth.  Also, make sure when running the capture that the problem actually does occur.  It won't benefit anyone if we're looking at a packet capture when the problem isn't happening.

    Tim

  • In reply to TimHansen:

    Hi,

    it seems there is a great lack of knowledge on my side. So please bear with me. No offence.
    I am continuously upgrading my knowledge by reading here in the forum. :)

    Is there any HowTo for setting up the Sophos 120 for *Home* use?

    For example, I have no internal DNS, so I think most points for the "DNS Best Practices" are obsolete in my eyes, only ;-)

    So I think I have to go back to the beginning and start with reading ...

  • In reply to Si Tso:

    You will want to do 1 & 2 in DNS Best Practice and maybe 8.  The others don't apply unless you have something like a Windows server supplying DHCP and DNS services.  That post also may explain that slowness can be caused by forcing the use of the root name servers.  Since you're not using Web Filtering, DNS configuration issues could also cause the apparent blocks by FQDN.

    Cheers - Bob