
SG210 stops passing https traffic

We have an SG210 currently running fw version 9.605-1, but the problem has been happening for more than a year so I don't really think the fw version is important. What happens is at random times web traffic just completely stops and sites time out. We are not using decrypt and scan for https traffic. I've tried disabling web filtering completely, as well as IPS, virus scanning, and ATP one at a time and all at once, but it still drops out. The problem seems to be very random; it can happen two or three times a day or once every two or three weeks. To get it back up I can either reboot the UTM, disable the WAN interface, or pull the WAN cable for about 20 - 30 seconds and everything goes back to normal. The live logs don't really show much when it's happening other than a bunch of sites timing out. The problem only pops up during working hours and I can't get much troubleshooting in with the phone ringing off the hook and people coming to my office to tell me it's down again. Has anyone else had this problem or have any suggestions on what to look at?



  • Hi and welcome to the UTM Community!

    Dirk's suggestion is what I favor.  Sometimes, an ISP's equipment "swears" with a UTM.  Before replacing the ISP's equipment, try #7.7 in Rulz (last updated 2019-04-17).

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for your input, we have a 500/50 fiber internet connection so our UTM is connected to an ONT that I can't get into or change any settings on, so I have the WAN interface on our side set to auto negotiate. I currently have an unmanaged gig switch in between the UTM and the ONT as was suggested above. It's been up for a couple days now, of course I've seen it work for weeks at a time before but fingers crossed.

  • In your situation, that's the only solution.

    Cheers - Bob

     
  • Well, after no problems for over a week she dropped out again this afternoon. Just like before it seems to mostly just affect https traffic. Someone asked earlier if I could ping the ISP gateway and I was able to with no issues while it was acting up. I could also load http websites and I could still ping remote computers that are connected to our openvpn server. I opened the live log for web filtering while it was acting up and it was full of "blocked" requests with message="Write error on the epoll handler 611 (Broken pipe)". I had people in the conference room in the middle of a webinar so I didn't have much time to troubleshoot it and just pulled the WAN cable for about 20 seconds since that has proven to be faster than rebooting the SG. Anyway, appreciate everyone's input so far, open to any and all suggestions.

  • Do you learn anything from doing #1 in Rulz (last updated 2019-04-17)?

    Cheers - Bob

     
  • I've saved the logs from the day of the most recent issue. Going through them as I have time, probably won't make much progress today, Mondays are the worst. Thanks for your help.

  • Not getting anywhere on my own, opened a support ticket this morning, I'm sure they'll get it sorted out.

  • In case anyone was curious how this turned out, I have been working with SOPHOS support since the last time I posted. We didn't come up with anything that helped so they overnighted me another unit last week to rule out a hardware issue, but we are still experiencing the same problem. So I decided to try running Wireshark on the WAN side of the SG to see if I could figure anything out when the issue was actually happening. Had to purchase a small managed switch out of my own pocket to do it since we didn't have any extra that were gigabit. So Monday we had the issue 3 times and I got captures of all of them. What I found was when we are having the issue of not being able to load any https sites we are sending out tons of TCP Retransmission packets from our IP destined to tcp port 443. When we aren't having the problem you only see them sporadically, but when it's happening it's big blocks of consecutive lines. I'm thinking this means our requests aren't getting to their destination (dropped/lost) or the acks are getting dropped/lost outside our network. Contacted our ISP and gave them the pcap but not getting anywhere with them.
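
The pattern described in the last post (isolated retransmissions normally, long consecutive blocks to TCP port 443 during an outage) can be pulled out of a capture automatically. The following is an added example, not code from the thread or from Sophos: it assumes the capture has been exported to comma-separated rows of `time,src,dst,sport,dport,seq,len,syn` (a hypothetical layout, for instance from a tshark field export), and the sample rows and addresses are constructed.

```python
import csv
from io import StringIO

# Constructed sample rows (documentation addresses, not the thread's capture).
# Assumed columns: time,src,dst,sport,dport,seq,len,syn
SAMPLE = """\
10.00,203.0.113.10,198.51.100.5,50001,443,1000,517,0
10.05,203.0.113.10,198.51.100.7,50002,443,0,0,1
10.30,203.0.113.10,198.51.100.5,50001,443,1000,517,0
11.05,203.0.113.10,198.51.100.7,50002,443,0,0,1
11.10,203.0.113.10,198.51.100.5,50001,443,1000,517,0
11.20,203.0.113.10,198.51.100.9,50003,80,3000,300,0
11.25,203.0.113.10,198.51.100.9,50003,80,3300,300,0
13.05,203.0.113.10,198.51.100.7,50002,443,0,0,1
13.20,203.0.113.10,198.51.100.5,50001,443,1517,0,0
13.50,203.0.113.10,198.51.100.5,50001,443,1000,517,0
"""

def load(text):
    return [row for row in csv.reader(StringIO(text)) if row]

def classify(rows, dport=443):
    """Yield (time, is_retransmission) for SYNs and data segments sent to dport."""
    seen = set()
    for t, src, dst, sport, dp, seq, length, syn in rows:
        if int(dp) != dport or (int(length) == 0 and syn != "1"):
            continue  # other ports, and pure ACKs (nothing to retransmit)
        key = (src, dst, sport, dp, seq)  # same flow repeating the same sequence number
        yield float(t), (key in seen)
        seen.add(key)

def retransmission_bursts(rows, dport=443, min_run=3):
    """Return (start, end, count) for each run of >= min_run consecutive retransmissions."""
    bursts, run = [], []
    for t, is_retx in classify(rows, dport):
        if is_retx:
            run.append(t)
            continue
        if len(run) >= min_run:
            bursts.append((run[0], run[-1], len(run)))
        run = []  # a first-time segment ends the current run
    if len(run) >= min_run:
        bursts.append((run[0], run[-1], len(run)))
    return bursts

if __name__ == "__main__":
    for start, end, n in retransmission_bursts(load(SAMPLE)):
        print(f"{n} consecutive retransmissions to 443 between t={start} and t={end}")
```

Comparing the burst timestamps against the UTM's web filtering log and the time the WAN link was reset shows whether the retransmission blocks line up with each outage.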