
Strange Issue - New ISP: Some websites not working while webfilter is off

Sophos SG 125

UTM 9.601-5


Hello @ all,

since we have a new ISP (fiber optic), some websites (JIRA/Confluence, i.e. ...atlassian.net) and SSH to our bitbucket.org repo (also Atlassian-owned) are not working anymore.

All other websites and SSH to other servers are working. This is the behavior if the webfilter is off.

If I turn the webfilter on in transparent mode, the websites are working but SSH to our bitbucket repo still does not work.

When my notebook is connected directly to the ISP router with the static IP, or if I enable the old ISP connection in the Sophos, all is working fine (websites and SSH to bitbucket).

That tells me the problem is caused by the Sophos and isn't IP whitelist or new ISP related.

I don't have any other stuff like DNAT/SNAT (only masquerading for internet access) or IPS enabled.

One and only FW rule is: Internal (Network) -> Any -> Any (Allowed)

What I already did:

- Checked FW logs and livelog

(nothing gets blocked as far as I can see, and it would not make sense given our one and only FW rule, plus it's working with the other (old ISP) connection)

- Checked DNS resolution / changed DNS forwarder / cleared DNS cache

- Tried other MTUs

So it's a kind of minimal configuration and still this problem exists. I don't know where to look / what to try more here.

For me it seems like some bug or glitch at this point, but maybe someone with more experience has a suggestion for me.

 

Edit: Picture of wget to see at which point it stops

  • Hello Yanex,

    I realize you've looked at the firewall log - what about the Intrusion Prevention log (#1 in Rulz)?

    What happens if you do a traceroute to 18.234.32.152?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    sorry for the late answer. The problem still persists.

    I looked at the Intrusion Prevention logs, nothing there. The traceroute is working from both ISPs.

    In the meantime I tested different things and tried to set up an environment to replicate the issue.

    Now I have a working uplink balancing with both ISPs and multipath rules, so I can replicate the issue while binding traffic of port 443 to the new/old ISP.

    Atlassian.com and some other websites are still only working if I bind 443 and 22 to the old ISP. I captured the packets on the new ISP Sophos interfaces and did a "curl -v https://atlassian.com". This is the output:

    And the curl command from my client stops at that point:

    Edit:

    Packet capture from client at this point:

    Seems like the next 3 packets from the firewall don't get forwarded to the client.

    Fragmentation needed is sometimes an MTU-related issue. I already tried different values there without success.

    Do you have any other ideas?

    Edit

    Thanks,

    yanex

  • We have found the problem: the lag0 internal network interface had an MTU size of 1492 instead of 1500.
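The following is an added walk-through of the MTU mismatch found in this thread; it is not code from the thread or from Sophos. It models an IPv4 TCP packet with the DF bit set crossing a constructed chain of hops (names and the 1492/1500 values are taken from the symptom above, the topology itself is assumed), reports which hop would have to drop it with ICMP "fragmentation needed", and shows how a sender that never receives that ICMP ends up in a path-MTU black hole, which is the "curl stops at that point" behaviour.

```python
"""Path-MTU walk-through for an MTU mismatch on an internal interface.

Constructed example, not part of the forum thread. It simulates DF
(Don't Fragment) packets crossing hops of differing MTU and the RFC 1191
path MTU discovery feedback loop that depends on ICMP type 3 code 4.
"""
from dataclasses import dataclass
from typing import List, Optional

IPV4_HEADER = 20   # bytes, no options
TCP_HEADER = 20    # bytes, no options


@dataclass(frozen=True)
class Hop:
    name: str
    mtu: int
    # False models the ICMP "fragmentation needed" reply being dropped or
    # filtered on its way back, so the sender never learns the smaller MTU.
    icmp_reaches_sender: bool = True


@dataclass(frozen=True)
class Verdict:
    delivered: bool
    blocking_hop: Optional[str]
    next_hop_mtu: Optional[int]
    blackhole: bool  # dropped AND the sender gets no ICMP telling it why


def tcp_mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits one unfragmented IPv4 packet at this MTU."""
    return mtu - IPV4_HEADER - TCP_HEADER


def walk(packet_size: int, path: List[Hop], df: bool = True) -> Verdict:
    """Forward a packet of `packet_size` bytes across `path` hop by hop.

    A hop whose MTU is smaller than the packet must either fragment it
    (DF clear) or drop it and send ICMP fragmentation-needed carrying its
    own MTU (DF set). The first dropping hop decides the verdict.
    """
    for hop in path:
        if packet_size <= hop.mtu or not df:
            continue  # fits, or the hop is allowed to fragment it
        return Verdict(False, hop.name, hop.mtu,
                       blackhole=not hop.icmp_reaches_sender)
    return Verdict(True, None, None, blackhole=False)


def pmtu_discover(initial_size: int, path: List[Hop],
                  max_rounds: int = 8) -> Optional[int]:
    """Simulate a sender that honours ICMP fragmentation-needed replies.

    Returns the packet size that finally gets through, or None when the
    ICMP feedback never arrives: the sender keeps retransmitting the
    too-large segment and the connection hangs right after the handshake.
    """
    size = initial_size
    for _ in range(max_rounds):
        verdict = walk(size, path)
        if verdict.delivered:
            return size
        if verdict.blackhole or verdict.next_hop_mtu is None:
            return None
        size = verdict.next_hop_mtu  # shrink to what the hop advertised
    return None


# Constructed topology: 1500 everywhere except the firewall's internal
# lag0 interface, mis-set to 1492 as in the thread's resolution. The
# ICMP flag on that hop is an assumption used to show the black-hole case.
BROKEN_PATH = [
    Hop("isp-uplink", 1500),
    Hop("utm-lag0-internal", 1492, icmp_reaches_sender=False),
    Hop("client-nic", 1500),
]
# Same path with lag0 corrected to 1500.
FIXED_PATH = [Hop(h.name, 1500) for h in BROKEN_PATH]
# Same mismatch, but the ICMP reply does get back to the sender.
BROKEN_PATH_WITH_ICMP = [Hop(h.name, h.mtu) for h in BROKEN_PATH]


def main() -> None:
    full = tcp_mss_for_mtu(1500)  # 1460-byte segments from a 1500 MTU peer
    for label, path in (("broken, ICMP lost", BROKEN_PATH),
                        ("broken, ICMP delivered", BROKEN_PATH_WITH_ICMP),
                        ("fixed", FIXED_PATH)):
        v = walk(full + IPV4_HEADER + TCP_HEADER, path)
        print(f"{label:24s} first packet: delivered={v.delivered} "
              f"blocked_at={v.blocking_hop} blackhole={v.blackhole} "
              f"pmtud_result={pmtu_discover(1500, path)}")


if __name__ == "__main__":
    main()
```

Running it shows that a 1500-byte DF packet is delivered on the fixed path, is dropped at lag0 on the broken path, and only recovers (at 1492 bytes, i.e. a 1452-byte MSS) when the ICMP reply reaches the sender; with the reply lost, `pmtu_discover` returns None. Small handshake packets fit either way, which is why the session opens and then stalls on the first full-sized segment. A transparent proxy terminates TCP on the firewall and negotiates a separate MSS on each side, which is one explanation consistent with the web filter masking the problem for HTTPS while SSH stayed broken.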
