UTM 9.509-3 - Webpage Timeouts in Chrome after upgrade 9.509-3 in transparent mode

Hi

Since upgrading to 9.509-3 I have been having difficulties with random websites (amazon, scan.co.uk and others) timing out when using Google Chrome. I've inspected the logs and cannot see any issues at all. I've cleared the cookies/cache and re-installed the browser, but have now exhausted my options. I am in no doubt the problem lies directly with Chrome, as the websites have no issues in Firefox, Internet Explorer, Edge.

My setup is:

SG-210 in Transparent mode with SSO and STAS configured

When the pages time out, the following is displayed:

This error is completely random and doesn't appear on other UTMs using older firmware. It seems to break for random websites whilst still allowing me to browse others. Everything was working fine up until the upgrade.

Any ideas would be appreciated

Thanks

  • Hi,

    Does this behavior with the Chrome browser only happen on web sites with TLS encryption (HTTPS)? Are you using the SSL interception of the Sophos UTM? What kind of certificate are you using (self-signed or from an internal known PKI)? Which version of Chrome are you using?

    With every new version Chrome gets more and more sensitive regarding certificates so maybe there's an issue with the proxy certificate for the SSL interception.

  • In reply to TheExpert:

    Hi there,

    We have the same problem. We are using a UTM SG 210; we are not using the SSL interception, only the HTTP URL scanning. Every browser is affected (Edge, IE 10, Firefox, Chrome).

    The web profile is disabled, and a firewall rule as a workaround works for us temporarily. Everything works without Web Protection, so it is not a DNS or ISP problem. But running without Web Protection is not a good solution.

    Regards

    Chris

  • It is probably a coincidence but I had this problem after updating Chrome this morning - it turned out google.com's cookies were blocked in the browser. I had to remove the block in the browser advanced settings.

  • In reply to Christian Blass:

    Hallo Chris and welcome to the UTM Community!

    Can you show us the relevant line from the Web Filtering log when this occurs?

    Cheers - Bob

  • Because it has not been mentioned:

    For completeness, you need to check the Application Control log and Intrusion Protection System logs.   One would expect these to drop consistently, not intermittently, so you will probably find nothing relevant.    When these functions activate, they drop the packet, and the browser will wait before declaring a timeout.   The browser timeout entry can be up to two minutes after the IPS entry.

    The problem is more likely to be here:

    Since the problem only affects Chrome, it is probably related to Chrome's QUIC protocol, which uses UDP 443 to make https run faster. This is my understanding of the interaction between QUIC and UTM:

    • By default, UDP 443 bypasses the web proxies and is handled by firewall rules, where outbound traffic probably has an allow-all rule, so it is allowed.
    • Bob Alfson says that if you configure UDP 443 in the web proxy additional ports list, it can be handled by Transparent Mode Web Proxy.   In the absence of a statement from Sophos that they routinely test to ensure correct QUIC operation through the proxy, I am reluctant to try this, and I favor Standard Mode proxy.
    • QUIC will bypass standard mode proxy


    You have not said which of these configurations is active in your situation.   That detail may be important.

    I recommend blocking UDP 443 at the firewall, which will disable QUIC.   See if the problem goes away, and report back.

  • In reply to DouglasFoster:

    Hi

    Same problem here!!

    Works with IE, not with Chrome

  • In reply to Thomas Dueringer:

    Disabled QUIC also in Chrome

  • In reply to Thomas Dueringer:

    Can you post some log samples to show that the logs are reporting a timeout and not some other condition?

  • In reply to DouglasFoster:

    Hi Douglas

    The timeout happens in the browser because the browser tries to open the authentication url per https.

  • In reply to Thomas Dueringer:

    I'm sorry, Thomas, I don't understand: "the browser tries to open the authentication url per https."  Can you show a relevant line from the Web Filtering log?

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

    The problem happens when the browser does the Transparent Mode Active Directory Single Sign On. In IE the URL for SSO looks like http://<firewall name>/auth?=fvrosigfhwohgshg. In Chrome the URL is https:<firewall name>/auth?=fvrosigfhwohgshg. Because the UTM does not listen for SSO-Auth on HTTPS, there is a timeout.

    Cheers, Julian

  • In reply to Julian R:

    That's exactly my problem and unfortunately nothing suggested so far has solved the issue.

    I have also tried to find a log entry which may shed more information but there isn't any at all. I've re-created the problem numerous times on different computers with the log windows open and filtered to the client and nothing is logged.

  • In reply to Julian R:

    So, did Chrome change, or did UTM change?   

    It sounds like you are saying that UTM changed, and we have another regression in this release.   Has Support confirmed this as a bug?   

  • In reply to DouglasFoster:

    Not sure what you mean by UTM changed.

    To clarify: I have this issue with one SG-210 appliance only after upgrading to 9.509-3. I can re-create the problem on multiple computers using the upgraded SG-210.

    I have another UTM which is using an earlier firmware release, which I cannot replicate the issue with. Because of this I have not upgraded that UTM to 9.509-3.

  • In reply to markstones:

    We are facing this problem, too. Transparent proxy with SSO (AD, no STAS) causes timeouts when using Firefox. Firefox tries to authenticate using a https:// address. Internet Explorer is working fine on the same workstation. Did anyone already open a case with Sophos?
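
Added example (not written by any poster in this thread and not Sophos code): a Python check, run from an affected client against your own UTM, for the symptom Julian R and the last poster describe, where the browser requests the SSO auth URL over https while the UTM answers only on http. The function names, the default ports 80/443 and the verdict labels are assumptions of this example.

```python
import socket
import sys
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}  # assumed listener ports


def probe(host, port, timeout=3.0):
    """TCP-connect to host:port; return 'open', 'refused', 'timeout' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # RST came back: nothing listens on that port
    except socket.timeout:
        return "timeout"      # SYN dropped silently: the browser hangs
    except OSError:
        return "error"


def check_auth_redirect(url, ports=None, timeout=3.0):
    """Probe the redirect host on the http and https ports and classify the result."""
    ports = {**DEFAULT_PORTS, **(ports or {})}
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.hostname
    if scheme not in ports or not host:
        raise ValueError("expected an http:// or https:// URL with a host")
    results = {s: probe(host, p, timeout) for s, p in ports.items()}
    if results[scheme] == "open":
        verdict = "reachable"
    elif scheme == "https" and results["http"] == "open":
        # The thread's symptom: auth answers on http, browser asked for https.
        verdict = "scheme-mismatch"
    else:
        verdict = "unreachable"
    return {"host": host, "scheme": scheme, "results": results, "verdict": verdict}


if __name__ == "__main__":
    # Usage: python check_auth.py 'https://<firewall name>/auth?...'
    for arg in sys.argv[1:]:
        print(check_auth_redirect(arg))
```

A `scheme-mismatch` verdict with `https` reported as `timeout` rather than `refused` matches the hang described in the thread: the connection attempt is dropped silently, so the browser waits instead of failing fast.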