UTM 9.509-3 - Webpage Timeouts in Chrome after upgrade 9.509-3 in transparent mode

Hi,

does this behavior with Chrome browser only happen on web sites with TLS encrytion (HTTPS)? Are you using the SSL interception of the Sophos UTM? What kind of certificate are you using (self signed or from an internal known PKI)? Which version of Chrome are you using?

With every new version Chrome gets more and more sensitive regarding certificates so maybe there's an issue with the proxy certificate for the SSL interception.

Hi There,

we have the same Problem. We are using an UTM SG 210 and we are not using the SSL interseption and we are only using the HTTP URL scanning. Any Brwoser is affected (Edge, IE 10, Firefox, Chrome). 

The Webprofile is disabled and and a Firewallrule as Workaround works for us temporary. Anything works without the Webprotection, so it is not an DNS or ISP Problem. But without Webprotection is not a good solution.

Regards 

Chris

It is probably a coincidence but I had this problem after updating Chrome this morning - it turned out google.com's cookies were blocked in the browser. I had to remove the block in the browser advanced settings.

Hallo Chris and welcome to the UTM Community!

Can you show us the relevant line from the Web Filtering log when this occurs?

Cheers - Bob

Because it has not been mentioned:

For completeness, you need to check the Application Control log and Intrusion Protection System logs.   One would expect these to drop consistently, not intermittently, so you will probably find nothing relevant.    When these functions activate, they drop the packet, and the browser will wait before declaring a timeout.   The browser timeout entry can be up to two minutes after the IPS entry.

The problem is more likely to be here:

Since the problem only affects Chrome, it is probably related to Chrome's QUIC protocol, which uses UDP 443 to make https run faster.  This is my understanding of the interaction between QUIC and UTM

• By default, UDP 443 bypasses the web proxies and is handled by firewall rules, where outbound traffic probably has an allow-all rule, so it is allowed.
• Bob Alfson says that if you configure UDP 443 in the web proxy additional ports list, it can be handled by Transparent Mode Web Proxy.   In the absence of a statement from Sophos that they routinely test to ensure correct QUIC operation through the proxy, I am reluctant to try this, and I favor Standard Mode proxy.
• QUIC will bypass standard mode proxy

You have not said which of these configurations is active in your situation.   That detail may be important.

I recommend blocking UDP 443 at the firewall, which will disable QUIC.   See if the problem goes away, and report back.

Hi

Same Problem here!!

Works with IE not with chrome

Disabled Quic also in chrome

Can you post some log samples to show that the logs are reporting a timeout and not some other condition?

Hi Douglas

The timeout happens in the browser because the browser tries to open the authentication url per https.

I'm sorry, Thomas, I don't understand: "the browser tries to open the authentication url per https."  Can you show a relevant line from the Web Filtering log?

Cheers - Bob