
Web filtering issues since 9.4 update, home license and box, HTTPS traffic

Hey all,

I wonder if anyone else is experiencing similar issues since the last upgrade to 9.402-7.

Simply, on many sites with HTTPS I have a long delay when opening the site, sometimes it just times out, often it says that DNS could not resolve it, and sometimes the site loads in a broken state (parts missing, distorted etc). It seems to be like that for 2-3 refreshes, then it eventually loads. It happens for many different sites on 3 different computers in my household and the common thing is that we use Chrome. But when I disable Web Filtering on the UTM it all magically starts working quickly and with no problems?...

Is there a known problem with Web Filtering, or is there a configuration change somewhere I am not aware of?

Any help would be appreciated.



This thread was automatically locked due to age.
  • Are the users here still having this issue? I've been having issues since around this upgrade with SSL connections if 'Web Filtering' is turned off. Which is very odd. I've done several Wireshark captures and Sophos is sending TCP Resets to many SSL connections if I ONLY have the FW on. Once I turn on Web Filtering things work. This is causing issues with several streaming services since I like to put the hosts in the Web Filtering By Pass.

     

    I don't use DNSSEC and have one rule to allow everything outbound. 

  • Hi, Brett, and welcome to the UTM Community!

    I don't know enough about TCP to know which timeout might need to be increased.  You can see the current values with

    cc get packetfilter timeouts

    If the problem were ip_conntrack_tcp_timeout_last_ack at 30, you could increase this to 60 with

    cc set packetfilter timeouts ip_conntrack_tcp_timeout_last_ack 60

    If you find the correct parameter change, please post your result back here.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA