Guest WIFI network not working properly. Some apps not receiving data.

Equipment:

Sophos Firewall SG230 (UTM9)

Firmware version: 9.701-6

Access point AP-15 


Issue:

I have connected several APs to my network and generated 2 wifi networks: 1 bridged to my LAN, working fine, and another (guest wifi) in a separate zone:

The devices (mostly mobile phones) connect to this network with no problem. The web surfing works great, no problem at all. I have this firewall rule:

I detected a problem with iPhone activation; it throws an "activation server is unavailable". If I connect to another wifi it works fine. After this incident I have detected some more abnormal behaviour:

1.- Twitter app doesn't update, but the notifications work. After opening the app the updating icon moves until a message appears: "Cannot retrieve messages at this time, please try again later."


2.- Netflix app doesn't work. You can choose your profile but after that it shows nothing. (screenshot below)

The weird thing is that I can log in to Twitter or watch Netflix from a web browser on a device connected to the same wifi (guest). So it is clearly a problem with the mobile apps.

Any hints to solve this problem?


Thanks in advance.


  • Hi  

    Have you checked the packetfilter.log at the time when the issue happens? I assume you are not applying web filtering on the Separate zone network. If you have applied Web Filtering, what do you see there?

  • In reply to Jaydeep:

    Yes, I've checked packetfilter.log, and there is something I don't understand (but IMO not related to the issue), this (my phone is 10.10.10.9):

    But after those DROP all seems working fine:

    If I open Twitter or Netflix I don't see anything about it in the log.


    I'm not applying web filtering on the guest wifi network.
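    One way to triage those log lines for the phone's address, as an added example that is not from this thread: it assumes the UTM 9 packetfilter.log key="value" layout and runs over constructed sample lines (the timestamps, IPs, ports and rule id are invented), counting dropped packets per remote endpoint so a repeated SYN drop toward one app endpoint stands out from a stray inbound ACK drop.

```python
import re
from collections import Counter

# Constructed sample lines in the UTM 9 packetfilter.log key="value" layout.
# Only the structure follows the real log; every value is made up.
SAMPLE_LOG = """\
2020:03:10-09:12:01 utm ulogd[4321]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="wlan1" srcip="10.10.10.9" dstip="203.0.113.20" proto="6" srcport="51234" dstport="443" tcpflags="SYN"
2020:03:10-09:12:02 utm ulogd[4321]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="wlan1" srcip="10.10.10.9" dstip="203.0.113.20" proto="6" srcport="51234" dstport="443" tcpflags="SYN"
2020:03:10-09:12:03 utm ulogd[4321]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="5" initf="wlan1" srcip="10.10.10.9" dstip="198.51.100.7" proto="6" srcport="51235" dstport="443" tcpflags="SYN"
2020:03:10-09:12:05 utm ulogd[4321]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="wlan1" srcip="10.10.10.9" dstip="203.0.113.20" proto="17" srcport="5353" dstport="5353"
2020:03:10-09:12:07 utm ulogd[4321]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="192.0.2.4" dstip="10.10.10.9" proto="6" srcport="443" dstport="51234" tcpflags="ACK"
"""

# Matches each key="value" field on a line.
KV = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return (timestamp, {field: value}) for one packetfilter.log line."""
    ts, _, rest = line.partition(" ")
    return ts, dict(KV.findall(rest))


def dropped_flows(log_text, client_ip):
    """Count dropped packets involving client_ip, keyed by direction,
    remote address, protocol number, remote port and the firewall rule id."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, f = parse_line(line)
        if f.get("action") != "drop":
            continue
        if f.get("srcip") == client_ip:
            key = ("out", f["dstip"], f.get("proto"), f.get("dstport"), f.get("fwrule"))
        elif f.get("dstip") == client_ip:
            key = ("in", f["srcip"], f.get("proto"), f.get("srcport"), f.get("fwrule"))
        else:
            continue
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in dropped_flows(SAMPLE_LOG, "10.10.10.9").most_common():
        print(n, key)
```

    Outbound drops that repeat toward the same address and port are the ones worth matching against the guest zone's firewall rules; a single inbound drop with only ACK set is usually a packet arriving after the session was already closed.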


  • In reply to Josema:

    Have you configured Anti-DoS/Flooding in UTM? It looks like a reason for those drops.

  • In reply to Jaydeep:

    Hi Jaydeep,


    No Anti-DoS/Flooding:

    Some "Attack patterns" checked:

    I have unchecked all to test and no change. 

  • In reply to Josema:

    IPS settings look alright to me.

    I suspect this might be with CDN networks for the Apps. But it would require to look into tcpdump of the traffic when the issue occurs. Please capture a PCAP of the iPhone from UTM 9 as per this article Sophos UTM: How to capture packets and download the Packet Capture. Check it in Wireshark and see if anything comes up.

  • In reply to Jaydeep:

    I have done this test with an android phone and Netflix app.


    I think this is the interesting part but I don't know how to interpret it:


    I have uploaded the file to https://ufile.io/hgapu2ds

  • "activation server is unavailable".

    I believe this is a known issue with iPhones and Sophos Wireless Protection, but I don't think they've identified the cause yet. Jaydeep?

    Cheers - Bob

    PS Moving this thread to the Wireless Protection forum.

  • In reply to BAlfson:

    Hi, it's not only an issue with iPhones; I've pointed out some issues with apps like Twitter and Netflix on Android.


    Another data point: I have 2 wifi networks, 1 is bridged to AP_LAN.

    The other is the guest network I've been talking about. Could the cause of the problem be that both wifi networks share the VLAN? Would it be better to bridge both of them to a VLAN?

  • In reply to Josema:

    Ok, more info. 

    I have created a new wifi network bridged to VLAN.

    I've connected 1 access point to the same VLAN (100) and activated VLAN tagging:

    The VLAN 100 has the same firewall config as the guest wifi network (the problematic one)

    This way, the wifi network bridged to the VLAN works perfectly: iPhone, Android, all apps, no problem.


    So the problem is clearly in the separate zone created by Sophos. 


    Now the problem is I can't add the bridged-to-LAN wireless network to the AP due to VLAN tagging, but this is another problem.