Internet outage every xx minutes

Hello

 

I'm new in the company, and they have 2 XG firewalls (HA) installed here.

Every XX minutes there is an internet outage for the whole site, and after 30-60 seconds the internet is back; this repeats every time.

What I already saw and tested:

If I ping google.com -t before the outage, it resolves the IP address and the pings are fine.

If I ping google.com -t during an outage, it resolves the IP address but the pings time out; when the internet comes back, the pings are fine again.

Also a strange thing: if there is an internet outage in a TS session, it is possible that on the local machine there is no outage.

It's never the whole site at once, but most people work on a TS server, so all the people who work on this machine have the problem at the same time.

The company that delivers the firewall also can't find the problem (they told me they would contact Sophos), and the situation has been like this for more than a year.

Does someone have an idea where the problem could be?
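An added example, not part of the original post and not a Sophos tool: a small Python monitor that samples DNS resolution and TCP reachability separately (the poster sees names still resolving while pings time out), records each outage window, and checks whether the gaps between outage starts are constant, which is the first thing to pin down for an "every XX minutes" problem. The probe targets (google.com, 1.1.1.1:443) and the 5-second sampling interval are assumptions; a TCP connect stands in for ICMP so no raw-socket privilege is needed.

```python
import socket
import time
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Probe targets are assumptions for this example, not from the thread; pick hosts
# that are meaningful for your site. A TCP connect stands in for ICMP ping so the
# script runs without raw-socket privileges.
DNS_NAME = "google.com"
TCP_TARGET = ("1.1.1.1", 443)
TIMEOUT_S = 2.0


@dataclass
class Outage:
    start: float        # timestamp of the first failed reachability probe
    end: float          # timestamp of the first successful probe after it
    dns_ok: bool        # True if name resolution kept working throughout the outage

    @property
    def duration(self) -> float:
        return self.end - self.start


def probe() -> Tuple[bool, bool]:
    """One sample: (dns_ok, reach_ok). Kept separate because the thread reports
    that DNS still resolves while pings time out."""
    try:
        socket.getaddrinfo(DNS_NAME, 443)
        dns_ok = True
    except socket.gaierror:
        dns_ok = False
    try:
        with socket.create_connection(TCP_TARGET, timeout=TIMEOUT_S):
            reach_ok = True
    except OSError:
        reach_ok = False
    return dns_ok, reach_ok


def find_outages(samples: Iterable[Tuple[float, bool, bool]]) -> List[Outage]:
    """Fold (timestamp, dns_ok, reach_ok) samples into closed outage windows.
    An outage opens at the first unreachable sample and closes at the next
    reachable one; a window still open when the input ends is not reported."""
    outages: List[Outage] = []
    start: Optional[float] = None
    dns_during = True
    for ts, dns_ok, reach_ok in samples:
        if not reach_ok:
            if start is None:
                start, dns_during = ts, True
            dns_during = dns_during and dns_ok
        elif start is not None:
            outages.append(Outage(start, ts, dns_during))
            start = None
    return outages


def start_intervals(outages: List[Outage]) -> List[float]:
    """Seconds between consecutive outage starts."""
    return [b.start - a.start for a, b in zip(outages, outages[1:])]


def is_periodic(intervals: List[float], tolerance: float = 0.1) -> bool:
    """True when every interval lies within +/- tolerance (as a fraction) of the
    mean, i.e. the outages look timer-driven rather than like random loss."""
    if len(intervals) < 2:
        return False
    mean = sum(intervals) / len(intervals)
    return all(abs(i - mean) <= tolerance * mean for i in intervals)


def monitor(every_s: float = 5.0, max_samples: Optional[int] = None) -> List[Outage]:
    """Sample until interrupted (or max_samples reached), print each UP/DOWN
    transition, then return the outage windows seen."""
    samples: List[Tuple[float, bool, bool]] = []
    last_ok = True
    try:
        while max_samples is None or len(samples) < max_samples:
            now = time.time()
            dns_ok, reach_ok = probe()
            samples.append((now, dns_ok, reach_ok))
            if reach_ok != last_ok:
                state = "UP" if reach_ok else f"DOWN (dns_ok={dns_ok})"
                print(f"{time.strftime('%H:%M:%S', time.localtime(now))} {state}")
                last_ok = reach_ok
            time.sleep(every_s)
    except KeyboardInterrupt:
        pass
    outages = find_outages(samples)
    for o in outages:
        print(f"outage at {time.strftime('%H:%M:%S', time.localtime(o.start))} "
              f"lasted {o.duration:.0f}s, dns_ok={o.dns_ok}")
    gaps = start_intervals(outages)
    print("intervals between outage starts:", gaps,
          "(periodic)" if is_periodic(gaps) else "(not periodic)")
    return outages


if __name__ == "__main__":
    monitor()
```

Run it on a laptop on the LAN and, if you can, on the TS server at the same time, so the two views the poster describes (TS session down, local machine fine) are captured side by side. A near-constant interval between outage starts means something is firing on a timer and the next step is to find what else runs on that period; irregular gaps point more towards loss. If dns_ok stays True inside every outage window, name resolution is confirmed not to be the failing piece, matching what was observed with ping.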

  • Hi

    During an internet outage you may check the packet requests on the firewall and the drops on the firewall.

    You may check the traffic or packet requests via the CLI command:

    console > tcpdump 'host X.X.X.X'

    where X.X.X.X is the destination server or machine IP.

    Command for dropped packets:

    console > drop-packet-capture 'host X.X.X.X'

    As the whole site is not having this problem at once, it could be due to packet loss or drops at the ISP due to high bandwidth usage.

    In the packet capture above, if XG forwards packets out and there is no reply from the ISP, then you may further verify the ISP usage and why there is no reply to that packet from upstream, etc.

  • Is the link on the port going down? Is this on the WAN side only or is the firewall unreachable on the LAN side as well?

    I'd also look in the logfiles of the switches the firewalls are connected to (e.g. some weird spanning tree stuff; arp stuff).

    Check all logs that have something to do with HA.

    https://community.sophos.com/kb/en-us/132211

     

    Finally, I'd open a ticket with Sophos.

  • Hello

     

     

    I looked at the MTU; it is 1500.

    I checked the dropped packets in the console; there I see some dropped packets to the 10.x.x.x host, but I don't know if this is correct.

    If there is an outage, I can always reach the firewall on the LAN side.

  • In reply to helmut willems:

    So, when I do "show network interfaces" in the console, I see on Port1: RX State: 10264 packets dropped.

    Can this be something?

     

  • In reply to helmut willems:

    Hi

    If it is increasing gradually, this could be one of the possible reasons.

    To fix it you may change the cable or the remote-end switch port, or set the speed manually on both ends, etc.

  • In reply to Vishal_R:

    Also, when I do

    drop-packet-capture interface Port1

    I see lots of dropped packets, but also IP addresses which call IPs on other subnets (which don't exist on the campus):

     

    2019-12-02 15:09:41 0544021 IP 10.0.0.213.61400 > 192.168.1.16.55855 : proto UDP: packet len: 60 checksum : 905
    0x0000: 4500 0050 81c4 0000 8011 ec4b 0a00 00d5 E..P.......K....
    0x0010: c0a8 0110 efd8 da2f 003c 0389 6000 0000 ......./.<..`...
    0x0020: 0000 3b15 2001 0000 2851 7ae4 287e 1027 ..;.....(Qz.(~.'
    0x0030: ab38 f845 2001 0000 2851 7ae4 28c8 25d0 .8.E....(Qz.(.%.
    0x0040: 9277 1664 0104 e738 82fb 0404 0100 0000 .w.d...8........
    Date=2019-12-02 Time=15:09:41 log_id=0544021 log_type=Content_Filter log_component=Application_Filter log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=2 source_mac=f4:d1:08:59:a4:25 dest_mac=00:e0:20:11:0a:36 l3_protocol=IP source_ip=10.0.0.213 dest_ip=192.168.1.16 l4_protocol=UDP source_port=61400 dest_port=55855 fw_rule_id=1 policytype=1 live_userid=10556 userid=136 user_gp=11 ips_id=1 sslvpn_id=0 web_filter_id=4 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=7 app_category_id=7 app_id=50 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=1 cluster_node=0 inmark=0x0 nfqueue=253 scanflags=88 gateway_offset=1 max_session_bytes=0 drop_fix=0 ctflags=33554698 connid=1555927344 masterid=0 status=264 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2019-12-02 15:09:41 0544021 IP 10.0.0.213.61400 > 109.136.233.155.55855 : proto UDP: packet len: 60 checksum : 28189
    0x0000: 4500 0050 8bf7 0000 8011 4cad 0a00 00d5 E..P......L.....
    0x0010: 6d88 e99b efd8 da2f 003c 6e1d 6000 0000 m....../.<n.`...
    0x0020: 0000 3b15 2001 0000 2851 7ae4 287e 1027 ..;.....(Qz.(~.'
    0x0030: ab38 f845 2001 0000 2851 7ae4 28c8 25d0 .8.E....(Qz.(.%.
    0x0040: 9277 1664 0104 e738 82fb 0404 0100 0000 .w.d...8........
    Date=2019-12-02 Time=15:09:41 log_id=0544021 log_type=Content_Filter log_component=Application_Filter log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=2 source_mac=f4:d1:08:59:a4:25 dest_mac=00:e0:20:11:0a:36 l3_protocol=IP source_ip=10.0.0.213 dest_ip=109.136.233.155 l4_protocol=UDP source_port=61400 dest_port=55855 fw_rule_id=1 policytype=1 live_userid=10556 userid=136 user_gp=11 ips_id=1 sslvpn_id=0 web_filter_id=4 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=7 app_category_id=7 app_id=50 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=1 cluster_node=0 inmark=0x0 nfqueue=253 scanflags=88 gateway_offset=1 max_session_bytes=0 drop_fix=0 ctflags=33554698 connid=1998453632 masterid=0 status=264 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
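An added example that is not from the thread and not a Sophos tool, serving both the drop-packet-capture suggestion in the first reply and the output posted above: a Python parser for the key=value lines of the capture that counts denied packets per source, filter component, rule, app id and destination class ("campus", other private space, or public), and buckets them per minute so the drops can be lined up against the outage windows. The sample input is the two records posted above (with one hex-dump line kept to show it is skipped); the campus range 10.0.0.0/8 is an assumption, as the thread only shows 10.x.x.x hosts.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Assumption for this example: the campus uses 10.0.0.0/8, the only internal
# range visible in the thread. Adjust to the real site networks.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Sample input taken from the drop-packet-capture output posted in the thread;
# the summary and hex-dump lines are included to show they are skipped.
SAMPLE_LOG = """\
2019-12-02 15:09:41 0544021 IP 10.0.0.213.61400 > 192.168.1.16.55855 : proto UDP: packet len: 60 checksum : 905
0x0000: 4500 0050 81c4 0000 8011 ec4b 0a00 00d5 E..P.......K....
Date=2019-12-02 Time=15:09:41 log_id=0544021 log_type=Content_Filter log_component=Application_Filter log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=2 source_mac=f4:d1:08:59:a4:25 dest_mac=00:e0:20:11:0a:36 l3_protocol=IP source_ip=10.0.0.213 dest_ip=192.168.1.16 l4_protocol=UDP source_port=61400 dest_port=55855 fw_rule_id=1 policytype=1 live_userid=10556 userid=136 user_gp=11 ips_id=1 sslvpn_id=0 web_filter_id=4 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=7 app_category_id=7 app_id=50 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=1 cluster_node=0 inmark=0x0 nfqueue=253 scanflags=88 gateway_offset=1 max_session_bytes=0 drop_fix=0 ctflags=33554698 connid=1555927344 masterid=0 status=264 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
2019-12-02 15:09:41 0544021 IP 10.0.0.213.61400 > 109.136.233.155.55855 : proto UDP: packet len: 60 checksum : 28189
Date=2019-12-02 Time=15:09:41 log_id=0544021 log_type=Content_Filter log_component=Application_Filter log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=2 source_mac=f4:d1:08:59:a4:25 dest_mac=00:e0:20:11:0a:36 l3_protocol=IP source_ip=10.0.0.213 dest_ip=109.136.233.155 l4_protocol=UDP source_port=61400 dest_port=55855 fw_rule_id=1 policytype=1 live_userid=10556 userid=136 user_gp=11 ips_id=1 sslvpn_id=0 web_filter_id=4 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=7 app_category_id=7 app_id=50 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=1 cluster_node=0 inmark=0x0 nfqueue=253 scanflags=88 gateway_offset=1 max_session_bytes=0 drop_fix=0 ctflags=33554698 connid=1998453632 masterid=0 status=264 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
"""

Key = Tuple[str, str, str, str, str, str]


def parse_drop_log(text: str) -> List[Dict[str, str]]:
    """Parse the key=value records of a drop-packet-capture dump into dicts.
    Packet summary and hex-dump lines do not start with 'Date=' and are skipped."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("Date="):
            continue
        rec: Dict[str, str] = {}
        for tok in line.split():
            key, sep, val = tok.partition("=")
            if sep:
                rec[key] = val      # empty values such as 'out_dev=' are kept as ''
        records.append(rec)
    return records


def classify_dest(ip: str) -> str:
    """'campus' for our own ranges, 'other-private' for RFC 1918 space we do not
    use (the 'subnets which don't exist on the campus'), otherwise 'public'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in LOCAL_NETS):
        return "campus"
    if addr.is_private:
        return "other-private"
    return "public"


def summarize(records: List[Dict[str, str]]) -> "Counter[Key]":
    """Count drops per (source, component, subtype, rule, app_id, dest class), so a
    flood of denies from one host or one rule stands out from background noise."""
    counts: "Counter[Key]" = Counter()
    for r in records:
        dest_class = classify_dest(r["dest_ip"]) if "dest_ip" in r else "?"
        key = (r.get("source_ip", "?"), r.get("log_component", "?"),
               r.get("log_subtype", "?"), r.get("fw_rule_id", "?"),
               r.get("app_id", "?"), dest_class)
        counts[key] += 1
    return counts


def drops_per_minute(records: List[Dict[str, str]]) -> "Counter[str]":
    """Drop count per minute (Date + HH:MM), for lining up against outage windows."""
    return Counter(f"{r.get('Date', '?')} {r.get('Time', '??:??')[:5]}" for r in records)


def report(text: str) -> List[str]:
    """One line per group, most frequent first."""
    lines = []
    for (src, comp, sub, rule, app, cls), n in summarize(parse_drop_log(text)).most_common():
        lines.append(f"{n:5d}  src={src} {comp}/{sub} rule={rule} app_id={app} dest={cls}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
    for minute, n in sorted(drops_per_minute(parse_drop_log(SAMPLE_LOG)).items()):
        print(f"{minute}  {n} drops")
```

Feed it a capture saved across one or two outages (for example `drop-packet-capture interface Port1` redirected to a file) and compare the per-minute counts with the outage start times from your ping log: drops that only appear inside the outage windows, or that all share one rule or app id, narrow the search much faster than reading the raw dump. Destinations classed as "other-private" are the traffic to subnets the campus does not have, which is worth tracing back to the source host rather than to the firewall.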

  • Hello  

    Seeing that you are mentioning TS, I am presuming you are stating "terminal services".  

    If this is correct, can you let me know if you are doing authentication?

    If so, then it's possible that you have a simple misconfiguration that can be resolved by configuration.

    Please have a look at these KB articles:

    https://community.sophos.com/kb/en-us/133531

    https://community.sophos.com/kb/en-us/127157

    Also, if you are having problems in HA, try disabling it to see if it works.  If so then you could have problems with an ARP entry timeout on your switch.

    Let us know how it goes.

    Thanks!

  • In reply to KingChris:

    Hello KingChris,

    STAS is deployed, SATC not.

    I've disabled HA, but same problems.

    Also when I'm not in Terminal Services (working locally on a laptop), there is also a connection outage.

     

     

  • In reply to helmut willems:

    Hello  

    Thanks for the response.

    So without being on TS box and without HA you are still affected by the outage.

    When the outage occurs, have you tried to run a traceroute to see where the packets are going?

    It sounds to me like you may have asymmetric routing happening, or even a rogue DHCP server that gives out a bad gateway address, or a proxy PAC file pointing to another offline device.

    The issue sounds local to me.

    Let me know what you find, and let's see what we can help you with.

    Thanks!