


Sophos RED troubleshooting

Hi

I have recently installed a Sophos RED 15 at one of our branch offices. For the most part, everything appears to be working as expected. Below is my configuration:

Standard/Unified, RED IP 192.168.0.1 (same range/subnet as branch office LAN)

I created a zone called RED_BranchOffice and assigned pretty much everything to it. Then I created both an inbound and an outbound firewall rule as follows:

Source Zone = RED_BranchOffice | Source Network = BranchOffice LAN

Destination Zones = LAN, WAN | Destination Network = Any

Everything else is default.


Here is the problem:

For most of the day the connection is fine, all staff at the branch office log on to a terminal server here at HQ and their IP phones connect to the internet through the RED. However, 2/3 times a day everything is cut off, the RDP sessions end and the phones go down for about 5 seconds.

I have looked in all of the standard logs available through Log Viewer and there is nothing going on at these times. I called first-line support, who looked around in the console logs, and we could clearly see that this RED was dropping 10x more packets than the other RED. However, she couldn't see anything wrong and just left it.

Before installing the RED, this branch office had been connected for a month through a standard IPsec tunnel from their Draytek Vigor 2930 router. Why is this only happening with the RED?

Which commands do I need to enter on the console to look at the logs myself?


Thanks in advance!

  • Ben,

    make sure tunnel compression is disabled. I would suggest you open a ticket with Support.

    Regards

  • In reply to lferrara:

    Hi Luk

    Support were unable to help me. The problem is they checked the RED connection logs, which show the tunnel isn't dropping; it's fine.

    So I have been trying to figure out what else could be causing this.

    I think I have had a spot of luck today. I was connected through TeamViewer to a colleague's PC at the branch office (through RED). Whilst I was connected it happened and my colleague's RDP session (on his end) disconnected. However, I remained connected to his PC and my connection to him was fine.

    So this indicates that only certain traffic is dropping, e.g. RDP?

    I also noticed this:

    Each time the connection is dropping, there is a spike in the data transmitted from XG to RED.

    How can I go about investigating this further to see what is causing these spikes? 

    Thanks