Wifi internet connection delay

Hi,

We have 3 Sophos Wi-Fi networks, one hotspot for guest, one for employee and one for company devices.
When we connect a device that has never connected before to the wireless networks, we have no internet, only a network connection.
With the hotspot we don't see the portal, but about 30 seconds later we can access the portal.
We can immediately ping the gateway but no external IP address.
About 30 seconds later we have internet and can ping any external IP address. The strange thing is that when we connect a 2nd time there is no problem at all.
Even after some weeks we can still connect immediately to the Wi-Fi networks without any problem.
The problem occurs with the Hotspot, WPA2 and (Bridge to LAN networks).
When we connect to the Wi-Fi networks we receive the correct network configuration from the Sophos DHCP or the internal Windows DHCP service.

At first sight, the gateway of the SF does not immediately work after connecting to the Wi-Fi network for devices that have never connected before.
When the connection works after about 30 seconds and we connect a 2nd time, the gateway is working immediately, even after removing the network settings from the computer. The CPU load is always below 10%.

I am not sure when the problem showed up, but we have it on multiple Sophos devices with the same firmware (SFOS 15.01.0 MR-3).

What can be the cause of this problem?

Does anyone else have a similar problem?

  • Hi,

    The lag can be caused by network congestion. Is the frequency band similar on all the networks?

    If everything else is working up to the mark I doubt we can get a conclusion on this issue asap. I would rather recommend you to get your reseller/partner to help you out on this matter locally.

    Thanks

  • Hi,

    I am also experiencing a similar thing:

    XG firewalls on the edge of our network.

    New devices get addressing from Cisco switches but experience a 2 minute delay before their internet traffic is passed through the firewall.

    This has been proven by Sophos tcpdumps and ISP wireshark captures.

    Ongoing support request. Sent them the Wireshark capture yesterday, they want to investigate MSS values...

    It only affects new devices or devices which haven't connected in a couple days or so.

  • In reply to James Jackson:

    Hi,

    Is this on both 2.4 GHz and 5 GHz SSIDs or just 5 GHz SSIDs?

    Ian

  • In reply to James Jackson:

    Hi,

    We have exactly the same error. The networks are implemented by APs joined to Cisco wireless controllers, and the network configuration seems to be OK, DHCP OK; on the edge is the Sophos firewall.

    Any idea how to solve it?

    Thanks.

  • In reply to SuscripcionesEM:

    Do you have STAS activated on the XG?

  • In reply to James Jackson:

    Hi James,

    Yes, is it related to that?

  • In reply to SuscripcionesEM:

    Seems to be for me, even though 'match known users' is not selected for that policy....

    We were experiencing a 120 second delay - same as the STAS timeout value. Now we've changed the STAS timeout value to 45 seconds, we now experience a 45 second delay.

    I have a call with Sophos in 5 minutes to discuss the issue with them and make them accept STAS does not work as designed.

  • In reply to James Jackson:

    Thanks,

    Seems an identical case. One question: when you modify the timeout value, are you referring to the logoff detection settings on the collector, or is it a configuration somewhere else?

    Regards.

  • In reply to SuscripcionesEM:

    You have to console to the XG and type:

    system auth cta unauth-traffic drop-period 60

    to set a 60 second timeout.

    It's recommended to be at least 40 seconds. I advise changing this value and seeing if the delay also changes.

  • In reply to James Jackson:

    Hi James,

    Thanks for your last answer. Do you have any official response/conclusion from the Sophos team?

    Regards.

  • In reply to James Jackson:

    Isn't that how STAS is designed? The XG blocked the traffic until STAS authenticated the device, either by event log or WMI query.

  • In reply to SuscripcionesEM:

    Yep, they took lots of details and added my case to the notes for bug formerly known as NC-26440.

    What happens next is unsure, but I will be hassling my account manager about it.

  • In reply to daiqingxu:

    daiqingxu

    Isn't that how STAS is designed? The XG blocked the traffic until STAS authenticated the device, either by event log or WMI query.

    Yes, but it shouldn't happen when "match known user" isn't ticked for that policy.