
Some Websites are not loading or getting error when passing the traffic through one ISP

I'm new to Sophos XG Firewalls.

I'm facing a very peculiar issue with my Sophos XG firewalls. The firewalls are in HA (Active-Passive). My client has three ISPs. One ISP is terminated directly on the Sophos and the other two ISPs are PPPoE connections. Since the Sophos XG doesn't support PPPoE connections in HA, the ISPs which are PPPoE (say ISP 2 and ISP 3) are terminated on a router and from there connected to the Sophos XG.

The problem I'm facing is that when the user internet traffic is passed through ISP 2 and ISP 3, some websites are not loading at all or sometimes not loading properly. This problem is not constant and it is occurring randomly.

 

I don't know what is causing this issue and the customer is really pissed about this.

 

If I pass the traffic through ISP 1 which is terminated directly on Sophos I'm not facing any issues at all.

 

To check if it is an issue on the ISP side, I disconnected the cable and connected it directly to my laptop, and I checked and everything seems to be working fine. So the issue is related to the XG and I have no idea where to look.

I created a plain firewall from LAN to WAN without HTTP or HTTPS scanning, without IPS, web filter and application filter, and still have the same issue through ISP 2 and ISP 3.

I even changed the firewall DNS to public DNS and still the issue persists.

I checked in Chrome, IE and Mozilla, all with the same outcome.

 

Any help would be really welcome and great.

 

Thank You.

Janish



  • Hi,

    What functionality do you have enabled in your routers?

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    Thank You for your feedback.

     

    I didn't get you. What do you mean by what functionality I have enabled in the router? Can you just elaborate?

    It is a normal Huawei router provided by the ISP. The modem is in default mode and not in bridge mode. Since it is PPPoE and the XG is in HA, I can't put it in bridge mode.

    The box is an XG310 and the version is V17-MR1.

     

  • Hi,

     

    Maybe double NAT is causing the issue? If so, why is it occurring randomly and not permanently? Also to some websites like microsoft.com, Xbox.com, symantech.com, some bank sites etc.

     

    Is there any way to remove double NAT and make it work?

     

    I don't know much about double NAT and that's why I'm asking.

     

    Thank You. 

  • Hi,

    On most of those routers you should be able to disable the FW function or at least disable the NAT. I am not sure how you are load balancing between the 3 ISPs, but would suspect that packets are getting lost between the XG and the routers.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

     

    Even I suspect the same. There is some issue between these PPPoE modems and the XG. Since the ISPs are directly terminated on the modem, can we disable the NAT from the XG? Would it work or not?

    Because if I disable the NAT on the ISP modem I don't think the internet would work. Am I right?

    We are using these two, ISP 2 and ISP 3, for normal user internet traffic. ISP 2 is the primary gateway and ISP 3 is the backup.

    ISP 1 is used for Site-to-Site VPN connection.

     

    Thank You.

  • Hi,

    In my case disabling the NAT on the modem worked; different modems, different settings. The XG will not pass traffic without a NAT as far as I know.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

     

    Thank you so much.

     

    I will test it by disabling the NAT on the modem and I will update you.

    Is there any command with which we can see whether the problem is happening between the XG and the modem, like drop-packet-capture or tcpdump?

     

    Thank You.

  • Hi,

     

    I disabled the NAT and the internet wasn't working after that.

    So I added it again.

    Can this issue be related to the MTU and MSS values? If so, is there any recommendation for how much we should reduce the value?

    Also, does anyone know if the new version V17 MR5 supports PPPoE in HA (Active-Passive)?

     

    Thank You.