Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 6 replies
  • Answers 1 answer
  • Subscribers 40 subscribers
  • Views 4288 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Issues accessing a site though Sophos XG

Austin Ehrhardt

Sophos XG125

Firmware: 17.5.0

I can not confirm 100% that the site was working before I ran the upgrade to 17.5

 

One of my users is trying to access https://normandyins.com .(This is the only site I am aware of that is having this issue) I am able to access this site from my home, cell phone, DR site, and our hosting provider. No one else has reported any issues with the site. When trying to access though our netowork (Tested on multiple machines):

Firefox:

Chrome:

IE:

 

None of the browsers pick up a cert.

Running an NSLookup shows that both the Sophos network and other networks pick up the correct DNS record. Running the test directly on the XG has the same results.

You can ping the IP of the site from both the PC's and the firewall.

We have an old router that we are phasing out (With a different ISP) and if I switch the IP's to that network on the same PC's, the site loads.

Checking the site on ssllabs.com, The site allows tls 1.1 & 1.2 and it does not see any issues.

I do not have any configured web filter on the sophos or other web filtering device on the network. I have disabled all of the filtering rules and checked all the firewall rules to see if anything is attached to web filtering and there is nothing.

 


I am burning my tires on this one a bit and looking for some advice if anyone has some for me.



This thread was automatically locked due to age.
Parents
  • 0

    Hi Austin,

    That does seem quite odd that if you have nothing enabled it doesn't work. I was thinking this may be related to IPS but looking at the site and my own XG it does not seem to raise any hits.

    Can you do a wireshark while trying to connect to the website and see if it the XG interfering or the remote site terminating the connection?

    Does the website work if you hotspot the device so it is not using the XG as its default gateway?

    Emile

Reply
  • 0

    Hi Austin,

    That does seem quite odd that if you have nothing enabled it doesn't work. I was thinking this may be related to IPS but looking at the site and my own XG it does not seem to raise any hits.

    Can you do a wireshark while trying to connect to the website and see if it the XG interfering or the remote site terminating the connection?

    Does the website work if you hotspot the device so it is not using the XG as its default gateway?

    Emile

Children
  • 0 in reply to Emile Belcourt

    Yes, If I hotspot from my phone or if I run the connection through our other ISP / router onsite it works fine on the same computers that have the problem on the Sophos network. 

     

    If I run a tracert with the 107 address the site gives via DNS this is what wireshark gives me

  • 0 in reply to Austin Ehrhardt

    Forgot to mention that I also added a temp allow Any / Any on the firewall rules with no IPS / Filtering / or anything. No changes.

     I also added a allow rule for just the site IP with no changes.

  • 0 in reply to Austin Ehrhardt

    Hi Austin,

    This will be a destructive suggestion.

    Lets try and remove the XG as the cause of the problem (or identify it). Grab your laptop that you know works on another internet connection for that site and plug it into the wan cable so your laptop is directly connected to the internet bypassing any security, any switches, basically everything.

    If it still breaks then it's your ISP and if it works it's definitely the XG and we can look more closely at the XG.

    The reason I'm suggesting this is i have had, on two occasions, an ISP that was messing up dns in one case or routing on the other. Like in their case, things like ping worked fine but everything else failed.

    Is that possible?

    If not we can find alternatives.

    Emile

  • 0 in reply to Emile Belcourt

    Yes I can do that but it'll be Monday before I can bring my office down for a bit while I test (Lots of off hours remote users).

    I will plan on testing Monday night and post back here with the results.

  • 0 in reply to Austin Ehrhardt

    I know that last post on this thread is almost a year old, but I just wanted to add my recent experience.
    Might help someone with similar issue.

    A client had a site that they could not access. It was a bill pay site from their electric company.
    Attempting to access it would produce a timeout or site couldn't be reached error in the browser. Tried different browsers, different machines on the network.
    After killing all the Sophos Web & IPS services on the FW (XG 115 - (SFOS 17.5.8 MR-8) ), site still couldn't be reached.
    FW diagnostics (Log Viewer, Policy Tester, etc) showed that traffic was flowing out of the FW.

    I connected my laptop directly to the cable modem (eliminating the FW).
    Before I go further let me state that the ISP is Cox. Modem is an Arris SB6183.
    Cox has two ways to have the modem connect...DHCP or Static.
    When I configured my laptop to connect to the modem via DHCP, I could access the site.
    When I configured my laptop to connect to the modem via WAN Static IP/GW/SM/DNS (same configuration as exist in the FW), I could not access the site.

    Contacted Cox, and explained my experience and with them did additional troubleshooting. Still had problem. They decided to issue a new Static IP....problem resolved.
    I connected the Sophos FW, rebooted the modem, and I could access the site with all Web, IPS services in place.

    Hope this helps others having similar issues accessing sites.

    LThib

Unfiltered HTML