Long held TCP connections dropping

Hi,

We have recently changed network topology at a client such that workstations and servers are now on different VLANs, and traffic between them crosses the Sophos (XG 17.5.9). Since then we've seen an issue with TCP connections getting dropped after a few hours of being idle in the TX direction (at layer 4). RX traffic is not idle (at layer 4).

Once connected, the client will occasionally send a string of numbers to the server (barcode scanner for timecards), and the server will send the current time to the client (vt320 terminal data) every 15 seconds. Overnight, or after a number of hours, the screen appears frozen, the time on the terminal screen has not updated in several hours, and the server and Sophos no longer have a record of the connection. Scanning a barcode on the client terminal does nothing for a few seconds, then the client SSH session notices the connection is no longer active and closes.

It is unlikely that the server is initiating the disconnection as the Sophos is the only thing that has changed. I suspect that the Sophos kills the connection in conntrack and then when the server sends its time update, the packets no longer get through.

I have reduced the rule down to having no App, Web, or IPS rules for SSH. I can't see anything in the Sophos log, although I had turned off invalid packet logging and it hasn't been on again long enough to record anything.

I can see that conntrack connection goes down to around 10785 before going back up to 10800, so conntrack isn't timing out.

I haven't yet been able to capture a packet trace to catch it in the act.

Any suggestions?

Thanks

James


