WAN Port Frequently gets Down and automatically up after 2 minutes

Hi S Naeem : Thank you for reaching out to Sophos community team. Alert is appearing over email as it seems gateway status email alert is set to on.

Reference snapshot from local LAB device.



Regarding WAN Port up down, you may check the port error, duplex settings etc. You may try by changing the cable if that may help to fix the issue. You may also verify syslog.log during port flapping event time to see what are the log lines getting generated. 

Error over Interface you may verify via below command over Port2. 

console> sh network interfaces 

Thanks for your guidance but log viewer show the given below event only :

Hi S Naeem : Below KBA and last comment suggestions &  command will give more information to identify the issue from log files.

Sophos XG Firewall: Where to find log files?

support.sophos.com/.../KB-000035758

Sophos XG Firewall: Logfile guide:

https://support.sophos.com/support/s/article/KB-000038142?language=en_US

I think you may be confusing two things here. Do you lose internet connectivity when you get the alerts, your post doesn't make this clear? Or is it just that you keep getting the alerts?

If you are losing internet connectivity, ignore this post and follow the advice you have been given so far! If it is just the alerts that are a problem, you need to look at your "Wan Link Manager" settings. It doesn't matter if you aren't using failover, there can still be failover rules that test if the gateway is available and it is these rules that generate the alerts.

It is typical for the failover rule to be a ping to the next IP hop. In the example above the next hop is a private IP because the XG is behind another internal router. More typically, the IP will be the gateway address of your internet provider. The problem with this is that if for any reason the next hop doesn't respond to the ping, you will get an alert. It may not respond to a ping because it is down but sometimes gateways don't respond for other reasons. In this case, you may not lose internet connectivity but you will get an alert. This might be what is happening to you.

If you are using a single ping like above, it should always be set to the next hop (gateway address of the internet provider). Don't set it to something like 8.8.8.8 (google DNS) because the ping could fail on any of the hops to that IP but it doesn't mean your gateway is down.

There is another way to avoid false positives by using more than one ping test. We do have two internet connections and use failover but you can do the same even if you only have one WAN connection.

If you look at our Failover rules, you can see we test on two pings and BOTH have to stop responding before you get an alert (and in our case, the failover takes place). This prevents us getting false alerts (and failover) if one of sites we are pinging stops responding for any reason.

I am having this issue too at one of our sites on a XG125 running v18.05 (MR5). I changed the failover rules like you suggested above a couple of weeks ago and the device still goes down 8-10 times a day for 15-20 seconds at a time. No help from Sophos and there doesn't appear to be anything in the logs either. I wonder how widespread an issue this is?