Home Edition Sophos XG Basic WAN Routing Issues

Question

I am seriously getting irritated with the Home Edition Sophos XG lately. 
 
 First, enabling WWAN broke the install. As soon as the server booted after enabling, no Ethernet devices would work. Not even a "factory reset" fixed it. I have to completely reinstall just to get networking back. 
 
 Now I am constantly having connection issues. Weather.com never works, google.com always works, just about every other website is hit or miss. I never get a Sophos page saying it was blocked. The DNS server on the device doesn't seem to function - so if I setup DHCP to configure 172.16.16.16 as DNS nothing resolves but internet somewhat works on 8.8.8.8 or 1.1.1.1 or the device's DNS. 
 
 What is really irritating is websites will work then won't. The router log shows "invalid traffic" without any "zones" being defined. And it masquerade settings or connection timeout isn't the issue since it will work then 5 minutes later it won't. 
 I have the most basic setup. Lan as default network 172.16.16.16/24 on port 1. Port 2 is another router at 192.168.5.1/24. Basic firewall routing that allows "All" apps and web.. I have also tried none and new ones I made. Bottom line, the connection is very unstable. 
 I use Sophos because I don't want any legal hassles from people I let use the network downloading off BitTorrent.. but other then that I don't really need such a system. 
 Been using Sophos XG for at least 3 years, I have configured just about everything there is, red, site2site ssl VPN, remote VPN, etc.. and here I'm not doing any of that.. it is an ultra basic setup and it still doesn't seem to work.. 
 
 Any ideas?

LuCar Toni · Accepted Answer

Summary of Debug steps for such issues: I give you some advise to check first to get this debugged. Check the route_precedence of the appliance. console> system route_precedence show Routing Precedence: Static routes VPN routes SD-WAN policy routes Move to the same configuration with: console> system route_precedence set static vpn sdwan_policyroute Then check the reply and system-generated traffic: console> show routing sd-wan-policy-route reply-packet SD-WAN policy route is turned on for reply packets. console> show routing sd-wan-policy-route system-generate-traffic SD-WAN policy route is turned on for system-generated traffic. See: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/RoutingSDWANPolicyRouting.html Then check, if you are using SD-WAN Routes or not. (Routing - SD-WAN Policy routing). Are there rules or not? If not, thats good. Then check the current WAN Link manager. If you have a Active-Active Setup, then move to Active-Passive by setting the second ISP to backup. This will force all traffic for the time to the active interface. If you experience an issue, switch both (Move from active to backup and vice versa). Still an issue? Disable the DPI engine under Rules and policies - SSL/TLS inspection rule - SSL/TLS inspection settings - Advanced settings - Disable. Still an issue? Check the advanced firewall (Virtual fastpath). Disable it and try again: console> system firewall-acceleration show console> system firewall-acceleration disable If the issue still is there: Move to tcpdump/conntrack. Advanced shell: conntrack -E | grep Source_IP <--- This will show you all loaded policies of your current connection. tcpdump -ni any host Source_IP <-- this will show you at least the packets coming from your client. tcpdump -ni any host Destination_IP <-- You should see all traffic (From client and on the WAN). You see the used interface. Do you see the connection build up with proper TCP handshake (Syn, Syn/ACK, ACK?) Are those packets forwarded? (You could do the same on the GUI (Diagnostics, packet capture). The logviewer in this case will not help, as it logs only the initial SYN Packets. The problem is, if the packets have a routing issue, you will not see, who is causing this issue. Invalid Traffic indicates, it is a routing issue and the client is closing the connection. Proxy could also cause this issue, if google still works fine, as you screenshots indicates. Google uses QUIC (UDP443) to communicate "faster". This is not handled by the proxy, as the proxy only uses TCP443. https://en.wikipedia.org/wiki/QUIC So if the proxy module is causing this issue, it should be "fine" if you disable all proxy related filter option within the rule. What could cause a proxy to interact like that? There are many problems like AV pattern corrupt, pattern could not be installed, proxy module gets a kernel panic etc. How to check? Should be logged in the /log/awarrenhttp.log or /log/u2d.log PS: Allow All basically means "Load the proxy". If your proxy is causing this --> It will always be there. Change to None to unload the proxy. PS2: a factory reset will reset the configuration etc. But it will not "reinstall the system". To reimage a system, you have to use a new installation image and reinstall it. This will also reinstall the modules etc. I cannot comment on the time you used in the past, that would be my first shots for this issue.

LuCar Toni · Answer

Ok lets tackle this from a different perspective: If you enable TLS decryption, XG will manipulate the packet. 
 If the client or the server are not accepting those packets, they will close the connection. By closing the connection, most clients/server will burst a "I do not want to talk to you" packet, called finish/reset (FIN/RST). XG will pick up this traffic and drop (the multiple packets) of this as invalid traffic. This is what you actually seeing on the appliance. 
 So: the TLS decryption or the DPI engine, which is manipulating the traffic, is causing your client to drop the connection. 
 First of all: Try to disable the TLS Decryption engine: 
 
 Check if this helps in any case. 
 If not, there could be a routing issue. 
 
 Do you have SD-WAN Policy Based Routes?

Home Edition Sophos XG Basic WAN Routing Issues

Top Replies