
Home Edition Sophos XG Basic WAN Routing Issues

I am seriously getting irritated with the Home Edition Sophos XG lately.

First, enabling WWAN broke the install. As soon as the server booted after enabling, no Ethernet devices would work. Not even a "factory reset" fixed it. I have to completely reinstall just to get networking back.

Now I am constantly having connection issues. Weather.com never works, google.com always works, and just about every other website is hit or miss. I never get a Sophos page saying it was blocked. The DNS server on the device doesn't seem to function - so if I set up DHCP to configure 172.16.16.16 as DNS, nothing resolves, but the internet somewhat works on 8.8.8.8 or 1.1.1.1 or the device's DNS.

What is really irritating is websites will work and then won't. The router log shows "invalid traffic" without any "zones" being defined. And masquerade settings or connection timeout aren't the issue, since it will work and then 5 minutes later it won't.

I have the most basic setup. LAN as default network 172.16.16.16/24 on port 1. Port 2 is another router at 192.168.5.1/24. Basic firewall routing that allows "All" apps and web. I have also tried none and new ones I made. Bottom line, the connection is very unstable.

I use Sophos because I don't want any legal hassles from people I let use the network downloading off BitTorrent, but other than that I don't really need such a system.

Been using Sophos XG for at least 3 years. I have configured just about everything there is: RED, site-to-site SSL VPN, remote VPN, etc., and here I'm not doing any of that. It is an ultra basic setup and it still doesn't seem to work.

Any ideas?



  • Summary of Debug steps for such issues:

    I give you some advice to check first to get this debugged.

    Check the route_precedence of the appliance.

    console> system route_precedence show

    Routing Precedence:

    1. Static routes

    2. VPN routes

    3. SD-WAN policy routes

    Move to the same configuration with: console> system route_precedence set static vpn sdwan_policyroute

    Then check the reply and system-generated traffic:

    console> show routing sd-wan-policy-route reply-packet

    SD-WAN policy route is turned on for reply packets.

    console> show routing sd-wan-policy-route system-generate-traffic

    SD-WAN policy route is turned on for system-generated traffic.

    See: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/RoutingSDWANPolicyRouting.html

    Then check, if you are using SD-WAN Routes or not. (Routing - SD-WAN Policy routing). Are there rules or not?

    If not, that's good. Then check the current WAN Link manager. If you have an Active-Active setup, then move to Active-Passive by setting the second ISP to backup. This will force all traffic for the time to the active interface.

    If you experience an issue, switch both (Move from active to backup and vice versa).

    Still an issue?

    Disable the DPI engine under Rules and policies - SSL/TLS inspection rule - SSL/TLS inspection settings - Advanced settings - Disable.

    Still an issue?

    Check the advanced firewall (Virtual fastpath). Disable it and try again:

    console> system firewall-acceleration show

    console> system firewall-acceleration disable

    If the issue still is there: Move to tcpdump/conntrack.

    Advanced shell: conntrack -E | grep Source_IP <--- This will show you all loaded policies of your current connection.

    tcpdump -ni any host Source_IP <-- this will show you at least the packets coming from your client.

    tcpdump -ni any host Destination_IP <-- You should see all traffic (From client and on the WAN). You see the used interface.

    Do you see the connection build up with a proper TCP handshake (SYN, SYN/ACK, ACK)? Are those packets forwarded?

    (You could do the same on the GUI (Diagnostics, packet capture).)

    The logviewer in this case will not help, as it logs only the initial SYN packets. The problem is, if the packets have a routing issue, you will not see who is causing this issue. Invalid Traffic indicates it is a routing issue and the client is closing the connection.

    Proxy could also cause this issue, if google still works fine, as your screenshots indicate. Google uses QUIC (UDP443) to communicate "faster". This is not handled by the proxy, as the proxy only uses TCP443. https://en.wikipedia.org/wiki/QUIC

    So if the proxy module is causing this issue, it should be "fine" if you disable all proxy-related filter options within the rule. What could cause a proxy to interact like that? There are many problems like AV pattern corrupt, pattern could not be installed, proxy module gets a kernel panic, etc. How to check? Should be logged in /log/awarrenhttp.log or /log/u2d.log

    PS: Allow All basically means "Load the proxy". If your proxy is causing this --> It will always be there. Change to None to unload the proxy.

    PS2: a factory reset will reset the configuration etc. But it will not "reinstall the system". To reimage a system, you have to use a new installation image and reinstall it. This will also reinstall the modules etc.

    I cannot comment on the time you used in the past, that would be my first shots for this issue.
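The handshake check in the reply above (does each client SYN get a SYN/ACK, and is that SYN/ACK answered) can be automated over the text output of `tcpdump -ni any host Source_IP`. This is an added example, not code from the reply or from Sophos; the capture lines are constructed and the addresses are placeholders, and it applies the same check to every flow in the capture rather than one at a time.

```python
import re
from collections import defaultdict

# "src > dst: Flags [..]" from a tcpdump -n line; re.search skips the timestamp and
# the interface/direction tokens newer tcpdump versions print with -i any.
LINE_RE = re.compile(r"IP (\S+) > (\S+): Flags \[([^\]]*)\]")

# Constructed capture, placeholder addresses: one good handshake, one SYN that is
# never answered (retransmitted), and one SYN/ACK the client answers with a reset.
SAMPLE = """\
12:00:01.000001 IP 172.16.16.50.51234 > 23.45.67.89.443: Flags [S], seq 100, win 64240, length 0
12:00:01.020001 IP 23.45.67.89.443 > 172.16.16.50.51234: Flags [S.], seq 500, ack 101, win 65535, length 0
12:00:01.020500 IP 172.16.16.50.51234 > 23.45.67.89.443: Flags [.], ack 501, win 502, length 0
12:00:02.000001 IP 172.16.16.50.51235 > 104.16.1.2.443: Flags [S], seq 200, win 64240, length 0
12:00:03.000001 IP 172.16.16.50.51235 > 104.16.1.2.443: Flags [S], seq 200, win 64240, length 0
12:00:04.000001 IP 172.16.16.50.51236 > 142.250.0.1.443: Flags [S], seq 300, win 64240, length 0
12:00:04.030001 IP 142.250.0.1.443 > 172.16.16.50.51236: Flags [S.], seq 700, ack 301, win 65535, length 0
12:00:04.030500 IP 172.16.16.50.51236 > 142.250.0.1.443: Flags [R.], seq 301, ack 701, win 0, length 0
""".splitlines()

def classify_flows(lines):
    # Map "client -> server" to the handshake state observed for that TCP flow.
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0, "rst": 0, "client": None})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                           # not a TCP line (ARP, UDP/QUIC, ...)
        src, dst, flags = m.groups()
        f = flows[tuple(sorted((src, dst)))]   # one record per bidirectional flow
        if "S" in flags and "." not in flags:  # bare SYN: identifies the client side
            f["syn"] += 1
            f["client"] = src
        elif "S" in flags:                     # SYN/ACK from the server
            f["synack"] += 1
        elif "R" in flags and not f["ack"]:    # reset before the handshake finished
            f["rst"] += 1
        elif "." in flags and f["synack"]:     # any ACK after the SYN/ACK completes it
            f["ack"] += 1
    report = {}
    for (a, b), f in flows.items():
        client = f["client"] or a
        if not f["syn"]:
            state = "no SYN seen (capture started mid-stream)"
        elif not f["synack"]:
            state = f"SYN unanswered ({f['syn']} SYN sent): forward path or route problem"
        elif f["rst"]:
            state = "reset after SYN/ACK: client refused the reply"
        elif not f["ack"]:
            state = "SYN/ACK seen but no final ACK: return path problem"
        else:
            state = "handshake complete"
        report[f"{client} -> {b if client == a else a}"] = state
    return report
```

Flows reported as "SYN unanswered" or "reset after SYN/ACK" are the ones to look for in the conntrack output and on the WAN-side capture, since those are the cases the logviewer's SYN-only entries cannot distinguish.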
