
Intermittent Internet Outage due to DNS error

Hi,
I have an XG210 with V18 MR5. My clients are in the LAN zone and the domain controller/DNS is placed in the DMZ. The DNS address on the client end is the domain controller. When a user wants to go to the internet, first of all it goes to the DNS server placed in the DMZ for DNS resolution, and then it browses.
From the last few days I am facing intermittent Internet outages. It shows me a DNS probe error in the browser. Can you please guide me on how to dig out that the firewall is not disturbing this traffic?



  • FormerMember
    0 FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    Do you see any drops on port 53 at the time of instance?

    ==> Run the below command in the console to check drops (the filter string must be closed with a matching quote):

    console> drop-packet-capture 'port 53'

    ==> Is UDP flood enabled under DoS?

  • Thanks for the reply.

    Let me check this. I also turned off IPS on the LAN to DMZ rule and am observing it too.

  • FormerMember
    0 FormerMember in reply to Madni Malik

    I'd suggest taking a packet capture as well at the time of instance.

    How to capture packets and download the Packet Capture

  • Here is the output of the packet capture; fw rule id = 2 is the LAN to DMZ plain rule.

    2021-07-30 13:53:56 0110021 IP 192.168.10.122.55694 > 192.168.20.2.53 : proto UDP: packet len: 54 checksum : 63497
    0x0000: 4500 004a 2255 0000 7e11 7a81 c0a8 0a7a E..J"U..~.z....z
    0x0010: c0a8 1402 d98e 0035 0036 f809 9bc6 0100 .......5.6......
    0x0020: 0001 0000 0000 0000 0576 6964 656f 0866 .........video.f
    0x0030: 6c68 6531 302d 3103 666e 6105 6662 6364 lhe10-1.fna.fbcd
    0x0040: 6e03 6e65 7400 0001 0001 n.net.....
    Date=2021-07-30 Time=13:53:56 log_id=0110021 log_type=Firewall log_component=Identity log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev=Port3 inzone_id=1 outzone_id=3 source_mac=4c:00:82:4a:e8:41 dest_mac=00:1a:8c:51:9c:3e bridge_name= l3_protocol=IPv4 source_ip=192.168.10.122 dest_ip=192.168.20.2 l4_protocol=UDP source_port=55694 dest_port=53 fw_rule_id=2 policytype=1 live_userid=0 userid=65535 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=3240813824 masterid=0 status=256 state=0, flag0=2748781166600 flags1=0 pbdid_dir0=0 pbrid_dir1=0

    2021-07-30 13:57:33 0110021 IP 192.168.10.218.50856 > 192.168.20.2.53 : proto UDP: packet len: 40 checksum : 64779
    0x0000: 4500 003c 4e54 0000 7e11 4e30 c0a8 0ada E..<NT..~.N0....
    0x0010: c0a8 1402 c6a8 0035 0028 fd0b aa63 0100 .......5.(...c..
    0x0020: 0001 0000 0000 0000 0465 6467 6505 736b .........edge.sk
    0x0030: 7970 6503 636f 6d00 0001 0001 ype.com.....
    Date=2021-07-30 Time=13:57:33 log_id=0110021 log_type=Firewall log_component=Identity log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev=Port3 inzone_id=1 outzone_id=3 source_mac=4c:00:82:4a:e8:41 dest_mac=00:1a:8c:51:9c:3e bridge_name= l3_protocol=IPv4 source_ip=192.168.10.218 dest_ip=192.168.20.2 l4_protocol=UDP source_port=50856 dest_port=53 fw_rule_id=2 policytype=1 live_userid=0 userid=65535 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=265032960 masterid=0 status=256 state=0, flag0=2748781166600 flags1=0 pbdid_dir0=0 pbrid_dir1=0

  • FormerMember
    0 FormerMember in reply to Madni Malik

    Can you please post a snapshot of rule ID 2?

  • Hi Madni,

    If you look closely into the drop packet logs:

    Date=2021-07-30 Time=13:57:33 log_id=0110021 log_type=Firewall log_component=Identity log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev=Port3 inzone_id=1 outzone_id=3 source_mac=4c:00:82:4a:e8:41 dest_mac=00:1a:8c:51:9c:3e bridge_name= l3_protocol=IPv4 source_ip=192.168.10.218 dest_ip=192.168.20.2 l4_protocol=UDP source_port=50856 dest_port=53 fw_rule_id=2 policytype=1 live_userid=0 userid=65535 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=265032960 masterid=0 status=256 state=0, flag0=2748781166600 flags1=0 pbdid_dir0=0 pbrid_dir1=0

    The above one is hitting Rule ID No. 2, and the component it has is Identity. So that points to authentication-related concerns here.

    It seems like there is something wrong with authentication in the rule. Could you please share a snapshot of the full rule and also check the username of IP 192.168.10.218?

    This kind of concern may happen if you have applied user auth in the rule, or the user is coming with an NTLM/Kerberos key but the firewall already has it expired or invalid.

    Upvote if you like the answer.

    Sophos Certified Architect

    Ex-Sophos High Touch Technical Support Engineer

    Securing Fortune 10 Companies across the world

    Expertise In XG firewall

    Stay in Touch : exion@protonmail.com
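    As an added example (not code from the thread or from Sophos), here is a Python script that turns the drop-packet-capture output Madni posted into structured records: it rebuilds each packet from the hex dump, decodes the queried DNS name and type, and joins them with the key=value log fields, so you can see which lookups were denied, by which fw_rule_id, and whether the Identity component was the one dropping them, as Exion points out. The sample is constructed from the first capture record; the log line is trimmed to the fields the script reads.

```python
import re

# Constructed sample in the layout of the Sophos drop-packet-capture output quoted in the
# thread: header line, hex dump, then a key=value log line (trimmed to the fields used here).
SAMPLE = """\
2021-07-30 13:53:56 0110021 IP 192.168.10.122.55694 > 192.168.20.2.53 : proto UDP: packet len: 54 checksum : 63497
0x0000: 4500 004a 2255 0000 7e11 7a81 c0a8 0a7a E..J"U..~.z....z
0x0010: c0a8 1402 d98e 0035 0036 f809 9bc6 0100 .......5.6......
0x0020: 0001 0000 0000 0000 0576 6964 656f 0866 .........video.f
0x0030: 6c68 6531 302d 3103 666e 6105 6662 6364 lhe10-1.fna.fbcd
0x0040: 6e03 6e65 7400 0001 0001 n.net.....
Date=2021-07-30 Time=13:53:56 log_component=Identity log_subtype=Denied source_ip=192.168.10.122 dest_ip=192.168.20.2 l4_protocol=UDP dest_port=53 fw_rule_id=2 userid=65535
"""

def hex_dump_to_bytes(lines):
    """Rebuild the raw packet from '0xNNNN: ...' lines; the ASCII column is ignored."""
    out = bytearray()
    for line in lines:
        m = re.match(r"^0x[0-9a-fA-F]{4}:\s+(.*)$", line.strip())
        for tok in (m.group(1).split()[:8] if m else []):   # at most 8 two-byte groups per line
            if not re.fullmatch(r"(?:[0-9a-fA-F]{2}){1,2}", tok):
                break                                        # reached the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)

def dns_question(pkt):
    """Return (qname, qtype) from an IPv4/UDP DNS query packet (uncompressed question name)."""
    ihl = (pkt[0] & 0x0F) * 4
    dns = pkt[ihl + 8:int.from_bytes(pkt[2:4], "big")]      # skip IP+UDP headers, honour IP length
    labels, pos = [], 12                                    # question follows the 12-byte DNS header
    while dns[pos] != 0:
        ln = dns[pos]
        labels.append(dns[pos + 1:pos + 1 + ln].decode("ascii"))
        pos += 1 + ln
    return ".".join(labels), int.from_bytes(dns[pos + 1:pos + 3], "big")

def parse_capture(text):
    """One dict per record: all log fields plus the decoded DNS question."""
    recs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        fields = dict(re.findall(r"(\w+)=(\S*)", lines[-1]))  # Sophos key=value log line
        qname, qtype = dns_question(hex_dump_to_bytes(lines[1:-1]))
        recs.append(dict(fields, qname=qname, qtype=qtype))
    return recs

def identity_denials(text):
    """Drops made by the Identity component, i.e. the auth-related denials called out in the thread."""
    return [r for r in parse_capture(text)
            if r.get("log_component") == "Identity" and r.get("log_subtype") == "Denied"]
```

    Feed it the whole capture (records separated by a blank line, as in the post) and compare the source IPs in identity_denials() with the users STAS thinks are logged in.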

  • Hi Exion,

    Thank you for your reply.

    Actually, a few days ago I was doing SSO and configured STAS at the firewall. But I started facing that the user gets authenticated but after some time browsing stopped for that user. So I disabled that user rule, created a plain rule and added the user network in that rule. I think after that I started getting the error.

    After disabling STAS and AD authentication on the firewall it is behaving normally now.

    Please advise what I should do further.

  • Hello Madni,

    For STAS, that seems to be something with the user timeout. Check it out under the Authentication tab.

    Also, as I mentioned, please share the full snapshot of the rule so I can give the right suggestion.

    Sophos Certified Architect

    Ex-Sophos High Touch Technical Support Engineer

    Securing Fortune 10 Companies across the world

    Expertise In XG firewall

    Stay in Touch : exion@protonmail.com