Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 3 replies
  • Subscribers 39 subscribers
  • Views 1665 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SFOS19.0.1MR1-365 Exchange Online Connection issues

Alexander Neugebauer

Good day,
I have a very strange phenomenon in a customer installation.
Exchange Online takes a long time to start and hangs again and again when accessing shared mailboxes.
I have the same setup with other customers and there I have no such problems.
You can see in the Outlook connection status at "Authn" that it runs on error and after about 3 minutes it works. In the log everything is on green. All the exceptions for O365 are set. Also disabling all security features (web filter, AV scan, TLS/SSL) on a single computer do not bring any improvement. Only the change of the Internet connection without the Sophos XGS. e.g. Sophos UTM, cell phone hotspot or HomeOffice Internet access bring a success.
Microsoft Teams, for example, does not affect it.
I am running out of ideas what else I could try.
Maybe someone has another idea.
Thank you and many greetings
Alex

at start: 

after 3 Minutes:



This thread was automatically locked due to age.
Parents
  • +1

    Hi Alexander Neugebauer

    Please check with packet flow and share tcpdump and drop the packet if any as per the below command from SSH with option 4 : 

    console>tcpdump  'host outlook.office365.com 

    console>tcpdump  'host login.microsoftonline.com

    console>dr  'host outlook.office365.com 

    console>dr 'host login.microsoftonline.com

    From GUI check packet flow Under MONITOR & ANALYZE-->Diagnostics-->Packet Capture Click on configure Enter BPF string host outlook.office.com

    Thanks and Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to Bharat J

    Hi Bharat J,

    thank you so much for your time and analysis today. here is the info you asked for. 

    LOGs: 

    2022-10-06 15:42:13 0103021 IP 172.30.10.1.137 > 172.30.10.255.137 : proto UDP: packet len: 58 checksum : 35926
    0x0000: 4500 004e 4742 0000 8011 8620 ac1e 0a01 E..NGB..........
    0x0010: ac1e 0aff 0089 0089 003a 8c56 9856 0110 .........:.V.V..
    0x0020: 0001 0000 0000 0000 2045 4745 4a45 4d45 .........EGEJEME
    0x0030: 4646 4445 4646 4346 4745 4646 4343 4143 FFDEFFCFGEFFCCAC
    0x0040: 4143 4143 4143 4143 4100 0020 0001 ACACACACA.....
    Date=2022-10-06 Time=15:42:13 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortF1.101 out_dev= inzone_id=8 outzone_id=4 source_mac=00:50:56:9d:29:87 dest_mac=ff:ff:ff:ff:ff:ff bridge_name= l3_protocol=IPv4 source_ip=172.30.10.1 dest_ip=172.30.10.255 l4_protocol=UDP source_port=137 dest_port=137 fw_rule_id=N/A policytype=0 live_userid=26 userid=13 user_gp=11 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=2997380944 masterid=0 status=256 state=0, flag0=824635817984 flags1=17179869184 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0

    2022-10-06 15:42:13 0103021 IP 172.30.10.1.137 > 172.30.10.255.137 : proto UDP: packet len: 58 checksum : 35926
    0x0000: 4500 004e 4743 0000 8011 861f ac1e 0a01 E..NGC..........
    0x0010: ac1e 0aff 0089 0089 003a 8c56 9856 0110 .........:.V.V..
    0x0020: 0001 0000 0000 0000 2045 4745 4a45 4d45 .........EGEJEME
    0x0030: 4646 4445 4646 4346 4745 4646 4343 4143 FFDEFFCFGEFFCCAC
    0x0040: 4143 4143 4143 4143 4100 0020 0001 ACACACACA.....
    Date=2022-10-06 Time=15:42:13 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortF1.101 out_dev= inzone_id=8 outzone_id=4 source_mac=00:50:56:9d:29:87 dest_mac=ff:ff:ff:ff:ff:ff bridge_name= l3_protocol=IPv4 source_ip=172.30.10.1 dest_ip=172.30.10.255 l4_protocol=UDP source_port=137 dest_port=137 fw_rule_id=N/A policytype=0 live_userid=26 userid=13 user_gp=11 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=2900704939 masterid=0 status=256 state=0, flag0=824635817984 flags1=17179869184 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0

    2022-10-06 15:42:14 0103021 IP 172.30.10.1.137 > 172.30.10.255.137 : proto UDP: packet len: 58 checksum : 35926
    0x0000: 4500 004e 4744 0000 8011 861e ac1e 0a01 E..NGD..........
    0x0010: ac1e 0aff 0089 0089 003a 8c56 9856 0110 .........:.V.V..
    0x0020: 0001 0000 0000 0000 2045 4745 4a45 4d45 .........EGEJEME
    0x0030: 4646 4445 4646 4346 4745 4646 4343 4143 FFDEFFCFGEFFCCAC
    0x0040: 4143 4143 4143 4143 4100 0020 0001 ACACACACA.....
    Date=2022-10-06 Time=15:42:14 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortF1.101 out_dev= inzone_id=8 outzone_id=4 source_mac=00:50:56:9d:29:87 dest_mac=ff:ff:ff:ff:ff:ff bridge_name= l3_protocol=IPv4 source_ip=172.30.10.1 dest_ip=172.30.10.255 l4_protocol=UDP source_port=137 dest_port=137 fw_rule_id=N/A policytype=0 live_userid=26 userid=13 user_gp=11 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=3097735028 masterid=0 status=256 state=0, flag0=824635817984 flags1=17179869184 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0

    The Testrule: 

    When Outlook try to connect:

    And so wenn it connects after a while: 

    many greetings
    Alex

Reply
  • 0 in reply to Bharat J

    Hi Bharat J,

    thank you so much for your time and analysis today. here is the info you asked for. 

    LOGs: 

    2022-10-06 15:42:13 0103021 IP 172.30.10.1.137 > 172.30.10.255.137 : proto UDP: packet len: 58 checksum : 35926
    0x0000: 4500 004e 4742 0000 8011 8620 ac1e 0a01 E..NGB..........
    0x0010: ac1e 0aff 0089 0089 003a 8c56 9856 0110 .........:.V.V..
    0x0020: 0001 0000 0000 0000 2045 4745 4a45 4d45 .........EGEJEME
    0x0030: 4646 4445 4646 4346 4745 4646 4343 4143 FFDEFFCFGEFFCCAC
    0x0040: 4143 4143 4143 4143 4100 0020 0001 ACACACACA.....
    Date=2022-10-06 Time=15:42:13 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortF1.101 out_dev= inzone_id=8 outzone_id=4 source_mac=00:50:56:9d:29:87 dest_mac=ff:ff:ff:ff:ff:ff bridge_name= l3_protocol=IPv4 source_ip=172.30.10.1 dest_ip=172.30.10.255 l4_protocol=UDP source_port=137 dest_port=137 fw_rule_id=N/A policytype=0 live_userid=26 userid=13 user_gp=11 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=2997380944 masterid=0 status=256 state=0, flag0=824635817984 flags1=17179869184 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0

    2022-10-06 15:42:13 0103021 IP 172.30.10.1.137 > 172.30.10.255.137 : proto UDP: packet len: 58 checksum : 35926
    0x0000: 4500 004e 4743 0000 8011 861f ac1e 0a01 E..NGC..........
    0x0010: ac1e 0aff 0089 0089 003a 8c56 9856 0110 .........:.V.V..
    0x0020: 0001 0000 0000 0000 2045 4745 4a45 4d45 .........EGEJEME
    0x0030: 4646 4445 4646 4346 4745 4646 4343 4143 FFDEFFCFGEFFCCAC
    0x0040: 4143 4143 4143 4143 4100 0020 0001 ACACACACA.....
    Date=2022-10-06 Time=15:42:13 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortF1.101 out_dev= inzone_id=8 outzone_id=4 source_mac=00:50:56:9d:29:87 dest_mac=ff:ff:ff:ff:ff:ff bridge_name= l3_protocol=IPv4 source_ip=172.30.10.1 dest_ip=172.30.10.255 l4_protocol=UDP source_port=137 dest_port=137 fw_rule_id=N/A policytype=0 live_userid=26 userid=13 user_gp=11 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=2900704939 masterid=0 status=256 state=0, flag0=824635817984 flags1=17179869184 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0

    2022-10-06 15:42:14 0103021 IP 172.30.10.1.137 > 172.30.10.255.137 : proto UDP: packet len: 58 checksum : 35926
    0x0000: 4500 004e 4744 0000 8011 861e ac1e 0a01 E..NGD..........
    0x0010: ac1e 0aff 0089 0089 003a 8c56 9856 0110 .........:.V.V..
    0x0020: 0001 0000 0000 0000 2045 4745 4a45 4d45 .........EGEJEME
    0x0030: 4646 4445 4646 4346 4745 4646 4343 4143 FFDEFFCFGEFFCCAC
    0x0040: 4143 4143 4143 4143 4100 0020 0001 ACACACACA.....
    Date=2022-10-06 Time=15:42:14 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortF1.101 out_dev= inzone_id=8 outzone_id=4 source_mac=00:50:56:9d:29:87 dest_mac=ff:ff:ff:ff:ff:ff bridge_name= l3_protocol=IPv4 source_ip=172.30.10.1 dest_ip=172.30.10.255 l4_protocol=UDP source_port=137 dest_port=137 fw_rule_id=N/A policytype=0 live_userid=26 userid=13 user_gp=11 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=3097735028 masterid=0 status=256 state=0, flag0=824635817984 flags1=17179869184 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0

    The Testrule: 

    When Outlook try to connect:

    And so wenn it connects after a while: 

    many greetings
    Alex

Children
  • 0 in reply to Alexander Neugebauer

    the problem is solved with the help of Bharat J, thank you again very much.

    The problem at that point was with the domain controller which is DNS service and still behind the Sophos UTM to be migrated and here the DNS requests go through two firewalls and routings and hence the delay occurs.

    Thus, I will turbo gear for the final of the migration.

Unfiltered HTML