
XG CA and latest macOS break web sites

Hi folks,

I am running v19.5.1 on the XG and macOS 13.3 on the mac book pro and mac air.

A couple of sites no longer work and the default is https even though I enter http. If I use a hotspot the issue is not observed.

I have a mac mini in which the XG CA was not trusted and the sites all work correctly. After I trusted the XG CA on the mac mini the site broke and defaulted to https.

I tried regenerating the CA that broke all the mail access as well as the http sites. I installed the CA on the MBP, the ipad and the iPhone. 

I have restored a backup from yesterday and mail is now working.

I will try again in the morning with just the XG CA regeneration.

Any thoughts on the subject?

Ian



This thread was automatically locked due to age.
  • I have performed a lot of testing this morning.

    1/. cleared history

    2/. cleared cache

    3/. used firewall rules with no policies, IP4 and IPv6

    4/. created an exception

    5/. log viewer does not show any errors, but does show successful connections. (Application, web and SSL/TLS)

    6/. works fine while using hotspot or access on iPhone.

    Where to next?

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I have identified the cause, the Unifi AP is the common item. When testing via a hardwire connection everything works correctly.

    So more investigation required at my end.

    Ian

    It was working via the cable, but not now.


  • Please explain the following.

    The last entry is with the web exception in place. There appears to be an intermittent bug in handling some websites. Sometimes it works and other times fails with an odd error message.

    'You are not authorized to view this page.

    Firewall Rule:NotAllowed'


  • Hello,

    Good day and thanks for reaching out to Sophos Community.

    I tried the mentioned website on the policy test and I did not experience the intermittent result by far - I'm using Windows w/o DPI.

    May we ask if the last entry happens to websites at random or just this specific one on the example? And does this happen only on your macOS devices?

    Thanks

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Hi Raphael,

    Currently I have access via the mac mini safari and my iPad. The MBP fails, so does my iPhone. The W11 machine is having network issues.

    My main access is via the web proxy both IP4 and IPv6.

    I have two websites that are having issues: coles.com.au and ht.com.au. All the sites I have tested I can access, this forum keeps dropping connections and needs to be reauthenticated many times a day. I can't test two other devices at the moment, they are in use.

    Ian

    Update - the mac air fails.

    All devices now failing.


  • I performed a configuration roll back to the day before the ISP/RSP made some network changes, also to the configuration before I changed the IPv6 configuration and addresses, thinking I made a mistake in the conversion.

    I have again created a web exception for coles.com.au which currently appears to have fixed the issue. There was a lot of disable/reenable configurations to get this far.

    The issue appears to be how XG handles IPv6, which in this case is very slowly, causing the browsers to think the attempted connection has timed out and throw up errors.

    More testing because I am not satisfied with the solution and need to update the internal IPv6 addressing.

    Ian


  • Fixed. The rollback configuration and recreating the new IPv6 address ranges appear to have fixed the issue along with another issue.

    The import of the new IPv6 configuration took over an hour to complete. The performance of the XG is improved and appears to be stable.

    Ian
