
SSL/TLS inspection | bridge mode | multiple local subnets | SSL connections time out

Dear community,

I think we are suffering the same problem mark57165 described in his post 'IPS Service - with no FW rules - Prevents Certain Sites from Loading'.

https://community.sophos.com/sophos-xg-firewall/f/discussions/134535/ips-service---with-no-fw-rules---prevents-certain-sites-from-loading

Our situation:
- SOPHOS XG / XGS Firewall
- in Bridge Mode
- no firewall rule / no SSL/TLS inspection rule for the problem connections
- multiple IPv4 subnets on the LAN side
- SSL/TLS connections from one local subnet to another local subnet time out

Unsatisfying workarounds:
- disable SSL/TLS inspection completely
- stop IPS Service
- add bypass-stateful-firewall-config rules for the local subnets


Is someone facing the same problem?

Did someone find a solution?



Regards, Nicolai



  • Hello Nicolai,

    Good day and thanks for reaching out to Sophos Community.

    To confirm, the error you're facing is that when a local subnet tries to reach another local subnet, the connection times out?

    Also, could you check if there is traffic being blocked under Protect > Intrusion Prevention > DoS Attacks?

    Further, could you please share your Firewall policy for the problematic traffic? 

    Many thanks for your time and patience and thank you for choosing Sophos.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Hello Raphael,
    thanks for your quick response.

    I can confirm that your description is correct.
    We are facing the problem when a local subnet tries to reach another local subnet.

    I made a simplified diagram:

    https://i.imgur.com/V2MpmfO.png

    No traffic being blocked by Intrusion prevention:

    The first firewall rule is an "allow everything" rule:

    The first SSL/TLS inspection rule after the default 'Exclusions by website' rule is also an "Allow anything" rule:

    In Log viewer, log-type = "Firewall", we find 'Could not associate packet to any connection' for the traffic from src=192.168.1.2 to dest=192.168.1.1

    Was this the information you wanted?

    Regards, Nicolai

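One way to confirm the symptom from the Log viewer, as an added example that is not from this thread or from Sophos: a small filter that keeps only the 'Could not associate packet to any connection' entries where both endpoints sit in local subnets and the destination is a TLS port, i.e. exactly the LAN-to-LAN flows this thread is about. The key=value line layout, the field names and the subnet list below are constructed assumptions, not the real SFOS log format.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not real Sophos output); field names follow
# the "src=... dest=..." wording quoted in the thread.
SAMPLE_LOG = """\
log_type="Firewall" src_ip=192.168.1.2 dst_ip=192.168.1.1 dst_port=443 message="Could not associate packet to any connection"
log_type="Firewall" src_ip=192.168.1.2 dst_ip=93.184.216.34 dst_port=443 message="Firewall traffic allowed"
log_type="Firewall" src_ip=10.10.0.5 dst_ip=192.168.1.1 dst_port=443 message="Could not associate packet to any connection"
log_type="Firewall" src_ip=10.10.0.5 dst_ip=192.168.1.1 dst_port=22 message="Firewall traffic allowed"
log_type="Firewall" src_ip=203.0.113.9 dst_ip=192.168.1.1 dst_port=443 message="Could not associate packet to any connection"
"""

# Assumed LAN subnets sitting behind the bridge (placeholder values).
LAN_SUBNETS = [ip_network("192.168.1.0/24"), ip_network("10.10.0.0/16")]

ORPHAN_MSG = "Could not associate packet to any connection"
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def is_local(addr, subnets):
    """True if addr falls inside any of the configured local subnets."""
    ip = ip_address(addr)
    return any(ip in net for net in subnets)


def find_lan_to_lan_orphans(log_text, subnets=LAN_SUBNETS, port="443"):
    """Return (src, dst) pairs of packets the state table could not match,
    limited to flows between two local subnets on the inspected port."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("message") != ORPHAN_MSG or rec.get("dst_port") != port:
            continue
        if is_local(rec["src_ip"], subnets) and is_local(rec["dst_ip"], subnets):
            hits.append((rec["src_ip"], rec["dst_ip"]))
    return hits


if __name__ == "__main__":
    for src, dst in find_lan_to_lan_orphans(SAMPLE_LOG):
        print(f"LAN-to-LAN TLS flow dropped by the state table: {src} -> {dst}")
```

Internet-bound flows and non-TLS ports are left out on purpose, so any pair that remains matches the timeouts described above and can be compared against the bypass-stateful-firewall-config workaround.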