
SSL/TLS inspection | bridge mode | multiple local subnets | SSL connections time out

Dear community,

I think we are suffering the same problem mark57165 described in his post 'IPS Service - with no FW rules - Prevents Certain Sites from Loading'.

https://community.sophos.com/sophos-xg-firewall/f/discussions/134535/ips-service---with-no-fw-rules---prevents-certain-sites-from-loading

Our Situation:

SOPHOS XG / XGS Firewall

in Bridge Mode

no firewall rule / no SSL/TLS inspection rule for the problem connections

multiple IPv4 Subnets on the LAN side

SSL/TLS connections from one local subnet to another local subnet time out

Unsatisfying workarounds:
- disable SSL/TLS inspection completely
- stop IPS Service
- add bypass-stateful-firewall-config rules for the local subnets


Is someone facing the same problem?

Did someone find a solution?



Regards, Nicolai



  • Hello Nicolai,

    Good day and thanks for reaching out to Sophos Community.

    To confirm, the error you're facing is when a local subnet tries to reach another local subnet it times out? 

    Also, could you check if there is traffic being blocked under Protect > Intrusion Prevention > DoS Attacks? 

    Further, could you please share your Firewall policy for the problematic traffic? 

    Many thanks for your time and patience and thank you for choosing Sophos.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Hello Raphael,

    thanks for your quick response.

    I can confirm that your description is correct.
    We are facing the problem when a local subnet tries to reach another local subnet.

    I have created a long answer with diagram and pictures. But the community system blocked my message because of a suspected abuse.

    I have lodged an objection and I am now waiting for the message to be released. If you as a Community Support Engineer can speed up this, please do so.

    Regards, Nicolai

  • Hello Nicolai,

    Thanks for these details. 

    Are the networks 192.168.1.x and 2.x separated by VLAN? Does the router or the Sophos Firewall handle the routing? Also, who is the default gateway of both end machines? 

    Further, I wanted to confirm whether this configuration worked before. If yes, were there any changes to the Firewall/network setup prior to the issue? 

    Many thanks for your time and patience and thank you for choosing Sophos.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Hi Raphael,

    yes, in a nicely configured scenario 192.168.1.x and 2.x would be separated by VLAN. In our tests we tested both with no difference. The problem occurs if 192.168.1.x and 2.x are on the same (V)LAN, and it also occurs if they are separated on different VLANs.

    The router handles the routing.

    The default gateway is for both the router:

    For 192.168.1.x it is 192.168.1.254
    For 192.168.2.x it is 192.168.2.254

    I added this to the diagram:

    No, the configuration never worked without workarounds.

    The workaround that was in use was to add bypass-stateful-firewall-config rules for the local subnets.

    Regards, Nicolai
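A check that helps narrow down the symptom described in this thread (TLS connections between two local subnets timing out while the firewall sits inline in bridge mode) is to separate the TCP connect from the TLS handshake: if the socket opens but the handshake stalls, the inline inspection path is the first suspect rather than routing or VLAN separation. The script below is an added example, not code from the thread or from Sophos; the target hosts in TARGETS are constructed placeholders in the two subnets mentioned above and should be replaced with real hosts.

```python
import socket
import ssl

# Constructed targets: one host in each of the two local subnets from the thread.
TARGETS = [("192.168.2.10", 443), ("192.168.1.10", 443)]
TIMEOUT = 5.0


def probe(host, port, timeout=TIMEOUT):
    """Return (tcp_ok, tls_ok) for one host:port.
    Stage 1 is a plain TCP connect; stage 2 is the TLS handshake.
    A result of (True, False) means the path carries TCP but the
    handshake never completes, the pattern seen with an inline
    inspecting middlebox rather than a routing problem."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return (False, False)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # diagnosing reachability, not identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # wrap_socket performs the handshake on an already-connected socket
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.do_handshake()
            return (True, True)
    except (socket.timeout, ssl.SSLError, OSError):
        return (True, False)
    finally:
        sock.close()


def classify(tcp_ok, tls_ok):
    """Map a probe result to a short diagnosis string."""
    if not tcp_ok:
        return "no TCP connectivity: check routing, VLAN or firewall rule"
    if not tls_ok:
        return "TCP open but TLS handshake timed out: suspect inline inspection (IPS / TLS decryption)"
    return "TLS handshake completed"


if __name__ == "__main__":
    for host, port in TARGETS:
        tcp_ok, tls_ok = probe(host, port)
        print(f"{host}:{port} -> {classify(tcp_ok, tls_ok)}")
```

Run it from a host in 192.168.1.x against a TLS service in 192.168.2.x (and the reverse) with and without the bypass rule in place; a change from "TCP open but TLS handshake timed out" to "TLS handshake completed" confirms the inspection path is where the connection is lost.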