
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

TCP Disconnect with IPS-Pattern updates ??

We have some customers who use quite sensitive software.
We have had repeated session drops with one customer (always at noon on Tuesdays, GMT).
The IPS patterns are said to have been updated at this time today.
IPS is only active for some external connections, not for the "sensitive" internal ones.
They are running version 20.0.1 MR1.
Could there be a connection?

Thanks Dirk

  • Hello,

    Thank you for contacting the Sophos Community!

    As per the description, I believe it may not be the IPS that is causing the issue: if the IPS were dropping the traffic, it would continue to drop it whenever a matching signature triggered.

    We suggest collecting the logs below from the advanced shell and saving them via PuTTY.

    1. tcpdump -nei any host destIP

    2. conntrack -E

    3. Packet capture using KBA: https://support.sophos.com/support/s/article/KB-000037007?language=en_US

    4. Collect the drop packet using KBA: https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/CommandLineHelp/DeviceConsole/index.html#drop-packet-capture

    With this information, I would suggest raising the support case to take it further.

    Mayur Makvana
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.
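The collection steps above are manual, and when the drop recurs only weekly the useful question is whether the connection teardowns cluster at the pattern-update time. The script below is an added example, not code from this thread or from Sophos: it parses the output of `conntrack -E -o timestamp` (the `-o timestamp` option of conntrack-tools prefixes each event with the epoch time), counts TCP DESTROY events in five-second buckets, flags buckets at or above a threshold, and reports which flagged buckets fall within a tolerance of a given IPS update time. The sample event lines, the bucket size, the threshold and the update timestamp are constructed for illustration; the update epoch would in practice come from the firewall's "Last successful update" timestamp.

```python
"""Correlate mass conntrack teardowns with an IPS pattern-update time.

Added example (not from the thread). Assumes the event log was captured with
`conntrack -E -o timestamp`, which prefixes each event with [epoch.usec].
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of `conntrack -E -o timestamp` output. Four TCP flows are
# torn down within seconds of the assumed update time; the early single
# DESTROY and the UDP teardown are background noise that must not trigger.
SAMPLE_EVENTS = [
    "[1718099000.000100]\t    [NEW] tcp      6 120 SYN_SENT src=10.0.0.5 dst=10.0.1.20 sport=51234 dport=5000 [UNREPLIED] src=10.0.1.20 dst=10.0.0.5 sport=5000 dport=51234",
    "[1718099500.250000]\t[DESTROY] tcp      6 src=10.0.0.9 dst=10.0.1.20 sport=40001 dport=5000 packets=10 bytes=900 src=10.0.1.20 dst=10.0.0.9 sport=5000 dport=40001 packets=9 bytes=800 [ASSURED]",
    "[1718100057.100000]\t[DESTROY] tcp      6 src=10.0.0.5 dst=10.0.1.20 sport=51234 dport=5000 packets=5000 bytes=600000 src=10.0.1.20 dst=10.0.0.5 sport=5000 dport=51234 packets=4900 bytes=500000 [ASSURED]",
    "[1718100057.400000]\t[DESTROY] tcp      6 src=10.0.0.6 dst=10.0.1.20 sport=51235 dport=5000 packets=4000 bytes=500000 src=10.0.1.20 dst=10.0.0.6 sport=5000 dport=51235 packets=3900 bytes=400000 [ASSURED]",
    "[1718100058.000000]\t[DESTROY] udp     17 src=10.0.0.7 dst=10.0.1.53 sport=53001 dport=53 packets=1 bytes=70 src=10.0.1.53 dst=10.0.0.7 sport=53 dport=53001 packets=1 bytes=90",
    "[1718100058.300000]\t[DESTROY] tcp      6 src=10.0.0.7 dst=10.0.1.21 sport=51236 dport=5000 packets=3000 bytes=400000 src=10.0.1.21 dst=10.0.0.7 sport=5000 dport=51236 packets=2900 bytes=300000 [ASSURED]",
    "[1718100059.900000]\t[DESTROY] tcp      6 src=10.0.0.8 dst=10.0.1.21 sport=51237 dport=5000 packets=2000 bytes=300000 src=10.0.1.21 dst=10.0.0.8 sport=5000 dport=51237 packets=1900 bytes=200000 [ASSURED]",
    "[1718100300.000000]\t [UPDATE] tcp      6 432000 ESTABLISHED src=10.0.0.10 dst=10.0.1.22 sport=51300 dport=443 src=10.0.1.22 dst=10.0.0.10 sport=443 dport=51300 [ASSURED]",
]

# Assumed "Last successful update" time of the IPS signatures, as epoch seconds.
IPS_UPDATE_EPOCH = 1718100060

# "[epoch.usec]  [TYPE] proto  protonum  rest-of-line"
EVENT_RE = re.compile(
    r"^\[(?P<ts>\d+)(?:\.\d+)?\]\s+\[(?P<type>NEW|UPDATE|DESTROY)\]\s+"
    r"(?P<proto>\w+)\s+\d+\s+(?P<rest>.*)$"
)
# First (original-direction) tuple of the flow.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_events(lines):
    """Yield (epoch_seconds, event_type, proto, (src, dst, sport, dport)) per event line."""
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a conntrack event line
        t = TUPLE_RE.search(m.group("rest"))
        flow = t.groups() if t else None
        yield int(m.group("ts")), m.group("type"), m.group("proto"), flow


def destroy_bursts(lines, window=5, threshold=3):
    """Count TCP DESTROY events per `window`-second bucket.

    Returns a sorted list of (bucket_start_epoch, count) for buckets whose
    count reaches `threshold`; a burst of teardowns is what a mass disconnect
    looks like in the conntrack event stream.
    """
    buckets = Counter()
    for ts, etype, proto, _ in parse_events(lines):
        if etype == "DESTROY" and proto == "tcp":
            buckets[ts - ts % window] += 1
    return sorted((b, c) for b, c in buckets.items() if c >= threshold)


def bursts_near(bursts, update_epoch, tolerance=120):
    """Return the bursts whose bucket start lies within `tolerance` seconds of update_epoch."""
    return [(b, c) for b, c in bursts if abs(b - update_epoch) <= tolerance]


if __name__ == "__main__":
    bursts = destroy_bursts(SAMPLE_EVENTS)
    for start, count in bursts:
        when = datetime.fromtimestamp(start, tz=timezone.utc).isoformat()
        print(f"burst: {count} TCP teardowns starting {when}")
    matched = bursts_near(bursts, IPS_UPDATE_EPOCH)
    print("bursts within 120 s of the IPS update:", matched or "none")
```

On the appliance, run `conntrack -E -o timestamp > /tmp/ct-events.log` from the advanced shell before the expected update window, then feed the saved file to `destroy_bursts`/`bursts_near` with the real update epoch. Flows that are torn down in a burst but have no RST or FIN in the parallel tcpdump are the ones worth attaching to the support case.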

  • Hi,

    Which XG model?

    ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 EAP

    If a post solves your question please use the 'Verify Answer' button.

    Since this happens once a week (so far), it is not easy to capture the correct traffic.
    The only thing we see: the moment of disconnection (multiple devices losing connection to servers and devices at the same time) matches the time of an IPS pattern update (timestamp of "Last successful update" of IPS and application signatures).

    From SG we know the "Restart policy - Bypass IPS scan".
    Maybe there is something similar on XGS?
    But I have a lot of customers using this software and IPS for external connections, and I never saw such problems before 20.0 MR1.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi,

    XGS2100

    greetings
    Dirk


  • Hello,

    It is advisable to raise a support ticket and share it with us to prioritize. We shall help you with the commands which you may run to collect the logs.

    Mayur Makvana
    Technical Account Manager | Sophos Technical Support

  • Thank you. I thought it might have been a device performance issue because my xg115w has trouble processing updates.

    Ian


    Unfortunately, we have confirmation.
    With the IPS pattern update yesterday, the connections were dropped again.

    Because support handling is not simple ... (isolated "critical infrastructure")
    What could the support engineer do?
    The relation to the IPS is clear. What else could be in a log file?


    Dirk


    When this happens, do you know how much memory is available on the appliance?

    Additionally, is the connection a long-running connection?

    Any hint that this changed in the latest version? Because there were no changes in the IPS.

    BTW: The "UTM" approach is currently not possible, as IPS / Snort is much more integrated into the engine compared to UTM, which could simply bypass it.

    You could, for this customer, work around this by changing the time at which IPS does a pattern update.


  • Hi,

    I can't say anything about the memory without checking it more closely, but an XGS2100 with just network protection + IPS + web filter shouldn't reach its limits.

    All these connections have been active for some days.

    We have SFOS 20.0.1 MR1 here. Other customers with a similar environment and 20.0.0 don't have the problem.

    We have just migrated from SG to XGS. Therefore, there is no "before".

    How can I adjust the IPS pattern update time?


    Dirk


    Essentially, the time at which you set "Start Cycle" determines it.

    So if you select Daily and press Apply, it will run every 24h at that time.