TCP Disconnect with IPS-Pattern updates ??

Hello,

Thank you contacting the Sophos Community!

As per the description, I believe it may not be the IPS which could be causing an issue. As if the IPS would be dropping the traffic in that case it will continue to drop if any matching signature triggered.

We suggest collecting below logs from the advance shell and saving them on putty.

1. tcpdump -nei any host destIP

2. Conntrack -E

3. Packet capture using KBA: https://support.sophos.com/support/s/article/KB-000037007?language=en_US

4. Collect the drop packet using KBA: https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/CommandLineHelp/DeviceConsole/index.html#drop-packet-capture

With this information, I would suggest raising the support case to take it further.

Since this happens once a week (so far), it is not easy to capture the correct traffic.
The only thing we see... the moment of disconnection (multiple devices losing connection to servers and devices at the same time) matches the time of an IPS pattern update (Timestamp of Last successful update of IPS and Application signatures)

From SG we know the "Restart policy - Bypass IPS scan".
Maybe there is something similar at XGS?
But I have a lot of customers using this software and IPS for external connections and never I saw such problems before 20.0.MR1

Since this happens once a week (so far), it is not easy to capture the correct traffic.
The only thing we see... the moment of disconnection (multiple devices losing connection to servers and devices at the same time) matches the time of an IPS pattern update (Timestamp of Last successful update of IPS and Application signatures)

From SG we know the "Restart policy - Bypass IPS scan".
Maybe there is something similar at XGS?
But I have a lot of customers using this software and IPS for external connections and never I saw such problems before 20.0.MR1

Hello,

It is advisable to raise the support ticket and share it with us to priotarize. We shall help you with the commands which you may run to collect the logs.

Unfortunately, we have confirmation.
With the IPS pattern update yesterday, the connections were disconnected again.

Because support handling is not simple ... (isolated "critical infrastructure")
What could the support engineer do?
The relation to the IPS is clear. What else could be in a log file?