new Sophos XGS - Webclients are unable to reach URLs but DNS works

Hi GernotMeyer,

I would suggest that you do a policy checker on the webclient users. Indicates its URL, source IP, and authenticated user (if there is any), then click test. This will show you the firewall policy that it should be using, and you can further troubleshoot if the firewall policy has any webfilters in place.

Also, here is a kb-article regarding the log viewer incase you would like to check more about it: Log viewer - Sophos Firewall

Hi and thanks for answer.

Policy checker results: all OK.

All clients are in same network (LAN) and same subnet.

It is only some URLs (let's say 20% that are not working from most clients). Log viewer also says "OK"/accepted.

Regards

Gernot

Please post your firewall rule. Are you using SSL/TLS inspection? If do you will need to ad the URLs to the exception list.

Ian

Very easy: LAN2WAN all allowed, NO inspections.

Any please remark again. Some clients work without problem.

Hi GernotMeyer  Thank you for reaching out to the Sophos community team, If this issue is getting observed with Google Chrome and Microsoft Edge and both of these browsers are running post version 124 on end machines then I would suggest giving it a try by checking the below steps if that helps you to fix this issue:

Configure your Google Chrome or Microsoft Edge browsers:

1. Open your browser.
2. Enter chrome://flags in the address bar and press Enter.
3. Search for TLS 1.3 hybridized Kyber support and change it from Default to Disabled.
4. Restart your browser.

You are my hero! Works. I figured out that firefox works but not edge/Chrome.

But why is that only anissue with Sophos but not LANcom? Any idea?

Hi GernotMeyer  Please find the answer below:

Google Chrome and Microsoft Edge have enabled and introduced the PQ Kyber key exchange algorithm (hybridized Kyber support) from version 124 onwards which increases the Client Hello packet size to be more than the MTU in SSL TLS handshake and a device further in the chain does not support IP fragmentation, leading to the flow to fail.

If you would like to check around this in detail, you may capture the PCAP on the end machine and generate browsing of the website for which the issue is getting triggered from Chrome or Edge and in the client hello check the below details:

So here solution is to disable Kyber support on the browser which you may try as per the previous steps or another way is to reduce the MTU on the WAN interface of the XGS which would negate the need for fragmentation. A good starting point is to set it to 1420 and so on until it fixes! 

With a Sophos Firewall in place without a workaround, this will be fixed once the path MTU discovery support is implemented in the future SF OS release as in feature enhancement and as of now above workaround will help to manage the situation.

For more info below KBA will help, KBA is pointing to Sophos Central Endpoint-protected macOS but in general, it applies to Windows OS and Firewall too. There is a section in the same KBA for "Sophos Firewall".

Unable to browse the internet using Google Chrome or Microsoft Edge after version 124 update
support.sophos.com/.../KBA-000009276

Hi GernotMeyer  Please find the answer below:

Google Chrome and Microsoft Edge have enabled and introduced the PQ Kyber key exchange algorithm (hybridized Kyber support) from version 124 onwards which increases the Client Hello packet size to be more than the MTU in SSL TLS handshake and a device further in the chain does not support IP fragmentation, leading to the flow to fail.

If you would like to check around this in detail, you may capture the PCAP on the end machine and generate browsing of the website for which the issue is getting triggered from Chrome or Edge and in the client hello check the below details:

So here solution is to disable Kyber support on the browser which you may try as per the previous steps or another way is to reduce the MTU on the WAN interface of the XGS which would negate the need for fragmentation. A good starting point is to set it to 1420 and so on until it fixes! 

With a Sophos Firewall in place without a workaround, this will be fixed once the path MTU discovery support is implemented in the future SF OS release as in feature enhancement and as of now above workaround will help to manage the situation.

For more info below KBA will help, KBA is pointing to Sophos Central Endpoint-protected macOS but in general, it applies to Windows OS and Firewall too. There is a section in the same KBA for "Sophos Firewall".

Unable to browse the internet using Google Chrome or Microsoft Edge after version 124 update
support.sophos.com/.../KBA-000009276

Your KBA link is not working: (Wasn't working at time of post, it is now)

https://support.sophos.com/support/s/article/KBA-000009276?language=en_US

Other vendors have released fixes already:
Websites randomly gets blocked or allowed with no changes made - Kyber on Chromium browsers v124 | SonicWall
Web pages not loading or taking too long ... - Fortinet Community

When is this future SF OS release happening with the fix? Fortinet and SonicWall have already released firmware updates with the fix.

"With a Sophos Firewall in place without a workaround, this will be fixed once the path MTU discovery support is implemented in the future SF OS release as in feature enhancement and as of now above workaround will help to manage the situation."

Hi John Splawn   "Adding PMTUD support" is already under the roadmap of the product management team, unfortunately, we do not have any ETA details on this for now. If I get an update on the ETA or Fix version (Firmware version) I will share the details here.

SFOS v21 was just released, does this fix the issue?

Hi John Splawn  No SFOS v21 not covering PMTUD support with DPI. Work is in progress!