Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

No Internet Access Notification

Immediately after switching over to the XG430 Firewall in our organization, users began randomly receiving the "no internet access" notification icon over their network status in the taskbar.  Upon further investigation, it appears that this is due to the NLA service in windows being unable to reach one of the three web checks it does to determine if internet access is available.  It checks to make sure it can ping two addresses and checks for a text file on a web portal hosted by Microsoft.

I can get it to go away for some users by restarting the NLA Service on their workstation, but it will come back sometimes for that user and sometimes not but will occur randomly for other users.

Been chasing our tails on this and know it is a direct result of the XG firewall deployment because the other day we installed our remote office with one and immediately it came up for a computer in that location.

Hoping some one has come across this before?

I should note that although windows says there is no internet access, web browsing does still work.



This thread was automatically locked due to age.
Parents
  • HI Steven ,

    Sorry to hear about the problem you are facing with XG appliance . I would like to help you with your issue, seems in most cases that would be an issue due to Web-filter or Application Filter policies applied. 

    Scenario:

    Since the connection status icon can only show the status for one connection it will aggregate the individual statuses and display the most limited connection. Therefore if more than one network adapter is present, but only one probe succeeds, Windows will still report “Limited Access “and indicate a Local only status. In Microsoft DirectAccess, NCSI is also used for Inside/outside determination (Outside corporate network or Inside corporate network). To do this the NCSI process tries to communicate with the I/O (Inside/Outside) server using an HTTPS query.

    Every time a network configuration event occurs (meaning that something has changed in the network configuration), the NCSI process performs several tests to identify the network’s connectivity status. The first step NCSI performs is a DNS query for www.msftncsi.com. The second step is and HTTP get request  or http://www.msftncsi.com/ncsi.txt. This file is a plain-text file and contains only the text “Microsoft NCSI.” Last it will perform a DNS query for dns.msftncsi.com. 

    Taken from reference 

    https://technet.microsoft.com/en-us/library/cc766017(v=ws.10).aspx
    https://blogs.technet.microsoft.com/networking/2012/12/20/the-network-connection-status-icon/

    Test to isolate the source of the issue . 

    • Create a Test rule with policy Allow All for both Web-filter and Application Filter for your system facing this issue . Make sure the traffic traverses through that rule .
    • If the issue persist then you may no change policy to None and restart the services . 
    • Check the Log Viewer if any of the website is denied that is used to check the status of the connection in both Web/application and IPS. 
    • If you are using HTTPS Decryption/Scanning then bypass the URL via the HTTPS exception list https://community.sophos.com/kb/en-us/123360 as the connection is HTTPS 
    • You may create a Destination based Firewall rule/ FQDN rule and allow the URL/Public Address which is positioned on the top with no Scanning and Web/application applied. For FQDN kindly refer the link https://community.sophos.com/kb/en-us/123035

    If you still face the issue , Kindly DM me your findings that would isolate the source of the issue .

    Thanks and regards
    Aditya Patel | Network andSecurity Engineer.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • Thanks Aditya for the information.

    I guess part of our problem is that it happens randomly to users and is not consistent between different users.  I have a ticket open now with support and hopefully they can help us along with your recommendations of how to isolate the issue.

  • HI Stevan ,

    Could you share your Service Request so I may look into it  ? , Kindly Message me and do not post it for Public viewing. 

    Thanks and Regards 

    Aditya Patel 

    Network and Security Engineer.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • Hi there,

    I am also experiencing this problem on my SG310.  Intermittently and among random users, windows 10 will decide that there is no internet connection, even though there is.  How did y'all ultimately solve this problem?

    Thanks,

    Pierce

  • Do you use STAS or other Authentication Services? 

    SG(UTM9) or XG(SFOS)?

    __________________________________________________________________________________________________________________

  • Uh no I don't believe so, but then I again I did not build this network.  How would using STAS break Microsoft's Network Status Connection Indicator thingy, though?

Reply Children