Internet becomes unresponsive after several days?

This is the second time this has occurred since using v18 EAP. I've also had this issue occur a couple times when running v17 but it wasn't as frequent. With v18 EAP, after Sophos XG has been running for several days (over a week), sometimes the internet becomes unresponsive as in I can't access anything. For example, if I try to access a website, it just continues trying to load and eventually times out. At first, I thought it was an ISP issue so I would reset my cable modem but that didn't fix the issue. I can still access devices on my local network just fine, such as the Sophos XG web UI. What I did notice in the web UI is the "Sessions" count under System in the Control Center indicates a very high number when I'm having these issues. It seems to fluctuate from ~800 up to 2.5k. I have about 30-40 devices on my network (one computer, mobile devices, smart home devices, etc.). Typically, my Sessions count is somewhere around 20-50. After restarting Sophos XG, the count goes back down to what I normally see and everything works fine.

Anyone else experiencing similar issues? Is there any specific log I can save when this issue occurs? Unfortunately, I'm running this on my home network so I can't just leave it in an unusable state.

  • I'm experiencing the issue again, but I'm not sure what you want me to capture with tcpdump. When I run it in the Sophos console, it's just a continuous stream of:

    13:09:10.513375 Port1, OUT: IP 172.16.16.16.22 > 172.16.16.34.52058: Flags [P.], seq 59003864:59004036, ack 33013, win 317, length 172
    13:09:10.513398 Port1, OUT: IP 172.16.16.16.22 > 172.16.16.34.52058: Flags [P.], seq 59004036:59004208, ack 33013, win 317, length 172
    13:09:10.513417 Port1, OUT: IP 172.16.16.16.22 > 172.16.16.34.52058: Flags [P.], seq 59004208:59004380, ack 33013, win 317, length 172
    13:09:10.513440 Port1, OUT: IP 172.16.16.16.22 > 172.16.16.34.52058: Flags [P.], seq 59004380:59004552, ack 33013, win 317, length 172
    13:09:10.513459 Port1, OUT: IP 172.16.16.16.22 > 172.16.16.34.52058: Flags [P.], seq 59004552:59004724, ack 33013, win 317, length 172
    13:09:10.513482 Port1, OUT: IP 172.16.16.16.22 > 172.16.16.34.52058: Flags [P.], seq 59004724:59004896, ack 33013, win 317, length 172
    13:09:10.513500 Port1, OUT: IP 172.16.16.16.22 > 172.16.16.34.52058: Flags [P.], seq 59004896:59005068, ack 33013, win 317, length 172
    13:09:10.513523 Port1, OUT: IP 172.16.16.16.22 > 172.16.16.34.52058: Flags [P.], seq 59005068:59005240, ack 33013, win 317, length 172
    13:09:10.513541 Port1, OUT: IP 172.16.16.16.22 > 172.16.16.34.52058: Flags [P.], seq 59005240:59005412, ack 33013, win 317, length 172
    13:09:10.513565 Port1, OUT: IP 172.16.16.16.22 > 172.16.16.34.52058: Flags [P.], seq 59005412:59005584, ack 33013, win 317, length 172
    13:09:10.513583 Port1, OUT: IP 172.16.16.16.22 > 172.16.16.34.52058: Flags [P.], seq 59005584:59005756, ack 33013, win 317, length 172
    13:09:10.513606 Port1, OUT: IP 172.16.16.16.22 > 172.16.16.34.52058: Flags [P.], seq 59005756:59005928, ack 33013, win 317, length 172
    13:09:10.513623 Port1, OUT: IP 172.16.16.16.22 > 172.16.16.34.52058: Flags [P.], seq 59005928:59006100, ack 33013, win 317, length 172
    13:09:10.513647 Port1, OUT: IP 172.16.16.16.22 > 172.16.16.34.52058: Flags [P.], seq 59006100:59006272, ack 33013, win 317, length 172
    13:09:10.513665 Port1, OUT: IP 172.16.16.16.22 > 172.16.16.34.52058: Flags [P.], seq 59006272:59006444, ack 33013, win 317, length 172
    13:09:10.513688 Port1, OUT: IP 172.16.16.16.22 > 172.16.16.34.52058: Flags [P.], seq 59006444:59006616, ack 33013, win 317, length 172

    172.16.16.16 is my Sophos XG device, 172.16.16.34 is my computer that I'm running tcpdump from. When I try it from another computer, it's the same thing except the destination address is the IP address of that device. I'm guessing this is not what you're looking for, but I'm not sure what tcpdump parameters to use to collect for troubleshooting.

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/
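Every line in the capture quoted above goes from port 22 on the firewall to the computer running tcpdump, so the capture is recording the SSH session that carries its own output. The following is an added example, not part of the original thread: it groups console lines of that shape into flows and, when a single management-port flow dominates, builds a pcap filter expression that excludes it. The sample lines, the `IN` label, `Port2` and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: three lines shaped like the console output quoted above,
# plus two made-up flows (DNS, HTTPS) standing in for the traffic of interest.
# The "IN" direction label and Port2 are assumptions, not taken from the thread.
SAMPLE = """\
13:09:10.513375 Port1, OUT: IP 172.16.16.16.22 > 172.16.16.34.52058: Flags [P.], seq 59003864:59004036, ack 33013, win 317, length 172
13:09:10.513398 Port1, OUT: IP 172.16.16.16.22 > 172.16.16.34.52058: Flags [P.], seq 59004036:59004208, ack 33013, win 317, length 172
13:09:10.513401 Port1, IN: IP 172.16.16.34.52058 > 172.16.16.16.22: Flags [.], ack 59004208, win 2048, length 0
13:09:10.513417 Port1, IN: IP 172.16.16.50.40000 > 192.0.2.53.53: 4660+ A? example.com. (29)
13:09:10.513440 Port2, OUT: IP 198.51.100.7.51000 > 192.0.2.80.443: Flags [S], seq 1, win 64240, length 0
"""

LINE = re.compile(
    r"^\S+ (\S+), (?:IN|OUT): IP "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)

def parse(text):
    """Return (interface, (src_ip, src_port), (dst_ip, dst_port)) per packet line."""
    packets = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            iface, src, sport, dst, dport = m.groups()
            packets.append((iface, (src, int(sport)), (dst, int(dport))))
    return packets

def flow_counts(text):
    """Count packets per bidirectional flow (both directions share one key)."""
    counts = Counter()
    for _, a, b in parse(text):
        counts[tuple(sorted((a, b)))] += 1
    return counts

def exclusion_filter(text, mgmt_port=22, threshold=0.5):
    """Return a pcap filter that drops a dominant management flow, else None."""
    counts = flow_counts(text)
    if not counts:
        return None
    (a, b), n = counts.most_common(1)[0]
    if n / sum(counts.values()) <= threshold or mgmt_port not in (a[1], b[1]):
        return None
    client = b if a[1] == mgmt_port else a   # the endpoint that is not the server
    return f"not (host {client[0]} and port {mgmt_port})"

if __name__ == "__main__":
    for flow, n in flow_counts(SAMPLE).most_common():
        print(n, flow)
    print("suggested filter:", exclusion_filter(SAMPLE))
```

The returned string is ordinary pcap filter syntax and can be given to tcpdump as its filter expression so that the remaining traffic becomes visible.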

  • Hi

    Thanks for the feedback.

    Please find the KB article below, which helps to run tcpdump or monitor the packets.

    Please get back to us when you are facing the issue so we can check at the same time.


    Thanks,

    Rana Sharma

  • Ah, makes sense. I’ll try to get a tcpdump next time. I’m not too familiar with using tcpdump - are there any specific parameters I should run tcpdump with to capture what is needed to troubleshoot this particular issue?

    My ISP is Cox (U.S.), which is a cable internet service (1Gb down/35Mbps up). I have my Sophos XG device connected directly to a Motorola cable modem I own.


  • Such issues with multiple sessions could still be caused by the WAN ISP.

    If your client cannot connect properly, it will try to access multiple times, all the time, and XG will hold those sessions.

    Without a dump, it is hard to tell what is going on.

    If this issue appears, could you take a look at the tcpdump?

    Which provider / box do you use? Something on this box?

    I found an issue with my Unitymedia box in Germany. This ISP box caused some similar issues. Actually, it responded to all DNS requests with its own IP. So Google was 192.168.1.1, etc. All my clients started to connect to this Unitymedia box.

    This issue came up a couple of times and stopped after some weeks.


  • Hi Shred,

    Have you tried editing the WAN interface, but not making any changes, then saving?

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.