random web sites not loading (UTM home)

Question

Hi all,

I'm using the Sophos UTM in home edition mode on dedicated hardware (2GB RAM, Core2Duo CPU, 120GB SSD, APC UPS). It has been running fantastic for years, but in the last few weeks we've begun having trouble browsing the web. Random sites simply won't load, giving a "timed out" error most often. Repeatable sites experiencing this issue include:

* www.usbank.com
* www.wellsfargo.com
* avatars and images while using the Twitter mobile app (images load if I use cellular, get the grey boxes if I go through the wifi protected by UTM)

Occasionally, the Wells Fargo page will partially load (see attachment). I suspect it might be the content that is available via HTTP rather than HTTPS, but not sure.

I have tried multiple browsers, multiple machines and multiple platforms behind the UTM, all with the same effects. The list of sites appears to be growing; at first only US Bank was unreachable, but I could still get to Wells Fargo fine. Then a week later all the sudden I couldn't reach Wells Fargo either. I have tried disabling the following, all to no effect:

* IPS
* Web Filtering
* Application Control
* IPv6 tunnel broker

The requests to the broken web site addresses do show up in the firewall logs as allowed. I cannot seem to locate the target IPs in any other logs. (Side note: this is why it is so frustrating for me to not have a unified log search in the UTM.) I suspect there is something else that is trying to inspect HTTPS or inspect certificates that is malfunctioning or interfering.

Other history, not sure whether related: Around the time I started noticing the issue, I also renumbered an IPv6 subnet internally. I tried assigning the old subnet to a different internal interface (vlan) but ended up adding the old gateway address as an Additional Address of the interface where it came from in the first place. (I didn't notice the IPv6 renumbering functionality provided by the UTM at the time.) But I'm quite certain I have flushed caches and am getting new IPv6 addresses from the proper DHCP6 pool.

I'm out of ideas on where to look next. I searched the boards but couldn't find anything recent that was close. Has anyone else seen this issue and resolved it? Does anyone else have any ideas on how to go about troubleshooting this further?

I am a technical user with a solid networking foundation, but not so proficient in Linux. I would love to understand what the root cause is here.

This thread was automatically locked due to age.

William Warren · Answer

I've found that this issue is in fact due to the Sophos UTM. I started taking notes as to which sites this was happening to, and capturing tracert info each time. The latest one was secure2.sophos.com, where the tracert completed successfully. That was a deviation from the previous pattern.   I noticed it was also using HTTPS, so I booted the UTM box off of a pfSense LiveCD on a hunch. Turns out the same sites that weren't working under the UTM work fine from pfSense under the same routing conditions through the same hardware. So my UTM is performing some sort of HTTPS inspection still even though I had all of that turned off.  Can someone point me in the right direction here? I would rather use the UTM for the reporting capabilities, but I cannot be without this many web sites.  int he web filtering section make sure you make the http filtering http only and not transparent scanning of https...or use the https by url only do it doesn't try to intercept the https traffic. Also I'e had issues with UTM and ipv6 so i turn ipv6 off.