Thread Info
  • State Suggested Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 13 replies
  • Answers 1 answer
  • Subscribers 3 subscribers
  • Views 34822 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

random web sites not loading (UTM home)

pendiang
Hi all,

I'm using the Sophos UTM in home edition mode on dedicated hardware (2GB RAM, Core2Duo CPU, 120GB SSD, APC UPS). It has been running fantastic for years, but in the last few weeks we've begun having trouble browsing the web. Random sites simply won't load, giving a "timed out" error most often. Repeatable sites experiencing this issue include:

* www.usbank.com
* www.wellsfargo.com
* avatars and images while using the Twitter mobile app (images load if I use cellular, get the grey boxes if I go through the wifi protected by UTM)

Occasionally, the Wells Fargo page will partially load (see attachment). I suspect it might be the content that is available via HTTP rather than HTTPS, but not sure. 

I have tried multiple browsers, multiple machines and multiple platforms behind the UTM, all with the same effects. The list of sites appears to be growing; at first only US Bank was unreachable, but I could still get to Wells Fargo fine. Then a week later all the sudden I couldn't reach Wells Fargo either. I have tried disabling the following, all to no effect:

* IPS
* Web Filtering
* Application Control
* IPv6 tunnel broker

The requests to the broken web site addresses do show up in the firewall logs as allowed. I cannot seem to locate the target IPs in any other logs. (Side note: this is why it is so frustrating for me to not have a unified log search in the UTM.) I suspect there is something else that is trying to inspect HTTPS or inspect certificates that is malfunctioning or interfering. 

Other history, not sure whether related: Around the time I started noticing the issue, I also renumbered an IPv6 subnet internally. I tried assigning the old subnet to a different internal interface (vlan) but ended up adding the old gateway address as an Additional Address of the interface where it came from in the first place. (I didn't notice the IPv6 renumbering functionality provided by the UTM at the time.) But I'm quite certain I have flushed caches and am getting new IPv6 addresses from the proper DHCP6 pool.

I'm out of ideas on where to look next. I searched the boards but couldn't find anything recent that was close. Has anyone else seen this issue and resolved it? Does anyone else have any ideas on how to go about troubleshooting this further? 

I am a technical user with a solid networking foundation, but not so proficient in Linux. I would love to understand what the root cause is here.


This thread was automatically locked due to age.
Parents
  • 0
    I've found that this issue is in fact due to the Sophos UTM. I started taking notes as to which sites this was happening to, and capturing tracert info each time. The latest one was secure2.sophos.com, where the tracert completed successfully. That was a deviation from the previous pattern. 

    I noticed it was also using HTTPS, so I booted the UTM box off of a pfSense LiveCD on a hunch. Turns out the same sites that weren't working under the UTM work fine from pfSense under the same routing conditions through the same hardware. So my UTM is performing some sort of HTTPS inspection still even though I had all of that turned off.

    Can someone point me in the right direction here? I would rather use the UTM for the reporting capabilities, but I cannot be without this many web sites.
  • +1 in reply to pendiang
    I've found that this issue is in fact due to the Sophos UTM. I started taking notes as to which sites this was happening to, and capturing tracert info each time. The latest one was secure2.sophos.com, where the tracert completed successfully. That was a deviation from the previous pattern. 

    I noticed it was also using HTTPS, so I booted the UTM box off of a pfSense LiveCD on a hunch. Turns out the same sites that weren't working under the UTM work fine from pfSense under the same routing conditions through the same hardware. So my UTM is performing some sort of HTTPS inspection still even though I had all of that turned off.

    Can someone point me in the right direction here? I would rather use the UTM for the reporting capabilities, but I cannot be without this many web sites.

    int he web filtering section make sure you make the http filtering http only and not transparent scanning of https...or use the https by url only do it doesn't try to intercept the https traffic.  Also I'e had issues with UTM and ipv6 so i turn ipv6 off.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

Reply
  • +1 in reply to pendiang
    I've found that this issue is in fact due to the Sophos UTM. I started taking notes as to which sites this was happening to, and capturing tracert info each time. The latest one was secure2.sophos.com, where the tracert completed successfully. That was a deviation from the previous pattern. 

    I noticed it was also using HTTPS, so I booted the UTM box off of a pfSense LiveCD on a hunch. Turns out the same sites that weren't working under the UTM work fine from pfSense under the same routing conditions through the same hardware. So my UTM is performing some sort of HTTPS inspection still even though I had all of that turned off.

    Can someone point me in the right direction here? I would rather use the UTM for the reporting capabilities, but I cannot be without this many web sites.

    int he web filtering section make sure you make the http filtering http only and not transparent scanning of https...or use the https by url only do it doesn't try to intercept the https traffic.  Also I'e had issues with UTM and ipv6 so i turn ipv6 off.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

Children
  • 0 in reply to William Warren

    I have had random website failures ranging from accounts.google.com to wellsfargo.com authentication. Nobody couldn't upload youtube videos. 

    After reading this post, I checked my Web Protection >> Web Filtering >> Operation Mode. This was set to Transparent Mode. I changed it to Standard Mode and applied the settings. Once this was done, all my https settings were solved. I re-checked my Operation Mode and for some reason, it was set back to Transparent Mode but now all is working fine still.

    I have posted on this issue months ago and so far (UNTIL TODAY), all my login "ERR_CONNECTION_RESET" or ERR_CONNECTION_ABORTED have NOT been solved.

    ** after a few hours, I've also noticed that web browsing is about 10x faster! seems like all the dns requests are working now!!

    There seems to be a problem with this setting as it's set exactly the way it was before but now works.

    I've searched all my logs, reinstalled, restored, replaced NIC's, Switches and modem's without any resolutions. 

    Member BAlfson has been lots of help but until now, I have never been able to fix this.

    Here is one of my posts:

    https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/87728/random-websites-stop-loading---dns/

    I'll cross post on my original post as well. 

    Good luck others that have run into this issue. I almost gave up on the product but I felt that I would eventually figure it out.

    Yah!!!

    I'll follow up if things change,

    EddieRock

Unfiltered HTML