
Random websites stop loading - DNS ??

I've been fighting an issue for months where random websites stop loading with ERR_CONNECTION_ABORTED or ERR_CONNECTION_RESET.

When this occurs, all other sites function fine.

I've turned off almost every feature on the UTM9 without resolution.

My UTM 9 Version is 9.4.10-6

My Memory utilization is averaging 42.06%

My CPU averages 1.19%

I've turned off Intrusion Prevention and Web Filtering 

I've followed the DNS Best Practices guide here:

https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/32566/solved-dns-best-practice

I can open nslookup and lookup the sites just fine. 

I have even enabled ECN support

I have the same condition on every computer on my network when it occurs. 

I have pointed my machine directly to Google's DNS and OpenDNS without resolution

The only evidence I've found in the logs are the entries below and these are the.

DNS Proxy Log:

/var/log/named.log:2017:02:14-20:13:54 firewall named[4333]: network unreachable resolving 'www.linkedin.com/A/IN': 8.8.4.4#53
/var/log/named.log:2017:02:14-20:13:54 firewall named[4333]: network unreachable resolving 'www.linkedin.com/A/IN': 202.12.27.33#53
/var/log/named.log:2017:02:14-20:13:54 firewall named[4333]: network unreachable resolving 'www.linkedin.com/A/IN': 199.7.83.42#53
/var/log/named.log:2017:02:14-20:13:54 firewall named[4333]: network unreachable resolving 'www.linkedin.com/A/IN': 199.7.91.13#53
/var/log/named.log:2017:02:14-20:13:54 firewall named[4333]: network unreachable resolving 'www.linkedin.com/A/IN': 193.0.14.129#53
/var/log/named.log:2017:02:14-20:13:54 firewall named[4333]: network unreachable resolving 'www.linkedin.com/A/IN': 192.33.4.12#53

The only other error I have found is in the Kernel log which I don't think would affect this:

2017:02:14-20:13:52 firewall kernel: [197707.820310] e1000e 0000:00:19.0 eth2: Reset adapter unexpectedly

What else do I try to resolve this problem?

I have attached my DNS Proxy Log. It looks strange.

Please advise.

Ed

 

UTM9DNS.txt



This thread was automatically locked due to age.
  • I followed that recommendation from this site: https://networkguy.de/?p=577

    The friendly names and connections followed as well. 

    Anyway, that's fixed.

    The ORIGINAL problem where sites don't load with one of these errors below still occurs:

    ERR_CONNECTION_ABORTED or ERR_CONNECTION_RESET

    Ed

  • Hi Ed,

    Does restarting the named services help? Try:

    /var/mdw/scripts/named restart

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Bob, wanted to follow up. The problem I have is still occurring. I don't know what to do next. I really have no evidence in logs to point me in a direction that makes sense.

     

    Any other thoughts?

    Ed

  • I think I would blame this on something other than the settings in WebAdmin.  Maybe your hardware, maybe the ISP's modem, maybe your ISP's other settings/hardware.  Sometimes, I have to reboot the modem and the UTM at home to get DNS going again.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

     

    I'm still having issues here :( I've rebuilt my firewall, replaced NICs. There is something in my settings that I'm not finding. I believe I've followed all the rulz but something I'm missing.

    Currently, this problem seems related mostly to Google services. Here is an example below. This is a simple attempt to upload a video to YouTube. The site works but the upload fails. I have HTTPS allowed.

    2017:05:25-21:50:59 tonka ulogd[10326]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth3" srcmac="00:16:41:ee:6d:7c" dstmac="00:1e:2a:c8:e6:e9" srcip="192.168.0.178" dstip="172.217.6.1" proto="17" length="1378" tos="0x00" prec="0x00" ttl="127" srcport="57976" dstport="443" 
    2017:05:25-21:50:59 tonka ulogd[10326]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth3" srcmac="00:16:41:ee:6d:7c" dstmac="00:1e:2a:c8:e6:e9" srcip="192.168.0.178" dstip="172.217.6.13" proto="17" length="1378" tos="0x00" prec="0x00" ttl="127" srcport="57974" dstport="443"

    Totally stumped!

    EddieRock
  • Drop from fwrule="60002"; the Packetfilter log files on the Sophos UTM should give you more information.

    Does this help?

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Yes, 60001 did help. Thanks!

    For some reason, outbound 443 traffic is using UDP. Ugh! I fixed that rule. It must not be HTTPS?

    I thought that would fix the problems I'm having with logging into Google / YouTube services. I still get a connection reset (ERR_CONNECTION_RESET). This is typically with Google. I also see it with IMGUR as well.

    Any guidance with this problem would be helpful. This is my final issue that I've been battling for many many months.

  • Without seeing the log line (from the log file, not the Live Log line!), it's difficult to say more.

    Google speeds up HTTPS by using UDP 443 with Chrome and its servers if it's not blocked.  That would mean that the traffic would not be handled by the Transparent Proxy, but could be by a Web Filtering Profile in Standard mode.  If UDP 443 is blocked, Chrome<-->Google falls back to TCP 443.

    Cheers - Bob

     
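
One way to check from the packet filter log file whether dropped port 443 traffic is the UDP 443 (QUIC) traffic described in the reply above rather than ordinary TCP HTTPS, as an added example that is not part of the original thread. The sample lines are constructed in the format of the log entries quoted earlier, with documentation-range addresses, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the packetfilter format quoted in this thread
# (trimmed fields, documentation-range IPs). Lines 4 and 5 are a TCP/443 drop
# and a UDP/53 drop, included to show they are not counted.
SAMPLE_LOG = '''\
2017:05:25-21:50:59 fw ulogd[1]: sub="packetfilter" action="drop" fwrule="60002" srcip="192.0.2.10" dstip="198.51.100.1" proto="17" srcport="57976" dstport="443"
2017:05:25-21:50:59 fw ulogd[1]: sub="packetfilter" action="drop" fwrule="60002" srcip="192.0.2.10" dstip="198.51.100.1" proto="17" srcport="57977" dstport="443"
2017:05:25-21:51:00 fw ulogd[1]: sub="packetfilter" action="drop" fwrule="60002" srcip="192.0.2.10" dstip="198.51.100.13" proto="17" srcport="57974" dstport="443"
2017:05:25-21:51:01 fw ulogd[1]: sub="packetfilter" action="drop" fwrule="60002" srcip="192.0.2.11" dstip="198.51.100.1" proto="6" srcport="50000" dstport="443"
2017:05:25-21:51:02 fw ulogd[1]: sub="packetfilter" action="drop" fwrule="60002" srcip="192.0.2.11" dstip="198.51.100.53" proto="17" srcport="50001" dstport="53"
'''

KV = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" fields of one packetfilter log line as a dict."""
    return dict(KV.findall(line))


def quic_drops(log_text):
    """Count dropped UDP (proto 17) packets to port 443 per (srcip, dstip, fwrule)."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if (f.get("sub") == "packetfilter" and f.get("action") == "drop"
                and f.get("proto") == "17" and f.get("dstport") == "443"):
            hits[(f.get("srcip"), f.get("dstip"), f.get("fwrule"))] += 1
    return hits


def report(log_text):
    """Human-readable summary, busiest flow first."""
    return [f"{src} -> {dst} udp/443 dropped by fwrule {rule} x{n}"
            for (src, dst, rule), n in quic_drops(log_text).most_common()]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

If the summary is non-empty while TCP 443 is allowed, the clients are attempting UDP 443 and the rule number in each line shows which rule is dropping it.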
  • I have had random website failures ranging from accounts.google.com to wellsfargo.com authentication. Nobody could upload YouTube videos.

    After reading this post, I checked my Web Protection >> Web Filtering >> Operation Mode. This was set to Transparent Mode. I changed it to Standard Mode and applied the settings. Once this was done, all my https settings were solved. I re-checked my Operation Mode and for some reason, it was set back to Transparent Mode but now all is working fine still.

    I have posted on this issue months ago and so far (UNTIL TODAY), all my login "ERR_CONNECTION_RESET" or ERR_CONNECTION_ABORTED have NOT been solved.

    There seems to be a problem with this setting as it's set exactly the way it was before but now works.

    I've searched all my logs, reinstalled, restored, replaced NICs, switches and modems without any resolutions.

    Member BAlfson has been lots of help but until now, I have never been able to fix this.

     

    Good luck others that have run into this issue. I almost gave up on the product but I felt that I would eventually figure it out.

    Yah!!!

    I'll follow up if things change,

    EddieRock