
Web Proxy

Hi,

on my UTM 9.505-4 I have the following lines all over the web-protection log:

httpproxy[4888]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="read_request_headers" file="request.c" line="1586" message="Read error on the http handler 137 (Input/output error)"

we use the Web Protection as parent proxy for our internal squid cache. The Web Protection has no cache, no blocked sites, no authentication, no request logging and works in non-transparent mode. It's basically only for AV scanning on http and https. All the caching, site blocking and authentication happens on the squid proxy.

the log entries on the UTM are accompanied by the following log lines in the squid proxy:

kid1| TCP connection to (Sophos-utm-ip)/8080 failed
kid1| TCP connection to (Sophos-utm-ip)/8080 failed
kid1| TCP connection to (Sophos-utm-ip)/8080 failed
kid1| TCP connection to (Sophos-utm-ip)/8080 failed
kid1| Detected DEAD Parent: (Sophos-utm-ip)
kid1| TCP connection to (Sophos-utm-ip)/8080 failed
kid1| TCP connection to (Sophos-utm-ip)/8080 failed
kid1| Detected REVIVED Parent: (Sophos-utm-ip)

every time this happens, users experience great delays in web surfing: sites not responding and so on... it just happens for a few seconds before everything goes back to normal.

if we let squid handle all the surfing without UTM as parent proxy the problem is gone. So it's definitely a UTM issue.

squid config line for parent proxy:

cache_peer (Sophos-utm-ip) parent 8080 0 no-query no-digest default
never_direct allow all

any ideas?

best regards, daniel



  • just to answer my own question:

    this was coming from TeamViewer connecting to multiple IP addresses via 443 instead of using names.
    if you have SSL scanning enabled this generates error log entries.
    for now we could solve this by generating an exception list with all these IPs, disabling SSL cert checks.

  • The only time that I have seen the symptom "input/output error", it was also related to certificate problems -- sites that could not do tls1.2 when the weaker protocols were disabled for UTM https inspection.

    There are a lot of TeamViewer servers in multiple countries, so it will take a while to list them all in your exceptions.

    I hope you are also using UTM to block sites with bad reputation, suspicious and below.

  • we do all the blocking with squid and squidguard, also based on categories and black/whitelists. it's basically the same as blocking on the UTM.
    it's just easier to consolidate all web-based regulations on one proxy.
    We use AV scanning on the UTM before web content enters the cache in squid and then stays there already scanned.

    regarding the 200+ IPs for TeamViewer data centers (unable to maintain a consistent exception list because IPs change or get added) we are looking into 2 possible ways to go. One could be to make regular-expression based exceptions on the UTM (https://\d+(\.\d+){3}/) which disables cert checks for all IP-based SSL URLs. Not pretty, but does the job.
    a second way would be to filter based on the user agent, as I have read somewhere that TeamViewer uses "DynGate" as user agent. But I can't confirm as I didn't test yet.


  • You may want to upgrade. I just noticed this bug fix in 9.506:


    NUTM-8826 [Web] Teamviewer via Standard Mode with AD-SSO not possible since v9.502

  • Hello,

    We have exactly the same problem with Sophos UTM 9.700-5 running on an SG210. All our internal users are using our internal proxy server (Squid); the internal proxy is using Sophos UTM as parent proxy. Users are unhappy, they are experiencing delays. In squid logs we see messages like:

    2019/11/25 12:59:47 kid1| TCP connection to UTM_IP:PORT failed

    2019/11/25 12:59:17 kid1| Detected DEAD Parent: UTM_IP
    2019/11/25 12:59:17 kid1| Detected REVIVED Parent: UTM_IP

    Any ideas why we are experiencing those failed TCP connections and delays while browsing? Any settings to tune (session limit or ...)?

    This is not a network issue.

    Thank you in advance.

  • Hello,

    we still have this problem and users are unable to browse the web!
    most websites take ages to open or don't open at all.
    funny enough, if you go into the browser address line and hit enter again (request the website a second time) it usually comes up pretty quickly.
    Still our squid proxy only writes in the log that the TCP connection to the Sophos Web Protection port fails.
    If I restart the Web Protection on the Sophos UTM it usually runs fine for a few minutes and then the problem comes back.
    If I bypass the Sophos Web Protection our squid proxy delivers every website immediately and without any delay.
    If I use Trend Micro Viruswall as upstream proxy instead of Sophos Web Protection it runs perfectly fine.
    It's not a problem of our squid proxy or any other network infrastructure, it clearly is a UTM problem.
    We use SSL scanning and Web Protection in standard (non-transparent) mode. UTM version is 9.701-6.

    In Sophos Web Protection I have the following log repeating in loops:

    2020:02:28-09:41:24 asg-2 httpproxy[10846]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="plain_write_vector" file="epoll.c" line="1117" message="Write error on the epoll handler 902 (Broken pipe)"
    2020:02:28-09:41:54 asg-2 httpproxy[10846]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="plain_write_vector" file="epoll.c" line="1117" message="Write error on the epoll handler 928 (Broken pipe)"
    2020:02:28-09:42:16 asg-2 httpproxy[10846]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="http_parser_context_execute" file="http_parser_context.c" line="97" message="Unable to parse a http message of 7 bytes (HPE_INVALID_CONSTANT: invalid constant string)"
    2020:02:28-09:43:50 asg-2 httpproxy[10846]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="read_request_headers" file="request.c" line="1694" message="Read error on the http handler 927 (Input/output error)"
    2020:02:28-09:45:36 asg-2 httpproxy[10846]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="http_parser_context_execute" file="http_parser_context.c" line="97" message="Unable to parse a http message of 289 bytes (HPE_INVALID_METHOD: invalid HTTP method)"
    2020:02:28-09:45:36 asg-2 httpproxy[10846]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xd9be9800" function="read_request_headers" file="request.c" line="1615" message="unable to parse a http message on handler 1118 (Success)"
    Is this a bug, and if yes, when will it finally be fixed? Could it be a corruption of the AV pattern files? Please help!
    Thanks in advance,
    Daniel
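The two log streams quoted in this thread can be correlated mechanically. The following is an added example (not from the thread, Sophos or Squid) that parses the UTM httpproxy key="value" records, tallies them by function and trailing OS error text, and pairs squid's "Detected DEAD Parent" / "Detected REVIVED Parent" events into outage durations; the sample lines are constructed after those posted above.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input modelled on the lines quoted in the thread (illustrative, not captured data).
UTM_LOG = """\
2020:02:28-09:41:24 asg-2 httpproxy[10846]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="plain_write_vector" file="epoll.c" line="1117" message="Write error on the epoll handler 902 (Broken pipe)"
2020:02:28-09:42:16 asg-2 httpproxy[10846]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="http_parser_context_execute" file="http_parser_context.c" line="97" message="Unable to parse a http message of 7 bytes (HPE_INVALID_CONSTANT: invalid constant string)"
2020:02:28-09:43:50 asg-2 httpproxy[10846]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="read_request_headers" file="request.c" line="1694" message="Read error on the http handler 927 (Input/output error)"
2020:02:28-09:44:02 asg-2 httpproxy[10846]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="read_request_headers" file="request.c" line="1694" message="Read error on the http handler 931 (Input/output error)"
"""
SQUID_LOG = """\
2019/11/25 12:59:17 kid1| Detected DEAD Parent: UTM_IP
2019/11/25 12:59:52 kid1| Detected REVIVED Parent: UTM_IP
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')      # key="value" fields of a UTM record
ERRNO_RE = re.compile(r'\(([^()]*)\)\s*$')   # trailing "(Input/output error)" etc.
SQUID_RE = re.compile(r'^(\S+ \S+) kid\d+\| Detected (DEAD|REVIVED) Parent: (\S+)')

def parse_utm_record(line):
    """Extract the key="value" fields of one httpproxy line plus the OS error text."""
    fields = dict(KV_RE.findall(line))
    m = ERRNO_RE.search(fields.get("message", ""))
    fields["errno"] = m.group(1) if m else ""
    return fields

def utm_error_summary(log):
    """Count records by (function, OS error) so recurring failure modes stand out."""
    counts = Counter()
    for line in filter(str.strip, log.splitlines()):
        r = parse_utm_record(line)
        counts[(r.get("function", "?"), r["errno"])] += 1
    return counts

def squid_dead_windows(log):
    """Pair DEAD/REVIVED parent events into (parent, start, seconds_dead)."""
    windows, down = [], {}
    for line in log.splitlines():
        m = SQUID_RE.match(line)
        if not m: continue
        ts_s, state, parent = m.groups()
        ts = datetime.strptime(ts_s, "%Y/%m/%d %H:%M:%S")
        if state == "DEAD":
            down[parent] = ts
        elif parent in down:            # REVIVED closes the open window
            start = down.pop(parent)
            windows.append((parent, start, int((ts - start).total_seconds())))
    return windows
```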
  • Is Squid doing https inspection? I suspect that Squid is concentrating all of your users onto one IP. Depending on your workload, UTM may not be able to cope with so many connections coming from one source address. One possibility is that UTM or Squid may be running out of port numbers. Another possibility is that the two proxies are creating timing problems.

    Web Proxy is the best part of UTM, so you are wasting a valuable resource. I seriously doubt that your Squid configuration is as powerful. But assuming that it is, why not simply turn off UTM Web Proxy? The world is going to https. Without https inspection, UTM cannot give you AV protection for https sites, and you are not using UTM web proxy for anything else.

    You are using two proxies, and they do not work together very well. After more than two years, you are still living with bad performance rather than changing your architecture?


  • What does Sophos Support say about this, Daniel?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • hi,

    thanks for your reply.
    the proxy sandwich worked OK until a recent update; it just recently started to get that slow.

    Our Squid does not inspect https; it's configured with a big cache, does AD authentication and several black/whitelists.
    The Sophos web proxy has cache, logging and filtering disabled and is only used for https and http AV inspection.
    This should ensure that only AV-scanned content is transferred to the big cache of the squid proxy.
    As we use lots of VPN and NAT we wanted to reduce the performance overhead with the Sophos proxy. We also like some other benefits of squid.

    using squid alone (without Sophos) is lightning fast.
    using the Sophos web proxy alone (with cache and filtering but no AV scanning, to have the same situation as with squid) is OK but slower than squid.
    I see no reason why we should change architecture.

    we did not yet open a support ticket as I just wanted to check with your forum first.


    Thanks and greetings