
UTM 9.509-3 - Webpage Timeouts in Chrome after upgrade 9.509-3 in transparent mode

Hi

Since upgrading to 9.509-3 I have been having difficulties with random websites (Amazon, scan.co.uk and others) timing out when using Google Chrome. I've inspected the logs and cannot see any issues at all. I've cleared the cookies/cache and re-installed the browser, but have now exhausted my options. I am in no doubt the problem lies directly with Chrome, as the websites have no issues in Firefox, Internet Explorer, Edge.

My setup is:

SG-210 in Transparent mode with SSO and STAS configured

When the pages time out, the following is displayed;

This error is completely random and doesn't appear on other UTMs using older firmware. It seems to break for random websites whilst still allowing me to browse others. Everything was working fine up until the upgrade.

Any ideas would be appreciated

Thanks



This thread was automatically locked due to age.
  • Because it has not been mentioned:

    For completeness, you need to check the Application Control log and Intrusion Protection System logs. One would expect these to drop consistently, not intermittently, so you will probably find nothing relevant. When these functions activate, they drop the packet, and the browser will wait before declaring a timeout. The browser timeout entry can be up to two minutes after the IPS entry.

    The problem is more likely to be here:

    Since the problem only affects Chrome, it is probably related to Chrome's QUIC protocol, which uses UDP 443 to make HTTPS run faster. This is my understanding of the interaction between QUIC and UTM:

    • By default, UDP 443 bypasses the web proxies and is handled by firewall rules, where outbound traffic probably has an allow-all rule, so it is allowed.
    • Bob Alfson says that if you configure UDP 443 in the web proxy additional ports list, it can be handled by Transparent Mode Web Proxy. In the absence of a statement from Sophos that they routinely test to ensure correct QUIC operation through the proxy, I am reluctant to try this, and I favor Standard Mode proxy.
    • QUIC will bypass standard mode proxy.


    You have not said which of these configurations is active in your situation. That detail may be important.

    I recommend blocking UDP 443 at the firewall, which will disable QUIC. See if the problem goes away, and report back.
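
One way to check whether the UDP 443 block recommended in the reply above is taking effect, as an added example that is not part of the original thread: it tallies UDP 443 packets per client and firewall action from exported firewall log lines. The key="value" layout, the field names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines. The key="value" layout and the field names
# (action, srcip, proto, dstport) are assumptions about the firewall log.
SAMPLE_LOG = """\
10:15:02 fw: action="accept" srcip="192.0.2.10" dstip="198.51.100.7" proto="17" dstport="443"
10:15:02 fw: action="accept" srcip="192.0.2.10" dstip="198.51.100.7" proto="6" dstport="443"
10:15:09 fw: action="drop" srcip="192.0.2.11" dstip="198.51.100.7" proto="17" dstport="443"
10:15:10 fw: action="drop" srcip="192.0.2.11" dstip="198.51.100.9" proto="17" dstport="443"
10:15:11 fw: action="accept" srcip="192.0.2.12" dstip="198.51.100.53" proto="17" dstport="53"
10:15:12 fw: truncated line with no fields
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
UDP = "17"  # IP protocol number for UDP


def parse_line(line):
    """Return the key="value" pairs of one log line as a dict."""
    return dict(FIELD_RE.findall(line))


def quic_flows(log_text):
    """Count UDP 443 packets per (client IP, firewall action)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        # TCP 443 (proto 6) and other UDP ports are not QUIC candidates.
        if f.get("proto") == UDP and f.get("dstport") == "443":
            counts[(f.get("srcip", "?"), f.get("action", "?"))] += 1
    return counts


def clients_not_blocked(log_text):
    """Clients with at least one accepted UDP 443 packet."""
    return sorted({ip for (ip, action) in quic_flows(log_text) if action == "accept"})


if __name__ == "__main__":
    for (ip, action), n in sorted(quic_flows(SAMPLE_LOG).items()):
        print(f"{ip:15} {action:7} {n}")
    print("QUIC still allowed for:", clients_not_blocked(SAMPLE_LOG))
```

An empty result from `clients_not_blocked` after the rule is in place means no client is still getting UDP 443 out, and Chrome falls back to HTTPS over TCP 443.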
