
Timed Out Connection

Hi everyone

I'm getting a timed out response from a specific web site. We know it is not a UTM issue, but we need to keep the UTM from showing the template with "Timeout during connection to server", "Connection Timed Out", "Timeout while reading response from Server" or "connection reset by peer" only for that site, because we know that server takes a long time to give a response and that's the way it is, so it's OK for us. We know it is maybe not the best practice, but it doesn't matter for us; it is not our server.

The web page is http://www.pace.sep.gob.mx and this one is redirecting (don't know why) to http://www.acuerdo286.sep.gob.mx/acuerdo286 and then goes back to http://www.pace.sep.gob.mx. We don't know why it is working that way, but it is what it is.

Of course both sites are set in the Filtering Options / Exceptions with all the checks marked, so they entirely skip the filters and blocks. We also used the Skip Transparent Mode Destination Hosts/Nets, all that, but it didn't work.

The only way to make it work was to put the users' PCs in the Skip Transparent Mode Source Hosts/Nets; that is working fine. So I'd really appreciate it if someone could help us reach that goal without using the skip list.

Thanks for any help.



  • Hola Luis,

    Can you find a line in the Web Filtering log where an access related to this is "blocked?"

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • This is what we get in the Web Filtering log:

    2018:06:20-15:55:55 firewall_sophos_utm_95 httpproxy[27704]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.16.206" dstip="143.137.111.152" user="" group="" ad_domain="" statuscode="504" cached="0" profile="REF_HttProContaInterNetwo (Sistemas)" filteraction="REF_HttCffFapereyra (faSistemas)" size="2645" request="0xd8690400" url="fcmoodle.televisioneducativa.gob.mx/.../index.php" referer="" error="Timeout while reading response from Server" authtime="0" dnstime="6834" cattime="64136" avscantime="0" fullreqtime="60303038" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36 OPR/53.0.2907.99" exceptions="" category="117" reputation="trusted" categoryname="Government/Military"

     
    2018:06:20-15:56:56 firewall_sophos_utm_95 httpproxy[27704]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.16.206" dstip="143.137.111.152" user="" group="" ad_domain="" statuscode="504" cached="0" profile="REF_HttProContaInterNetwo (Sistemas)" filteraction="REF_HttCffFapereyra (faSistemas)" size="2634" request="0xce0fec00" url="fcmoodle.televisioneducativa.gob.mx/favicon.ico" referer="fcmoodle.televisioneducativa.gob.mx/.../index.php" error="Timeout while reading response from Server" authtime="0" dnstime="267" cattime="135" avscantime="0" fullreqtime="60779063" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36 OPR/53.0.2907.99" exceptions="" category="117" reputation="trusted" categoryname="Government/Military"
     
     
    No matter if we are using Opera, Chrome, Internet Explorer, Firefox or Edge, it's the same result! And I totally forgot something important in the first post: sometimes it works, but not often, and it's really slow.

    When it is working the result is like this:
     
     
    2018:06:20-15:59:55 firewall_sophos_utm_95 httpproxy[27704]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.16.206" dstip="143.137.111.152" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Sistemas)" filteraction="REF_HttCffFapereyra (faSistemas)" size="7345" request="0xd7de1600" url="fcmoodle.televisioneducativa.gob.mx/.../index.php" referer="" error="" authtime="0" dnstime="31696" cattime="148" avscantime="0" fullreqtime="17398134" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36 OPR/53.0.2907.99" exceptions="" category="117" reputation="trusted" categoryname="Government/Military" content-type="text/html"
     
    2018:06:20-16:00:08 firewall_sophos_utm_95 httpproxy[27704]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.16.206" dstip="143.137.111.152" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Sistemas)" filteraction="REF_HttCffFapereyra (faSistemas)" size="1035" request="0xd5d47800" url="fcmoodle.televisioneducativa.gob.mx/.../yui_combo.php referer="fcmoodle.televisioneducativa.gob.mx/.../index.php" error="" authtime="0" dnstime="2003" cattime="4647" avscantime="0" fullreqtime="13262003" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36 OPR/53.0.2907.99" exceptions="" category="117" reputation="trusted" categoryname="Government/Military" content-type="text/css"
     
    2018:06:20-16:00:08 firewall_sophos_utm_95 httpproxy[27704]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.16.206" dstip="143.137.111.152" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Sistemas)" filteraction="REF_HttCffFapereyra (faSistemas)" size="6748" request="0xcf25a000" url="fcmoodle.televisioneducativa.gob.mx/.../javascript-static.js" referer="fcmoodle.televisioneducativa.gob.mx/.../index.php" error="" authtime="0" dnstime="185" cattime="151" avscantime="0" fullreqtime="13509988" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36 OPR/53.0.2907.99" exceptions="" category="117" reputation="trusted" categoryname="Government/Military" content-type="application/javascript"
     
    2018:06:20-16:00:09 firewall_sophos_utm_95 httpproxy[27704]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.16.206" dstip="143.137.111.152" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Sistemas)" filteraction="REF_HttCffFapereyra (faSistemas)" size="168803" request="0xcf25ac00" url="fcmoodle.televisioneducativa.gob.mx/.../yui_combo.php referer="fcmoodle.televisioneducativa.gob.mx/.../index.php" error="" authtime="0" dnstime="433" cattime="878" avscantime="0" fullreqtime="13799420" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36 OPR/53.0.2907.99" exceptions="" category="117" reputation="trusted" categoryname="Government/Military" content-type="application/javascript"
     
    2018:06:20-16:00:09 firewall_sophos_utm_95 httpproxy[27704]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.16.206" dstip="143.137.111.152" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Sistemas)" filteraction="REF_HttCffFapereyra (faSistemas)" size="6538" request="0xcf25a000" url="fcmoodle.televisioneducativa.gob.mx/.../require.min.js" referer="fcmoodle.televisioneducativa.gob.mx/.../index.php" error="" authtime="0" dnstime="1" cattime="278" avscantime="0" fullreqtime="354122" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36 OPR/53.0.2907.99" exceptions="" category="117" reputation="trusted" categoryname="Government/Military" content-type="application/javascript"
     
    2018:06:20-16:00:09 firewall_sophos_utm_95 httpproxy[27704]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.16.206" dstip="143.137.111.152" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Sistemas)" filteraction="REF_HttCffFapereyra (faSistemas)" size="223321" request="0xd50bf200" url="fcmoodle.televisioneducativa.gob.mx/.../all" referer="fcmoodle.televisioneducativa.gob.mx/.../index.php" error="" authtime="0" dnstime="168" cattime="155" avscantime="0" fullreqtime="13889975" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36 OPR/53.0.2907.99" exceptions="" category="117" reputation="trusted" categoryname="Government/Military" content-type="text/css"
     
    2018:06:20-16:00:09 firewall_sophos_utm_95 httpproxy[27704]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.16.206" dstip="143.137.111.152" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Sistemas)" filteraction="REF_HttCffFapereyra (faSistemas)" size="65108" request="0xcf25a000" url="fcmoodle.televisioneducativa.gob.mx/.../logo2.png" referer="fcmoodle.televisioneducativa.gob.mx/.../index.php" error="" authtime="0" dnstime="0" cattime="269" avscantime="0" fullreqtime="251256" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36 OPR/53.0.2907.99" exceptions="" category="117" reputation="trusted" categoryname="Government/Military" content-type="image/png"
     
    2018:06:20-16:00:09 firewall_sophos_utm_95 httpproxy[27704]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.16.206" dstip="143.137.111.152" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Sistemas)" filteraction="REF_HttCffFapereyra (faSistemas)" size="6355" request="0xd5d47800" url="fcmoodle.televisioneducativa.gob.mx/.../users_add.png" referer="fcmoodle.televisioneducativa.gob.mx/.../index.php" error="" authtime="0" dnstime="0" cattime="244" avscantime="0" fullreqtime="908371" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36 OPR/53.0.2907.99" exceptions="" category="117" reputation="trusted" categoryname="Government/Military" content-type="image/png"
     
    2018:06:20-16:00:09 firewall_sophos_utm_95 httpproxy[27704]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.16.206" dstip="143.137.111.152" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Sistemas)" filteraction="REF_HttCffFapereyra (faSistemas)" size="825" request="0xd5d47800" url="fcmoodle.televisioneducativa.gob.mx/.../yui_combo.php referer="fcmoodle.televisioneducativa.gob.mx/.../index.php" error="" authtime="0" dnstime="0" cattime="1454" avscantime="0" fullreqtime="400660" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36 OPR/53.0.2907.99" exceptions="" category="117" reputation="trusted" categoryname="Government/Military" content-type="application/javascript"
     
    2018:06:20-16:00:10 firewall_sophos_utm_95 httpproxy[27704]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.16.206" dstip="143.137.111.152" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Sistemas)" filteraction="REF_HttCffFapereyra (faSistemas)" size="77160" request="0xcf25a000" url="fcmoodle.televisioneducativa.gob.mx/.../fontawesome-webfont.woff2 referer="fcmoodle.televisioneducativa.gob.mx/.../all" error="" authtime="0" dnstime="0" cattime="605" avscantime="0" fullreqtime="539799" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36 OPR/53.0.2907.99" exceptions="" category="117" reputation="trusted" categoryname="Government/Military" content-type="application/font-woff2"
     
    thanks in advance !
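The entries above can be triaged mechanically. The following is an added example, not part of the original posts: it parses the `key="value"` fields, tolerates the missing closing quote after `url=` seen in some pasted lines, and separates a proxy-generated upstream timeout from a policy block. It assumes `fullreqtime` is in microseconds (consistent with the two timeouts logged about a minute apart) and that a non-empty `exceptions` field means an exception matched the request.

```python
import re

# Constructed sample: two entries from the thread, shortened to the fields used
# here. The second keeps the missing closing quote after url=... from the paste.
SAMPLE = [
    '2018:06:20-15:55:55 firewall_sophos_utm_95 httpproxy[27704]: id="0002" '
    'name="web request blocked" action="block" statuscode="504" '
    'url="fcmoodle.televisioneducativa.gob.mx/.../index.php" '
    'error="Timeout while reading response from Server" '
    'avscantime="0" fullreqtime="60303038" exceptions=""',
    '2018:06:20-16:00:08 firewall_sophos_utm_95 httpproxy[27704]: id="0001" '
    'name="http access" action="pass" statuscode="200" '
    'url="fcmoodle.televisioneducativa.gob.mx/.../yui_combo.php '
    'referer="fcmoodle.televisioneducativa.gob.mx/.../index.php" error="" '
    'avscantime="0" fullreqtime="13262003" exceptions=""',
]

# Split at whitespace that is followed by the start of the next key="...
# This keeps values with spaces intact and survives an unterminated value.
FIELD_START = re.compile(r'\s+(?=[\w-]+=")')


def parse_line(line):
    """Return the fields of one httpproxy log entry as a dict."""
    header, *tokens = FIELD_START.split(line.strip())
    fields = {"timestamp": header.split()[0]}
    for token in tokens:
        key, _, value = token.partition('="')
        fields[key] = value.rstrip('"')
    return fields


def classify(fields):
    """Summarise one entry: outcome, request time, whether an exception applied."""
    # Assumption: fullreqtime is in microseconds.
    seconds = round(int(fields.get("fullreqtime", "0")) / 1_000_000, 1)
    if fields.get("statuscode") == "504" or "Timeout" in fields.get("error", ""):
        outcome = "upstream-timeout"   # proxy gave up waiting for the server
    elif fields.get("action") == "block":
        outcome = "policy-block"       # category, reputation, AV, ...
    else:
        outcome = "passed"
    # Assumption: exceptions="" means no exception rule matched this request.
    return {"outcome": outcome, "seconds": seconds,
            "exception_applied": bool(fields.get("exceptions"))}


if __name__ == "__main__":
    for entry in SAMPLE:
        parsed = parse_line(entry)
        print(parsed["timestamp"], parsed["url"], classify(parsed))
```
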
  • When you see statuscode="504", the first thing to try is an Exception for antivirus scanning.  If that doesn't work, you will need to skip the Proxy for the site. 

    Does making an Exception for fcmoodle.televisioneducativa.gob.mx solve the problem?

    Cheers - Bob

     
  • There is no username logged.   Are you running with Authentication = None ?

    Have you checked IPS logs?   IPS blocks will cause WebFilter timeouts.

  • Answer for Balfson: no, I already did the exception and it doesn't work. This is the Exceptions list:

           ^https?://([A-Za-z0-9.-]*\.)?\.fcmoodle\.televisioneducativa\.gob\.mx\.moodle\.login/

     

    And I recently noticed I have the same problem with these; these also have an Exceptions list:

          ^https?://([A-Za-z0-9.-]*\.)?\.pace\.sep\.gob\.mx\.pace\.login/
          ^https?://([A-Za-z0-9.-]*\.)?\.acuerdo286\.sep\.gob\.mx/
          ^https?://([A-Za-z0-9.-]*\.)?\.acuerdo286\.sep/

     

     Both skip lists have the same config.

     

     

    And a question for DouglasFoster: usually I use the Web Filtering log and the firewall log. IPS logs? Where can I see them? Can I find them from the dashboard?

  • IPS = Intrusion Protection System.  The log files are with all of the others under Logging and Reporting... View Log files

    It monitors incoming packets for suspicious content.   Action can be drop or alert-only.   If the packet is a reply and the action is drop, then the requesting process (web browser, DNS client, etc.) will see a timeout because the expected reply is never received.  My logs show delays of up to 2 minutes between the IPS drop event and the webfilter timeout event.

    Fortunately, the IPS logs are usually not very big, so they should be easy to review with visual inspection.

  • Try an Exception for 'Antivirus' only for

    ^https?://[A-Za-z0-9.-]*fcmoodle\.televisioneducativa\.gob\.mx

    Did that work?

    If not you will need to skip the proxy for that.  For the Transparent mode, put a DNS Group for fcmoodle.televisioneducativa.gob.mx in the Destination Skiplist.

    Cheers - Bob

     
  • Those URLs test safe, but I get four reputation limit blocks on this URL, which appears to be a certificate revocation check: http :// crl.pki.goog/gsr2/gsr2.crl

    However, I do get a page to load without any errors, and without any special handling.

    Is Sophos wrong, or is the school using a compromised certificate company?

  • This morning, it occurs to me that a certificate revocation check only makes sense if a site uses https, but I have not seen any evidence that your target site uses encryption.   I conclude that the site is infected, and UTM is protecting you from malware, even though your specific symptoms are different from mine.   Suggest that you contact the site owner.

  • For

     

    With ^https?://([A-Za-z0-9.-]*\.)?\.fcmoodle\.televisioneducativa\.gob\.mx  we are done, it is ok now

     

    What you suggested didn’t work, then I used a different syntax for the skip list and that didn’t work either, then I tried something different: I got a good result when I set up a Download Throttling with 2048 kbit/s for each source/destination pair, and that works. Right now I am using both solutions, skip list and throttling, but I think the solution was the throttling.

     

    So, the next is another page but it’s the same issue. I’m receiving an “error 404”, not a Sophos error page.

     

    what is the difference between this ^https?://([A-Za-z0-9.-]*\.)?\.pace\.sep\.gob\.mx/Pace/login/

    and this

    ^https?://([A-Za-z0-9.-]*\.)?\.pace\.sep\.gob\.mx/

     

    Why I’m asking: the first line works really fine, but the second did not. Why, if I only write (in any web browser) one part of the line, like – www.pace.sep.gob.mx – doesn’t it work? Why do I need to write the entire line in the skip list, “www.pace.sep.gob/pace/login”? Shouldn't the second option work? Why does the UTM show a response like timed out or connection reset by peer, etc.?

     

    So, sorry if I’m asking something weird or unusual, but I keep my original concern: how in the UTM can I disable those messages “timed out”, “connection reset”, or even better, can I edit them to a Spanish response?

     

    Let me explain: we know it’s not our problem, it’s the way that page works, but the problem is turning into a big trouble for me because the users only see a SOPHOS message and they don’t understand what it means, so they are calling me to solve a problem which is something I cannot.

     

    I prefer to just avoid those messages for that particular list or page! By the way, where can I find a "How to" for the correct syntax in the exception list? Maybe I’m missing something with that. Thanks and regards.

     

    For Douglas Foster

     

    1)       IPS didn't show any trouble.

    2)       What is the difference between working with a skip list with all the checks marked and only skipping the antivirus protection for this page? Remember, the list I'm using has the entire skip list marked.

    3)       Talking just about us, we are using a good certificate. I don't know about them!

    4)       About the infected site issue, we (and I mean several other schools, not just us) contacted that site and complained about it, but we have had no response.

     

    Sorry for any late response, but this whole school is in maintenance mode, and we are running like crazy people with a lot of stuff.

     

    Really appreciate your help guys !
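The exception patterns quoted in this thread, checked against URLs from the thread (an added example, not part of the original posts). It assumes Python's `re` behaves like the UTM's regex engine for these patterns and that exceptions are matched against the full URL including the scheme; `exception_for` and the `example.net` lookalike host are hypothetical.

```python
import re

# Exception patterns exactly as quoted in the thread.
POSTED_FCMOODLE = (r"^https?://([A-Za-z0-9.-]*\.)?\.fcmoodle\.televisioneducativa"
                   r"\.gob\.mx\.moodle\.login/")
POSTED_PACE = r"^https?://([A-Za-z0-9.-]*\.)?\.pace\.sep\.gob\.mx/"
SUGGESTED = r"^https?://[A-Za-z0-9.-]*fcmoodle\.televisioneducativa\.gob\.mx"

# The first two URLs use hosts and paths that appear in the thread; the third
# is a constructed lookalike host under the reserved example.net domain.
FAVICON = "http://fcmoodle.televisioneducativa.gob.mx/favicon.ico"
PACE = "http://www.pace.sep.gob.mx/"
LOOKALIKE = "http://fcmoodle.televisioneducativa.gob.mx.example.net/"


def hits(pattern, url):
    """True if the exception pattern matches the URL."""
    return re.search(pattern, url) is not None


def exception_for(host):
    """Hypothetical helper: exception for one host and its subdomains only.

    The optional group already ends in a dot, so the host follows it directly,
    and the trailing slash stops the match at the end of the hostname.
    """
    return r"^https?://([A-Za-z0-9.-]*\.)?" + re.escape(host) + "/"


def report():
    """(label, url, matched) for each pattern/URL pair of interest."""
    tight_fc = exception_for("fcmoodle.televisioneducativa.gob.mx")
    tight_pace = exception_for("pace.sep.gob.mx")
    cases = [
        ("posted fcmoodle", POSTED_FCMOODLE, FAVICON),
        ("posted pace", POSTED_PACE, PACE),
        ("suggested fcmoodle", SUGGESTED, FAVICON),
        ("suggested fcmoodle", SUGGESTED, LOOKALIKE),
        ("anchored fcmoodle", tight_fc, FAVICON),
        ("anchored fcmoodle", tight_fc, LOOKALIKE),
        ("anchored pace", tight_pace, PACE),
    ]
    return [(label, url, hits(pattern, url)) for label, pattern, url in cases]


if __name__ == "__main__":
    for label, url, matched in report():
        print(f"{label:20} {url:58} {'MATCH' if matched else 'no match'}")
```

A pattern that keeps `\.` directly after the optional subdomain group requires two consecutive dots in the hostname, so it cannot match a real host. The pattern without a trailing `/` also matches the lookalike host, which matters when the exception disables antivirus scanning.
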