
Devices on ethernet VLAN interface having trouble with web sites timing out

Sorry for the long post - trying to be thorough.

I’m having what seems to me to be a strange problem, hopefully I am overlooking something simple.  I have a small office where the regular office users can browse the web with no problem, but the guest network I set up is erratic.   Some web sites will open OK, others time out before they will open.  For example, amazon.com opens no problem, weather.com won’t open, but this happens only for devices on VLAN 7 (personal phones and laptops via wireless, a couple of wired desktop computers).  Joining the same devices to the regular network on VLAN 1, no problems.

For hosts that connect on VLAN 7, either through the wireless guest network or through physical ports on the switch, DHCP works correctly – they get IP addresses, gateway and DNS from the Sophos SG115 on the correct guest subnet.

For hosts that connect on VLAN 1, either through wireless or through physical switch ports, DHCP works correctly, getting DHCP info from Windows DHCP server on the InternalLAN subnet.

I should mention that I have this same setup in two other offices and it seems to work okay, the only difference being they have Sophos SG 125 devices and Dell 2848 switches.   I’ve gone over the configurations comparing the Sophos settings in these offices to the problem office and can’t see any differences.

At the risk of too much information, one other quirk, maybe related.  I have UTM to UTM RED tunnels set up from the main office to each of the remote offices.  In the “good” offices, I can log in to the switch’s web interface from the main office through the RED tunnel, no problem.  In the “bad” office, I can open the web interface on the remote switch, but I can’t log in – I get “user name or password is missing”.  I can remote to a local workstation and log in to it no problem. Doesn’t matter what browser is being used.

I have looked through the firewall, web filtering and intrusion prevention log files and don’t see anything noteworthy.  I actually don’t see any traffic in the firewall log from the 10.10.1.0 network.

Thanks for any help or ideas.

My setup:

Sophos SG 115 with UTM 9.414002
    Eth0: internal LAN, static 192.168.40.1/24, no gateway
    Eth1: WAN, static IP from ISP, has default gateway
    Guest VLAN: Ethernet VLAN on eth0, VLAN tag 7, IP 10.10.1.1/24, no gateway

    DHCP server on Guest VLAN interface
        Pool: 10.10.1.100 to 10.10.1.199
        DNS: 8.8.4.4; 8.8.8.8
        Default gateway: 10.10.1.1 (Guest VLAN interface)

    Firewall rules:
        Deny Any: Source Guest VLAN (Network), Destination Internal (Network)
        Allow Any: Source Internal (Network); Guest VLAN (Network), Destination Any
        Allow DNS: Source Any, Destination Any

    NAT masquerading rules:
        Internal (Network) > WAN
        Guest VLAN (Network) > WAN

    Web Filtering
        Default Web Filter
            Allowed Networks: Guest VLAN (Network), Internal (Network)
            Operation Mode: Transparent Mode
            Default Authentication: none
            Enable device specific authentication: Android: none; iOS: none; Kindle: none; Windows: none
            HTTPS: URL filtering only; “Do not proxy HTTPS traffic in transparent mode” unchecked

Switch: Dell 2724
    Native VLAN 1
    Port 1 (Sophos SG 115): PVID 1, Frame type Admit All, VLAN 1 Untagged, VLAN 7 Tagged
    Port 19 (Cisco WAP): PVID 1, Frame type Admit All, VLAN 1 Untagged, VLAN 7 Tagged
    Ports 20 to 24 (Wired Guests): PVID 7, Frame type Admit All, VLAN 7 Tagged (not a member of VLAN 1)

Wireless:
    Cisco Wireless LAN Controller in Main Office
    Access Point: Cisco AIR-LAP1141N, AP Mode FlexConnect, Native VLAN 1,
        VLAN Mapping: GuestVLAN vlan 7, InternalLAN VLAN 1
    Wireless Networks:
        InternalLAN
            Interface: management (port 1), native VLAN 1
            FlexConnect local switching enabled
            FlexConnect local authentication enabled
        GuestVLAN
            Interface: GuestVLAN7, VLAN identifier 7
            FlexConnect local switching enabled
            FlexConnect local authentication enabled


  • How do you know the site times out - have you checked the Web Filtering log to see what appears on a failed access?  Should I move this thread to the Web Protection forum?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I probably won't be back to that office for a while unless something else comes up, so it's hard to test from here.  When I was there last, when a web site failed to open there was a Sophos message in the browser that the remote server didn't respond or timed out.  Don't remember the exact wording.  The only information I could find in the logs at the time were that a site failed to respond and timed out.  

    I'm installing a Sophos SG115 at another small office today with the same setup, so I'll see if I run into the same problem or not.  If so it'll be a lot easier for me to troubleshoot since it is nearby, whereas the other office is an hour's drive from here.

    I don't know if this should be in the Web Protection forum since I don't know if it is a web filtering issue or not. Removing the guestvlan network from web filtering didn't make any difference.

     

    Ralph

  • I just finished setting up the network in the new office and everything is working exactly as I would expect, so I am going to have to go over the configuration at the other office again and try to find what is different there.

  • I bet if you look in the Web Filtering log, you will see statuscode="50." where the access failed.  The first thing to try is to make an exception for Antivirus for that site.  If that doesn't work, you will need to skip the Proxy for that site.

    Cheers - Bob

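One way to pull the failed accesses Bob points to out of the httpproxy log, as an added example that is not from the thread or from Sophos: it assumes the UTM's key="value" line layout, uses constructed sample lines with made-up addresses and timestamps, and groups 5xx responses by source network so a site that fails only from the 10.10.1.0/24 guest VLAN stands out.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Subnets from the thread: guest VLAN 7 and the internal LAN.
NETWORKS = {
    "guest": ipaddress.ip_network("10.10.1.0/24"),
    "internal": ipaddress.ip_network("192.168.40.0/24"),
}
# Constructed sample lines (hostname, addresses, timestamps made up); the key="value"
# field layout is assumed to match the UTM httpproxy log.
SAMPLE_LOG = """\
2017:03:01-09:12:01 sg115 httpproxy[4711]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.10.1.105" dstip="203.0.113.10" user="" statuscode="200" cached="0" url="https://www.amazon.com/" error=""
2017:03:01-09:12:09 sg115 httpproxy[4711]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.10.1.105" dstip="203.0.113.20" user="" statuscode="504" cached="0" url="https://weather.com/" error="Failed to connect to remote server"
2017:03:01-09:12:40 sg115 httpproxy[4711]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.10.1.131" dstip="203.0.113.20" user="" statuscode="504" cached="0" url="https://weather.com/today" error="Failed to connect to remote server"
2017:03:01-09:13:02 sg115 httpproxy[4711]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.40.57" dstip="203.0.113.20" user="" statuscode="200" cached="0" url="https://weather.com/" error=""
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Return the key="value" fields of one httpproxy line as a dict (empty if none)."""
    return dict(KV_RE.findall(line))

def network_of(ip):
    """Name the configured network an address belongs to, or 'other'."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "other"

def failed_requests(log_text):
    """List (network, srcip, host, statuscode, error) for each 5xx the proxy returned.
    A 5xx means the UTM itself could not complete the upstream fetch: the entry to
    inspect before adding an antivirus or proxy exception for that site."""
    out = []
    for line in log_text.splitlines():
        f = parse_line(line)
        code = f.get("statuscode", "")
        if code.startswith("5") and f.get("srcip"):
            host = urlsplit(f.get("url", "")).hostname or ""
            out.append((network_of(f["srcip"]), f["srcip"], host, code, f.get("error", "")))
    return out

def failures_by_network_and_host(log_text):
    """Count 5xx responses per (network, host): a site failing from one VLAN only stands out."""
    return Counter((net, host) for net, _ip, host, _code, _err in failed_requests(log_text))
```

Feed it the real /var/log/http.log content instead of SAMPLE_LOG; a host that shows up under "guest" but never under "internal" is the one to test with an antivirus exception first.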
  • I'll take a look for that, thanks.