This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF errors

Hi.

My mail profile in WAF - "Site Path Routing" and "Virtual Webservers", shows yellow dot instead of green.
All other profiles look OK, and my cellphone syncing with my mail server seems to works fine.
Also, I'm keeping on getting the following errors in my WAF log:

2013:06:29-13:27:14 myfw reverseproxy: srcip="xx.***.80.237" localip="***.***.***.***" size="434" user="-" host="xx.***.80.237" method="POST" statuscode="502" reason="-" extra="-" time="1054524" url="/Microsoft-Server-ActiveSync" server="mail.domain.com" referer="-" cookie="-" set-cookie="-"
2013:06:29-13:27:15 myfw reverseproxy: [Sat Jun 29 13:27:15.062104 2013] [proxy_http:error] [pid 32525:tid 3760040816] (70014)End of file found: [client 46.19.80.237:26000] AH01102: error reading status line from remote server 10.9.0.100:443
2013:06:29-13:27:15 myfw reverseproxy: [Sat Jun 29 13:27:15.062150 2013] [proxy:error] [pid 32525:tid 3760040816] [client xx.***.80.237:26000] AH00898: Error reading from remote server returned by /Microsoft-Server-ActiveSync

Any idea why?
[:S]

This thread was automatically locked due to age.

Parents

0 BAlfson over 10 years ago

Hi, uchihanorman, and welcome to the User BB!

Until I was aware of your issue, I hadn't realized that the yellow dot had an effect on the behavior of the WAF.  I assumed that it had to do with one of the conntrack timeouts, and a little experimentation showed that it does.  I thought it might be ip_conntrack_icmp_timeout, but its default is 600 and ping times to our external server were less than 80ms.

Then, I tried using Ulrich Weber's tip from 2011-10-18:
cc set packetfilter timeouts ip_conntrack_udp_timeout 90

and that immediately caused the dot to become green.

I then set it back to the default, 30, but the dot stayed green, and it stayed green even when I disabled and then re-enabled WAF.  To complete the experiment, I rebooted.  When WebAdmin came back up, the dot was yellow again.

So, I suspect that you can determine the max timeout you need from a ping to each of the servers and then set accordingly.  Since this is done with cc, the change will survive Up2Dates and reboots.

Cheers - Bob
PS You didn't mention it, but I assume you have selected "Sticky sessions" in "Site-Path Routing'.

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 10 years ago

Hi, uchihanorman, and welcome to the User BB!

Until I was aware of your issue, I hadn't realized that the yellow dot had an effect on the behavior of the WAF.  I assumed that it had to do with one of the conntrack timeouts, and a little experimentation showed that it does.  I thought it might be ip_conntrack_icmp_timeout, but its default is 600 and ping times to our external server were less than 80ms.

Then, I tried using Ulrich Weber's tip from 2011-10-18:
cc set packetfilter timeouts ip_conntrack_udp_timeout 90

and that immediately caused the dot to become green.

I then set it back to the default, 30, but the dot stayed green, and it stayed green even when I disabled and then re-enabled WAF.  To complete the experiment, I rebooted.  When WebAdmin came back up, the dot was yellow again.

So, I suspect that you can determine the max timeout you need from a ping to each of the servers and then set accordingly.  Since this is done with cc, the change will survive Up2Dates and reboots.

Cheers - Bob
PS You didn't mention it, but I assume you have selected "Sticky sessions" in "Site-Path Routing'.

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data