Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 33 replies
  • Subscribers 48 subscribers
  • Views 9184 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Traffic inspection bug relay_invalid_traffic

l0rdraiden

Is this bug going to be fixed, or it has become a feature with a workaround?

Workaround

https://support.sophos.com/support/s/article/KB-000035989?language=en_US&c__displayLanguage=en_US#How-to-Enable-relay_invalid_traffic

BUG reason="HTTP parsing error encountered."

https://community.sophos.com/xg-firewall/sfos-eap/sfos-v18-early-access-program/f/feedback-and-issues/117316/bug---ssl-tls-inspection-seems-to-break-honeywell-smart-devices

BUG reason="HTTP pipelined request encountered."

https://community.sophos.com/xg-firewall/f/discussions/119219/bug-web-filter-blocking-random-categories



This thread was automatically locked due to age.
  • 0 in reply to Bill Roland

    To go along with Rich's comment.

    You mention looking in the TLS/SSL error log, but not any of the others.  Things like pipeline errors and http parsing errors are in the Web Filter log.  There may be other things in other logs that could also indicate a problem.
    Log Viewer, detailed view, have all components selected.  Search for the domain name.

  • 0 in reply to Michael Dunn

    Unfortunately the IPS log does not contain the domain name, because it operates on all traffic regardless of protocol. To include IPS log entries in a search when in detailed view, you'll need to search on the destination IP address, once you've identified that from the TLS or Web Filter logs.

  • 0 in reply to RichBaldry

    I searched the IPS logs, it is not being blocked by IPS.  I searched using 's method, nothing shows as error or denied or failed; according to XG, everything is fine with this traffic.  Yet Chrome reports the connection is being reset if the DPI engine is decrypting it.  Put in a TLS Exception or switch back to web proxy, and everything works fine.

    Look guys, don't get the wrong idea that I am just a disgruntled customer who has an irrational ax to grind against the DPI engine.  It sounds great on paper, it has a lot of promise, but last time I enabled it I got a panic call from our HR people who, halfway into trying to post payroll for the week, the site (a standard HTTPS site) just bombed out and they couldn't process payroll.  Turned out it was the DPI engine, didn't like a particular page from PrimePay for whatever reason.  The guidance has sort of been "well these things happen" and "make an exception when you encounters a problem" and that's just not practical advice in my opinion.  It also doesn't help when according to the logs from XG, everything should be A-OK but it clearly is not.

  • 0 in reply to Bill Roland

    Hi Bill,

    Your feedback here is definitely appreciated. Where there are genuine issues we want to track them down and fix them, for sure. Obviously, our guidance to make an exception or switch to proxy mode is geared towards helping keep our customers businesses moving when issues like this crop up, but I well aware that it can appear to mask or downplay when there are genuine problems.

    With detailed feedback we can keep digging in to these issues. We already have a number of fixes lined up for MR3, which we just soft-released and for MR4, which we hope to get out before too long.

    Regards

    Rich

  • 0 in reply to Michael Dunn

    if they are big customers I doubt they are using the webproxy. Any big customer have dedicated devices for at least 2 of this 3, SSL offloading (load balancer), web proxy, and IPS.

  • 0 in reply to RichBaldry

    I was doing a little additional testing with the DPI engine and noticed another problem; it breaks YouTube Live videos.  They work fine for a while (it varies but rarely more than 10 minutes) but eventually, you get the spinning circle stall.  Additionally the live chat just stops updating, but you may not realize it until you refresh and see the thousands of messages you missed.  XG logging of course reports no TLS/SSL errors, no firewall rule blocking, no IPS blocking, and switching back to web proxy results in all of these things just fine.

  • 0 in reply to l0rdraiden

    That's a fair argument you make, raiden, but I would argue that while the performance may not be comparable to dedicated IPS appliances and whatnot, it isn't unreasonable to expect it to least work with some degree of reliability that's better than consumer-grade.

  • 0

    This is still an issue there are too many services using http pipelined connections to ignore it.

    Official Sophos response, http pipelined is not an issue and is not supported because nobody uses it.

    Now microsoft joins to netflix and many other companies that are already using it. Maybe someday Sophos XG will block windows updates and still won't be an issue.

  • 0 in reply to l0rdraiden

    Even in my environment, there are logs with the reason "HTTP pipelined request encountered."

    URL
    http: //go.microsoft.com/fwlink/?LinkID=XXX&clcid=0xXXX
    https: //www.dell.com/TLTarget.aspx
    They all seem to be using Akamai. It may not matter.


    User Agent
    MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT
    Firefox 84.0
    Safari 14.0.2

  • 0 in reply to Bill Roland

    Hi Could you please create a new Thread for this Youtube issue? 

    As far as i know, this is already tracked but i want to decouple this topic from differnet issues. 

    __________________________________________________________________________________________________________________

Unfiltered HTML