
Packet loss when adding more subnets to NAT

Hi there

I have an XG135 v17.5 with NAT on the firewall currently. Recently we changed our IP address to a /29 and I added a new alias IP on the current GW address in the same range.

I have 4 ranges in the organization and we want subnet A NATed on the main physical IP and subnets B, C, D NATed on the alias IP. I created 2 NAT profiles and separated the traffic to be SNATed on different IPs (main and alias IP).

When I change the original default rule to the newly created NAT MASQ address, which is equal to the main interface IP, it works as it should.

I cloned the current rule and added the source addresses with subnets B, C, D. As soon as I save the rule, huge packet loss starts across the whole organization.

I checked the client IP and it is NATed based on what I planned, but the packet loss exists on all subnets.

As soon as I disable the second rule related to subnets B, C, D the packet loss stops.

I did another test: on the second rule I started adding the subnets one by one. For subnet B there is no packet loss; when adding subnets C and D the packet loss starts again, and even after removing the subnet from the range the packet loss still exists. Only by rebooting the firewall or disabling the second rule does it stop. Any idea why this happens?

I checked the device load in the monitoring section and there is no significant change in the output graphs.
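The setup described above (one SNAT rule for subnet A on the main interface IP, a second rule for subnets B, C, D on an alias IP inside the new /29) is the kind of plan worth sanity-checking on paper before touching the firewall. The following is an added example, not code from the original post or from Sophos: it models an ordered first-match SNAT table and checks that each SNAT address is a usable host in the WAN prefix, that no two rules claim overlapping source networks, and which SNAT address a given client would leave with. All addresses (the `203.0.113.8/29` WAN range, the main/alias IPs and the `10.x.0.0/24` internal subnets) are constructed stand-ins, since the thread gives none.

```python
import ipaddress

# Constructed example values; the thread does not give the real addresses.
WAN_NETWORK = ipaddress.ip_network("203.0.113.8/29")
MAIN_IP = "203.0.113.10"    # primary WAN interface address (assumed)
ALIAS_IP = "203.0.113.11"   # alias added in the same /29 (assumed)

# Hypothetical internal ranges standing in for subnets A, B, C and D.
SUBNETS = {
    "A": "10.10.0.0/24",
    "B": "10.20.0.0/24",
    "C": "10.30.0.0/24",
    "D": "10.40.0.0/24",
}


def make_rule(name, sources, snat):
    """Build one SNAT rule from string networks and a string SNAT address."""
    return {
        "name": name,
        "sources": [ipaddress.ip_network(s) for s in sources],
        "snat": ipaddress.ip_address(snat),
    }


# Ordered rule table: the first rule whose source matches wins, as on the XG NAT table.
RULES = [
    make_rule("SNAT-main", [SUBNETS["A"]], MAIN_IP),
    make_rule("SNAT-alias", [SUBNETS["B"], SUBNETS["C"], SUBNETS["D"]], ALIAS_IP),
]


def usable_snat_address(addr, wan=WAN_NETWORK):
    """An SNAT address must lie inside the WAN prefix and not be its network or broadcast address."""
    addr = ipaddress.ip_address(addr)
    return addr in wan and addr not in (wan.network_address, wan.broadcast_address)


def overlapping_sources(rules):
    """Pairs of rules whose source networks overlap; such clients are translated by the first rule only."""
    found = []
    for i, rule_a in enumerate(rules):
        for rule_b in rules[i + 1:]:
            for net_a in rule_a["sources"]:
                for net_b in rule_b["sources"]:
                    if net_a.overlaps(net_b):
                        found.append((rule_a["name"], rule_b["name"], str(net_a), str(net_b)))
    return found


def snat_for(client_ip, rules=RULES):
    """First-match lookup: (rule name, SNAT address) a client would leave with, or None if nothing matches."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if any(ip in net for net in rule["sources"]):
            return rule["name"], str(rule["snat"])
    return None


def validate_plan(rules=RULES, wan=WAN_NETWORK, subnets=SUBNETS):
    """Return a list of human-readable problems; an empty list means the plan is internally consistent."""
    problems = []
    for rule in rules:
        if not usable_snat_address(rule["snat"], wan):
            problems.append(f"{rule['name']}: SNAT address {rule['snat']} is not a usable host in {wan}")
    for a, b, net_a, net_b in overlapping_sources(rules):
        problems.append(f"{a} and {b} both match {net_a} / {net_b}; only the first listed rule applies")
    for label, net in subnets.items():
        first_host = ipaddress.ip_network(net).network_address + 1
        if snat_for(str(first_host), rules) is None:
            problems.append(f"subnet {label} ({net}) matches no SNAT rule")
    return problems


if __name__ == "__main__":
    for issue in validate_plan() or ["plan is consistent"]:
        print(issue)
    for client in ("10.10.0.5", "10.20.0.5", "192.168.1.1"):
        print(client, "->", snat_for(client))
```

The check only covers the rule table itself; it cannot explain the packet loss the thread reports, but it rules out the two configuration mistakes that most often look like random loss after a NAT change: an alias that is the network or broadcast address of the /29, and overlapping source networks where the first-match order silently decides which public IP a subnet uses.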



  • Are the subnets you are talking about in the same firewall zones?
    How are you checking the packet loss? Just ping or are you noticing this as well with other protocols?

    What happens if you do run a tcpdump in parallel?

    (We see some similar effects with pinging e.g. Google DNS. After we disable our REDs all pings go through. After switching them on again everything still works. However the error is not reproducible. We suspect some strange issues with FastPath.)

  • Okay just seen you are using 17.5 so my remarks regarding fastpath are obsolete.
    Did not see such a behaviour on 17.5 and we switched from one to many IPs and back for the different VLANs.

    If you are not running the latest 17.5 upgrading might help ...

  • Hi

    Thanks for your reply. All 4 subnets are in the same zone (LAN). On the second zone I doubted that a specific subnet might have a negative effect; I added them one by one and changed the order, but after adding the second subnet on the second NAT rule related to the alias I still have packet loss. I use ping to different destinations, but all of them have packet loss, and as soon as I disable the second NAT rule related to the alias the packet loss stops. The NAT rules are working correctly and clients go out of the GW and are NATed based on the defined rules.

    The effect of the packet loss is not only ping timeouts; I checked the clients remotely and they are getting very slow and sluggish.

    The exact version of the firewall is SFOS 17.5.10 MR-10 and this is a very weird issue. I didn't try tcpdump. What do you mean by disable REDs?

  • You are using a very old version. There was a big security issue in the second quarter of 2020, and Sophos also recalled one release because of severe issues in the first half of 2020 and republished it weeks later.

    Update to the latest version of 17.5 first before doing further debugging.

    Forget about the REDs (Remote Ethernet Device) and the tcpdump; this could help in V18. Running a tcpdump disables the FastPath, which might cause some issues (not fully investigated in our case). docs.sophos.com/.../rn_FastPath.html

  • I updated to the latest version of 17.5 and still have packet loss after enabling the second NAT rule. After disabling it, the packet loss sometimes remains on all subnets and I have to reboot the firewall; then it is fine.

    Any idea?!!

  • No. I'd suggest opening a ticket with support.