
Connection issue with network share

Hi

We have two XG230 in a-p mode. Clients and servers are in different networks. Policies which allow the traffic don't have any security features activated. The clients have different network shares which get connected on Windows login.

The customer is now complaining that it takes a long time (up to 30 seconds) to open a share. Once a share is open, browsing is fine, but from time to time Windows Explorer freezes while changing shares.

As a first approach we configured one client into the server VLAN and this client is now working without any issues. Now we have to look for the solution on the firewall side.

One thing we can see is that we have a lot of invalid traffic with the message "Could not associate packet to any connection." for connections to the servers with the shares on it. 

We already did some research and there are some posts about increasing the "Tcp Connection Establishment Idle Timeout". We still have the default setting in place, 10800 seconds (3 hrs). Could this be the issue? We don't have these interruptions every 3 hrs.

We are running on SFOS 17.0.6 MR-6

Thanks for any advice

Christoph



  • What services did you exactly allow from Client to Server Networks? Can you make sure, you allowed SMB445 and NetBIOS?

    How are the Clients managing the DNS Requests? Who is configured to be their DNS Server?

  • Since we are having troubles we decided not to restrict any services.

    DNS requests are handled by two internal DNS servers, again in another subnet.

    We have subnet A with the clients, subnet B with the DNS servers and subnet C with the network shares. 

    Firewall rules look like this:

    A to B any

    A to C any

    C to B any

  • Hi,

    perform a tcpdump on shell and take a look, what is going on.

    https://community.sophos.com/kb/en-us/123567


    While tcpdump with the host ips of both (client + server) you should open the share. 

  • I'm now waiting for the user who is complaining for a trace. I already did a trace with the whole client subnet and the server as filter. One thing I can see is that we have a lot of "ethertype Unknown" (0x0bcc) and (0x0a46).

    0bcc = 3020 and 0a46 = 2630 

    The server is in the VLAN3020 and the clients in VLAN2630

    VLAN3020 is configured on port7 as Port7.3020 (with other VLANs)
    VLAN2630 is configured on port8 as Port8.2630 (with other VLANs)

    These ports are attached to a switch with ports configured as trunk.

    tcpdump looks like this

    11:33:17.313208 Port7, OUT: Out 00:e0:20:11:0a:33 ethertype Unknown (0x0bcc), length 60:
    0x0000: 0000 0800 4500 0028 277a 4000 7f06 49e2 ....E..('z@...I.
    0x0010: ac1a 1e38 ac1e 1403 c386 01bd b18a f4cd ...8............
    0x0020: 553a b10d 5010 08c2 aaba 0000 U:..P.......
    11:33:47.286007 Port8, IN: In 14:b3:1f:10:f1:60 ethertype Unknown (0x0a46), length 66:
    0x0000: 0000 0800 4500 0029 277b 4000 8006 48e0 ....E..)'{@...H.
    0x0010: ac1a 1e38 ac1e 1403 c386 01bd b18a f4cc ...8............
    0x0020: 553a b10d 5010 08c2 aaba 0000 0000 0000 U:..P...........
    0x0030: 0000 ..

    Could this be an issue? What does this mean?
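    Decoding the two frames quoted above, as an added example (my own code, not from the original post or from Sophos): the hex columns are parsed back into bytes, the IPv4 and TCP headers behind them are decoded, and the "unknown" EtherType values are interpreted as the 802.1Q TCI field, whose low 12 bits are the VLAN ID (0x0bcc & 0x0fff = 3020). One assumption is built in and marked in the code: on the cooked "any" capture the leading 0000 0800 is taken to be what is left of the VLAN tag, so the real EtherType 0x0800 sits at offset 2 and the IP header starts at offset 4.

```python
"""Decode the two tcpdump -x frames quoted in the post above.

Added example, not from the original post or from Sophos. Assumption: on the
cooked "any" capture the first four bytes of the dump (0000 0800) are what is
left of the 802.1Q tag, so the real EtherType sits at offset 2 and the IPv4
header starts at offset 4.
"""
import re
import struct

# Constructed test input: the two dumps exactly as quoted in the thread.
FRAME_A_DUMP = """\
0x0000: 0000 0800 4500 0028 277a 4000 7f06 49e2 ....E..('z@...I.
0x0010: ac1a 1e38 ac1e 1403 c386 01bd b18a f4cd ...8............
0x0020: 553a b10d 5010 08c2 aaba 0000 U:..P......."""

FRAME_B_DUMP = """\
0x0000: 0000 0800 4500 0029 277b 4000 8006 48e0 ....E..)'{@...H.
0x0010: ac1a 1e38 ac1e 1403 c386 01bd b18a f4cc ...8............
0x0020: 553a b10d 5010 08c2 aaba 0000 0000 0000 U:..P...........
0x0030: 0000 .."""

HEX_GROUP = re.compile(r"[0-9a-f]{4}|[0-9a-f]{2}")  # tcpdump prints 2-byte groups
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def vlan_id(tci):
    """The 'EtherType' tcpdump could not name is the 802.1Q TCI; low 12 bits = VLAN ID."""
    return tci & 0x0FFF


def parse_hexdump(dump):
    """Turn 'offset: hhhh hhhh ... ascii' lines back into bytes.

    Hex groups come before the ASCII column, so parsing stops at the first
    token that is not a 2- or 4-digit hex group (the ASCII column is 16
    characters on a full line, so it never matches).
    """
    data = bytearray()
    for line in dump.splitlines():
        _offset, _, rest = line.partition(":")
        for token in rest.split():
            if not HEX_GROUP.fullmatch(token):
                break
            data += bytes.fromhex(token)
    return bytes(data)


def decode_frame(dump):
    """Decode EtherType, IPv4 and TCP headers of one captured frame."""
    raw = parse_hexdump(dump)
    ethertype = struct.unpack("!H", raw[2:4])[0]   # assumption: real type at offset 2
    ip = raw[4:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, _ident, _frag, ttl, proto = struct.unpack("!HHHBB", ip[2:10])
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]                         # drops Ethernet padding after the datagram
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    data_off = (tcp[12] >> 4) * 4
    flags = [name for bit, name in TCP_FLAGS if tcp[13] & bit]
    window = struct.unpack("!H", tcp[14:16])[0]
    return {
        "ethertype": ethertype, "proto": proto, "ttl": ttl,
        "src": src, "dst": dst, "sport": sport, "dport": dport,
        "seq": seq, "ack": ack, "flags": flags, "window": window,
        "payload_len": len(tcp) - data_off,
    }


def summarize(tci, dump):
    """One-line summary in the style of a normal tcpdump line."""
    f = decode_frame(dump)
    return (f"VLAN {vlan_id(tci)}: {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} "
            f"[{','.join(f['flags'])}] ttl={f['ttl']} seq={f['seq']:#x} "
            f"payload={f['payload_len']}")


if __name__ == "__main__":
    print(summarize(0x0BCC, FRAME_A_DUMP))  # Port7 OUT, server VLAN
    print(summarize(0x0A46, FRAME_B_DUMP))  # Port8 IN, client VLAN
```

    What the decode shows: both frames are IPv4/TCP from 172.26.30.56 port 50054 to 172.30.20.3 port 445 (SMB) with only the ACK flag set. Frame B comes in on Port8 with TTL 128 and frame A goes out on Port7 with TTL 127, which places 172.26.30.56 on the client side of the firewall and 172.30.20.3 on the server side. Frame B carries a single payload byte at the sequence number one below frame A's, the shape RFC 1122 allows for TCP keep-alive probes, so these are idle-session segments on an established SMB connection rather than errors; the "Unknown" EtherType is only tcpdump showing the VLAN tag's TCI where it expected a type field.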


  • Hi,

    my mistake - please use the advanced Shell (Option 5 - 3) and use:

    tcpdump -ni any host Client_IP and host Server_IP

    Those packets are the ethernet packets, which are quite normal. 

  • In the policy between the clients and network shares was NAT active. This was due to special circumstances. Now we deactivated NAT and the performance has improved. 

    But what we see is that PING response time isn't stable. It constantly changes from <1ms up to 26ms if we PING from a device in another subnet to the server with the shares. PING to the corresponding gateways is <1ms or =1ms.


  • 26 ms sounds like a WAN connection. Is something between those devices which could cause such a delay? 

    Can you ping from XG to both devices? 

  • From the XG to the server we got this:

    round-trip min/avg/max = 0.117/0.301/14.806 ms (3674 packets)

    From the XG to the client we got this:

    round-trip min/avg/max = 0.149/0.261/4.141 ms (3675 packets)

    From the XG to the server and to the client we have two switches in between.

    But I think ping is not a proper way to test the performance? Please correct me if I'm wrong. We just did a couple of "iperfs" between these two machines and we can say that the speed is at 1Gig.

    Customer has confirmed that performance has improved since we disabled the NAT but Windows Explorer still hangs from time to time. We are now tracing (tcpdump -ni any host CLIENT and net SERVER-WITH-SHARES) all traffic from one client which is constantly complaining and I will post an update as soon as we have a new case.

    Thanks for your help so far
    Christoph

  • Hi 

    We analysed the traffic from tcpdump with the support. Nothing special. 

    Further investigations with the clients showed that this behaviour just happens when opening Windows Explorer. As soon as Explorer is open everything works just fine. Now we are looking into DNS with the server people since we found some misconfiguration on the DNS side.


    Conclusion: firewall is fine, we had two problems

    1. NAT activated (misconfiguration)

    2. DNS (coming from another system)


    Regards

    Christoph