SFOS 17.1.2 MR-2 . Really?

Hi,

there is something wrong with your configuration, maybe? Why are the packets being dropped? Are any applications failing to connect or keep connected?

please post a screenshot of your rule that https enabled?

Ian

Do we talk about the invalid packet drops? Those are harmless.

community.sophos.com/.../131754

sorry folks.

Let me clearly explain. 

I have not made any modifications to my policy after the upgrade. Everything theoretically should work as it was working in the previous release. 

What I am experiencing now almost all the time on either large downloads, streams, etc. I'm seeing alot of RST packets and the connection either times out or the streams (youtube) disconnects and has to reconnect.

This experience was not happening in the previous release. so to check my sanity I rolled back the upgrade and magically the connection was stable.

Keep in mind this only occurs with either large downloads and/or when streaming. 

So this isn't a deal breaker except for last night when I was watching a conference and the connection kept timing out.

CPU is under 4%. 

Memory is at 18-20% give or take.

So I do not think this is a hardware issue as rolling back immediately fixed the problem.

If someone has a link that shows all the changes in the new release that would be very helpful. Im guessing something has changed in how the firewall is now processing packets and/or handling large request. I sure hope Sophos has not implemented a technology like SecureXL which CheckPoint uses. 

Thanks for all responses.

Hey BobbyDigital 

The recent release notes can be found here in our blog. Have you already raised a support case for this issue? If so, please PM me with your ID for follow up.

Thanks,

I have not raised a case. 

I just rolled back the upgrade which of course resolved the problem.

I will just wait for the next release in hopes its more stable for my environment.

Again, I haven't changed anything from a policy perspective.

Thanks for all responses and assistance.

Currently i could not guess why this happen without a live system to check. There are no real changes in the firewall handling or proxy handling which causes such an issue. And as far as i can see, i cannot reproduce this kind of issues with my appliances. 

I can second the response already - I have the latest firmware and 200+ live users hanging off it.

They can stream YouTube or Skype Conferencing etc without interruption. I don't think its a Firmware issue.

Maybe IPS?

I can second the response already - I have the latest firmware and 200+ live users hanging off it.

They can stream YouTube or Skype Conferencing etc without interruption. I don't think its a Firmware issue.

Maybe IPS?

im going to create a bypass rule and see if that helps. the only reason why i'm skeptical is because rolling back immediately fixed the issue. I will upgrade again, create a bypass rule for IDS and report my findings and results.

Again, thanks for all responses.

Did you have any luck with this?

Bypass rule helped. But the issue remains. I haven't tried disabling IPS. 

Only reason why i'm so skeptical to disable IPS and others is because rolling back to the previous firmware results in the issue going away. 

I will disable the IPS for testing purposes and report back.

Again, thanks for all responses

hello,

I took packet captures but I am unable to upload them here. is their a size limit on the upload? if so what is the limit. I can truncate the captures down.

Thanks for All Replies

Hello,

I believe I found the issue. upon reviewing the packet captures I am seeing "TCP OUT OF ORDER" packets which appear to be resulting in TCP Re-transmission. i time stamped the packet captures with the time the issue occurred and the only thing that stood out was this.

Again, this only occurs when connected to the Sophos firewall. I'm just curious as to why without any changes to my firewall this started happening after the software update.

If needed I can upload the packet captures.

Again, thanks for all responses.

Hi BobbyDigital 

I'm currently investigating this issue with our support team. Would it be possible to please raise a support case including this packet capture you gathered, and sending me a PM with your case ID for follow up?

Thanks,