
Sophos XG with 2 external legs - shifting the GW for a client: reboot of XG required

Hi,

 

We have a Sophos XG with 2 external legs (DSL and cable). SFOS is 17.5, the current version.

I am changing the GW for a FW rule to route IP phones through DSL (default is cable). I can see that all traffic is routed to DSL after this. So I reboot the IP phone. No connection to the external IP cloud any more.

This changes after rebooting the XG: the connection comes up.

Strange behaviour. I cannot reboot the firewall every time after changing one FW rule.

Bug?



  • Hi,

    sounds a little strange, maybe a hardware fault? What sort of XG is it?

    An alternative to restarting the XG is to open the network interface and save it without making changes while this issue is investigated. It might also be caused by the change of gateway and the XG not dropping the traffic connections through the original gateway until they time out. I am not sure how to overcome this unless you are using clientless users; then you do the change of status without rebooting the XG.

    Ian

  • Sophos is XG85w

    I'll try next time. Thanks for this hint.

  • Hi,

    I tried without success. I updated the LAN interface (on which the telephones are connected).

    Rebooting the firewall is necessary!

  • Hi,

    Very simply: unless you are using user management, changing gateways will not work without a reboot. The session does not drop unless the link fails or the user is disabled and then re-enabled. If you do this through the drop connections setting, the only way to connect the user again is with an XG restart.

    The XG maintains the connections through the old rule, so you would have to disable the rule to cause the connections to drop and re-establish when the new rule is activated.

    How long the timeout is I don't know so a forum mod will hopefully chime in with details.
    Ian

  • OK. Thanks for reply.

    I am astonished because the logfile shows that traffic is going via the new GW the moment I press "apply" for that rule (shifting from GW1 to GW2)!

    So logfile and reality are not the same?!

  • Hi rfcat and Gernot,

    If a connection is established through a gateway, the connection is kept through interface persistence until it is terminated. For instance, if a SIP phone were to establish a polling connection on 5060 with, say, Gamma Telecom and were to keep the TCP connection alive with regular refreshes, it would technically never switch back to the previous gateway. I do believe the timeout is 60 seconds on top of this, but it is based on sticky session activity.

    The same goes for Firewall rules due to Fast Path Packet Routing (IIRC) so that's why on some occasions the traffic will still exist on an old rule but in some cases be shown differently in the log viewer. It is a very odd race condition.

    I'm going to be honest, the XG85s are expensive paperweights in my eyes, and for any issues around them I immediately suspect the XG85 hardware capabilities before anything else. I normally recommend a minimum of an XG115 if you want to do anything more than basic firewall and packet routing; then maybe you'll get away with a 105, but even then I still would not consider an 85.

    This is why I would also veer towards rfcat's suggestion of hardware, because I have seen this type of behaviour all the way up to a 750, but never as visible as the issue you have described, and I have never had to reboot a firewall just to switch and push the connections around after a change. Except after the first-time installation, where sometimes firewall rule creation is just not referenced properly: reboot once and never again.

    Sorry about my harsh comments on the 85, but they really are bottom of the stack :(

    Emile
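The persistence behaviour Ian and Emile describe above (first packet of a flow picks the gateway, later packets stick to it until the flow ends or idles out, disabling the rule evicts its flows) is easier to reason about with a small model. The following is an added example written for this page; it is not SFOS code and does not come from Sophos. The 60-second idle timeout is taken from Emile's figure and is an assumption here, the rule name, addresses and ports are constructed, and the "log viewer reports the rule's current gateway while forwarding follows the pinned flow" behaviour is a modelling assumption that shows one way the log and the real path can disagree, not a description of how the XG log viewer is implemented.

```python
"""Toy model of stateful multi-gateway routing with flow persistence.

Assumed behaviour (not SFOS code): the first packet of a 5-tuple flow is
matched against the rule list and the rule's gateway is pinned to the flow;
later packets follow the pinned gateway even after the rule is repointed;
a flow idle for longer than IDLE_TIMEOUT is dropped; disabling a rule
evicts the flows it admitted.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IDLE_TIMEOUT = 60.0  # seconds; assumed, matches the figure quoted in the thread

FlowKey = Tuple[str, str, str, int, int]  # (src, dst, proto, sport, dport)


@dataclass
class Rule:
    name: str
    src_prefix: str   # simplified matcher: source address prefix
    gateway: str      # gateway the rule currently names
    enabled: bool = True


@dataclass
class Flow:
    rule: str         # rule that admitted the first packet
    gateway: str      # gateway pinned when the flow was created
    last_seen: float


@dataclass
class Firewall:
    rules: List[Rule]
    flows: Dict[FlowKey, Flow] = field(default_factory=dict)
    # (time, key, gateway the rule names at log time, gateway actually used)
    log: List[Tuple[float, FlowKey, str, str]] = field(default_factory=list)

    def _match(self, src: str) -> Optional[Rule]:
        for r in self.rules:
            if r.enabled and src.startswith(r.src_prefix):
                return r
        return None

    def _expire(self, now: float) -> None:
        dead = [k for k, f in self.flows.items() if now - f.last_seen > IDLE_TIMEOUT]
        for k in dead:
            del self.flows[k]

    def forward(self, key: FlowKey, now: float) -> Optional[str]:
        """Return the gateway a packet actually leaves through (None = dropped)."""
        self._expire(now)
        rule = self._match(key[0])
        flow = self.flows.get(key)
        if flow is None:
            if rule is None:
                return None
            flow = Flow(rule.name, rule.gateway, now)
            self.flows[key] = flow
        flow.last_seen = now
        # Modelling assumption: the log shows what the rule names now, while the
        # packet follows the pinned flow entry. Both columns can be "true" at once.
        self.log.append((now, key, rule.gateway if rule else "-", flow.gateway))
        return flow.gateway

    def set_gateway(self, rule_name: str, gateway: str) -> None:
        for r in self.rules:
            if r.name == rule_name:
                r.gateway = gateway

    def set_enabled(self, rule_name: str, enabled: bool) -> None:
        for r in self.rules:
            if r.name == rule_name:
                r.enabled = enabled
        if not enabled:  # evict the rule's flows so they re-match on the next packet
            self.flows = {k: f for k, f in self.flows.items() if f.rule != rule_name}


# Constructed sample flow: an IP phone keeping a SIP/TCP session open.
SIP: FlowKey = ("10.0.5.21", "203.0.113.10", "tcp", 50000, 5060)


def _fw_after_repoint() -> Firewall:
    """Phone opens its session via cable, then the admin repoints the rule to DSL."""
    fw = Firewall([Rule("phones-out", "10.0.5.", "cable")])
    fw.forward(SIP, 0.0)
    fw.set_gateway("phones-out", "dsl")  # "Apply" clicked at t=0
    return fw


def phone_keepalive_scenario() -> List[Tuple[float, str, str]]:
    """Keepalives every 30 s (< IDLE_TIMEOUT): the flow never migrates."""
    fw = _fw_after_repoint()
    return [(t, fw.log[-1][2], gw) for t in (30.0, 60.0, 90.0, 120.0)
            for gw in (fw.forward(SIP, t),)]


def idle_then_new_packet(gap: float) -> Optional[str]:
    """Gateway used by the next packet after the flow has been idle for `gap` seconds."""
    return _fw_after_repoint().forward(SIP, gap)


def disable_reenable_scenario() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Disabling the rule evicts the flow; after re-enabling, the new gateway is used."""
    fw = _fw_after_repoint()
    still = fw.forward(SIP, 5.0)
    fw.set_enabled("phones-out", False)
    dropped = fw.forward(SIP, 6.0)
    fw.set_enabled("phones-out", True)
    after = fw.forward(SIP, 7.0)
    return still, dropped, after


if __name__ == "__main__":
    for t, logged, real in phone_keepalive_scenario():
        print(f"t={t:>5}s  log says {logged:<5}  packets via {real}")
    print("idle 30s ->", idle_then_new_packet(30.0), "| idle 61s ->", idle_then_new_packet(61.0))
    print("disable / re-enable ->", disable_reenable_scenario())
```

In the model the log column flips to "dsl" the instant the rule is repointed while the packets keep leaving via "cable", which is exactly the mismatch reported in this thread; a flow that goes quiet for longer than the idle timeout, or whose rule is disabled and re-enabled, picks up the new gateway on its next packet without any reboot.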

  • Thanks for answer!

    To the first thing: again, looking at the logfile, it shows something different. Apply a rule and the logfile shows traffic gets routed through GW2 (every time).

    Switch back: the logfile also switches. So this would mean: logfile and reality are not the same. Strange!

     

    To the second thing:

    It sounds like: never buy an 85...

    Looking at any performance counter: There is no indication for any performance trouble...

    But I will think about it.

  • Hi Gernot,

    Wait, depending on which rule is live it is showing the other gateway that has been configured as live, like completely in reverse (i.e. Rule 1 is meant to be GW1 but is showing GW2 and vice versa)?

    For basic firewall outgoing routing for a few machines, an XG85 will cut it but I always err on the side of caution. The 85 is so completely different from the rest of the product stack with storage etc that it's a relative unknown to me. That and it was only really created as an upgrade option for the really small Cyberoam boxes!

    It can serve a purpose, I just like a little bit more meat on my firewalls :P

    Emile

  • I hope that no customer will ever read this post.

    I will substitute the XG85 with XG 115 and pray for better results.

    Keep you informed.
