
Anyone experiencing issues on XGs (SFOS 17.5.0 GA) with internet access and what looks to be possible DNS resolution failures?

Hi everyone. Looking for feedback on whether anyone else is seeing possible issues with new installs of XGs running 17.5.

We've recently installed a number of XG230s (SFOS 17.5.0 GA) at various clients and they are ALL having similar issues with what looks to be DNS resolution.

The XGs have had IPS / Heartbeat / ATP all turned off to test, rules enabled for LAN any to WAN any etc., and all policies off (to test). So they should have nothing stopping / scanning traffic in or out, but the issue still happens.

It basically looks like a random drop, but it's affecting most users at the same time. If they have Outlook running on 365 open then that connection will also drop, FTP, etc. Basically anything that relies on an external connection will stop for a short period (10-20 secs).

The client sites have internal DNS servers that are fully functional and not logging any issues. 

You still appear to be able to ping an external IP when the drops happen.  There is no indication of issues with ISP or lines. 

Sophos have been looking at it for the last couple of weeks.

  • Do you happen to have any IPS policies configured on the rules for those DNS servers?

    I found that DNS resolution was crap at best when the standard LAN to WAN IPS policy was applied. I recreated a new IPS policy for Windows DNS Servers in my case, which reduced the policies applied drastically.

    I have a single rule for all DNS servers with NAT and this customer IPS rule configured, and all the drops and resolution issues are gone for me.

    Update

    Here are some more details; hopefully they will help you resolve your issue.

    I'm also on the following version (SFOS 17.5.0 GA) and had issues with DNS at the start until I diagnosed it as being the LAN-WAN IPS policy.

    1. DNS LAN-WAN Rule for Domain Controller

    2. Results from DNS test with the standard LAN-WAN IPS Policy.

    3. New IPS Policy

    4. Results since applying the new IPS Policy to the DNS Firewall Rule

    Unsure if it's something to do with the number of rules being processed or if it is one of the rules that is causing the problem, but this fixed it for me.

  • The issue is more than likely that you are using different DNS for the XG from your internal server and the DNS entry update to the XG is timing out. You need to make sure that the XG and the internal DNS are using the same source at the same time for lookups. If the two devices get out of sync, the XG will see the DNS responses from the firewall rule as being attacks and block them, which is what you are seeing.

    The XG does have a DNS proxy.

    Also, did you check the IPS DoS settings to see if any traffic is being blocked by them?

    Ian