Specific sites slow after upgrade to 17.5.8 MR8

We have a Sophos XG 450 rev2. About a week and a half ago we updated to 17.5.8 MR8 and since then certain web apps we use have been experiencing intermittent slowness. Didn't notice it until after the update but can't guarantee it is related. I opened a case with Sophos support but they are having trouble pinpointing the issue. Issue seems to happen specifically to web apps where you log in, or where you submit or read data from a database (Sophos support portal had the issue, for example, when submitting the ticket).

 

Curious if anyone else with an XG 450 on the same version has seen this issue. Tried rebooting, also tried shutting off certain services like IPS/IDS but didn't seem to help at all. It is affecting our students greatly. While support investigates, does anyone have any suggestions?



  • Josh,

    how many times did you run service awarrenhttp:debug -ds nosync?

    If you run it the first time, the debug is enabled. If you run it again, you disable the debug.

    Regards

  • I found out you can check if it is in debug by using "service -S" (it shows the state of services). It was debugging. I feel as though I was missing something. We downgraded the firmware back to MR7 but the issue is the exact same. It is affecting us pretty badly. Could you suggest which of the commands above I should run? Since the sites we use have dozens of IP addresses I pretty much have to use URL. Any assistance is appreciated.

  • Here is what I typed:

    SFVH_SO01_SFOS 18.0.0 EAP1# tail -f /log/awarrenhttp_access.log | grep "alma*"
    1571773080.738165112 [ 7049/0x7fd3d0126400] fwid=1 fwflag="VS" iap=12 aap=4 conn_id=1014323456 id="0001" name="http access" action="pass" method="GET" srcip="192.168.0.8" dstip="216.147.212.92" user="" statuscode=200 cached=0 trxlen=814 rxlen=2698 url="suny-cay.alma.exlibrisgroup.com/.../login" referer="community.sophos.com/.../specific-sites-slow-after-upgrade-to-17-5-8-mr8" type="text/html" upload_file_name="" upload_file_type="" download_file_name="" download_file_type="" authtime=0 dnstime=0 cattime=326 avscantime=9271 fullreqtime=268487 ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:69.0) Gecko/20100101 Firefox/69.0" activity="" av_transaction_id="" categoryname="Information Technology" category="29" app_id=0 app_name="None" app_cat="None"  exceptions=""
    1571773081.056630954 [ 7049/0x7fd3d0126400] fwid=1 fwflag="VS" iap=12 aap=4 conn_id=1014323456 id="0001" name="http access" action="pass" method="GET" srcip="192.168.0.8" dstip="216.147.212.92" user="" statuscode=302 cached=0 trxlen=673 rxlen=347 url="suny-cay.alma.exlibrisgroup.com/.../report referer="suny-cay.alma.exlibrisgroup.com/.../login" type="" upload_file_name="" upload_file_type="" download_file_name="" download_file_type="" authtime=0 dnstime=0 cattime=477 avscantime=0 fullreqtime=193902 ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:69.0) Gecko/20100101 Firefox/69.0" activity="" av_transaction_id="" categoryname="Information Technology" category="29" app_id=0 app_name="None" app_cat="None"  exceptions=""
    1571773082.036233733 [ 7048/0x7fd3cd8ecc00] fwid=1 fwflag="VS" iap=12 aap=4 conn_id=1265035456 id="0001" name="http access" action="pass" method="GET" srcip="192.168.0.8" dstip="216.147.212.84" user="" statuscode=200 cached=0 trxlen=561 rxlen=5838 url="analytics-na02.alma.exlibrisgroup.com/.../saw.dll referer="suny-cay.alma.exlibrisgroup.com/.../login" type="text/html" upload_file_name="" upload_file_type="" download_file_name="" download_file_type="" authtime=0 dnstime=7 cattime=352 avscantime=9438 fullreqtime=218401 ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:69.0) Gecko/20100101 Firefox/69.0" activity="" av_transaction_id="" categoryname="Information Technology" category="29" app_id=0 app_name="None" app_cat="None"  exceptions=""


    In my case, the URL opens quickly.

  • Check that AV and IPS patterns are up to date.

    Thanks

  • Again I got odd results. None of the items listed were from the IP address I was navigating the site with. I got the following:

    XG450_WP02_SFOS 17.5.7 MR-7# tail -f /log/awarrenhttp_access.log | grep "alma*"
    1571776586.194937818 [ 4706/0x7f9ca5c98400] fwid=3 fwflag="V" iap=0 aap=5 conn_id=2088604392 id="0001" name="http access" action="pass" method="POST" srcip="150.155.160.150" dstip="204.154.111.133" user="" statuscode=200 cached=0 trxlen=1209 rxlen=385 url="tps10234.doubleverify.com/event.png referer="http://ads.mopub.com/" type="image/png" upload_file_name="" upload_file_type="" download_file_name="" download_file_type="" authtime=0 dnstime=105600 cattime=101 avscantime=822 fullreqtime=148111 ua="Mozilla/5.0 (Linux; Android 9; moto g(6) Build/PDS29.118-15-11; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/77.0.3865.116 Mobile Safari/537.36" activity="" av_transaction_id="" categoryname="General Business" category="6" app_id=0 app_name="None" app_cat="None"  exceptions="" sandbox="off"
    1571776588.920528039 [ 4708/0x7f9cafe5e000] fwid=3 fwflag="V" iap=0 aap=5 conn_id=196586672 id="0001" name="http access" action="pass" method="POST" srcip="150.155.160.150" dstip="204.154.111.130" user="" statuscode=200 cached=0 trxlen=1303 rxlen=385 url="tps10214.doubleverify.com/event.png referer="http://ads.mopub.com/" type="image/png" upload_file_name="" upload_file_type="" download_file_name="" download_file_type="" authtime=0 dnstime=18568 cattime=91 avscantime=832 fullreqtime=59653 ua="Mozilla/5.0 (Linux; Android 9; moto g(6) Build/PDS29.118-15-11; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/77.0.3865.116 Mobile Safari/537.36" activity="" av_transaction_id="" categoryname="General Business" category="6" app_id=0 app_name="None" app_cat="None"  exceptions="" sandbox="off"
    1571776641.949811440 [ 4709/0x7f9ca483a000] fwid=4 fwflag="V" iap=0 aap=5 conn_id=1939162408 id="0001" name="http access" action="pass" method="POST" srcip="150.155.13.232" dstip="204.154.111.130" user="mprober@student.ccc.lan" statuscode=200 cached=0 trxlen=941 rxlen=393 url="tps10253.doubleverify.com/event.png referer="http://www.citethisforme.com/" type="image/png" upload_file_name="" upload_file_type="" download_file_name="" download_file_type="" authtime=0 dnstime=0 cattime=86 avscantime=782 fullreqtime=22247 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36" activity="" av_transaction_id="" categoryname="General Business" category="6" app_id=0 app_name="None" app_cat="None"  exceptions="" sandbox="off"

  • Dnstime is too high. Change DNS to something else. Try XG as DNS and also change the DNS servers used on XG to something else. Check with your ISP which DNS servers to use. Regards
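
Added example (not part of the original thread and not Sophos code): a Python triage script for the timing fields in `awarrenhttp_access.log` lines like those posted above, run against an exported copy of the log. It filters on the `url` field only, tolerates the missing closing quote seen in the pasted lines, and assumes the time fields share one unit, which the thread does not state; the function names and the 25% threshold are illustrative choices.

```python
import re

PHASES = ("authtime", "dnstime", "cattime", "avscantime")
NUM = re.compile(r'\b(authtime|dnstime|cattime|avscantime|fullreqtime)=(\d+)')
# The url value may lack its closing quote in pasted logs, so stop at a quote or a space.
TXT = re.compile(r'\b(srcip|url)="([^" ]*)')

def parse_line(line):
    """Return the fields needed for timing triage, or None if the line has no fullreqtime."""
    rec = {k: int(v) for k, v in NUM.findall(line)}
    if "fullreqtime" not in rec:
        return None
    rec.update(dict(TXT.findall(line)))
    return rec

def dominant_phase(rec):
    """Name the largest timed phase and its share of fullreqtime (0.0 to 1.0)."""
    phase = max(PHASES, key=lambda p: rec.get(p, 0))
    total = rec["fullreqtime"]
    return phase, (rec.get(phase, 0) / total if total else 0.0)

def triage(lines, url_part="", srcip=None, min_share=0.25):
    """Flag requests where one phase takes at least min_share of the full request time."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or url_part not in rec.get("url", ""):
            continue  # unparseable line, or the match was not in the url field
        if srcip and rec.get("srcip") != srcip:
            continue  # keep only the client being tested
        phase, share = dominant_phase(rec)
        if share >= min_share:
            hits.append((rec.get("srcip", ""), rec["url"], phase, round(share, 2)))
    return hits

# Constructed sample: lines shortened from the log excerpts posted in this thread.
SAMPLE = [
    'method="GET" srcip="192.168.0.8" url="suny-cay.alma.exlibrisgroup.com/.../login" authtime=0 dnstime=0 cattime=326 avscantime=9271 fullreqtime=268487',
    'method="POST" srcip="150.155.160.150" url="tps10234.doubleverify.com/event.png referer="http://ads.mopub.com/" authtime=0 dnstime=105600 cattime=101 avscantime=822 fullreqtime=148111',
    'method="POST" srcip="150.155.160.150" url="tps10214.doubleverify.com/event.png referer="http://ads.mopub.com/" authtime=0 dnstime=18568 cattime=91 avscantime=832 fullreqtime=59653',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

Passing `srcip=` restricts the output to the workstation used for the test, which avoids reading other clients' requests as your own.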

  • I realize this has been quite some time since I replied back, but wanted to share what we found in case anyone else comes across this.  After some work with the Community and with support we discovered that almost all of our Firewall rules were set with the Primary Gateway being "WAN Link load balance".  I noticed that if I changed this setting to be the gateway for the WAN port instead the problem vanished instantly.  It appears that we were trying to load balance our connections even though we only had one outbound gateway.  It was like it was load balancing between the outbound and inbound gateways. 

    If you find yourself with connections that sometimes work and sometimes don't, especially in stateful web apps, I would check your "Primary Gateway" setting and make sure it isn't WAN link load balancer, unless you are doing multiple WAN links.  *(This setting exists in the actual firewall rule in version 17 but I think has been put into its own section in version 18)