This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Gateway 1 - Main ISP keeps getting disconnected, unable to find logs

Hi All,

I would like to seek your assistance regarding our issue.

We have DUAL WAN setup ISP#1 and ISP#2.

Since Thursday, ISP#1 keeps getting disconnected every several hours and it will stay disconnected for 15mins to 20mins.

The problem here is that even though we have a Failover, we still have several Webservers that are not setup for Failover.

So during the ISP#1 downtime, we lost connectivity to several webservers.

I have confirmed that during the 15-20mins downtime, the Internet is still flowing in the Mikrotik Router (ISP#1 router).

I am 100% sure that there is internet in the Mikrotik Router in the duration of the downtime in Sophos.

As I cannot find any meaningful errors in the Sophos logs, I replaced the Ethernet cables from ONT to Mikrotik Router, from Mikrotik to Sophos, and from Sophos to Switch.

I also upgraded to the latest SFOS 17.5.12 MR-12.HF052220.1 yesterday.

However, this morning, the issue started happening again.

Is there a way to find any meaningful error besides the dgd.log?

I called Sophos Support and spent 2 days chasing Support and a total of 3 hours call but Escalation Engineer told me its an ISP Issue.

I am 100% confirmed that it is NOT an ISP issue as everything is working well in the Mikrotik Router every time ISP#1 went down in Sophos.

If you could just point me to the right direction or logs as to determine what could be causing the problem, I will very much appreciate it.

Thank you.

This thread was automatically locked due to age.

Parents

0 emmosophos over 5 years ago

Hello Sophos User1499,

Would it be possible for you to share the Case ID.

How are you checking that when the internet goes down on #ISP1 you still have internet connectivity? Have you tried to connect the WAN port that goes to the ISP#1 to a computer when the issue is happening and run a Ping test?

I take you have changed the Failover rule to ping an IP address beyond the IP of the ISP router?

Regards,
Cancel
Vote Up 0 Vote Down

Cancel
0 Sophos User1499 over 5 years ago in reply to emmosophos

@emmosophos,

I can confirm that the Internet is working on ISP#1.

I have taken out Sophos Firewall and the internet is working directly from the Mikrotik Router which is the ISP#1.

Also, from the 6 disconnects yesterday, I found out that there is a 20minute window that Sophos keeps showing that ISP#1 is down from GUI and CLI but when I checked the Public IP on all my devices, it is still getting ISP#1 IP Address. But most of the time, when ISP#1 is showing as down, it will failover to ISP#2, leaving my webservers on ISP#1 down.

I have told all this to Sophos Escalation Engineer but he keeps insisting that it is an ISP issue which clearly it is NOT an ISP issue.

I just want to know where to read more meaningful logs to understand why Sophos Firewall keeps disconnecting ISP#1.

Case#: 9927707
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Sophos User1499 over 5 years ago in reply to emmosophos

@emmosophos,

I can confirm that the Internet is working on ISP#1.

I have taken out Sophos Firewall and the internet is working directly from the Mikrotik Router which is the ISP#1.

Also, from the 6 disconnects yesterday, I found out that there is a 20minute window that Sophos keeps showing that ISP#1 is down from GUI and CLI but when I checked the Public IP on all my devices, it is still getting ISP#1 IP Address. But most of the time, when ISP#1 is showing as down, it will failover to ISP#2, leaving my webservers on ISP#1 down.

I have told all this to Sophos Escalation Engineer but he keeps insisting that it is an ISP issue which clearly it is NOT an ISP issue.

I just want to know where to read more meaningful logs to understand why Sophos Firewall keeps disconnecting ISP#1.

Case#: 9927707
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 rfcat_vk over 5 years ago in reply to Sophos User1499

Hi,

what are the settings in the Mikrotik DHCP server?

Ian
Cancel
Vote Up 0 Vote Down

Cancel
0 Sophos User1499 over 5 years ago in reply to rfcat_vk

Hi ian

The Mikrotik is not setup as a DHCP server. The issue only started last Thursday and the DUAL WAN has been setup for more than a year now.

I have 5 Static WAN IP Address setup on the Mikrotik Router, All WAN IP is working from the Mikrotik Router to all other devices except for the Sophos Firewall.

The WAN IP Address assigned to the Sophos Firewall is confirmed working on the Mikrotik Router when Sophos Firewall is showing as disconnected.

The DUAL WAN failover is previously setup to ping 8.8.8.8 and I have added to ping the ISP#1 DNS Address today but I still get the 20minutes disconnect after several hours.

I am hoping to find any meaningful logs so I can properly start to troubleshoot the issue as I have already physically isolated the issue to be on the Sophos side.

However, I have yet to find anything at all.

Thank you for your reply. I really appreciate it.
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 5 years ago in reply to Sophos User1499

Hi,

I gave up on 8.8.8.8 as test site being not reliable. Also the XG does not automatically reconnect if it senses a link failure, this in an ongoing issue.

My experience.

ian
Cancel
Vote Up 0 Vote Down

Cancel
0 Sophos User1499 over 5 years ago in reply to rfcat_vk

ian

Thanks again for your reply.

I have already removed 8.8.8.8 and changed it to the ISP DNS Address but after 3 hours, the disconnect happens again.

I am stumped as to where could I possibly find any other logs in the Sophos Firewall.

In dgd.log, it only shows "Failed, Retrying(4) Ping : 123.100.x.x"

Thank you.
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 5 years ago in reply to Sophos User1499

Hi,

Next trick to try is edit and save the offending interface without changing anything. See how long that stays up for.

Also what are the CPU.memory and load like?

Ian
Cancel
Vote Up 0 Vote Down

Cancel
0 Sophos User1499 over 5 years ago in reply to rfcat_vk

rfcat_vk

Disk Usage is 22% Used Only

CPU Usage IDLE is at 95.53%

Thanks for the mention of the trick, I will try this and see how long it stays up.
Cancel
Vote Up 0 Vote Down

Cancel
0 Sophos User1499 over 5 years ago in reply to Sophos User1499

rfcat_vk

I did the edit and save without any changes on both ISP1 and failover settings.

ISP1 just went down again just now.
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 5 years ago in reply to Sophos User1499

Hi,

that CPU usage is that about 5% free?

What does TOP how as to what is hogging CPU?

Ian
Cancel
Vote Up 0 Vote Down

Cancel
0 Sophos User1499 over 5 years ago in reply to rfcat_vk

rfcat_vk

I meant, CPU IDLE 95%, so only 5% is currently used over this weekend.

I generated a 48-hour report. So even with only 5% use on the CPU, I still experienced several disconnects.

Without proper logs in Sophos Firewall, I am troubleshooting based on isolation only.

I can confirm that when Sophos is showing ISP1 as disconnected, I can still ping the Sophos Public IP from outside network.

I have now used a different PORT interface in the Sophos Firewall for ISP1 and recreated all Firewall Policies pointing to the new port interface for ISP1.

However, I still experience the disconnect.
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 5 years ago in reply to Sophos User1499

Hi,

the issue will be with the ping and XG not seeing the ping response and as a result it thinks the link is down when in reality there is nothing wrong with the link.

I haven't configured a fail over even though it is almost mandatory and you have to convince it not to activate on failure.

Ian
Cancel
Vote Up 0 Vote Down

Cancel