This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Traffic inspection bug relay_invalid_traffic

Is this bug going to be fixed, or it has become a feature with a workaround?

Workaround

https://support.sophos.com/support/s/article/KB-000035989?language=en_US&c__displayLanguage=en_US#How-to-Enable-relay_invalid_traffic

BUG reason="HTTP parsing error encountered."

https://community.sophos.com/xg-firewall/sfos-eap/sfos-v18-early-access-program/f/feedback-and-issues/117316/bug---ssl-tls-inspection-seems-to-break-honeywell-smart-devices

BUG reason="HTTP pipelined request encountered."

https://community.sophos.com/xg-firewall/f/discussions/119219/bug-web-filter-blocking-random-categories

This thread was automatically locked due to age.

Top Replies

Michael Dunn over 5 years ago in reply to LuCar Toni +3

As LuCar has said, HTTP Pipeline is not supported in DPI mode.

As posted in the EAP threads you mention, but let me clarify.

The HTTP Pipeline error was appearing for some non-pipeline reasons in EAP, which we think are all resolved in GA.

The only HTTP Pipeline errors that we know about are "real" pipelines such as some netflix hardware. The solution it to configure that traffic only to go through the traditional web proxy.

If you are getting the error for specific traffic only then it is likely real a pipeline error, and you should configure it so that traffic goes through the proxy.

If you are getting that error all over the place (like your screenshot during EAP) you may have another problem that is something to do with your network topology, your configuration, or a fault on your box. Given that we are not getting any support calls about this, it is unlikely (but certainly possible) this is a bug, or if it is one it is only in certain uncommon setups.

For example, HTTP pipeline was supported (but disabled) in FireFox and then removed in 2017. Its removed from Chrome as well, not sure when. However if you are using an old browser that still supports it, and enabled pipelining for it, then you may be experiencing HTTP pipeline errors all over the place. At that point the solution is to update/reconfigure your browser/app/whatever is doing that.

If you are getting that error all over the place and you have Sophos Support, please raise a ticket with them.
If you are getting that error all over the place and you don't have Sophos Support, there is not much I can suggest. Maybe install another box, see if it happens there as well.

Jump to answer

Parents

0 l0rdraiden over 5 years ago

This is still an issue there are too many services using http pipelined connections to ignore it.

Official Sophos response, http pipelined is not an issue and is not supported because nobody uses it.

Now microsoft joins to netflix and many other companies that are already using it. Maybe someday Sophos XG will block windows updates and still won't be an issue.
Cancel
Vote Up +1 Vote Down

Cancel
0 l0rdraiden over 5 years ago in reply to l0rdraiden

More legitimate traffic blocked
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 l0rdraiden over 5 years ago in reply to l0rdraiden

More legitimate traffic blocked
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Michael Dunn over 5 years ago in reply to l0rdraiden

core_memory and IOraiden,

As has been asked before - please contact support and have them escalate until it gets to devs so we can investigate your boxes.

Complaining more on the forum does nothing because we cannot reproduce the problem.
Cancel
Vote Up 0 Vote Down

Cancel
0 l0rdraiden over 5 years ago in reply to Michael Dunn

this can be reproduced but since these are http pipeline requests they say that is not supported by the DPI mode.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 5 years ago in reply to l0rdraiden

Actually i cannot find any application within my appliances and my peer appliances, which have http pipeline requests beside netflix.

None of my own appliances with DPI enabled and Office365/Teams etc. uses http pipeline.

My question would be, which application within the microsoft world is causing this?

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 l0rdraiden over 5 years ago in reply to LuCar Toni

I have no Idea, I have normal Windows 10 Pro machines with office 2019.

I guess they will fix it or do something about, but I guess if any customer complains about this the workaround would be to create a proxy rules for those clients, and the it won't even be a priority for Sophos to solve.
Cancel
Vote Up 0 Vote Down

Cancel
0 Sophos User1323 over 5 years ago in reply to l0rdraiden

Another option would be to create a Firewall rule for the destinations, using FQDN host objects, that uses the proxy instead of DPI mode. This would be more targeted that just using the proxy for all traffic from those clients.
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 5 years ago in reply to Sophos User1323

But, that doesn't work in IPv6 firewall rules.

XG115W - v19.5.1 mr-1 - Home

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 core_memory over 5 years ago in reply to Michael Dunn

I think it makes sense to share in this forum that using DPI mode causes this problem. I also learned about this issue in this forum. If we share the case, we may find some hints to reproduce this issue.

I can't contact support.

I am using the virtual version on VMware ESXi 7.0U1.
Cancel
Vote Up 0 Vote Down

Cancel