
TCP Retransmission / RST, ACK - Application Freezing

Hello, 

We are having a strange problem when accessing a web application over a VPN (IPsec site-to-site). When accessed via the VPN, the web application stays loading and freezes. After running Wireshark on the server hosting the web application, I could see some retransmission events (image attached).

My troubleshooting steps until now:

- Created a DNAT rule on the Head Office and tried to access the same application by WAN address from the Branch Office; the application works as expected.

- Accessing this application over the same LAN (from the Head Office) works as expected.

- Disabled all IPS rules on the firewall rules VPN-TO-VPN. No effect, still not working.

- Changed the web application port on the hosting web server; not working.

- After adding bypass stateful firewall rules on the BO device and HO device, the access works as expected. (From this I suppose there is something on the XG device that may be causing it.)

All other access (SSH, CIFS, RDP) from BO to HO over this VPN works.

Does anyone have any tip for this?

Regards

Carlos



  • Hello Carlos,

    Thank you for contacting the Sophos Community!

    Could you please try changing the MTU size in the IPsec tunnel for these subnets or hosts? Modify as per your network; also, you don't need to add the whole subnet, you can have only one host.

    iptables -t mangle -I POSTROUTING -s 192.168.1.0/24 -d 10.10.0.0/22 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 900;
    iptables -t mangle -I POSTROUTING -s 10.10.0.0/22 -d 192.168.1.0/24 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 900;

    Are both sides of the IPsec XG?

    Can you confirm if all the packets are leaving the interface ipsec0?

    Are you running v18 or v17?

    Regards,
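
As an added illustration (not part of the reply above or of Sophos' own code), the following Python mirrors what the `-j TCPMSS --set-mss 900` rules do: it walks the option bytes of a TCP SYN, finds the MSS option (kind 2) and lowers it to the configured ceiling, and it computes what MSS fits inside a given tunnel MTU. The SYN option bytes and the encapsulation overhead figure are constructed sample values, not taken from the thread.

```python
import struct

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2

# Constructed sample: options from a typical IPv4 SYN
# MSS 1460, NOP, Window scale 7, SACK permitted, EOL padding
SAMPLE_SYN_OPTIONS = b"\x02\x04\x05\xb4\x01\x03\x03\x07\x04\x02\x00\x00"


def mss_for_tunnel(outer_mtu, encap_overhead, ip_tcp_headers=40):
    """Largest TCP segment that fits in one outer packet: the outer MTU minus
    the tunnel encapsulation (ESP/UDP/outer IP, an assumed per-setup value)
    minus the inner IPv4 (20) + TCP (20) headers."""
    return outer_mtu - encap_overhead - ip_tcp_headers


def clamp_mss(options, max_mss):
    """Rewrite the MSS option in a SYN's option bytes if it exceeds max_mss.
    Returns (new_options, original_mss) where original_mss is None when the
    SYN carried no MSS option. Malformed option lengths raise ValueError."""
    out = bytearray(options)
    original = None
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == TCP_OPT_EOL:          # end of option list
            break
        if kind == TCP_OPT_NOP:          # single-byte padding
            i += 1
            continue
        if i + 1 >= len(out):
            raise ValueError("truncated TCP option header")
        length = out[i + 1]
        if length < 2 or i + length > len(out):
            raise ValueError("malformed TCP option length")
        if kind == TCP_OPT_MSS and length == 4:
            original = struct.unpack("!H", out[i + 2:i + 4])[0]
            if original > max_mss:       # only ever lower the MSS, never raise it
                out[i + 2:i + 4] = struct.pack("!H", max_mss)
        i += length
    return bytes(out), original


if __name__ == "__main__":
    clamped, orig = clamp_mss(SAMPLE_SYN_OPTIONS, 900)
    print("original MSS:", orig, "clamped options:", clamped.hex())
    print("MSS for a 1500-byte link with 60 bytes of overhead:", mss_for_tunnel(1500, 60))
```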

  • Hello ,

    Thank you for your reply.

    I will add the iptables rules as bypass stateful firewall rules and remove the bypass rules.

    Yes, all sides are XG devices running SFOS 18.0.3 MR-3 (1 HO and 4 BO peers). All BO peers present the same problem.

    After applying the MTU changes I will report the results.

    Thank you

    Regards

    Carlos
