
TCP Retransmission / RST, ACK - Application Freezing

Hello, 

We are having a strange problem when accessing a web application over VPN (IPsec site to site). When accessed over the VPN, the web application stays loading and freezes. After using Wireshark on the server hosting the web application I could see some retransmission events (image attached).

My troubleshooting steps until now:

- Create a DNAT rule on Head Office and try to access the same application by WAN address from Branch Office; the application works as expected.

- Accessing this application over the same LAN (from Head Office) works as expected.

- Disable all IPS rules on the VPN-TO-VPN firewall rules. No effect, not working.

- Change the WEB application port on the hosting web server, not working.

- Adding bypass stateful firewall rules on the BO device and HO device, the access works as expected. (With this I suppose that there is something on the XG device that can be causing it.)

All other access (SSH, CIFS, RDP) from BO to HO over this VPN works.

Could someone give me any tip for this?

Regards

Carlos



  • Hello Carlos,

    Thank you for contacting the Sophos Community!

    Could you please try changing the MTU size in the IPsec tunnel for these subnets or hosts. Modify as per your network; also, you don't need to add the whole subnet, you can have only one host.

    iptables -t mangle -I POSTROUTING -s 192.168.1.0/24 -d 10.10.0.0/22 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 900;
    iptables -t mangle -I POSTROUTING -s 10.10.0.0/22 -d 192.168.1.0/24 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 900;

    Are both sides of the IPsec XG?

    Can you confirm if all the packets are leaving the interface ipsec0?

    Are you running v18 or v17?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi ,

    I just applied the iptables rules and disabled the bypass rules, and the problem happens.

    Answering your question about whether the traffic passes by the ipsec interface: no, the traffic passes by the xfrm interface, because the IPsec tunnel is tunnel mode.

    Other information: in these BO peers I have a transparent interface (layer 2) connected to HO, like a point to point... even using this interface I get the same problem.

    Regards

    Carlos

  • Hello Carlos,

    Thank you.

    Oh, I misread the part about the bypass making it work; then the command wouldn't make too much of a difference.

    Do you see something in the Live Log, that might give us a clue?

    Regards,


     
    Emmanuel (EmmoSophos)
  • Hello

    Yesterday, debugging it in more detail, I could see that when the application freezes, this event is generated (captured by drppkt)

    But I believe that is a result of "TCP Reset Connections" previously sent. You can see in this log a *R* flag.

    I re-enabled the bypass rule as a workaround for it.

    Do you have any other tip?

    Best regards

    Carlos

  • Likely an application issue.

    Those F/R packets are dropped because they are duplicated. So the app or the client is closing the session.


  • Hi

    I believe not, because with bypass rules, DNAT, or access originating from the same LAN there is no problem.

    Regards,

    Carlos

  • Hello Carlos,

    As Luca mentioned, it seems like it is the application/client closing the sessions.

    I guess your next step, if you want, would be to do a pcap on the XG and then examine the pcap in Wireshark; it should be taken with and without the bypass.

    https://support.sophos.com/support/s/article/KB-000037007?language=en_US

    Regards,


     
    Emmanuel (EmmoSophos)
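    One way to do the "with and without bypass" comparison suggested above without eyeballing the whole trace: the script below is an added example, not code from the thread or from Sophos. It takes a per-segment summary of the kind Wireshark can export from each pcap (field names and the sample segments are constructed here, with the 192.168.2.x and 192.168.0.x hosts from this thread) and counts retransmissions and RST segments per flow, so the two captures can be compared side by side.

```python
# Added example: classify TCP events from two capture summaries (filtered vs bypass).
# Segment dicts and their field names are an assumption of this example; they would be
# filled from a Wireshark export of the two XG pcaps.
from collections import defaultdict

def seg(src, sport, dst, dport, seq, length, flags):
    """Build one segment record; flags is a string of TCP flag letters, e.g. 'S', 'PA', 'RA'."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "seq": seq, "length": length, "flags": flags}

def classify_segments(segments):
    """Per-flow counts of segments, retransmissions and resets.

    A retransmission is a SYN, FIN or data-carrying segment whose
    (flow, seq, flags, length) tuple has already been seen in the capture.
    Pure ACKs and RSTs are never counted as retransmissions.
    """
    seen = set()
    stats = defaultdict(lambda: {"segments": 0, "retransmissions": 0, "resets": 0})
    for s in segments:
        flow = (s["src"], s["sport"], s["dst"], s["dport"])
        stats[flow]["segments"] += 1
        if "R" in s["flags"]:
            stats[flow]["resets"] += 1
        if s["length"] > 0 or "S" in s["flags"] or "F" in s["flags"]:
            key = (flow, s["seq"], s["flags"], s["length"])
            if key in seen:
                stats[flow]["retransmissions"] += 1
            seen.add(key)
    return dict(stats)

def compare_captures(filtered, bypass):
    """Totals for each capture, so resets/retransmissions seen only when XG filters stand out."""
    def totals(stats):
        return {k: sum(v[k] for v in stats.values())
                for k in ("segments", "retransmissions", "resets")}
    return {"filtered": totals(classify_segments(filtered)),
            "bypass": totals(classify_segments(bypass))}

C, S = "192.168.2.10", "192.168.0.20"          # constructed client and web server
# Constructed "filtered" trace: SYN and data retransmitted, then a duplicated RST/ACK.
SAMPLE_FILTERED = [seg(C, 51000, S, 8080, 0, 0, "S"), seg(C, 51000, S, 8080, 0, 0, "S"),
                   seg(S, 8080, C, 51000, 0, 0, "SA"), seg(C, 51000, S, 8080, 1, 200, "PA"),
                   seg(C, 51000, S, 8080, 1, 200, "PA"), seg(S, 8080, C, 51000, 1, 0, "RA"),
                   seg(S, 8080, C, 51000, 1, 0, "RA")]
# Constructed "bypass" trace: clean handshake, request, response and orderly FIN close.
SAMPLE_BYPASS = [seg(C, 51000, S, 8080, 0, 0, "S"), seg(S, 8080, C, 51000, 0, 0, "SA"),
                 seg(C, 51000, S, 8080, 1, 200, "PA"), seg(S, 8080, C, 51000, 1, 500, "PA"),
                 seg(C, 51000, S, 8080, 201, 0, "FA"), seg(S, 8080, C, 51000, 501, 0, "FA")]

if __name__ == "__main__":
    print(compare_captures(SAMPLE_FILTERED, SAMPLE_BYPASS))
```

    If the reset and retransmission counts are non-zero only in the filtered capture, that points at the path through the firewall rather than at the application itself; if both captures show them, the application side deserves the closer look.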
  • Hi ,

    But it does not make sense, because these events (close sessions) happen only when the traffic is filtered by Sophos.

    As I said, this does not happen when I access it by DNAT, on the same LAN, or using bypass rules.

    But I will check pcap files generated by Sophos. 

    I have another similar case that was migrated from v17 to v18 and presents a similar problem.

    Regards

    Carlos

  • There is something the client or the server does not like about this connection. There could be multiple reasons for this: MTU size, fragmentation, etc.

    If the packet is not the same, the application will close the connection. And you will see such errors in the drop packet capture and log viewer (because the connection will be closed multiple times; that's sometimes normal, depending on the application).

    You say the DNAT works fine. Is the DNAT from XG (WAN to Application)? Therefore the XG is allowing this? So the app is likely having some issues with the VPN connection.


  • Hi, thanks for the reply.

    I appreciate the considerations.
    But here is new information that makes me believe this problem is related to XG:

    1 - The DNAT works as expected; yes, the DNAT is done by XG (WAN to Application).

    2 - The problem does not happen only with VPN; it happens with routing too. In the same device I have two network segments, LAN (192.168.0.0/24) and another LAN zone (192.168.2.0/24), each one connected to a physical port on the XG device.
    The same problem happens when users from the LAN network 192.168.2.0/24 try to access the application that is running on 192.168.0.0/24.
    I have tested replacing the XG device with a Mikrotik (only for routing) and it works.
    On the XG device, when creating bypass rules from network 192.168.0.0/24 to 192.168.2.0/24 and vice versa, it works.


    3 - I have another similar scenario that was running V17 firmware and was migrated to V18, and similar behavior is happening.

    Anyway, I created a pcap file to investigate.

    And I saw a lot of messages of this kind

    Any other tip for this?

    Best regards

    Carlos
