
TCP Retransmission / RST, ACK - Application Freezing

Hello, 

We are having a strange problem when accessing a web application over a VPN (IPsec site-to-site). The web application, when accessed over the VPN, stays "Loading" and freezes. After using Wireshark on the server hosting the web application I could see some retransmission events (image attached).

My troubleshooting steps until now:

- Create a DNAT rule at the Head Office and try to access the same application by WAN address from the Branch Office; the application works as expected.

- Accessing this application over the same LAN (from the Head Office) works as expected.

- Disable all IPS rules on the VPN-TO-VPN firewall rules. No effect, not working.

- Change the web application port on the hosting web server; not working.

- Adding bypass stateful firewall rules on the BO device and the HO device, access works as expected. (With this I suppose that there is something on the XG device that may be causing it.)

All other access (SSH, CIFS, RDP) from BO to HO over this VPN works.

Could someone give me any tip for this?

Regards

Carlos
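
The retransmission and RST,ACK events Carlos saw in Wireshark can be spotted in a packet export the same way. This added Python example (not part of the thread, constructed sample packets, not the poster's capture) applies Wireshark's basic retransmission rule to a flow summary and separates out the payload sizes involved, since an MTU problem typically loses only the full-size segments, while a device tearing the session down shows up as an RST,ACK mid-transfer.

```python
from collections import defaultdict

# Constructed sample resembling a tshark export of one client/server flow:
# (time, src, sport, dst, dport, flags, seq, payload_len)
PACKETS = [
    (0.000, "192.168.2.10", 51000, "192.168.0.5", 8080, "S", 1000, 0),
    (0.010, "192.168.0.5", 8080, "192.168.2.10", 51000, "SA", 5000, 0),
    (0.011, "192.168.2.10", 51000, "192.168.0.5", 8080, "A", 1001, 0),
    (0.012, "192.168.2.10", 51000, "192.168.0.5", 8080, "PA", 1001, 300),
    (0.020, "192.168.0.5", 8080, "192.168.2.10", 51000, "PA", 5001, 300),   # small reply, delivered
    (0.021, "192.168.2.10", 51000, "192.168.0.5", 8080, "A", 1301, 0),
    (0.022, "192.168.0.5", 8080, "192.168.2.10", 51000, "PA", 5301, 1400),  # full-size segment
    (0.222, "192.168.0.5", 8080, "192.168.2.10", 51000, "PA", 5301, 1400),  # never acked: resent
    (0.622, "192.168.0.5", 8080, "192.168.2.10", 51000, "PA", 5301, 1400),  # resent again
    (1.500, "192.168.2.10", 51000, "192.168.0.5", 8080, "RA", 1301, 0),     # session reset
]


def analyze(packets):
    """Return (time, direction, kind, payload_len) for every retransmission
    or reset. Rule: a data segment whose (seq, len) was already seen in the
    same direction is a retransmission; any segment with R set is a reset."""
    seen = defaultdict(set)  # direction -> {(seq, len)} of data segments seen
    findings = []
    for t, src, sp, dst, dp, flags, seq, plen in packets:
        direction = f"{src}:{sp}->{dst}:{dp}"
        if "R" in flags:
            findings.append((t, direction, "RST", plen))
            continue
        if plen == 0:  # SYN/ACK-only segments carry nothing to retransmit
            continue
        if (seq, plen) in seen[direction]:
            findings.append((t, direction, "RETRANSMISSION", plen))
        seen[direction].add((seq, plen))
    return findings


def retransmitted_sizes(findings):
    """Distinct payload sizes that had to be resent, largest first. Only the
    large sizes appearing here is the classic MTU/fragmentation signature."""
    return sorted({p for _, _, k, p in findings if k == "RETRANSMISSION"},
                  reverse=True)


if __name__ == "__main__":
    found = analyze(PACKETS)
    for t, d, kind, plen in found:
        print(f"{t:7.3f}s  {d:40}  {kind:15}  len={plen}")
    print("retransmitted payload sizes:", retransmitted_sizes(found))
```

On the constructed sample the 300-byte reply is delivered while only the 1400-byte segment is resent before the client resets, which is the pattern to compare against a real export before deciding between an MTU change and a firewall-side fix.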



  • Hi, thanks for the reply.

    I appreciate the considerations.
    But only new information that makes me believe that this problem is related to the XG:

    1 - The DNAT works as expected; yes, the DNAT is done by the XG (WAN to application).

    2 - The problem does not happen only with the VPN; it happens with routing too. On the same device I have two network segments, LAN (192.168.0.0/24) and another LAN zone (192.168.2.0/24), each one connected to a physical port on the XG device.
    The same problem happens when users from the LAN network 192.168.2.0/24 try to access the application that is running on 192.168.0.0/24.
    I have tested replacing the XG device with a Mikrotik (only for routing) and it works.
    On the XG device, when creating bypass rules from network 192.168.0.0/24 to 192.168.2.0/24 and vice versa, it works.


    3 - I have another similar scenario that was running V17 firmware and was migrated to V18, and similar behavior is happening.

    Anyway, I created a pcap file to investigate.

    And I saw a lot of messages of this kind:

    Any other tip for this?!

    Best regards

    Carlos

  • It's an MTU size issue. Try to make the MTU size of your VPN client smaller, 1400 or something like that, and retry.

  • Hi, even if you disable things in the rule or GUI, it will still check for things globally, and you have to exempt the rule from that global IPS scanning.

    Do the following (in the classic, non-advanced shell):

    set ips ac_atp exception fwrules <number of the firewall rule>

    And that should solve the problem.

    Bye!

  • Hello,

    Even with the changes the problem persists.

    The problem was fixed as per the suggestion of

    set ips ac_atp exception fwrules <number of the firewall rule>

    I have tested the same configs with SFOS 18.0.2 MR-2 and this problem does not happen. It seems to be something with SFOS 18.0.3 MR-3.

    Regards,

    Carlos

  • Hi

    Thanks for this tip. It fixed the problem; after applying it the RST/retransmission does not happen.

    Regards

    Carlos