Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 8 replies
  • Subscribers 28 subscribers
  • Views 610 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

mr4 SNAT -> traffic is lost suddenly

BasSanders

Hi All,

As support is continuously failing to support us i am trying here.

We have a setup with a cluster of XG210's running 18.0 MR4. Since this implementation, we are regularly having issues with our customers PBX. Packets coming from the PBX towards the SIP provider arrive at the firewall, but then disappear into thin air.

PCAP's show only that the packet is received on the inbound interface. After that, no registration of the packet whatsoever (not in traffic log, session list etc). Also the policy-counters are not increasing anymore (which is logical as the packet doesn't seem to be processed.

The only solution so far is to do a failover to the aux firewall.. and then wait till it happens again (between 6 and 30 hours so far).

Some other PBXs in the exact same config work fine.

Sophos support is being pushed to the limits and provides us supreme attention by sending an email every two days asking if we still have the issue.. (facepalm..)

Anyone seeing similar issues?



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to LuCar Toni

    Hi, Firewall acceleration is currently enabled. We have discussed this with support, but according to them this isn't the issue. Actually, they told us to fiddle with udp timers..

  • 0 in reply to BasSanders

    I would give this a shoot. Try to disable and check if this issue still is there. 

  • 0 in reply to LuCar Toni

    As far as i remember that was done, but i gave it a try. Nevertheless, this all feels rather buggy. It's not the only weird behavior we have with mr4 (constant interruptions of GUI availability for ex).

  • 0 in reply to BasSanders

    Did you try drppkt host u.v.w.x to find discarded packets to host u.v.w.x?


    There is also a couple of other changes in the IDS that are supposed to help. Is IDS switched on?

    Have you installed 18.0 MR4 at the start or did you migrate from an older version (if yes which version?).

    We are facing these issuses since months with teams communication without really being able to resolve it. We had it at 17.5 migrating to 18

    MR-4 did not resolve it.

    Changing the UDP Session Timeout helped but sometimes issues still come up? We set the timeout to an even higher value that the support usually tells (500).


    I'd also try to disable the the acceleration a try (we did not so fare as they are telling us the same). As acceleration lead to a more direct way how the packets are processed under some circumstances I'd not really expect that things are getting worse WITH firewall accelaration.

    We are also running a cluster each fw connected to one of two "clustered" HP 5406v2 Switches.

  • 0 in reply to LuCar Toni

    Done, but issue remains.. So disabling firewall acceleration does not help.