Can't ping outside WAN - Firewall-acceleration

Hello Ste,

this is definitely a bug.

We have the same issue on a XG550 after the migration from 17.5.12 to 18.0.4 MR-4.

The thing is not reproducable. We had it right after the migration on 9th of january. Then it vanished for some weeks and probably came back a couple of days ago.

Disabling the firewall-acceleration also helped in our case but we decided to leave the acceleration on as sophos support never told us to disable it and we wanted to find the root cause. This is diffcult as running tcpdump also will let the error go away.

We have another issue with UDP Packets and Teams Communication which might be related in some way. However this issue is older and we have seen it also on 17.5.x.

For me it looks like some packets are dropped under certain circumstances.

Regards
BeEf

Hi BeEf,

Have you opened a case with support for this issue? If not, please open a support case and PM me the case number. 

Thanks,

is there any chance to open a Bug and resolve it in the next update?

We cannot fix anything, which is not completely investigated. And as this issue seems to be hard to troubleshoot, it needs to be investigated further. 

Just to be sure: Ste & BeEf you are using HA? 

Yes I'm using HA. 

I would say that the customer buy a new cluster of XG 310 and now I've say him that sophos drop packet without reason and is hard to troubleshoot it. He is not really happy about and he want to breack down the new hardware with a big Hammer...

Just to be clear, there seems to be an issue - It will be investigated in your case ID, if you do not want to continue to have those (ICMP!) drops, disable the Firewall acceleration for this matter. 

I do not see any issue in this approach, you have a working workaround for the time while the issue is being identified. 

Yes I am using HA.

So far it is only seen by ICMP (tested mainly with Ping).
I already told H_Patel in a personal note some details which we opened indirectly via our consulting company after the migration.

For details you can ask your colleague Mr. Gunjan Bhatt.

BeEf and Ste,

The support team is investigating this issue with the internal ID NC-69286. Ste, we've updated your case with this internal ID; I will update this thread as more information becomes available. 

Thanks,

Thank you Patel for the update

Wondering: Which tool do you use to monitor those pings? Can this tool adjust the ICMP timeout? Maybe there are no drops, instead simple ICMP timeout (Latency) issues? 

Because i could eventually reproduce this with a tool and 500ms timeout, stable on 1000ms timeout. 

ping -t on windows 10 with default settings.  

I don't think so as this goes away when running tcpdump or switching off the fastpath. 

The default timeout is quite high (4s )and eg. google 8.8.8.8 responds very quickly ...

(Just an example.)

ping -t on windows 10 with default settings.  

I don't think so as this goes away when running tcpdump or switching off the fastpath. 

The default timeout is quite high (4s )and eg. google 8.8.8.8 responds very quickly ...

(Just an example.)