XG135 web problems only on two laptops

Dear all,

Can someone help me understand what I missed?

The whole company is working fine, but I was working on two new laptops and only these two didn't reach some internet websites (YouTube, Spotify, SoundCloud and similar).

At the beginning, as you can also notice from the typology of the websites, it sounded like a web filter problem, but even with a specific rule on the firewall with the web filter "allow all" I have the same problem.

In the logs I have, randomly, this:

but in the config the Spoof control is deactivated.

As config I have two XG135 in HA config with (SFOS 18.0.4 MR-4).

Does anyone have a tip?



  • Hey there Stefano, 

    I guess the 30.1 is your Sophos, right? From the look of it, it seems like the source IP is being spoofed, i.e. another device on your network might be configured with the 30.1 IP address? If that's the case, even with spoof protection disabled, I don't think the Sophos will like having another device pretending it's the Sophos on the network... You can also use a packet capture to see the source MAC address.

    Also, if it is web filtering, open the logs and check in the web filter logs. You should see something blocked there if it is indeed the Web Filter. Also, check if you have applied an App policy to the rule, and look at the Application logs too to make sure nothing is being blocked.

    Regards,

    Regis 

  • Hi Regis, thank you for the reply.....

    Now come the stranger things....

    1. I don't think that the IP address will be corrupted by other machines; it's our gateway, and if there is a problem on the gateway IP, nobody will enjoy internet (no?).

    2. WebFilter log

    all fine

    3. no app policy configured

    4. here below the situation on the laptop

    BTW.... I tested over WiFi, same...... other cable (other switch)... same...... only with the hotspot with my mobile it works fine....... I still have no ideas....

  • Can you give me an output of the laptop's "ipconfig /all" and "arp -a"? The information I'm after is the DHCP/DNS and the MAC address associated with the IP address 30.1 on both of the computers that are having issues, and on 1 that doesn't have the issue, to make sure the MAC address for 30.1 is the same and all DHCP/DNS are consistent on all the devices.
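
The comparison asked for above, as an added example that is not part of the thread: it parses Windows `arp -a` output collected from several machines and reports any watched IP that resolves to more than one MAC address. The host labels, the MAC addresses, the `192.168.30.50` address and the full gateway address `192.168.30.1` (expanded from "30.1") are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# One entry row of Windows `arp -a` output: IP, dash-separated MAC, entry type.
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\s+\w+\s*$"
)

def parse_arp(text):
    """Return {ip: mac} for one host's `arp -a` output, MACs lower-cased."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def mac_conflicts(outputs, watch_ips):
    """outputs maps a host label to its `arp -a` text.
    Returns {ip: {mac: [hosts]}} for watched IPs seen with more than one MAC."""
    seen = defaultdict(lambda: defaultdict(list))
    for host, text in outputs.items():
        table = parse_arp(text)
        for ip in watch_ips:
            if ip in table:
                seen[ip][table[ip]].append(host)
    return {ip: dict(macs) for ip, macs in seen.items() if len(macs) > 1}

# Constructed sample captures (MACs from the RFC 7042 documentation range).
SAMPLES = {
    "working-laptop": """
Interface: 192.168.30.50 --- 0x5
  Internet Address      Physical Address      Type
  192.168.30.1          00-00-5e-00-53-01     dynamic
  192.168.30.2          00-00-5e-00-53-02     dynamic
""",
    "failing-laptop": """
Interface: 192.168.30.114 --- 0x7
  Internet Address      Physical Address      Type
  192.168.30.1          00-00-5E-00-53-99     dynamic
  192.168.30.2          00-00-5e-00-53-02     dynamic
""",
}

if __name__ == "__main__":
    for ip, macs in mac_conflicts(SAMPLES, ["192.168.30.1", "192.168.30.2"]).items():
        print(f"{ip} resolves to different MACs: {macs}")
```

An empty result means every machine sees the same MAC for each watched IP, which is the consistent state the post above is checking for.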

  • Here we are....

    first my laptop....working laptop

    then the laptop that is not working

    sigh.... :-(

  • What are 30.2, 30.3 and 30.90? Can you also include the arp -a for those 3 IPs (non-working and working computers)?

    What I can see right off the bat is that the DHCP server for your not-working computer and your working computer are different.  Your working computer receives the IP from 30.2 whereas the non-working computer receives the IP from 30.90?

  • 30.2 is DC with DHCP+DNS

    30.3 is DC with DNS

    30.90 is a DHCP in load balancing with the 30.2 (same scope)

  • Can you check your DHCP Tables on both of your DHCPs to make sure there are no duplicate IP Leases?

    Sorry I'm asking all this - I just like to start from the beginning and understand what's in place.  But when this is done, at this point, we can be quite confident that the "spoofed" log is not on the network side...

  • No worries, the two tables are identical as I expected, the scope is the same :-)

  • Okay - keep your non-working laptop close

    On your XG - go on "Diagnostics", Packet Capture, click "Configure", and write "host 192.168.30.114" like so:

    Click "Save", and toggle the packet capture switch on - then try to go on youtube again, and any other websites that aren't working.  Once you've done that - toggle the packet capture off - and check the outputs.  Look for the following:

    The Source MAC Address should always be the same.  Also, in the output table, you will see the statuses for the different packets, along with the rule the packet used to go out.  From there, we will have a better idea of what is going on.

    QUICK NOTE - DON'T LEAVE THE PACKET CAPTURE ON TOO LONG...  I had some issues where the firewall became unresponsive for a few mins...

  • Sorry Regis,

    Now I'm a little bit confused... do I have to shut down the non-working laptop? I probably misunderstood from where I have to call youtube.com after the modification to the capture filter.... my fault....