Sophos XG "crashing" VDSL modem

I am not sure how this is possible, but I have issues where the XG firewall causes my FTTN DSL modem to stop responding.

Intended Layout (worked for years using VMware workstation edition, recently moved to Hyper-V but think it worked for a while) is:

PC -> Hyper-V Internal Network -> Hyper-V XG [latest ver] -> Physical NIC (not in use by management OS) -> DSL Modem.

There are other connections to the XG (2 other physical NICs, 1 connected to a Cisco switch successfully running OSPF with XG and CCTV Cameras and the second NIC connects to a Smart TV). There are several VMs connecting to XG (CCTV sw, Windows PC, DMZ server).

When the computer starts, everything works fine. Full internet. After about 4 to 5 minutes, I start getting timeout errors on ping and these last for about 5 minutes.

During this time, mobile phone devices which are connected to the DSL Modem (and therefore not going through Sophos) also lose Internet connectivity. Even the modem's internal diagnostics fail (i.e. it can't ping Internet DNS servers). If I turn off the XG and reconfigure physical host NICs to bypass it, I still don't get internet for several minutes. 

I have tried a different brand modem, no change. Different NICs (Intel/Realtek), no change.

If I disable in Hyper-V the NIC going from XG to the Internet this issue does not happen.

If I change the VMs to go direct to the Internet, it does not happen.

It only happens when XG has a connection to the Internet adaptor, even with no VMs or anything else using it.

I reinstalled XG (but restored backup configuration) same issue.

I am really curious as to what in the XG could interfere with 2 different brand modems like that, that even wifi devices connecting to the modem no longer get Internet and the modem itself no longer gets Internet. It's almost like it's somehow triggering packet blocking somewhere. But with no machines putting traffic through, it is something originating from the XG. 

XG logs do not really show anything helpful. Have turned off IPS and ATP.

Please give me some ideas on what to look for. 



  • I assume you are using Hyper-V on your PC to test the XG, not put it into production?

    Check your IP address; you might be having a clash and the modem doesn't like it?

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Hello. I believe I have found the issue and resolved it, but not sure what the root cause is.

    Sophos would cause this issue upon start-up, then randomly and would occur less and less the longer it was running.

    It would effectively crash the modem rendering it inoperable for several minutes (up to ten minutes). During this time, Wi-Fi on the modem would not work, and other devices plugged directly into the modem (i.e. not behind Sophos) also would not work. I tried 2 different brand modems.

    I also reverted to Windows 10 and got the same behaviour. However, running Wireshark, although everything else was dead, there was a flood of DNS lookups, seemingly to be Google servers. Over and over and over again. I was suspecting Hyper-V was the cause but only with Gen 1 machines. However, I have Linux LAMP which is Gen 1 and it works fine and does not cause the issue. Windows machines using the internet access also did not cause the issue. So I knew at this stage that Sophos was the culprit of rendering the modem useless for several minutes.

    So I installed a fresh version of Sophos. There were no issues until the second I entered an IP address on the WAN (through the console). Nothing was configured, registered, no serial entered. I installed into Hyper-V and went straight to the console, accepted the agreement and set an IP address. It got DNS from DHCP on the LAN interface, I think. Again back to Wireshark. A flood of DNS lookups returning various Google servers. Lots of them. Now I do not understand why Sophos is making the same DNS query over and over and over again, so I configured a local DNS caching server on Windows 10 (Deadwood). So I turned off Sophos. The modem remained in a non-responsive state for several minutes still. I then powered on Sophos with the internet disconnected and configured it to use my internal caching server. And it worked perfectly.

    So I wipe the computer and reinstall Windows 11. Load up Sophos and it crashes again regularly. I changed the DNS from 1.1.1.1 to 8.8.8.8 (which is what Deadwood was using) and Sophos kept crashing the DSL modem.

    I have now set Sophos to use the DSL modem as DNS server and it seems to have fixed the issue. Still the odd packet loss, but very short lived. Too early to say if this has totally fixed it, but it is certainly a lot more reliable and definitely usable now.

    So the questions are:

    1. How the heck is a modem dying like that, taking minutes to recover after Sophos is turned off. And to 2 different brands of modem as well.

    2. Why is going to 1.1.1.1 or 8.8.8.8 causing this issue whereas using the modem (which is using my ISP's DNS) not causing the issue.

    3. Why is Sophos seeming to make so many of the same DNS queries so often? I suspect this is triggering some abuse/malware filter somewhere, maybe by the ISP? At any rate, it shouldn't take down the whole modem.

  • Sophos uses the TTL (time to live) of the DNS reply. This means if it's low, it will always query. On SFOS there are several preconfigured DNS hosts, which SFOS tries to resolve all the time (to keep the cache fresh). If SFOS does not get a reply, it will query again.

    https://support.sophos.com/support/s/article/KB-000039373?language=en_US

    You can adjust the TTL, if the TTL of the modem is "bad". 
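
Added example, not part of the original thread or any Sophos tooling: one way to confirm the repeated-lookup pattern described above from a packet capture, by counting identical DNS queries per source inside a sliding time window. The input format (tab-separated fields exported from a capture), the sample addresses, the window and the threshold are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample: epoch time, source IP, query name, query type (tab-separated),
# the shape produced by e.g.
#   tshark -r cap.pcapng -Y "dns.flags.response == 0" -T fields \
#          -e frame.time_epoch -e ip.src -e dns.qry.name -e dns.qry.type
SAMPLE = "\n".join(
    [f"{1000.0 + i * 0.25:.2f}\t192.0.2.10\twww.google.com\t1" for i in range(40)]
    + ["1001.00\t192.0.2.20\texample.org\t1",
       "1031.00\t192.0.2.20\texample.org\t1",
       "1003.25\t192.0.2.10\tmalformed-line"]   # wrong field count, skipped
)


def find_query_storms(text, window=5.0, threshold=10):
    """Return {(src, qname, qtype): peak_count} for every key whose identical
    queries reach `threshold` within any `window`-second span."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue                      # truncated or malformed export line
        try:
            ts = float(parts[0])
        except ValueError:
            continue
        # DNS names are case-insensitive; normalise before grouping.
        rows.append((ts, parts[1], parts[2].lower().rstrip("."), parts[3]))

    recent = defaultdict(deque)           # key -> timestamps still inside the window
    peak = defaultdict(int)               # key -> highest count seen in any window
    for ts, src, qname, qtype in sorted(rows):
        key = (src, qname, qtype)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:         # drop queries older than the window
            q.popleft()
        peak[key] = max(peak[key], len(q))
    return {k: v for k, v in peak.items() if v >= threshold}


if __name__ == "__main__":
    for (src, qname, qtype), count in find_query_storms(SAMPLE).items():
        print(f"{src} asked for {qname} (type {qtype}) {count} times within 5 s")
```

Comparing the flagged names and their peak rate before and after changing the firewall's DNS server shows whether the re-query loop has actually stopped.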
