Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 24 replies
  • Answers 1 answer
  • Subscribers 28 subscribers
  • Views 1700 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG 19 SD WAN Application timeout

Geniux

I have XG V19 Firewalls and created a SD-WAN policy to handle traffic for Site 2 Site Route based IPSec VPN with xfrm interfaces.

it works great, just some strange issue, many application that are used over that VPN timeout and crash after around 15 - 20 minutes,

so if a user has open an RDP session it will suddenly crash



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to Geniux

    okay then, rest looks fine. continue to observe with the change made in SLA and revert us the results...

  • 0 in reply to Vivek Jagad

    Still disconnecting applications 

  • 0 in reply to Geniux

    Can you take a tcpdump on RDP session on Port 3389
    putty ssh > admin credentials > press 5 for the  Device Management > press 3 for the advance shell 
    # tcpdump -nei any port 3389 
    Under the putty session > under the logging > ensure all session output is selected
    And under the window > linces of scrollback = 20000000
    And wait for the disconnection...
    and then share the output to analyze the traffic...

  • 0 in reply to Vivek Jagad

    see attached a capture of a "radmin viewer / server" from 192.168.1.250 to 192.168.4.159 port 48991 over  the VPN.

    it dropped suddenly

    totermw - 20220601-233856128-M0400.txt

  • 0 in reply to Geniux

    Okay, can you also provide us an output of the following from: 
    putty ssh > admin credentials > press 4 for the device console:
    console> system route_precedence show

  • 0 in reply to Vivek Jagad

    Default routing Precedence:
    1. SD-WAN policy routes
    2. VPN routes
    3. Static routes

  • 0 in reply to Geniux

    Hello ,

    Conduct a session again, and wait for the disconnection to happen again:
    in the process, capture the following things:

    1.) Tcpdump again 
    2.) Drop packet capture: 
    Monitor dropped packets using CLI : https://support.sophos.com/support/s/article/KB-000036858?language=en_US
    3.) Monitor traffic using Packet Capture Utility : https://support.sophos.com/support/s/article/KB-000035761?language=en_US
    4.) Create and download a packet capture : https://support.sophos.com/support/s/article/KB-000037007?language=en_US
    5.) And run a live conntrack: conntrack -E -d <dstp ip> | grep <src ip> 

  • 0 in reply to Vivek Jagad

    see attached packet capture, it's possible that the capture stopped before the connection dropped.

    the connection was from 192.168.1.250 to 192.168.4.159 port 48991

    totermw - 20220603-005359940-M0400.txt

    Fullscreen totermw - 20220603-005608740-M0400.txt Download 
    
Sophos Firmware Version SFOS 19.0.0 GA-Build317 

Main Menu 

    1.  Network  Configuration
    2.  System   Configuration
    3.  Route    Configuration 
    4.  Device Console 
    5.  Device Management
    6.  VPN Management
    7.  Shutdown/Reboot Device
    0.  Exit 

    Select Menu Number [0-7]: 5

Sophos Firmware Version SFOS 19.0.0 GA-Build317 

Device Management 

    1.  Reset to Factory Defaults
    2.  Show Firmware(s)
    3.  Advanced Shell
    4.  Flush Device Reports
    0.  Exit

    Select Menu Number [0-4]: 3


Sophos Firewall
===============
(C) Copyright 2000-2022 Sophos Limited and others. All rights reserved.
Sophos is a registered trademark of Sophos Limited and Sophos Group.
All other product and company names mentioned are trademarks or registered
trademarks of their respective owners.

For Sophos End User Terms of Use - https://www.sophos.com/en-us/legal/sophos-end-user-terms-of-use.aspx

NOTE: If not explicitly approved by Sophos support, any modifications
      done through this option will void your support.


SFVH_VM01_SFOS 19.0.0 GA-Build317# tcpdu
SFVH_VM01_SFOS 19.0.0 GA-Build317# tcpdump fil
SFVH_VM01_SFOS 19.0.0 GA-Build317# tcpdump f
feedbackconfig  fontconfig/

SFVH_VM01_SFOS 19.0.0 GA-Build317# tcpdump ffiledump 'host 192.168.4.159 -s0'
tcpdump: can't parse filter expression: syntax error
SFVH_VM01_SFOS 19.0.0 GA-Build317# exit

Sophos Firmware Version SFOS 19.0.0 GA-Build317 

Device Management 

    1.  Reset to Factory Defaults
    2.  Show Firmware(s)
    3.  Advanced Shell
    4.  Flush Device Reports
    0.  Exit

    Select Menu Number [0-4]: 0
Exit

Sophos Firmware Version SFOS 19.0.0 GA-Build317 

Main Menu 

    1.  Network  Configuration
    2.  System   Configuration
    3.  Route    Configuration 
    4.  Device Console 
    5.  Device Management
    6.  VPN Management
    7.  Shutdown/Reboot Device
    0.  Exit 

    Select Menu Number [0-7]: 4
Sophos Firmware Version SFOS 19.0.0 GA-Build317 

console> tcpdump filedump 
<text>     count      hex        interface  llh        no_time    quite      verbose    
console> tcpdump filedump 'ho' st 192.168.4.159 s) 0'
tcpdump: can't parse filter expression: syntax error
console> tcpdump filedump 'host 192.168.4.159 s0' 
tcpdump: can't parse filter expression: syntax error
console> tcpdump filedump 'host 192.168.4.159 s0'-s0'
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
1000 packets captured
1131 packets received by filter
0 packets dropped by kernel
console> tcpdump filedump 'host 192.168.4.159 -s0'
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
1000 packets captured
1176 packets received by filter
0 packets dropped by kernel
console>
    totermw - 20220603-005805005-M0400.txt
    Fullscreen totermw - 20220603-010029812-M0400.txt Download 
    
Sophos Firmware Version SFOS 19.0.0 GA-Build317 

Main Menu 

    1.  Network  Configuration
    2.  System   Configuration
    3.  Route    Configuration 
    4.  Device Console 
    5.  Device Management
    6.  VPN Management
    7.  Shutdown/Reboot Device
    0.  Exit 

    Select Menu Number [0-7]: 4
Sophos Firmware Version SFOS 19.0.0 GA-Build317 

console> drop-packet-capture ; ''p'o'r't' '4'8'9'9'1'
^Cconsole>

  • 0 in reply to Geniux

    Hello ,

    Thank you for providing the packet captures...
    Upon looking at the Conntrack captured we are able to see the initial tcp handshake:

    =============
    But it looks like while capturing the pcap file, the packet capture was started late and hence it did not capture the initial tcp-handshake and just data packets were captured:


    Looks like there is a latency on either side especially when the packets coming from 4.159...
    As you notice the delta time, the packet response almost took 16s to reply and if you noticed the time reference, the packet took 120s, i.e. 2 mins, so if the server side has request time out set to 2 mins, there are chances the session may disconnect. 

    You can compare this non-working scenario with the working scenario with the packet capture and try to diagnose whether or not latency occurs or not ? With the help of wireshark on either sides. 

    Based on that whatever the packet loss or re-transmission or dup-ack from the server side, you can fine tune the timeout settings on the server side with the help of your server team. 

    Additionally, on the Advance firewall settings you can toggle the following to see if that helps in improving the situation: 
    You can check the status by logging with the admin credential via putty by SSH protocol > press 4 for the device console: 

    console> show advanced-firewall
    ===============================

    And the try toggling the following:
    1.) Midstream Connection Pickup
    2.)  TCP Seq Checking
    3.)  TCP Window Scaling
    4.)  TCP Selective Acknowledgements 

    Commands can be found here along with the explanation: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/CommandLineHelp/DeviceConsole/Set/index.html