
Sophos XG - Connection being dropped in IPSec tunnel

Hey there,

we're currently facing a serious issue with a brand new XGS116 (SFOS 18.5.3 MR-3-Build408) and already contacted Sophos support about this, but unfortunately they don't seem to be able to help us.

We switched one of our customer's UTMs with an XGS116 a few weeks ago. Anyway, we set up an IPSec tunnel to another hosting company, who is hosting their SAP database. Same setup as before. The tunnel is stable and basically never disconnects.

But here's the issue. At some point, and this happens multiple times every day, the SAP program freezes and packages are being dropped by the firewall. Application filter, web filter etc. are not even licensed, and we already turned off IPS and everything else that might cause this (plus, Sophos support double-checked this too).

What we're seeing in the logs of the firewall the moment it happens is this:

messageid="01001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="N/A" nat_rule_id="0" policy_type="0" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="" ether_type="IPv4 (0x0800)" bridge_name="" bridge_display_name="" in_interface="xfrm2" in_display_interface="xfrm2" out_interface="" out_display_interface="" src_mac="" dst_mac="" src_ip="10.213.42.11" src_country="R1" dst_ip="192.168.105.161" dst_country="R1" protocol="TCP" src_port="3200" dst_port="57133" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="Invalid packet." appresolvedby="Signature" app_is_cloud="0"


messageid="01001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="1" nat_rule_id="0" policy_type="1" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="" ether_type="IPv4 (0x0800)" bridge_name="" bridge_display_name="" in_interface="" in_display_interface="" out_interface="" out_display_interface="" src_mac="" dst_mac="" src_ip="10.213.42.11" src_country="R1" dst_ip="192.168.105.161" dst_country="R1" protocol="TCP" src_port="3200" dst_port="57133" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="Invalid TCP state." appresolvedby="Signature" app_is_cloud="0"

We also checked the log on the other side of the tunnel, and it says the client closed the connection.

What we tried so far:

  • Re-created the tunnel on both sides
  • Switched from a site-to-site tunnel to a route-based tunnel
  • Re-created the rules
  • Deleted/added new rules (LAN-VPN, also WITH Sophos support)
  • Set up a bypass rule, which caused the tunnel to not work anymore.


The local subnet is 192.168.105.0/24 and the subnet on the other side of the tunnel is 10.213.42.0/24. Remote access works fine too.

Here's a screenshot of the firewall rule:


We really do not want to do a factory reset, because we already set up 2FA with every employee, but we're completely lost here. It doesn't make any sense, and we haven't heard back from Sophos support in over a week.

Could this be a firmware or even hardware issue? Any help is much appreciated! Thank you!
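As an added example (not from the original post and not Sophos code): a small Python triage script that parses log lines in the key="value" format quoted above, tallies the denied "Invalid Traffic" entries per flow, ingress interface and reason, and tags each one with which side of the tunnel the dropped packet came from, using the two subnets given in the post. The sample log is constructed (modelled on the two quoted entries, plus an invented allowed line for contrast), and the function and label names are assumptions.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample log, modelled on the SFOS key="value" entries quoted in the
# post (same addresses and ports); the third, allowed line is invented for contrast.
SAMPLE_LOG = """\
messageid="01001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" fw_rule_id="N/A" in_interface="xfrm2" src_ip="10.213.42.11" dst_ip="192.168.105.161" protocol="TCP" src_port="3200" dst_port="57133" message="Invalid packet."
messageid="01001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" fw_rule_id="1" in_interface="" src_ip="10.213.42.11" dst_ip="192.168.105.161" protocol="TCP" src_port="3200" dst_port="57133" message="Invalid TCP state."
messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id="1" in_interface="Port1" src_ip="192.168.105.161" dst_ip="10.213.42.11" protocol="TCP" src_port="57133" dst_port="3200" message=""
"""

# key="value" pairs; values never contain a double quote in this format
KV_RE = re.compile(r'(\w+)="([^"]*)"')

FlowKey = Tuple[str, str, str, str, str, str]


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key="value" log line into a dict (later duplicate keys win)."""
    return dict(KV_RE.findall(line))


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line of a log export."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def invalid_traffic_summary(records: List[Dict[str, str]]) -> Counter:
    """Count denied 'Invalid Traffic' entries per flow, ingress interface and reason."""
    counts: Counter = Counter()
    for r in records:
        if r.get("log_component") != "Invalid Traffic" or r.get("status") != "Deny":
            continue
        key: FlowKey = (
            r.get("src_ip", ""), r.get("src_port", ""),
            r.get("dst_ip", ""), r.get("dst_port", ""),
            r.get("in_interface") or "(none)",   # empty in the second quoted entry
            r.get("message", ""),
        )
        counts[key] += 1
    return counts


def classify_direction(record: Dict[str, str], local_net: str, remote_net: str) -> str:
    """Say which side of the tunnel the dropped packet came from.

    'remote-to-local' means the packet travelled from the remote subnet back to
    a local host, i.e. the firewall dropped a server-side packet for which it
    no longer held a matching session.
    """
    local = ipaddress.ip_network(local_net)
    remote = ipaddress.ip_network(remote_net)
    try:
        src = ipaddress.ip_address(record.get("src_ip", ""))
        dst = ipaddress.ip_address(record.get("dst_ip", ""))
    except ValueError:
        return "unparsable"
    if src in remote and dst in local:
        return "remote-to-local"
    if src in local and dst in remote:
        return "local-to-remote"
    return "other"


def report(text: str, local_net: str, remote_net: str) -> List[str]:
    """One human-readable line per distinct denied flow, for quick triage."""
    records = parse_log(text)
    lines = []
    for key, n in sorted(invalid_traffic_summary(records).items()):
        src_ip, src_port, dst_ip, dst_port, iface, msg = key
        direction = classify_direction({"src_ip": src_ip, "dst_ip": dst_ip}, local_net, remote_net)
        lines.append(f"{n}x {src_ip}:{src_port} -> {dst_ip}:{dst_port} via {iface} [{direction}] {msg}")
    return lines


if __name__ == "__main__":
    # Subnets are the ones stated in the post.
    for line in report(SAMPLE_LOG, "192.168.105.0/24", "10.213.42.0/24"):
        print(line)
```

Run against a full log export, the report shows whether every drop is the SAP server's side of an already established connection (remote-to-local, source port 3200) and on which interface it arrived, which is the first thing worth comparing against the session log of the peer that reported the client closing the connection.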


