Xfinity Bridge Mode - Gateway Goes Down after 2 Minutes Following "Upgrades" to our Service

Hey guys,

Since Monday morning (7:26 AM), Xfinity was "doing some work to upgrade your services" in my apartment complex. I have two XG home editions, running on different hardware, that are able to initially connect once putting the Xfinity gateway into bridged mode as usual, but after about 2 minutes (give or take a few seconds), the gateway just turns red and inexplicably I am not able to do anything.

This issue has persisted with V18.5.XX and V19, on two different pieces of hardware. Additionally, I've tried a real Sophos XG hardware appliance, the same result... 

It seems like something has been changed to me, almost exactly 2 minutes following a working connection it just turns red, and nothing can get past the default gateway. Is anyone seeing anything similar with Xfinity home Internet gateways in bridged mode? I even had the gateway (the modem) REPLACED by Xfinity. It makes absolutely zero sense.

I've run Sophos XG at home in my network since 2019. This is the FIRST time I've had issues, and I've had Xfinity in the past for 2 years, and AT&T for 1. 



  • You need to differentiate: The WAN Link Manager will do the health check based on ICMP (default) on the device itself. This could be faulty. Check the WAN Link Manager and disable this health check to see if the connection is actually healthy.


  • Hey there, I know that the health check is based on ICMP by default, and I can confirm that it is not the issue.

    Same settings are in there, and changing to a keepalive service has the same result. It lasts longer than the 60-second timeout as well, and the log entry just says the gateway is down. Even when I am connected and get an IP address, and the "interface Port 2 is Up" log comes in, the "Gateway is up" entry does not come back unless I reboot the XG. I have years of experience with Sophos and I have never seen this before.

    All seems well for the first 2 minutes, then boom, nothing. 

    It's also worth noting that with the Xfinity Gateway not in bridged mode (operating as the router), and with my XG WAN interface set up to obtain DHCP that way, it does work. Only when the Xfinity Gateway is put into bridged mode does it stop working. It DOES get a WAN IP address and work for 2 minutes, then nothing.

  • Hello there,

    What is the IP that the XG is Pinging in the Failover Rule configured in the WAN Link Manager? Try changing that one to a Public IP such as 8.8.8.8 if it is pointing to the Gateway IP of your service provider. 

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hey there, yes I have tried 8.8.8.8 and 1.1.1.1 as failover ping values. Seems to have no difference.

  • Maybe the Modem is blocking the firewall? As it works for some time and stops after those times, it could be a potential block based on MAC on the gateway product you use from the ISP. 


  • Yeah, I am not sure. I have tried overriding the MAC address used on the interface with an exact copy of the CMAC on the modem, but that did not work immediately, didn't even get the 2 minutes there. 

    Something changed when they did that "work", as if they are being sneaky and trying to force customers into using their equipment. 

    Doesn't make a whole lot of sense to me, and I'm not exactly a newbie to this. 

  • Just to clarify: the Xfinity gateway is a modem-router combination and you're putting the router part into bridged mode? And you've had the gateway replaced since the problems started (or was it replaced a while back)?

    What if you don't place the gateway into bridged mode? You'll be double-NAT'd and have other potential issues, but do you get beyond the 2 minute mark? Also, what happens if you run the Xfinity gateway in regular (not bridged) mode and hook up to it with your computer? Does it also drop the connection at 2 minutes? (Just trying to narrow down the issue.)

  • Thanks for replying!

    Yes, it is one of those "all-in-one" modem/router/wireless access point "gateways" as they call them. They replaced it this week after I got someone to come out, but I was stuck in a nice long government meeting and my girlfriend wasn't able to validate anything beyond it working in the default non-bridged mode.

    It is currently double NAT'd with the gateway, not in bridged mode, it has been working now for a little longer than 36 hours. 

    Gateway works fine directly connected to my computer, it is only when put into bridged mode. 

    It is working this way, but obviously, this is not ideal. I do not want to double NAT my network ;) 

  • Hello,

    Is your public IP static or dynamic?

    In my case, even if it's static, I need to set it as DHCP; otherwise the line will go down. Try playing with the setting to see if that makes any difference.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • It's a dynamic standard public IP from a residential ISP. I've tried setting it to static configurations with default MAC Address, static configurations with the override set to the modem's MAC Address, DHCP with default MAC, and DHCP with the modem's MAC Address. 

    Spoofing the MAC address in either case (static or dynamic) results in an instant loss of connection, which is sort of strange to me as well.

    Once the modem goes into "bridged" mode, it should not even be performing ARP mappings, and so the public WAN would see the same public IP address, gateway, and even MAC Address of the modem. 

  • Nothing static should work and no spoofing should work. Your firewall should be a DHCP client of the ISP to get all of its information.

    Just to review: You have Cox Cable Modem --> Cox Firewall/Router --> Sophos Firewall --> rest of your network. And if you set the Cox firewall to its default (not bridge mode, doing NAT, etc) everything works, but if you set the Cox firewall to bridge mode, you get two minutes and you have no upstream. When it all goes away, can you get traffic to the Cox firewall or modem? (I.e. which piece of equipment is shutting the connection down?)

    I guess it also needs to be asked: how are you putting the Cox firewall into bridged mode? Could that have changed with their upgrades -- due to, say Cox firewall firmware updates?

  • It's an Xfinity Gateway, so it's an all-in-one modem/router/firewall/access point. I believe it is manufactured by Arris. I am just logging into the default web interface and clicking the "Enable bridge mode" toggle as I've done with every Xfinity gateway I've ever touched. 

    Once it all goes away, nothing seems to make it past the private IP gateway of the Sophos LAN port. Although, if I specify the public IP that is assigned by Xfinity to the Sophos, I do get a response, of course, because of NAT. 

    I cannot reach beyond the gateway, in this case, 10.10.11.1 to be clear unless I specifically ping the public IP assigned to the WAN interface from DHCP. 

    The log will initially have an entry stating that the gateway has come up, 2 minutes later, the gateway goes down. 
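    The "interface is Up" / "Gateway is Down" pattern described in this post and in the earlier reply is the kind of thing worth pulling out of the firewall log mechanically rather than by eye. The script below is an added example, not code from the thread or from Sophos: it parses constructed log lines (the line format is an assumption, not Sophos' exact syslog layout), measures how long each gateway stays Up before the next Down, flags outages that recur after the same delay (the "2 minutes every time" symptom, which points at a timer somewhere rather than a flaky link), and lists interface Up events that were never followed by a Gateway Up (link fine, health check never recovered).

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines; timestamps and names are made up for the example.
SAMPLE_LOG = """\
2022-06-20 07:26:10 Interface Port2 is Up
2022-06-20 07:26:12 Gateway Port2_GW is Up
2022-06-20 07:28:13 Gateway Port2_GW is Down
2022-06-20 07:40:02 Interface Port2 is Up
2022-06-20 07:40:05 Gateway Port2_GW is Up
2022-06-20 07:42:04 Gateway Port2_GW is Down
2022-06-20 08:01:00 Interface Port2 is Up
"""

# Assumed line shape: "<date> <time> Interface|Gateway <name> is Up|Down"
LINE_RE = re.compile(r"^(\S+ \S+) (Interface|Gateway) (\S+) is (Up|Down)$")

def parse_events(text):
    """Return (timestamp, kind, name, state) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def gateway_up_durations(events):
    """Seconds each gateway stayed Up before the following Down, keyed by gateway name."""
    up_since, durations = {}, {}
    for ts, kind, name, state in events:
        if kind != "Gateway":
            continue
        if state == "Up":
            up_since[name] = ts
        elif name in up_since:
            durations.setdefault(name, []).append((ts - up_since.pop(name)).total_seconds())
    return durations

def interface_up_without_gateway(events, window=timedelta(seconds=60)):
    """Interface Up events with no Gateway Up within `window`: link is back, health check is not."""
    gw_ups = [ts for ts, kind, _, state in events if kind == "Gateway" and state == "Up"]
    return [ts for ts, kind, _, state in events
            if kind == "Interface" and state == "Up"
            and not any(ts <= g <= ts + window for g in gw_ups)]

def looks_periodic(durations, tolerance=5.0):
    """True when at least two outages followed their Up event after (nearly) the same delay."""
    return len(durations) >= 2 and max(durations) - min(durations) <= tolerance
```

    Feeding it a real export would mean adjusting LINE_RE to the actual message text; everything else is independent of the log source.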
