XG3300 Firewall MTU/MSS

Hello all - I am currently using XG3300 Firewalls (SFOS 18.5.3 MR-3-Build408) in an HA pair as my main gateway/edge devices to the internet in my company.  I have 2 users that mostly work in a web based application and I am having a weird problem with just the two of them.  The web based application they use is a PLM (product lifecycle management) application, so we have a catalog of parts our company uses in it with specs like measurements and other technical data.  The users will be logged into this web application working away and then sometimes, when they go to save data that they have populated into form fields, the connection to the site will sit for 20-30 seconds, then they will get a "Your Connection has been Reset" error in their browser (the same thing happens in Chrome, Firefox and Edge; I've had them try all 3 browsers).  It doesn't happen all the time - just randomly.  So I installed Wireshark on one of the computers and let it run and told the user to let me know when he had the issue and I would take a look at the packet data.  What I seem to be finding is that every time the user reported the problem I see correlating packets in Wireshark that have a length OVER 1500 (mostly 1514) between his computer and the public IP of the web application.  What is more is that the IPv4 flag for do not fragment is always set (0x40).  So right now all my switches are set to 1500 MTU on the ports and the firewall interfaces LAN/WAN are all set to MTU 1500/MSS 1460 (out of the box settings).  Do you think it is possible that I need to up the MTU/MSS on my LAN/WAN ports on the firewall to 1514 because of the way this web application is handling data?

I've also noticed that sometimes Wireshark will show TCP Out-Of-Order errors as well.  The company that hosts the web app is a huge company with many many customers and they say they don't have any other customers having this problem.

We were using some old SonicWall devices and it wasn't happening with them - it's only started happening since I put in the Sophos XGs.  I do not know how the interfaces were set up in the SonicWall devices as I do not have any backup configs, nor do I physically have them here anymore.

I will attach a screen shot of what the packet capture looks like during one of the disconnects.
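As an added illustration (not part of the original thread or of any Sophos tooling), the Python below builds a constructed Ethernet/IPv4/TCP frame and pulls out the exact fields under discussion: the on-the-wire frame length versus the IPv4 total length (a 1514-byte capture line is a 1500-byte IP packet plus the 14-byte Ethernet header, which is not counted against the interface MTU), the DF bit in the IP flags byte (0x40), and the TCP MSS option, which for a 1500 MTU works out to 1460 (1500 minus 20 bytes IPv4 and 20 bytes TCP). All MACs, addresses and ports are placeholders I chose for the sample.

```python
import struct
from typing import Optional

ETH_HDR_LEN = 14      # Ethernet II header: dst MAC, src MAC, EtherType
IPV4_HDR_LEN = 20     # IPv4 header without options
TCP_HDR_LEN = 20      # TCP header without options
IP_FLAG_DF = 0x40     # "Don't Fragment" bit in the first flags byte (0x4000 in the 16-bit field)


def checksum(data: bytes) -> int:
    """Standard Internet ones'-complement checksum over a header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload_len: int, df: bool = True, mss: Optional[int] = None) -> bytes:
    """Constructed sample frame: Ethernet II + IPv4 + TCP (+ MSS option) + zero payload.
    MACs, IPs and ports are placeholders, not values from the thread."""
    tcp_opts = b""
    if mss is not None:
        # Kind 2 (MSS), length 4, 16-bit value; only meaningful on a SYN
        tcp_opts = struct.pack("!BBH", 2, 4, mss)
    tcp_len = TCP_HDR_LEN + len(tcp_opts)
    tcp_flags = 0x02 if mss is not None else 0x18          # SYN, or PSH+ACK for a data segment
    tcp = struct.pack("!HHIIBBHHH", 51000, 443, 1, 1,
                      (tcp_len // 4) << 4, tcp_flags, 65535, 0, 0) + tcp_opts
    ip_total_len = IPV4_HDR_LEN + tcp_len + payload_len
    flags_frag = (IP_FLAG_DF << 8) if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 0x1234, flags_frag, 64, 6, 0,
                     bytes([10, 0, 0, 10]), bytes([203, 0, 113, 5]))   # placeholder addresses
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"             # placeholder MACs, EtherType IPv4
    return eth + ip + tcp + b"\x00" * payload_len


def parse_frame(frame: bytes, mtu: int = 1500) -> dict:
    """Report what a capture line shows: wire length, IP total length, DF bit, MSS option."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", ip[2:4])[0]
    info = {
        "frame_len": len(frame),                 # what Wireshark's Length column shows
        "ip_total_len": total_len,               # what the interface MTU actually limits
        "l2_overhead": len(frame) - total_len,   # 14 for plain Ethernet II
        "df": bool(ip[6] & IP_FLAG_DF),
        "fits_mtu": total_len <= mtu,
        "tcp_mss": None,
    }
    if ip[9] == 6:                               # TCP: walk the options for kind 2 (MSS)
        tcp = ip[ihl:]
        data_off = (tcp[12] >> 4) * 4
        opts = tcp[TCP_HDR_LEN:data_off]
        i = 0
        while i < len(opts):
            kind = opts[i]
            if kind == 0:                        # End of option list
                break
            if kind == 1:                        # NOP padding
                i += 1
                continue
            length = opts[i + 1]
            if kind == 2 and length == 4:
                info["tcp_mss"] = struct.unpack("!H", opts[i + 2:i + 4])[0]
            i += length
    return info


def expected_tcp_mss(mtu: int) -> int:
    """MSS that matches an interface MTU: MTU minus IPv4 and TCP headers (1500 -> 1460)."""
    return mtu - IPV4_HDR_LEN - TCP_HDR_LEN


if __name__ == "__main__":
    print(parse_frame(build_frame(1460)))             # 1514 on the wire, 1500 IP, fits MTU
    print(parse_frame(build_frame(1500)))             # 1554 on the wire, 1540 IP, does not fit
    print(parse_frame(build_frame(0, mss=1460)))      # SYN carrying MSS 1460
    print(expected_tcp_mss(1500))
```

The `fits_mtu` check compares the IPv4 total length, not the frame length, against the MTU; that is the comparison a practitioner wants when deciding whether a 1514-byte capture line is oversized, and `expected_tcp_mss` is the arithmetic behind the 1500/1460 default pairing.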




  • I am looking in the firewall logs now that I have captured quite a bit of information from Wireshark packets, and what I am seeing is lots of traffic that is coming BACK IN from the WAN (internet) zone to the LAN zone, and still some that is leaving, where the packets are being denied but the only reason the log gives is either "Invalid Packet" or "could not associate packet to any connection".

    All these log entries have a Log Comp of "Invalid Traffic", a NAT rule of 0 and a rule type of 0, so that doesn't really tell me much.

    I do have 2 WAN links (2 providers) for redundancy and they are just set up to load balance but I configured an SD-WAN rule to only make traffic for this side go out of one of them which from the interfaces in the logs it looks like it is using the correct internet connection.

    What doesn't make sense is that there will be a ton of packets that go out fine, then all of a sudden there will be a bunch of invalid ones.

  • Can I do this during production hours without resetting connections/interfaces or should I do it during off hours?

  • You should do these tests with a downtime window, just in case. Normally this will not affect active connections.

  • Ok but just FYI when I put the log in detailed view none of the error packets are using the SSL/TLS inspection engine only the firewall.  And many of them are marked as "Could not associate packet to any connection."

  • And I've actually already gone into Protection -> Advanced Threat Protection and added the FQDNs of the sites to the Network/Host Exceptions list and that did not help fix the issue.

  • The ATP Bypass via CLI is something else. It works on a different level on the CLI; please try it there.

  • Ok I have excepted the ATP from the firewall rule that allows the traffic from the LAN -> WAN to the specific FQDNs of this web service.  I will check with the users and see if this makes any difference.