XG3300 Firewall MTU/MSS

Hello all - I am currently using XG3300 Firewalls (SFOS 18.5.3 MR-3-Build408) in an HA pair as my main gateway/edge devices to the internet in my company. I have 2 users that mostly work in a web-based application, and I am having a weird problem with just the two of them. The web-based application they use is a PLM (product lifecycle management) application, so we have a catalog of parts our company uses in it with specs like measurements and other technical data. The users will be logged into this web application working away, and then sometimes when they go to save data that they have populated into form fields, the connection to the site will sit for 20-30 seconds and then they will get a "Your Connection has been Reset" error in their browser (the same thing happens in Chrome, Firefox, and Edge; I've had them try all 3 browsers). It doesn't happen all the time - just randomly. So I installed Wireshark on one of the computers, let it run, and told the user to let me know when he had the issue so I could take a look at the packet data. What I seem to be finding is that every time the user reported the problem, I see correlating packets in Wireshark that have a length OVER 1500 (mostly 1514) between his computer and the public IP of the web application. What's more, the IPv4 flag for do not fragment is always set (0x40). So right now all my switches are set to 1500 MTU on the ports, and the firewall interfaces LAN/WAN are all set to MTU 1500/MSS 1460 (out-of-the-box settings). Do you think it is possible that I need to up the MTU/MSS on my LAN/WAN ports on the firewall to 1514 because of the way this web application is handling data?

I've also noticed that sometimes Wireshark will show TCP Out-Of-Order errors as well. The company that hosts the web app is a huge company with many, many customers, and they say they don't have any other customers having this problem.

We were using some old SonicWall devices and it wasn't happening with them - it's only started happening since I put in the Sophos XGs. I do not know how the interfaces were set up in the SonicWall devices, as I do not have any backup configs nor do I physically have them here anymore.

I will attach a screenshot of what the packet capture looks like during one of the disconnects.
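To read the numbers in a capture like the one described above, here is an added example (not part of the original post): it builds constructed Ethernet II/IPv4/TCP frames and checks them against a link MTU, separating the 14-byte Ethernet header (which Wireshark's Length column includes) from the IP total length (which is what an interface MTU actually limits). The MAC/IP addresses and ports in `build_frame` are placeholders, and the 1514/1500/1460 figures are the ones from the post.

```python
import struct

ETH_HDR_LEN = 14      # dst MAC (6) + src MAC (6) + EtherType (2); not counted in the IP MTU
IP_HDR_LEN = 20       # minimal IPv4 header
TCP_HDR_LEN = 20      # minimal TCP header
IP_DF = 0x4000        # Don't Fragment bit in the IPv4 flags/fragment-offset field


def build_frame(payload_len: int, df: bool = True) -> bytes:
    """Constructed Ethernet II + IPv4 + TCP frame carrying payload_len bytes of zeros.
    Addresses and ports are placeholders (10.0.0.10 -> 203.0.113.10:443); checksums stay 0."""
    eth = bytes(12) + b"\x08\x00"                      # EtherType 0x0800 = IPv4
    total_len = IP_HDR_LEN + TCP_HDR_LEN + payload_len
    flags_frag = IP_DF if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                     64, 6, 0, bytes([10, 0, 0, 10]), bytes([203, 0, 113, 10]))
    tcp = struct.pack("!HHIIBBHHH", 50000, 443, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + bytes(payload_len)


def analyse_frame(frame: bytes, mtu: int = 1500) -> dict:
    """Split a captured frame into the numbers that matter for an MTU check."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("only IPv4 frames are handled")
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4                           # IPv4 header length in bytes
    total_len, _, flags_frag = struct.unpack("!HHH", ip[2:8])
    tcp_hdr_len = (ip[ihl + 12] >> 4) * 4              # TCP data offset in bytes
    return {
        "frame_length": len(frame),                    # what Wireshark's Length column shows
        "ip_total_length": total_len,                  # what the interface MTU limits
        "df_set": bool(flags_frag & IP_DF),            # DF: router must drop, not fragment
        "tcp_payload": total_len - ihl - tcp_hdr_len,
        "exceeds_mtu": total_len > mtu,                # only then does DF cause a drop
        "expected_mss": mtu - IP_HDR_LEN - TCP_HDR_LEN,  # 1460 for a 1500-byte MTU
    }


if __name__ == "__main__":
    for payload in (1460, 1500):
        print(analyse_frame(build_frame(payload)))
```

A 1514-byte frame therefore carries a 1500-byte IP datagram, which fits a 1500 MTU exactly; the check only flags a frame whose IP total length is above the MTU while DF is set.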

  • Do you use STAS? Do you have STAS Quarantine enabled? 


  • No, I do not use STAS - I do use Intercept X Advanced with XDR and MTR on all of my endpoints, though, which may possibly have some components of it, since it has a heartbeat sync with the firewall. Although I think it does all that through Central, if I'm not mistaken.

  • Hi Nick Goad

    Please troubleshoot the issue with a plain/bypass firewall rule for those two users: add the system IPs under Source networks and devices on the firewall rule and check whether it works with that rule or not.

    From SSH, go to option 4 and check drops with the command available at the link:

    https://support.sophos.com/support/s/article/KB-000036858?language=en_US

    Share the suspicious logs and the status with the plain rule.

    Thanks and Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".


  • Could you do the following (step by step) and check if any of those steps resolves your issue?

    https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/134998/troubleshoot-a-broken-application-in-sfos

    Please do not do "everything at once"; instead, try each step and see if it still occurs.


  • I am looking in the firewall logs now that I have captured quite a bit of information from Wireshark packets, and what I am seeing is lots of traffic that is coming BACK IN from the WAN (internet) zone to the LAN zone, and still some that is leaving; the packets are being denied, but the only reason the log gives is either "Invalid Packet" or "could not associate packet to any connection".

    All these log entries have a Log Comp of "Invalid Traffic", a NAT rule of 0 and a rule type of 0, so that doesn't really tell me much.

    I do have 2 WAN links (2 providers) for redundancy, and they are just set up to load balance, but I configured an SD-WAN rule to only make traffic for this side go out of one of them, which, from the interfaces in the logs, looks like it is using the correct internet connection.

    What doesn't make sense is that there will be a ton of packets that go out fine, then all of a sudden there will be a bunch of invalid ones.
