XG3300 Firewall MTU/MSS

Hello all - I am currently using XG3300 Firewalls (SFOS 18.5.3 MR-3-Build408) in an HA pair as my main gateway/edge devices to the internet in my company. I have 2 users that mostly work in a web-based application and I am having a weird problem with just the two of them. The web-based application they use is a PLM (product lifecycle management) application, so we have a catalog of parts our company uses in it with specs like measurements and other technical data. The users will be logged into this web application working away and then sometimes, when they go to save data that they have populated into form fields, the connection to the site will sit for 20-30 seconds and then they will get a "Your Connection has been Reset" error in their browser (same thing happens in Chrome, Firefox, Edge; I've had them try all 3 browsers). It doesn't happen all the time - just randomly. So I installed Wireshark on one of the computers and let it run and told the user to let me know when he had the issue and I would take a look at the packet data. What I seem to be finding is that every time the user reported the problem I see correlating packets in Wireshark that have a length OVER 1500 (mostly 1514) between his computer and the public IP of the web application. What is more is that the IPv4 flag for do not fragment is always set (0x40). So right now all my switches are set to 1500 MTU on the ports and the firewall interfaces LAN/WAN are all set to MTU 1500/MSS 1460 (out of the box settings). Do you think it is possible that I need to up the MTU/MSS on my LAN/WAN ports on the firewall to 1514 because of the way this web application is handling data?

I've also noticed that sometimes Wireshark will show TCP Out-Of-Order errors as well. The company that hosts the web app is a huge company with many, many customers and they say they don't have any other customers having this problem.

We were using some old SonicWall devices and it wasn't happening with them - it's only started happening since I put in the Sophos XGs. I do not know how the interfaces were set up in the SonicWall devices as I do not have any backup configs nor do I physically have them here anymore.

I will attach a screenshot of what the packet capture looks like during one of the disconnects.
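To check a capture against the numbers in the question above, here is an added example (not from the original post, and not Sophos code): it builds a constructed Ethernet/IPv4/TCP frame, then reports the IP total length separately from the 14-byte Ethernet header that Wireshark's Length column includes, so a 1514-byte frame is seen to carry a 1500-byte packet sitting exactly at the 1500 MTU with the 1460 MSS, and only packets that genuinely exceed the MTU while carrying DF are flagged. The MAC addresses, IPs and payload are made-up sample values.

```python
import struct

ETH_HDR = 14   # Ethernet header; Wireshark's frame length includes it, the MTU does not
IP_HDR = 20    # IPv4 header without options
TCP_HDR = 20   # TCP header without options
MTU = 1500     # interface MTU as configured on the XG LAN/WAN ports
MSS = MTU - IP_HDR - TCP_HDR   # 1460: the out-of-box MSS the post mentions

def build_frame(payload_len: int, df: bool = True) -> bytes:
    """Construct a sample Ethernet/IPv4/TCP frame (checksums left at zero;
    MACs and IPs are made-up documentation values, not from the post)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    total_len = IP_HDR + TCP_HDR + payload_len
    flags_frag = 0x4000 if df else 0x0000   # DF is the 0x40 byte seen in Wireshark
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                     64, 6, 0, bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    # src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 51234, 443, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + b"\x00" * payload_len

def analyse_frame(frame: bytes, mtu: int = MTU) -> dict:
    """Report IP total length, DF, and whether the packet really exceeds the MTU."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    flags_frag = struct.unpack("!H", ip[6:8])[0]
    data_off = (ip[ihl + 12] >> 4) * 4
    return {
        "frame_len": len(frame),                    # what the Wireshark Length column shows
        "ip_len": total_len,                        # what the MTU actually limits
        "tcp_payload": total_len - ihl - data_off,  # what the MSS limits
        "df": bool(flags_frag & 0x4000),
        # DF plus exceeds_mtu: a router must drop it (and send ICMP Fragmentation
        # Needed) instead of fragmenting, which is where PMTUD problems start
        "exceeds_mtu": total_len > mtu,
    }

if __name__ == "__main__":
    # A full-size segment: 1514 on the wire, but the IP packet is exactly 1500
    print(analyse_frame(build_frame(MSS)))
    # A segment 20 bytes over the MSS: this one would need fragmentation, which DF forbids
    print(analyse_frame(build_frame(MSS + 20)))
```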
