This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

TLS engine error: FLOW_TIMEOUT through IPSec Remote Access Tunnel

Hello community,

we are facing a strange behavior since we´ve updated our XGS4500 to SFOS 19.5.0 GA-Build197. Some website are not fully accessible through IPSec Remote Access Tunnel (via Sophos Connect Client).

The first line of the above SSL/TLS inspection log shows the error while accessing a website from github.com through the tunnel.

The second line shows a successful access of the same website from an internal client.

Both traffic flows passing the same rules.

When the traffic goes through the tunnel it looks like that the tls specific informations get lost.

Firewall acceleration is enabled and loaded as well as IPsec acceleration is turned on.

This behavior is browser independent. We've tried same versions of Google Chrome and Microsoft Edge on both devices in normal and incognito mode.

I am grateful for any idea that solves the problem.

Best regards

Markus

This thread was automatically locked due to age.

0 LuCar Toni over 2 years ago

Go to the Logviewer, take this IP address (Dst) and search for it as a string. Then move to detailed view in Logviewer.

Check if there are other modules blocking this.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 Markus Ottmann1 over 2 years ago in reply to LuCar Toni

Thanks for your quick answer. But there are no other lines indicating a blocking by another module. I´ve checked ATP-, application-, firewall-, IPS-, malware-, web content- and web filter logs. That would be even stranger, since both clients run through the same rules and policies.

We can workaround this by using the default "maximum compatibility" decryption profile. But this is not our goal. We want to use the same "strict compliance" decryption profile for the remote workers as it works perfect for all internal clients.
Cancel
Vote Up 0 Vote Down

Cancel
0 Erick Jan over 2 years ago

Hi Markus,

Thank you for reaching out to Sophos Community.

Kindly share the Case ID.

If there’s no case ID, we strongly advise you to kindly create one.

Erick Jan
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Markus Ottmann1 over 2 years ago in reply to Erick Jan

Hi Erick,

support case is opened. I have send you the ID via PM.
Cancel
Vote Up 0 Vote Down

Cancel
0 Raphael Alganes over 2 years ago

Hi Markus Ottmann1 ,

Good day and thanks for reaching out to Sophos Community and hope you are well.

May we check, was this working fine before (if yes, on what version?) and then after upgrading to 19.5 it did not work anymore? Or is this newly configured functionality that has been added after upgrading to 19.5?

Further, May we verify that the MTU is correct, as per: https://support.sophos.com/support/s/article/KB-000038555?language=en_US

I also sent you a DM requesting for the AccessID of your device to be enabled. Kindly reply back to the DM with the AccessID.

Thanks for your time and patience and Thank you for choosing Sophos.

Cheers,

Raphael Alganes
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Markus Ottmann1 over 2 years ago in reply to Raphael Alganes

Hi Raphael,

I´ve send you the access id via PM.

Most of the configuration is migrated from an XG450 19.0 where we had no issues. After migration to XGS we´ve enabled firewall and ipsec acceleration features.

Best regards

Markus
Cancel
Vote Up 0 Vote Down

Cancel
0 Raphael Alganes over 2 years ago in reply to Markus Ottmann1

Hi Markus Ottmann1 ,

Good day and hope you are well.

May we ask you to try and disable firewall acceleration: https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/CommandLineHelp/DeviceConsole/SystemCommands/index.html#firewall-acceleration

then please let us know if disabling firewall accel and see if the broken flow is now passing with TLS inspection successfully.

Please note that Turning firewall acceleration on or off restarts DPI each time (about 30secs to fully load). That being said, We would be advising to run the command in offhours/window hours to lessen network impact.

Kindly update us of the outcome. Many thanks for your time and patience and thank you for choosing Sophos

Cheers,

Raphael Alganes
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Markus Ottmann1 over 2 years ago in reply to Raphael Alganes

Hi Raphael,

after disabling IPSec and firewall acceleration the FLOW_TIMEOUT errors with TLS version "unknown" are gone. The sites which are not accessible through IPsec Remote Access VPN are now accessible.

But there are still FLOW_TIMEOUT errors in the SSL/TLS inspection log:

These errors are also from internal clients, but it seems that there is no impact. Anyway, I don't get any feedback from my colleagues that there are problems when calling web pages. Also, I cannot reproduce these errors.

Regarding MTU size I´ve done some testing from an internal server:

As I understand it, the MTU (1500) and MSS (1460) values are set correctly in XGS.

UPDATE: I take it all back. After disabling the acceleration features the log is full of "Dropped due to TLS engine error: OUT_OF_MEMORY[201]" errors regarding internal and remote clients.

Best regards
Markus
Cancel
Vote Up 0 Vote Down

Cancel