TLS engine error: FLOW_TIMEOUT through IPSec Remote Access Tunnel

Hello community,

We are facing a strange behavior since we've updated our XGS4500 to SFOS 19.5.0 GA-Build197. Some websites are not fully accessible through the IPSec Remote Access Tunnel (via Sophos Connect Client).

The first line of the above SSL/TLS inspection log shows the error while accessing a website from github.com through the tunnel.

The second line shows a successful access of the same website from an internal client.

Both traffic flows pass the same rules.

When the traffic goes through the tunnel, it looks like the TLS-specific information gets lost.

Firewall acceleration is enabled and loaded, and IPsec acceleration is turned on.

This behavior is browser independent. We've tried the same versions of Google Chrome and Microsoft Edge on both devices in normal and incognito mode.

I am grateful for any idea that solves the problem.

Best regards

Markus



  • Hi Raphael,

    I've sent you the access ID via PM.

    Most of the configuration is migrated from an XG450 19.0 where we had no issues. After migration to XGS we've enabled the firewall and IPsec acceleration features.

    Best regards

    Markus

  • Hi  ,

    Good day and hope you are well.

    May we ask you to try and disable firewall acceleration: https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/CommandLineHelp/DeviceConsole/SystemCommands/index.html#firewall-acceleration

    Then please let us know whether, with firewall acceleration disabled, the broken flow now passes TLS inspection successfully.

    Please note that turning firewall acceleration on or off restarts DPI each time (about 30 secs to fully load). That being said, we would advise running the command in off-hours/a maintenance window to lessen network impact.

    Kindly update us on the outcome. Many thanks for your time and patience, and thank you for choosing Sophos.

    Cheers,

  • Hi Raphael,

    After disabling IPSec and firewall acceleration, the FLOW_TIMEOUT errors with TLS version "unknown" are gone. The sites that were not accessible through IPsec Remote Access VPN are now accessible.

    But there are still FLOW_TIMEOUT errors in the SSL/TLS inspection log:

    These errors are also from internal clients, but it seems that there is no impact. Anyway, I don't get any feedback from my colleagues that there are problems when calling web pages. Also, I cannot reproduce these errors.

    Regarding MTU size, I've done some testing from an internal server:

    As I understand it, the MTU (1500) and MSS (1460) values are set correctly in XGS.

    UPDATE: I take it all back. After disabling the acceleration features, the log is full of "Dropped due to TLS engine error: OUT_OF_MEMORY[201]" errors for internal and remote clients.

    Best regards
    Markus