Sophos xg85 WLAN - separate zone issues

Hi,

With our new XG85 for our branch office we have a problem with the guest WLAN with separate zone. Most websites are hanging and some don't come up completely.

With a test WLAN bridged to AP LAN everything works fine.

These are normal WLANs with WPA2 Personal/AES security. For the guest WLAN the policy is set so that any service from this LAN segment to WAN is allowed. The same rule for bridge-to-LAN works perfectly.

Any hints?

Thank you,

best regards,

Markus



  • Hi,

    here is a tcpdump result when a client from this guest WLAN tries to open websites:

    10:11:30.125306 vxlan3.100, IN: IP <Client-IP>.56114 > <Destination IP>.80: Flags [R.], seq 8592, ack 65315, win 0, length 0

    10:11:30.125306 <Guest-WLAN-Name>, IN: IP <Client-IP>.56114 > <Destination IP>.80: Flags [R.], seq 8592, ack 65315, win 0, length 0
    10:11:30.125740 vxlan3, IN: P <Client MAC-address> ethertype Unknown (0x0064), length 60:
    0x0000: 0000 0800 4500 0028 2bb3 4000 8006 5803 ....E..(+.@...X.
    0x0010: ac12 6465 0210 6492 db45 0050 5ae3 3e08 ..de..d..E.PZ.>.
    0x0020: b419 06b6 5014 0000 0966 0000 ....P....f..

    Any hints?

  • Frozeneye,

    contact Sophos support to check whether it is a limitation of the current firmware.

    Luk

  • Luk,

    The support case has been open for 2 days... Waiting for a response...

    Regards, Markus

  • Hi Frozen,

    WLAN Separate seems fully functional in my test environments. Out of curiosity, can you check that DNS is allowed on the System > Administration > Device Access page?

    When I first set up a separate zone in Beta I had a similar issue and it was because I had accidentally turned off DNS for the Guest Zone wireless.

    Probably a non-issue, but I've had that happen to a customer and me, and it was a head scratcher for a moment!

  • Hi Emile,

    thanks but this was not the issue... DNS is active....

    Any other hints?

  • Hi Frozen,

    I'm just gonna ask some starting Qs:

    Did you create the interface for the Separate Zone under System > Networks > Interfaces?

    Did you add the interface to an appropriate zone?

    Is that Zone able to do DNS under System > Administration > Device Access?

    Do you have DHCP for the SZ Wireless Network?

    (Follow on) Does the SZ Wireless Network DHCP point the users for DNS to the XG?

    (If not) Is there a policy rule to allow hosts in the SZ zone/subnet to DNS your internal DNS?

    (If yes) Are you able to use CLI nslookup pointed at Google's DNS server to get a response?

    Do you have a policy for testing purposes to allow Any Service from the SZ network out to the internet?

  • Hi,

    Since yesterday I have an AP15 in use, and I have the same issue. Some sites (www.speedtest.net) or iOS apps (Clash of Clans) are not working.

    Other sites and apps etc. are working. When I switch the client traffic to "Bridge to AP LAN" everything works.

    MR-2 running.

    Need Help

    Regards

  • We are having the same issue with an XG105 and MR3.

    We may be nearing a solution, though. It appears that it has to do with the policy for the outgoing connection to the internet.

    In the policy, if "WAN" is the target zone, then an option appears, where one can choose through which WAN connection to send the traffic.

    The default is "Load-Balancing". In our case our customer has two WAN lines, therefore we chose the first one as primary with the second as fallback.

    And in this case it doesn't work. While writing my support case to Sophos I detailed also this fact. And while writing I thought that perhaps this option might be the cause of the problem.

    And after setting it back to the standard setting, we can now open all webpages.

    Still, an Android device doesn't connect automatically with this network because it says it doesn't have an internet connection. But if connected manually it can actually open all the webpages we couldn't open before.

    The problem therefore seems to lie in the policy settings for the masquerading.

    Will report it to Sophos and see what they tell us.

  • Markus,

    Not sure if you got answers on this. It is due to the MTU setting of the Separate Zone interface: it is set to 1450 to allow for the overhead of the VPN tunnel that goes between the AP and the Sophos appliance to create the virtual separate zone network. Sophos UTM9 used an MTU of 1500; for some reason it got changed to 1450 within the XG framework, and there are several devices or OSs out there that do not automatically discover the MTU size, therefore fragmentation occurs and it causes many odd traffic issues. Sophos is currently working on developing a fix for this in V16 of the OS; there is a command you can run in the advanced shell to adjust the TCP-MSS on the Separate Zone interface to resolve this issue temporarily. Let me know if you need this.

    Thanks,
    Hugh
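The MTU arithmetic behind Hugh's explanation, as an added example that is not part of the thread and is not the Sophos advanced-shell command he refers to. It shows why a 1450-byte tunnel interface implies a 1410-byte TCP MSS, gives a client-side don't-fragment ping that exposes a path that silently drops full-size segments, and emits the generic Linux iptables form of a TCP MSS clamp. Assumptions: the interface name "vxlan3" is taken from the tcpdump output earlier in this thread; that the XG advanced shell exposes iptables with the TCPMSS target is an unverified assumption; `ping -M do` is the Linux iputils flag.

```shell
#!/bin/sh
# Added example, not from the thread and not a Sophos-provided command.
# Assumptions: "vxlan3" comes from the tcpdump output in this thread; an
# iptables TCPMSS target being available on the XG is assumed, not verified.

VXLAN_OVERHEAD=50     # outer Ethernet 14 + IPv4 20 + UDP 8 + VXLAN 8 bytes
IPV4_TCP_HEADERS=40   # IPv4 20 + TCP 20 (no options)
IPV4_ICMP_HEADERS=28  # IPv4 20 + ICMP 8

# Largest inner packet that fits an outer MTU without fragmenting the tunnel.
vxlan_inner_mtu() {        # $1 = outer (physical) MTU, e.g. 1500
    echo $(( $1 - VXLAN_OVERHEAD ))
}

# TCP MSS that fits a given MTU without IP fragmentation.
tcp_mss_for_mtu() {        # $1 = path MTU, e.g. 1450
    echo $(( $1 - IPV4_TCP_HEADERS ))
}

# ping -s payload that exactly fills an MTU. Sent with DF set, it either
# arrives (path MTU >= MTU) or fails; a host that never does PMTU discovery
# is the one that stalls on real traffic at that size.
ping_payload_for_mtu() {   # $1 = MTU
    echo $(( $1 - IPV4_ICMP_HEADERS ))
}

# 0 if a TCP segment carrying $2 payload bytes crosses a path of MTU $1
# without fragmentation, 1 if it would be fragmented (or dropped with DF).
segment_fits() {           # $1 = MTU, $2 = TCP payload bytes
    [ "$2" -le "$(tcp_mss_for_mtu "$1")" ]
}

# Rule text that rewrites the MSS option of SYN segments forwarded through
# interface $1 to $2. SYNs travel both ways, so one rule per direction.
clamp_rules() {            # $1 = interface, $2 = MSS
    echo "iptables -t mangle -A FORWARD -o $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2"
    echo "iptables -t mangle -A FORWARD -i $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2"
}

IFACE="${IFACE:-vxlan3}"                 # separate-zone tunnel interface (assumed)
ZONE_MTU="$(vxlan_inner_mtu 1500)"       # 1450, matching the value in the thread
ZONE_MSS="$(tcp_mss_for_mtu "$ZONE_MTU")" # 1410

case "${1:-}" in
    show)   # print what the 1450-byte interface implies
        echo "tunnel MTU: $ZONE_MTU  TCP MSS: $ZONE_MSS  DF ping payload: $(ping_payload_for_mtu "$ZONE_MTU")"
        echo "current interface MTU:"; ip link show "$IFACE" 2>/dev/null | grep -o 'mtu [0-9]*'
        clamp_rules "$IFACE" "$ZONE_MSS"
        ;;
    probe)  # from a client in the zone: a DF ping that exactly fills the MTU
        ping -M do -c 3 -s "$(ping_payload_for_mtu "$ZONE_MTU")" "${2:?probe needs a host}"
        ;;
    apply)  # install the clamp (needs root; prints each rule before running it)
        clamp_rules "$IFACE" "$ZONE_MSS" | while read -r rule; do
            echo "+ $rule"; $rule
        done
        ;;
esac
```

Run with `show` to see the numbers and the rules, `probe <host>` from a client in the zone to confirm whether 1450-byte packets actually get through, and `apply` as root to clamp. `--set-mss 1410` is used rather than `--clamp-mss-to-pmtu` because the tunnel MTU is known and fixed; the clamp only touches the SYN's MSS option, so a host that ignores ICMP fragmentation-needed messages still ends up sending segments that fit.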

  • Hi Hugh,

    thanks for your reply! The issue is not solved so far, so it would be nice to get the workaround. Please let me know the needed details.

    We use the XG and its separate WLAN zones only for guest networks in our branch offices, so the problem was not the biggest one... In our main office / datacenter we still have our UTM cluster and I think we will work with that a bit longer... ;)

    Thanks for your help,

    cheers,

    Markus