
Sophos xg85 WLAN - separate zone issues

Hi,

With our new XG85 for our branch office we have a problem with the guest WLAN in a separate zone. Most websites are hanging and some don't come up completely.

With a test WLAN with bridge to ap-lan everything works fine.

These are normal WLANs with WPA2 Personal/AES security. For the guest WLAN the policy is set so that from this LAN segment any service to WAN is allowed. The same rule for the bridge-to-LAN WLAN works perfectly.

Any hints?

Thank you,

best regards,

Markus



  • Markus,

    Not sure if you got answers on this - it is due to the MTU setting of the Separate Zone interface. It is set to 1450 to allow for the overhead of the VPN tunnel that goes between the AP and the Sophos appliance to create the virtual separate zone network.  Sophos UTM9 used an MTU of 1500; for some reason it got changed to 1450 within the XG framework, and there are several devices or OSes out there that do not automatically discover the MTU size, therefore fragmentation occurs and it causes many odd traffic issues.  Sophos is currently working on developing a fix for this in V16 of the OS. There is a command you can run in the advanced shell to adjust the TCP MSS on the Separate Zone interface to resolve this issue temporarily.  Let me know if you need this.

    Thanks,
    Hugh

  • Hi Hugh,

    thanks for your reply! The issue is not solved so far, so it would be nice for me to get the workaround. Please let me know the needed details.

    We use the XG and its separate WLAN zones only for guest networks in our branch offices, so the problem was not the biggest one... In our main office / datacenter we still have our UTM cluster and I think we will work with that a bit longer... ;)

    Thanks for your help,

    cheers,

    Markus

  • Hi Markus,

    Well, it sounds like the exact same scenario I have dealt with, so hopefully this will help you.  This is the string that you run in the advanced shell - in the CLI use option 5 and then 3.  Use "ifconfig" to locate the name of your Separate Zone interface and then replace <interface> in the string with your interface name.  Keep in mind this is only a temporary fix, so if the appliance is rebooted the string will be removed from the iptables and will have to be entered again.  I have been advised that the actual fix, which will not be a TCP MSS adjustment, will be included in V16.  I am not sure if you are using the web filter or not on your SZ policy, but with that enabled I had seen these issues not be as bad, as the Sophos is proxying the traffic and handling the web requests, so the MTU was not as much of an issue and pages seemed to load more consistently.

    iptables -I FORWARD 1 -i <interface> -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1280

    If you are using the web filter on an SZ policy then you are also probably noticing very slow speeds on that SSID. If this is the case you can also run the following command with your interface name injected and you should see a large increase in performance on the SZ SSID.  Again, this is a temporary fix for a separate issue on the SZ interfaces; to revert this change just run the command again and change off to on.

    ethtool -K <interface> tso off

    Let me know how you make out.

    Thanks,

    Hugh
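As an added illustration of the mechanism Hugh describes (not code from the thread or from Sophos): the script below parses ifconfig-style output, flags interfaces whose MTU is below the usual 1500, derives the largest MSS that fits in one unfragmented IPv4 packet on such a link, and emits the SYN-only clamp rule from the post in an idempotent check-then-insert form. The interface names, addresses and the ifconfig text are constructed samples; the real Separate Zone interface name has to be read from the appliance as Hugh says.

```python
import re

# Constructed sample modelled on the old net-tools ifconfig layout; names and
# addresses are invented and do not come from a real XG appliance.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

wlnet1    Link encap:Ethernet  HWaddr 00:11:22:33:44:66
          inet addr:198.51.100.1  Bcast:198.51.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1
"""

IPV4_HEADER = 20  # bytes, no IP options
TCP_HEADER = 20   # bytes, no TCP options

def parse_ifconfig(text):
    """Map interface name -> MTU; accepts both 'MTU:1450' and 'mtu 1450' layouts."""
    mtus = {}
    current = None
    for line in text.splitlines():
        head = re.match(r"^(\S+?):?\s", line)  # an unindented line opens a new interface
        if head and not line.startswith(" "):
            current = head.group(1)
        mtu = re.search(r"\bMTU[: ](\d+)", line, re.IGNORECASE)
        if mtu and current:
            mtus[current] = int(mtu.group(1))
    return mtus

def mss_for_mtu(mtu):
    """Largest TCP payload that crosses this link in one IPv4 packet without fragmentation."""
    return mtu - IPV4_HEADER - TCP_HEADER

def undersized_interfaces(mtus, reference=1500):
    """Interfaces below the normal Ethernet MTU, i.e. the tunnel-backed ones worth clamping."""
    return sorted(name for name, mtu in mtus.items() if mtu < reference)

def clamp_rule(iface, mss):
    """The SYN-only TCPMSS rule from the thread, plus an iptables -C check so reapplying is safe."""
    match = f"-i {iface} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {mss}"
    return {"check": f"iptables -C FORWARD {match}", "insert": f"iptables -I FORWARD 1 {match}"}

if __name__ == "__main__":
    mtus = parse_ifconfig(SAMPLE_IFCONFIG)
    for iface in undersized_interfaces(mtus):
        mss = mss_for_mtu(mtus[iface])          # 1450 -> 1410; the post's 1280 is a more conservative choice
        rule = clamp_rule(iface, mss)
        print(f"{iface}: MTU {mtus[iface]} -> clamp MSS to {mss}")
        print(f"  {rule['check']} 2>/dev/null || {rule['insert']}")
```

Because the rule lives only in the running iptables, the check-then-insert line is what you would put in whatever runs after a reboot, so the clamp is neither lost nor inserted twice.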
