Sophos xg85 WLAN - separate zone issues

Hi,

With our new xg85 for our branch office we have a problem with the guest WLAN with separate zone. Most websites are hanging and some don't come up completely.

With a test WLAN with bridge to ap-lan everything works fine.

These are normal WLANs with WPA2 Personal/AES security. For the guest WLAN the policy is set so that traffic from this LAN segment with any services to WAN is allowed. The same rule for bridge-to-LAN works perfectly.

Any hints?

Thank you,

best regards,

Markus



  • Hi Markus,

    Well, it sounds like the exact same scenario I have dealt with, so hopefully this will help you. This is a string that you run in the advanced shell: in the CLI use option 5 and then 3. Use "ifconfig" to locate the name of your Separate Zone interface and then replace <interface> in the string with your interface name. Keep in mind this is only a temporary fix, so if the appliance is rebooted the string will be removed from the iptables and will have to be entered again. I have been advised that the actual fix, which will not be a TCP-MSS adjustment, will be included in V16. I am not sure if you are using the web filter or not on your SZ policy, but with that enabled I had seen these issues not be as bad, as the Sophos is proxying the traffic and handling the web requests, so the MTU was not as much of an issue and pages seemed to load more consistently.

    iptables -I FORWARD 1 -i <interface> -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1280

    If you are using the web filter on a SZ policy then you are also probably noticing very slow speeds on that SSID. If this is the case, you can also run the following command with your interface name injected and you should see a large increase in performance on the SZ SSID. Again, this is a temporary fix for a separate issue on the SZ interfaces; to revert this change just run the command again and change off to on.

    ethtool -K <interface> tso off

    Let me know how you make out.

    Thanks,

    Hugh
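
Since the reply above describes both changes as temporary, a check like the following can confirm whether they are still in place on the Separate Zone interface. This is an added example, not part of the original reply or Sophos tooling; the interface name `wlnet1` and the sample outputs are constructed, and it assumes `iptables -S` and `ethtool -k` are available in the advanced shell.

```shell
#!/bin/sh
# Added example: parse `iptables -S FORWARD` and `ethtool -k <interface>` output
# to see whether the MSS clamp rule and the TSO setting are still active.

# Print the --set-mss value of the TCPMSS rule for interface $1, or nothing.
clamp_mss() {   # $1 = interface, $2 = text of `iptables -S FORWARD`
    printf '%s\n' "$2" | awk -v ifc="$1" '
        /-j TCPMSS/ {
            in_if = ""; mss = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-i") in_if = $(i + 1)
                if ($i == "--set-mss") mss = $(i + 1)
            }
            if (in_if == ifc && mss != "") { print mss; exit }
        }'
}

# Print "on" or "off" for TCP segmentation offload (ignores a "[fixed]" suffix).
tso_state() {   # $1 = text of `ethtool -k <interface>`
    printf '%s\n' "$1" | awk -F': *' '
        $1 == "tcp-segmentation-offload" { split($2, a, " "); print a[1]; exit }'
}

workaround_report() {   # $1 = interface, $2 = rule listing, $3 = feature listing
    mss=$(clamp_mss "$1" "$2")
    if [ -n "$mss" ]; then
        # 20-byte IPv4 header + 20-byte TCP header on top of the MSS
        echo "mss-clamp: $mss (IPv4 packets up to $((mss + 40)) bytes)"
    else
        echo "mss-clamp: missing on $1, rule must be entered again"
    fi
    echo "tso: $(tso_state "$3")"
}

# Constructed sample output; wlnet1 is a hypothetical interface name.
SAMPLE_RULES='-P FORWARD DROP
-A FORWARD -i wlnet1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1280
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'
SAMPLE_FEATURES='Features for wlnet1:
rx-checksumming: on
tcp-segmentation-offload: off
generic-segmentation-offload: on [fixed]'

workaround_report wlnet1 "$SAMPLE_RULES" "$SAMPLE_FEATURES"
```

On a live system the same function can be fed real output: `workaround_report <interface> "$(iptables -S FORWARD)" "$(ethtool -k <interface>)"`.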