
unable to reach public ip's.

Hi,

 

For a couple of months now I've been having intermittent problems with traffic that's going to public (IP) destinations. For instance, everything is running smoothly and all of a sudden you can't resolve a page any more; if you try to do a ping to the DNS FQDN it won't work.

 

First I thought it was a DNS issue, but it wasn't. (The DNS servers are internal and are reachable, and they forward the traffic to public DNS servers, and that's where I noticed it went wrong.) The firewall itself is reachable internally, but everything connected on the WAN port isn't reachable from the LAN IP space.

 

I've switched the profiles of the IPS, I've double-checked the firewall rules, I've scoured the logs (thank god you guys are going to fix this in the 17 patch, right?), but to no avail. Is there anybody who knows why this is happening?

I've had this with versions running from 15.x.x to the current latest firmware version. (Home license.)

Regards,

 

Reinout



  • Reinout,

    When you are experiencing the issue, what is the output of a ping command? Any interesting log inside System Logs or IPS Logs?

    Also make sure your patterns are correctly updated.

    Thanks

  • Hi,

     

    Ping returns "No reply"; no traffic to public IPs is possible at that point. The logs don't show anything specific. (Or where would you look? I checked the "firewall" and IPS logs.) I see some activity based on DNS, but that should block specific traffic, not all traffic. For instance, if I ping the IP 8.8.8.8 it doesn't respond.

    The whole firewall is up to date. Nothing is lagging.

     

    Regards,

     

    Reinout

  • Hi Reinout,

    When the incident takes place, run "tracert -d xyz.com" and post the output. Check #1 in my guide here and monitor the drop packet capture. Alongside, with the help of the packet capture, let us know which firewall rule ID forwards the traffic.

    Thanks

  • Better do a "tracert -d 8.8.8.8", since resolving the FQDN doesn't work to begin with.
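The advice in the two replies above is to capture evidence at the moment the outage starts, which is hard to do by hand when pings "work one second and the next they don't". The watchdog below is an added example written for this thread, not code from the original posts or from Sophos: it polls the thread's test address (8.8.8.8) with a single ping, and the first time a reply stops arriving it records a numeric traceroute (`tracert -d` on Windows, `traceroute -n` elsewhere) to a log file, then notes when replies resume. The polling interval, log file name and the embedded sample ping outputs are constructed assumptions. One detail the parser handles deliberately: Windows `ping` counts a "Destination host unreachable" line from the gateway as a received packet, so the summary line is not trusted; only an echo reply from the target itself counts.

```python
"""Connectivity watchdog: poll a public IP and capture a traceroute when it stops replying.

Added example for this thread, not code from the original posts or from Sophos.
Assumes ping and tracert (Windows) or ping and traceroute (Linux/macOS) are on PATH.
"""
import datetime
import platform
import re
import subprocess
import time

TARGET = "8.8.8.8"            # the address the thread uses as its reachability test
INTERVAL_SECONDS = 10         # assumed polling interval
LOG_FILE = "wan_watchdog.log" # assumed log file name
WINDOWS = platform.system() == "Windows"

# Constructed sample ping outputs (Windows and Unix formats) used to exercise the parser.
WIN_OK = (
    "Pinging 8.8.8.8 with 32 bytes of data:\n"
    "Reply from 8.8.8.8: bytes=32 time=14ms TTL=117\n"
)
WIN_UNREACH = (
    "Pinging 8.8.8.8 with 32 bytes of data:\n"
    "Reply from 192.168.1.1: Destination host unreachable.\n"
    "    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),\n"
)
WIN_TIMEOUT = "Pinging 8.8.8.8 with 32 bytes of data:\nRequest timed out.\n"
UNIX_OK = (
    "PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.\n"
    "64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=14.2 ms\n"
)


def parse_ping_output(output: str, target: str) -> bool:
    """True only if an echo reply came from *target* itself.

    A "Reply from <gateway>: Destination host unreachable." line is not a reply
    from the target, and neither is "TTL expired in transit", so the Windows
    pattern requires the "bytes=" field that only a real echo reply carries.
    """
    win = re.compile(r"^Reply from " + re.escape(target) + r": bytes=", re.M)
    unix = re.compile(r"^\d+ bytes from " + re.escape(target) + r"[: ]", re.M)
    return bool(win.search(output) or unix.search(output))


def ping_once(target: str) -> bool:
    """Send one echo request with a 2 s timeout; numeric output, no DNS needed."""
    if WINDOWS:
        cmd = ["ping", "-n", "1", "-w", "2000", target]
    else:
        cmd = ["ping", "-n", "-c", "1", "-W", "2", target]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return parse_ping_output(proc.stdout, target)


def trace(target: str) -> str:
    """Numeric traceroute, as recommended in the thread (no name resolution)."""
    if WINDOWS:
        cmd = ["tracert", "-d", "-w", "1000", target]
    else:
        cmd = ["traceroute", "-n", "-w", "1", target]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def next_state(prev_up: bool, now_up: bool) -> str:
    """Classify a poll as 'up', 'down', 'outage-start' or 'recovered'."""
    if prev_up and not now_up:
        return "outage-start"
    if not prev_up and now_up:
        return "recovered"
    return "up" if now_up else "down"


def log(msg: str) -> None:
    stamp = datetime.datetime.now().isoformat(timespec="seconds")
    with open(LOG_FILE, "a", encoding="utf-8") as f:
        f.write(f"{stamp} {msg}\n")


def watch(target: str = TARGET) -> None:
    """Poll forever; capture a traceroute once per outage, and note recovery."""
    up = True
    while True:
        now_up = ping_once(target)
        state = next_state(up, now_up)
        if state == "outage-start":
            log(f"{target} stopped replying; traceroute follows")
            log(trace(target))
        elif state == "recovered":
            log(f"{target} replying again")
        up = now_up
        time.sleep(INTERVAL_SECONDS)


if __name__ == "__main__":
    watch()
```

Run it on a LAN host and leave it going; the log then contains a timestamped traceroute from inside the outage window, which is what the reply asks for, and the timestamps can be lined up against the firewall log entries that show which rule matched at that moment.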

  • Hi, sorry

     

    for responding so long after your post(s), but I was very busy with other stuff (work related). Tracert 8.8.8.8 doesn't work; it goes from normal working tracert results to nothing, next hop not found.

     

    Secondly, I tried making a dump of specific traffic that wasn't being resolved any more during one of those outages, but I didn't see anything....

     

    Any other ideas?

  • Hi,

    Can you please post the tracert output? If the packets are not reaching the Sophos Firewall then they are getting dropped.

    Thanks

  • Hi,

     

    First of all, sorry for being so slow in my responses, but I'm flooded with work and this is my home issue :)

     

    Like I said, tracert just breaks. At that moment the Sophos is unresponsive. I can open the web interface of the Sophos XG; I just can't get any traffic through to the public interface. I've also seen traffic being redirected to rule 0 in the firewall (while it should match rule 1 for my internet traffic).

     

    Pings and tracert work one second and the next they don't; it's that simple.

    (I've even tried reinstalling and stuff, switching hardware (NICs).)

    Regards,

     

    Reinout

  • Some context: in the log the same traffic is getting the correct firewall rule, and when everything stops working I see the identical traffic hitting firewall rule 0....

  • Hi,

    I wonder if you see anything in the drop-packet-capture logs when the issue develops. Do you see any dropped/error packets on the interfaces? SSH to the XG, go to option 3 (Device Console) and execute the following command:

    show network interfaces

    Show me the output; if there are dropped/error packets then that could be the possible cause. Refer to #4 in my troubleshooting guide.

    Cheers-
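A single snapshot of interface counters only says that some errors or drops have ever happened; what matters for an intermittent fault is whether the counters are moving while the outage is in progress. The script below is an added example for this thread, not code from the original posts or from Sophos. It parses two snapshots of interface counters taken before and during an outage, reports every error/drop/overrun counter that increased, and also lists interfaces whose TX packet counter did not move at all, which would point at the firewall not forwarding (consistent with the rule 0 observation earlier in the thread) rather than at a bad link. The ifconfig-style layout of the snapshots is an assumption about what `show network interfaces` prints; the interface names, MAC addresses and counter values are constructed. Adjust the two regexes if your console output is laid out differently.

```python
"""Diff two interface-counter snapshots and flag counters that grew during an outage.

Added example for this thread, not Sophos code. The ifconfig-style snapshot
format is an assumption about the console output; all values are constructed.
"""
import re
from typing import Dict, List, Tuple

Counters = Dict[str, int]

# Constructed snapshot taken while everything worked.
SNAPSHOT_BEFORE = """\
Port1     Link encap:Ethernet  HWaddr 00:11:22:33:44:01
          RX packets:1520000 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1210000 errors:0 dropped:0 overruns:0 carrier:0
Port2     Link encap:Ethernet  HWaddr 00:11:22:33:44:02
          RX packets:2840000 errors:3 dropped:12 overruns:0 frame:0
          TX packets:2050000 errors:0 dropped:0 overruns:0 carrier:0
"""

# Constructed snapshot taken during the outage: Port2 (the WAN side here) is
# still receiving, its RX drop counter is climbing, and it sends nothing.
SNAPSHOT_DURING = """\
Port1     Link encap:Ethernet  HWaddr 00:11:22:33:44:01
          RX packets:1530000 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1215000 errors:0 dropped:0 overruns:0 carrier:0
Port2     Link encap:Ethernet  HWaddr 00:11:22:33:44:02
          RX packets:2840500 errors:3 dropped:640 overruns:0 frame:0
          TX packets:2050000 errors:0 dropped:0 overruns:0 carrier:0
"""

IFACE_RE = re.compile(r"^(\S+)\s+Link encap:")
COUNTER_RE = re.compile(
    r"^\s+(RX|TX) packets:(\d+) errors:(\d+) dropped:(\d+) overruns:(\d+)"
)


def parse_counters(text: str) -> Dict[str, Counters]:
    """Map interface name -> {rx_packets, rx_errors, rx_dropped, rx_overruns, tx_...}."""
    result: Dict[str, Counters] = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            d = m.group(1).lower()
            result[current][f"{d}_packets"] = int(m.group(2))
            result[current][f"{d}_errors"] = int(m.group(3))
            result[current][f"{d}_dropped"] = int(m.group(4))
            result[current][f"{d}_overruns"] = int(m.group(5))
    return result


def counter_deltas(before: Dict[str, Counters],
                   after: Dict[str, Counters]) -> List[Tuple[str, str, int]]:
    """(interface, counter, increase) for every error/drop/overrun counter that grew."""
    findings = []
    for iface, counters in after.items():
        base = before.get(iface, {})
        for name, value in counters.items():
            if name.endswith("_packets"):
                continue  # packet totals are expected to grow; only faults are reported
            delta = value - base.get(name, 0)
            if delta > 0:
                findings.append((iface, name, delta))
    return findings


def idle_interfaces(before: Dict[str, Counters],
                    after: Dict[str, Counters]) -> List[str]:
    """Interfaces whose TX packet counter did not move: nothing is being sent out of them."""
    return [
        iface for iface, counters in after.items()
        if counters.get("tx_packets", 0) == before.get(iface, {}).get("tx_packets", 0)
    ]


if __name__ == "__main__":
    b, a = parse_counters(SNAPSHOT_BEFORE), parse_counters(SNAPSHOT_DURING)
    for iface, name, delta in counter_deltas(b, a):
        print(f"{iface}: {name} increased by {delta}")
    for iface in idle_interfaces(b, a):
        print(f"{iface}: no packets transmitted between snapshots")
```

Take the first snapshot while the connection is healthy and the second as soon as pings fail, then paste both into the two strings (or read them from files). A growing `rx_dropped` on the WAN port during the outage is the kind of evidence the reply asks for; a WAN port whose TX counter is frozen while the LAN port keeps transmitting says the firewall is receiving the LAN traffic but not sending it on.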