
After XG310 Install Windows 7 / 10 shows "No Internet Access" but internet works fine

This past weekend I moved from a TMG 2010 to XG310. Everything is running correctly, but all the Windows machines are reporting "No internet access" with a yellow exclamation mark over their network connection status icons. Sophos is set up with "Sophos Transparent Authentication Suite" turned on and a collector on each of our Windows AD domain controllers.

 

The couple of posts I have found with the same issue are old and didn't have a real resolution. Things online said to turn off the part of Windows that checks this, but then the clients will always show they have internet access even when they don't, which isn't a solution either.

 

Anyone know what can be done for this or what can be added to the firewall rules to allow whatever check Microsoft does through successfully?

 

-Allan



  • Hi Allan, since this is not a common problem, I would say double-check your DNS and web access settings. Here is an old TechNet article that I found, but the mechanism that checks for connectivity is still the same in Windows 7/8/10. Let us know if this works for you.

  • I mentioned it seems common since I've seen other Sophos users with the same issue (i.e.: https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/80595/no-internet-access-notification , https://community.sophos.com/products/unified-threat-management/f/web-protection-web-filtering-application-visibility-control/44586/windows-7---no-internet-access-icon-if-http-proxy-enabled-in-transparent-mode , etc.) when I was troubleshooting my issue. But I can't figure it out.

     

    Everything "works" fine. Internet access is fine, DNS works, etc. I have a standard web access rule allowing HTTP and HTTPS with the "Default Workplace Policy" applied.

     

    I once did some consulting work at a place that had an Astaro v6 with transparent authentication that had the exact same issue (Windows XP back then), and I couldn't figure it out, but since it didn't seem to break anything I told them to ignore it.

     

    Does no one else have this issue or is no one using the transparent suite for authentication?

     

    -Allan

  • Allan,

    I experienced this exact same issue. It is due to STAS and how the firewall drops traffic while trying to figure out who the user is. I had to stop using STAS until Sophos comes up with a better implementation. I have 2 XG230s running in a cluster with multiple RED sites. The RED sites experienced the problem more than the users directly behind the XG. Both Domain Controllers are behind the XG and all RED sites use those. The XG takes way too long to identify the user and thus causes connectivity issues and shows the yellow exclamation point as you saw.

    Follow the article below and you can change some settings. The minimum recommended time is 40 seconds, and that still caused issues for me, but give it a try.

    https://community.sophos.com/kb/en-us/125468

    Thanks,

    Mike
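The "No Internet access" indicator is driven by the Windows NCSI probe (an HTTP fetch of a fixed text file plus a DNS lookup with a fixed expected answer), and it fails whenever that probe falls inside the window where STAS is still identifying the client. The script below is an added example, not code from this thread or from Sophos: it replicates the Windows 7/8 and Windows 10 probes from a Linux host on the same LAN and polls them on a timer, so the timestamps of failed probes can be lined up against the configured drop-period. The probe URLs, expected bodies and the 131.107.255.255 DNS answer are the documented Microsoft values; the 10-second poll interval is an assumption.

```python
"""Replicate the Windows NCSI connectivity probe from a Linux/macOS host.

Polling this from a client behind the firewall records when the probe
fails, which can be correlated with the STAS identification window.
"""
import socket
import time
import urllib.request
from urllib.error import URLError

# Windows 7/8 probe (NCSI) and Windows 10 probe (Connect Test).
PROBES = [
    ("http://www.msftncsi.com/ncsi.txt", "Microsoft NCSI"),
    ("http://www.msftconnecttest.com/connecttest.txt", "Microsoft Connect Test"),
]
# Windows also resolves this name and expects this fixed, non-routable answer.
DNS_NAME, DNS_EXPECTED = "dns.msftncsi.com", "131.107.255.255"


def classify_http(status, body, expected):
    """'ok' if the body matches exactly; 'portal' if something else answered
    200 (captive portal or block page); otherwise 'fail'."""
    if status == 200 and body.strip() == expected:
        return "ok"
    if status == 200:
        return "portal"
    return "fail"


def classify_dns(addresses):
    """'ok' only if the fixed NCSI answer is among the resolved addresses."""
    return "ok" if DNS_EXPECTED in addresses else "fail"


def probe_once(timeout=5.0):
    """Run every probe with a short timeout; return {probe: verdict}."""
    results = {}
    for url, expected in PROBES:
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                results[url] = classify_http(resp.status, resp.read().decode(), expected)
        except (URLError, socket.timeout, OSError):
            results[url] = "fail"  # dropped or timed out, as an unauth drop would look
    try:
        addrs = {ai[4][0] for ai in socket.getaddrinfo(DNS_NAME, None)}
        results[DNS_NAME] = classify_dns(addrs)
    except socket.gaierror:
        results[DNS_NAME] = "fail"
    return results


if __name__ == "__main__":
    # Assumed 10 s poll; a run of "fail" verdicts right after a client wakes
    # or changes IP points at the unauthenticated-traffic drop window.
    while True:
        print(time.strftime("%H:%M:%S"), probe_once())
        time.sleep(10)
```
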

  • I wish the problem was more consistent also. Like yesterday my own computer showed no internet access for about three hours. Today it did it for 45 minutes. I realize that's partially a Microsoft issue, but it also didn't happen before we put in the Sophos.

     

    I did the "echo 28800 > /proc/sys/ipset/ipset_guest_flush_timeout" command to increase the timeout, but I couldn't figure out the "system auth cta unauth-traffic drop-period" command and I don't want to randomly try things and break it. Do you know the exact syntax to lower it?

     

    We don't restrict anyone based on their user; we have a DMZ/customer wireless which is completely open access (bandwidth limited) and our regular user access is pretty wide open also. Is there any reason I can't set this down to 1?

     

    -Allan

  • We don't restrict access by user either. We tried to use it so we could get more granular reporting based on the user and not the IP, but even for us, setting it all the way down to 1 still caused small issues. Turning it down to 1 does not give the firewall enough time to learn who the user is, so it's almost as if you don't have the feature enabled.

    For your DMZ, I would exclude that subnet in the STAS application itself. That seems to work most of the time, but it's not 100%. I was still seeing some dropped packets from our DMZ Wi-Fi network saying identity was the cause.

    The "system auth cta unauth-traffic drop-period 40" command must be done from the device console, which is option 4 on the main menu. The other command is done from the advanced shell of the firewall.

    Hope this helps.

    Mike

  • Yes it does, thank you. I was trying to do the drop-period command from the advanced shell and of course it wasn't working.

     

    I'll try it with 30 and see if it's better. Although anything would be better at this point to stop users from calling and saying they have no internet access, then asking them if they can get to Google and, when they say yes, telling them they have internet access and trying to explain what's going on over and over.

     

    -Allan

  • I feel your pain. That article wasn't out when I had the problem, and support "couldn't find anything wrong" until I started doing drop packet captures and showed them the firewall was at fault. We only want to use STAS to help identify the users. I wish they would come up with a way to not block users like this when the firewall cannot identify them. Even at 30 seconds, that is a while to wait when you have someone trying to access something right then.

    Mike
