After deciding to leave Forefront TMG behind due to its end-of-life, I decided to change the home gateway to a new product. Sophos UTM Home has been amazing so far... except for the web proxy. Some websites take EXTREMELY long times to load or time out completely and the UTM throws an error page which looks inconveniently similar to a 'Content Blocked' page.
We're getting a lot of '502' and '504' errors, which are not website dependent, they are random. Like, you could refresh the page and it'll load instantly.
2014:04:23-04:11:32 UTM httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.60.21.2" dstip="85.115.22.9" user="[authenticated user]" statuscode="502" cached="0" profile="REF_HttProInternal (Internal)" filteraction="REF_HttCffStandUsersFilte (Standard Users filter policy)" size="2627" request="0x17375760" url="www.astaro.org/.../Business Forums" application="http"
The 504 timeouts are much more common.
2014:04:23-04:06:20 UTM httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.60.21.2" dstip="173.194.34.74" user="[authenticated user]" statuscode="504" cached="0" profile="REF_HttProInternal (Internal)" filteraction="REF_HttCffStandUsersFilte (Standard Users filter policy)" size="2784" request="0x9a6bdc0" url="geo2.ggpht.com/[censored]" exceptions="" error="Connection to server timed out" authtime="105" dnstime="5" cattime="51896" avscantime="0" fullreqtime="60576692" device="0" auth="2" category="177" reputation="trusted" categoryname="Content Server" application="google"
2014:04:23-04:06:21 UTM httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.60.21.2" dstip="173.194.34.74" user="[authenticated user]" statuscode="504" cached="0" profile="REF_HttProInternal (Internal)" filteraction="REF_HttCffStandUsersFilte (Standard Users filter policy)" size="2784" request="0x17374000" url="geo2.ggpht.com/[censored]" exceptions="" error="Connection to server timed out" authtime="121" dnstime="5" cattime="51195" avscantime="0" fullreqtime="60348476" device="0" auth="2" category="177" reputation="trusted" categoryname="Content Server" application="google"
2014:04:23-04:06:24 UTM httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.60.21.2" dstip="173.194.34.74" user="[authenticated user]" statuscode="504" cached="0" profile="REF_HttProInternal (Internal)" filteraction="REF_HttCffStandUsersFilte (Standard Users filter policy)" size="2784" request="0x17c72aa0" url="geo3.ggpht.com/[censored]" exceptions="" error="Connection to server timed out" authtime="110" dnstime="6" cattime="51484" avscantime="0" fullreqtime="60884620" device="0" auth="2" category="177" reputation="trusted" categoryname="Content Server" application="google"
2014:04:23-04:06:24 UTM httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.60.21.2" dstip="173.194.34.74" user="[authenticated user]" statuscode="504" cached="0" profile="REF_HttProInternal (Internal)" filteraction="REF_HttCffStandUsersFilte (Standard Users filter policy)" size="2783" request="0x18086220" url="geo3.ggpht.com/[censored]" exceptions="" error="Connection to server timed out" authtime="127" dnstime="8" cattime="50644" avscantime="0" fullreqtime="70746985" device="0" auth="2" category="177" reputation="trusted" categoryname="Content Server" application="google"
2014:04:23-04:06:26 UTM httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.60.21.2" dstip="173.194.34.74" user="[authenticated user]" statuscode="504" cached="0" profile="REF_HttProInternal (Internal)" filteraction="REF_HttCffStandUsersFilte (Standard Users filter policy)" size="2784" request="0x171f0220" url="geo3.ggpht.com/[censored]" exceptions="" error="Connection to server timed out" authtime="183" dnstime="8" cattime="50721" avscantime="0" fullreqtime="70454679" device="0" auth="2" category="177" reputation="trusted" categoryname="Content Server" application="google"
2014:04:23-04:06:26 UTM httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.60.21.2" dstip="173.194.34.74" user="[authenticated user]" statuscode="504" cached="0" profile="REF_HttProInternal (Internal)" filteraction="REF_HttCffStandUsersFilte (Standard Users filter policy)" size="2784" request="0x1781a660" url="geo2.ggpht.com/[censored]" exceptions="" error="Connection to server timed out" authtime="189" dnstime="8" cattime="51206" avscantime="0" fullreqtime="70337461" device="0" auth="2" category="177" reputation="trusted" categoryname="Content Server" application="google"
This happened when using Google Streetview which resulted in a load of images which make up my street missing.
Image searches also exhibit the problem.
2014:04:23-04:25:14 UTM httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.60.21.2" dstip="23.62.53.56" user="[authenticated user]" statuscode="504" cached="0" profile="REF_HttProInternal (Internal)" filteraction="REF_HttCffStandUsersFilte (Standard Users filter policy)" size="2784" request="0x171f0aa0" url="ts1.mm.bing.net/th
2014:04:23-04:25:14 UTM httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.60.21.2" dstip="23.62.53.56" user="[authenticated user]" statuscode="504" cached="0" profile="REF_HttProInternal (Internal)" filteraction="REF_HttCffStandUsersFilte (Standard Users filter policy)" size="2791" request="0x17284ee0" url="ts2.mm.bing.net/th
2014:04:23-04:25:14 UTM httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.60.21.2" dstip="23.62.53.56" user="[authenticated user]" statuscode="504" cached="0" profile="REF_HttProInternal (Internal)" filteraction="REF_HttCffStandUsersFilte (Standard Users filter policy)" size="2887" request="0x17375ba0" url="ts2.mm.bing.net/th
2014:04:23-04:25:15 UTM httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.60.21.2" dstip="23.62.53.56" user="[authenticated user]" statuscode="504" cached="0" profile="REF_HttProInternal (Internal)" filteraction="REF_HttCffStandUsersFilte (Standard Users filter policy)" size="2795" request="0x17c73540" url="ts1.mm.bing.net/th
2014:04:23-04:25:15 UTM httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.60.21.2" dstip="23.62.53.56" user="[authenticated user]" statuscode="504" cached="0" profile="REF_HttProInternal (Internal)" filteraction="REF_HttCffStandUsersFilte (Standard Users filter policy)" size="2793" request="0x17c73ba0" url="ts1.mm.bing.net/th
However, if I accessed the above links, the image shows us instantly.
Hardware
- The computer this is running on has a 3.4Ghz AMD Phenom II quad core CPU, 8GB RAM, 3 NICs (1x Realtek crap - not used, 1x Intel Pro 1000 PT dual port NIC)
- This UTM box is running as a VM guest using VMware Workstation 10.0.2
- Eth0 is bridged to Realtek adapter (not connected), Eth1 is bridged to port 1 of the Intel Pro 1000 PT and used for the Internal network and Eth2 is bridged to port 2 for WAN.
- UTM version is 9.201-23
- All virtual adapter types are e1000
Network
- BT Infinity powers our connection providing about 73Mb-76Mb download and 16Mb-19Mb upload. Speed is NOT the issue here, just the timeouts are.
Internet [VDSL modem]
|
Public IP address
Cisco RV180 router handles PPPoE and NAT
192.168.1.254
|
192.168.1.5
Sophos UTM
10.60.21.251
|
10.60.21.0
Internal network
- Unfortunately, due to the RV180's built in VPN server, I cannot bridge this router and let the UTM handle PPPoE/NAT because I need 24/7 access to this VPN even if the Sophos UTM VM is turned off.
- A static route is configured on the RV180 to route traffic back to the UTM.
- NAT (Masquerading [Internal -> External]) is disabled (I think this is how to disable NAT, but I'm not sure. Did I not turn NAT off properly?) on Sophos UTM to avoid double-NAT but I have tried enabling it which did not solve the problem.
- DNS is provided by OpenDNS and the forwarder is set to use the OpenDNS servers IP.
- No networks are allowed to use the the system as a DNS resolver because we have an Active Directory server which handles Internal DNS requests.
- The web proxy operates in standard mode and authentication is done by Active Directory.
Usual suspects
- Nothing related to these issues seems to be blocked by the firewall. Some broadcasts and SYN/ACK replies are being blocked but I doubt these are related to the problem.
- IPS is not blocking anything.
- Advanced Threat Protection also is not blocking anything.
- Application Control is enabled but ONLY for Facebook Apps and Google+
Did I miss anything? Please do let me know.
I'm a bit stumped. I've searched high and low on this forum looking for a solution for users with similar problems. However, these users had the problem on FIXED URLs and would happen every time whereas my problem is on random URLs. Anybody knows anything about this kind of problem, please let me know.
Sorry for a long first post, I know, but I am trying to make my setup as clear as possible.
EDIT
Got this while posting this thread [8-)]
2014:04:23-05:01:42 UTM httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="10.60.21.2" dstip="85.115.22.9" user="[authenticated user]" statuscode="504" cached="0" profile="REF_HttProInternal (Internal)" filteraction="REF_HttCffStandUsersFilte (Standard Users filter policy)" size="2680" request="0x171f1dc0" url="www.astaro.org/newthread.php
This thread was automatically locked due to age.
