This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web proxy - 502 & 504 timeouts

Hi everybody, little newbie to the forum here!

After deciding to leave Forefront TMG behind due to its end-of-life, I decided to change the home gateway to a new product. Sophos UTM Home has been amazing so far... except for the web proxy. Some websites take EXTREMELY long times to load or time out completely and the UTM throws an error page which looks inconveniently similar to a 'Content Blocked' page.

We're getting a lot of '502' and '504' errors, which are not website dependent, they are random. Like, you could refresh the page and it'll load instantly.

2014:04:23-04:11:32 UTM httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.60.21.2" dstip="85.115.22.9" user="[authenticated user]" statuscode="502" cached="0" profile="REF_HttProInternal (Internal)" filteraction="REF_HttCffStandUsersFilte (Standard Users filter policy)" size="2627" request="0x17375760" url="www.astaro.org/.../Business Forums" application="http"

The 504 timeouts are much more common.

2014:04:23-04:06:20 UTM httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.60.21.2" dstip="173.194.34.74" user="[authenticated user]" statuscode="504" cached="0" profile="REF_HttProInternal (Internal)" filteraction="REF_HttCffStandUsersFilte (Standard Users filter policy)" size="2784" request="0x9a6bdc0" url="geo2.ggpht.com/[censored]" exceptions="" error="Connection to server timed out" authtime="105" dnstime="5" cattime="51896" avscantime="0" fullreqtime="60576692" device="0" auth="2" category="177" reputation="trusted" categoryname="Content Server" application="google" 
2014:04:23-04:06:21 UTM httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.60.21.2" dstip="173.194.34.74" user="[authenticated user]" statuscode="504" cached="0" profile="REF_HttProInternal (Internal)" filteraction="REF_HttCffStandUsersFilte (Standard Users filter policy)" size="2784" request="0x17374000" url="geo2.ggpht.com/[censored]" exceptions="" error="Connection to server timed out" authtime="121" dnstime="5" cattime="51195" avscantime="0" fullreqtime="60348476" device="0" auth="2" category="177" reputation="trusted" categoryname="Content Server" application="google" 
2014:04:23-04:06:24 UTM httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.60.21.2" dstip="173.194.34.74" user="[authenticated user]" statuscode="504" cached="0" profile="REF_HttProInternal (Internal)" filteraction="REF_HttCffStandUsersFilte (Standard Users filter policy)" size="2784" request="0x17c72aa0" url="geo3.ggpht.com/[censored]" exceptions="" error="Connection to server timed out" authtime="110" dnstime="6" cattime="51484" avscantime="0" fullreqtime="60884620" device="0" auth="2" category="177" reputation="trusted" categoryname="Content Server" application="google" 
2014:04:23-04:06:24 UTM httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.60.21.2" dstip="173.194.34.74" user="[authenticated user]" statuscode="504" cached="0" profile="REF_HttProInternal (Internal)" filteraction="REF_HttCffStandUsersFilte (Standard Users filter policy)" size="2783" request="0x18086220" url="geo3.ggpht.com/[censored]" exceptions="" error="Connection to server timed out" authtime="127" dnstime="8" cattime="50644" avscantime="0" fullreqtime="70746985" device="0" auth="2" category="177" reputation="trusted" categoryname="Content Server" application="google" 
2014:04:23-04:06:26 UTM httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.60.21.2" dstip="173.194.34.74" user="[authenticated user]" statuscode="504" cached="0" profile="REF_HttProInternal (Internal)" filteraction="REF_HttCffStandUsersFilte (Standard Users filter policy)" size="2784" request="0x171f0220" url="geo3.ggpht.com/[censored]" exceptions="" error="Connection to server timed out" authtime="183" dnstime="8" cattime="50721" avscantime="0" fullreqtime="70454679" device="0" auth="2" category="177" reputation="trusted" categoryname="Content Server" application="google" 
2014:04:23-04:06:26 UTM httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.60.21.2" dstip="173.194.34.74" user="[authenticated user]" statuscode="504" cached="0" profile="REF_HttProInternal (Internal)" filteraction="REF_HttCffStandUsersFilte (Standard Users filter policy)" size="2784" request="0x1781a660" url="geo2.ggpht.com/[censored]" exceptions="" error="Connection to server timed out" authtime="189" dnstime="8" cattime="51206" avscantime="0" fullreqtime="70337461" device="0" auth="2" category="177" reputation="trusted" categoryname="Content Server" application="google"

This happened when using Google Streetview which resulted in a load of images which make up my street missing.

Image searches also exhibit the problem.

2014:04:23-04:25:14 UTM httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.60.21.2" dstip="23.62.53.56" user="[authenticated user]" statuscode="504" cached="0" profile="REF_HttProInternal (Internal)" filteraction="REF_HttCffStandUsersFilte (Standard Users filter policy)" size="2784" request="0x171f0aa0" url="ts1.mm.bing.net/th
2014:04:23-04:25:14 UTM httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.60.21.2" dstip="23.62.53.56" user="[authenticated user]" statuscode="504" cached="0" profile="REF_HttProInternal (Internal)" filteraction="REF_HttCffStandUsersFilte (Standard Users filter policy)" size="2791" request="0x17284ee0" url="ts2.mm.bing.net/th
2014:04:23-04:25:14 UTM httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.60.21.2" dstip="23.62.53.56" user="[authenticated user]" statuscode="504" cached="0" profile="REF_HttProInternal (Internal)" filteraction="REF_HttCffStandUsersFilte (Standard Users filter policy)" size="2887" request="0x17375ba0" url="ts2.mm.bing.net/th
2014:04:23-04:25:15 UTM httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.60.21.2" dstip="23.62.53.56" user="[authenticated user]" statuscode="504" cached="0" profile="REF_HttProInternal (Internal)" filteraction="REF_HttCffStandUsersFilte (Standard Users filter policy)" size="2795" request="0x17c73540" url="ts1.mm.bing.net/th
2014:04:23-04:25:15 UTM httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.60.21.2" dstip="23.62.53.56" user="[authenticated user]" statuscode="504" cached="0" profile="REF_HttProInternal (Internal)" filteraction="REF_HttCffStandUsersFilte (Standard Users filter policy)" size="2793" request="0x17c73ba0" url="ts1.mm.bing.net/th

However, if I accessed the above links, the image shows us instantly.

Hardware
- The computer this is running on has a 3.4Ghz AMD Phenom II quad core CPU, 8GB RAM, 3 NICs (1x Realtek crap - not used, 1x Intel Pro 1000 PT dual port NIC)

- This UTM box is running as a VM guest using VMware Workstation 10.0.2

- Eth0 is bridged to Realtek adapter (not connected), Eth1 is bridged to port 1 of the Intel Pro 1000 PT and used for the Internal network and Eth2 is bridged to port 2 for WAN.

- UTM version is 9.201-23

- All virtual adapter types are e1000

Network
- BT Infinity powers our connection providing about 73Mb-76Mb download and 16Mb-19Mb upload. Speed is NOT the issue here, just the timeouts are.

Internet [VDSL modem]
   |
Public IP address
Cisco RV180 router handles PPPoE and NAT
192.168.1.254
   |
192.168.1.5
Sophos UTM
10.60.21.251
   |
10.60.21.0
Internal network

- Unfortunately, due to the RV180's built in VPN server, I cannot bridge this router and let the UTM handle PPPoE/NAT because I need 24/7 access to this VPN even if the Sophos UTM VM is turned off.

- A static route is configured on the RV180 to route traffic back to the UTM.

- NAT (Masquerading [Internal -> External]) is disabled (I think this is how to disable NAT, but I'm not sure. Did I not turn NAT off properly?) on Sophos UTM to avoid double-NAT but I have tried enabling it which did not solve the problem.

- DNS is provided by OpenDNS and the forwarder is set to use the OpenDNS servers IP.

- No networks are allowed to use the the system as a DNS resolver because we have an Active Directory server which handles Internal DNS requests.

- The web proxy operates in standard mode and authentication is done by Active Directory.

Usual suspects
- Nothing related to these issues seems to be blocked by the firewall. Some broadcasts and SYN/ACK replies are being blocked but I doubt these are related to the problem.

- IPS is not blocking anything.

- Advanced Threat Protection also is not blocking anything.

- Application Control is enabled but ONLY for Facebook Apps and Google+

Did I miss anything? Please do let me know.

I'm a bit stumped. I've searched high and low on this forum looking for a solution for users with similar problems. However, these users had the problem on FIXED URLs and would happen every time whereas my problem is on random URLs. Anybody knows anything about this kind of problem, please let me know.

Sorry for a long first post, I know, but I am trying to make my setup as clear as possible.

EDIT
Got this while posting this thread [8-)]

2014:04:23-05:01:42 UTM httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="10.60.21.2" dstip="85.115.22.9" user="[authenticated user]" statuscode="504" cached="0" profile="REF_HttProInternal (Internal)" filteraction="REF_HttCffStandUsersFilte (Standard Users filter policy)" size="2680" request="0x171f1dc0" url="www.astaro.org/newthread.php

This thread was automatically locked due to age.

0 William Warren over 11 years ago

workstation..not unless you gave it a dedicated nic. so put a second nic into the box and use it ONLY for the wan connection of your utm vm..then you could run directly to your modem and let the utm do pppoe.
Cancel
Vote Up 0 Vote Down

Cancel
0 Someone7272 over 11 years ago in reply to William Warren

workstation..not unless you gave it a dedicated nic. so put a second nic into the box and use it ONLY for the wan connection of your utm vm..then you could run directly to your modem and let the utm do pppoe.

Yes, the server has 3 NICs, 1 Realtek (not used) and an Intel twin Gigabit. I'm thinking I can use one of the Intel ports and pass it to the UTM using that VMware tutorial? In theory that would work, and the UTM will be able to do PPPoE if I set it up like this? The other Intel port will be used for the internal network.
Cancel
Vote Up 0 Vote Down

Cancel
0 William Warren over 11 years ago

yeppers..AND you share the internal nic with another interface of the utm so it can "see" both nics.

the easier thing to do is jsut laod up either vmware direcrtly onto the host mahcine or use server 2008 with the hyper-v role installed and then run two vms..one for utm and one for a windows server vm to serve your serving needs.
Cancel
Vote Up 0 Vote Down

Cancel
0 Someone7272 over 11 years ago in reply to William Warren

Quick update, replaced that Cisco router with a TP-Link router which solved the problems and no double-NAT either! The Cisco router broke in the end, but the TP-Link will do until I can re-wire the place in order to connect the UTM directly to the PPPoE line. Cheers for all the help guys!
Cancel
Vote Up 0 Vote Down

Cancel
0 RFCat_vk_01 over 11 years ago in reply to Someone7272

You are going to need the tp-link modem box in bridge mode because the UTMs only do PPPoE not the modem function.

Ian
Cancel
Vote Up 0 Vote Down

Cancel
0 Someone7272 over 11 years ago in reply to RFCat_vk_01

You are going to need the tp-link modem box in bridge mode because the UTMs only do PPPoE not the modem function.

Ian

Not necessarily. Basically currently the TP-Link box is NOT a modem, only a NAT gateway or 'VPN router'. It's currently handling NAT and PPPoE, NAT is disabled on the UTM and static routes are configured on the TP-Link box to avoid NAT until I can rewire the room in order to connect the UTM VM box directly to the modem. It just works so all happy here, thanks for the suggestion though.
Cancel
Vote Up 0 Vote Down

Cancel
0 kau over 11 years ago

Hello ,

i am using sophos 9.107-33 asg 525.

Getting below firewall logs.

2014:05:26-15:15:27 FW_INTRA_HO-1 httpproxy[20643]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.0.32.155" dstip="10.96.2.150" user="" statuscode="504" cached="0" profile="REF_HttProIpgatLevelAcces (IP_Gateway Level Access)" filteraction="REF_YoDoEVRfrL (INT_00_Gateway Level Access)" size="2589" request="0x1e391908" url="10.96.2.150/.../" exceptions="av,content,url,ssl,certcheck,certdate,mime,cache,fileextension" error="Connection to server timed out"
2014:05:26-15:16:28 FW_INTRA_HO-1 httpproxy[20643]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.0.32.155" dstip="10.96.2.150" user="" statuscode="504" cached="0" profile="REF_HttProIpgatLevelAcces (IP_Gateway Level Access)" filteraction="REF_YoDoEVRfrL (INT_00_Gateway Level Access)" size="0" request="0xf422680" url="10.96.2.150/.../A" category="9998" reputation="neutral" categoryname="Uncategorized"
2014:05:26-15:16:32 FW_INTRA_HO-1 httpproxy[20643]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.0.32.155" dstip="10.96.2.150" user="" statuscode="504" cached="0" profile="REF_HttProIpgatLevelAcces (IP_Gateway Level Access)" filteraction="REF_YoDoEVRfrL (INT_00_Gateway Level Access)" size="2589" request="0xf422980" url="10.96.2.150/.../" exceptions="av,content,url,ssl,certcheck,certdate,mime,cache,fileextension" error="Connection to server timed out"

Please suggest me .
Cancel
Vote Up 0 Vote Down

Cancel
0 gilipeled over 11 years ago

Hi,

According to your logs, you have a profile called FW_INTRA_HO-1 and it blocks the request from your 10.0.32.155.
Now please check this profile to see what you have configured and why it blocks this.

All my best,
Gilipeled
Cancel
Vote Up 0 Vote Down

Cancel
0 teched_01 over 11 years ago

I read "Connection to server timed out" as the significant indicator in the log and the "web request blocked" as poor wording in the log.

Is the response (or non-response) consistent from this server?
Does the server actually respond?
How long is it taking to respond?
Cancel
Vote Up 0 Vote Down

Cancel
0 gilipeled over 11 years ago

Hi ,

According to the log it does not look like the server respond.

All my best
Gilipeled
Cancel
Vote Up 0 Vote Down

Cancel