
CISCO VPN not working after MR8?

I upgraded one of my firewalls this weekend to 17.0-MR8. Upgrade went fine. However, now the Cisco VPN Client that we use for remote MacOS and Apple iOS users is not working. The firewall rule is the same before and after. All other settings still look the same. We can connect and authenticate, but nothing is reachable via VPN. Authentication Log shows login. SYSTEM log shows connections and disconnections. However, Firewall log does not show anything even though firewall rule has logging turned on. I do have a few IPS log entries, but nothing that seems relevant. 



  • From the client device, I cannot ping or connect to any server on the VPN. It reports that 0 bytes have been transferred leading me to believe that it is a firewall rule issue - but that is still in place and should still work.

  • Hi Gary,

    Are you able to observe the firewall receiving any of this traffic (packet capture via GUI or TCPdump from CLI)?

    For troubleshooting purposes, have you tried re-installing the client application or deleting and recreating your firewall rules?

  • I also had this issue recently after migrating to V17. The other issue we had was that the VPN connection would not respond to 2nd and subsequent connection attempts after the initial VPN connection was disconnected, until the Charon service was restarted on the XG.

    I had originally logged a request regarding the non-passing of user-identified traffic but found the VPN connection issue during our troubleshooting. Sophos were diagnosing and patch-writing for what seemed to be weeks, but BOTH the connection and traffic issues have been resolved for us over the weekend with the installation of this patch.

    My Sophos Support request number was 8048083. Perhaps you can refer them to this for the patch (if it is applicable to you).

  • Flo,

    From packet capture I can see packets with a Status of "Violation", the Reason of "Firewall" and the Rule ID of 0.

     

    Which doesn't totally make sense to me. All I did was upgrade to MR8 and now it is ignoring my FW rule it seems.

     

    I have rebuilt the firewall rule with:

    ------------------------------------------------------

    Rule

    Accept any service going to "LAN" or "WAN" zones, when in "VPN" zone, and coming from "#RemoteIuser" network, scan for malware and log connections, then apply IPS policies

    Source & Schedule
    VPN
    Source Networks and Devices : #RemoteIuser
    During Scheduled Time : All the Time
    Destination & Services
    LAN,WAN
    Destination Networks : Any
    Services : Any

    ------------------------------------------------------

     

    I have re-added the users to the Allowed User list for CiscoVPN Client.

    I have gone to each User and ensured the CISCO VPN Client is Enabled.

    One thing to note - I am using AD user accounts which I am beginning to suspect is the culprit. Otherwise, I can't really explain the FW rule violation. I did try to add "Match known users" with the list of users set up in the CISCO VPN list, but it didn't make any difference.

    Regards,

    Gary

     

  • Hey Gary,

    Thanks for providing more detail and context. Would it be possible to please enable the support access tunnel to your firewall (and PM me with the ID) so I can investigate your configuration further?

    Thanks!

  • Hi,

     

    I have exactly the same problem after upgrading from 17.0.6 MR-6 to 17.1.1 MR-1.

    Is there already a solution to this problem?

     

    Regards

    Mauro

  • Hey  

    Gary's issue was resolved after re-creating the IP host object utilized in the firewall rule to allow this traffic.

    Would it be possible to attempt the same on your configuration? Please let me know if you run into any issues.

    Regards,

  • FloSupport said:

    Hey  

    Gary's issue was resolved after re-creating the IP host object utilized in the firewall rule to allow this traffic.

    Would it be possible to attempt the same on your configuration? Please let me know if you run into any issues.

    Regards, 
    Hi Flo

    Thanks for the tip and sorry for my late reply.

    Seems like the predefined System Host #Cisco_VPN is buggy.

    After replacing #Cisco_VPN with a self-defined IP Range Host everything works fine again.

    Regards
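The two checks this thread converged on, as an added example that is not part of the original posts or of any Sophos tooling: first, pull out the packet-capture rows that were dropped with Rule ID 0 (no firewall rule matched, the "Violation / Firewall / 0" pattern Gary reported); second, confirm that the VPN client addresses actually fall inside the host object the rule uses as its source, which is what a stale predefined #Cisco_VPN object would fail. The capture row format (`src|dst|status|reason|rule_id`), the 10.81.234.0/24 client pool and the host-object spellings (CIDR or `lo-hi` range) are all constructed for this example and are not the firewall's real output or object syntax.

```python
import ipaddress

# Constructed sample of packet-capture rows, "src|dst|status|reason|rule_id".
# This is NOT the Sophos XG capture format, only a stand-in for the example.
SAMPLE_CAPTURE = """\
10.81.234.5|192.168.1.10|Violation|Firewall|0
10.81.234.5|192.168.1.10|Violation|Firewall|0
10.81.234.6|192.168.1.20|Allowed|Firewall|12
10.81.234.7|8.8.8.8|Violation|Firewall|0
192.168.1.10|10.81.234.5|Allowed|Firewall|12
"""


def parse_capture(text):
    """Turn the constructed capture text into a list of row dicts."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        src, dst, status, reason, rule_id = line.split("|")
        rows.append({"src": src, "dst": dst, "status": status,
                     "reason": reason, "rule_id": int(rule_id)})
    return rows


def unmatched_drops(rows):
    """Rows dropped by the firewall with rule id 0, i.e. no rule matched at all.
    A rule that exists but whose source object no longer covers the client
    shows up exactly like this: the rule's own log stays empty."""
    return [r for r in rows
            if r["status"] == "Violation"
            and r["reason"] == "Firewall"
            and r["rule_id"] == 0]


def object_networks(spec):
    """Expand a host object written as CIDR ('10.81.234.0/24') or as an
    address range ('10.81.234.1-10.81.234.254') into IPv4 networks.
    The spelling is an assumption of this example, not the firewall's syntax."""
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.IPv4Network(spec, strict=False)]


def uncovered_sources(rows, source_objects):
    """Client addresses that were dropped with rule id 0 AND are outside every
    source object of the VPN rule: the candidates for a broken host object."""
    nets = [n for spec in source_objects for n in object_networks(spec)]
    missing = set()
    for r in unmatched_drops(rows):
        ip = ipaddress.IPv4Address(r["src"])
        if not any(ip in n for n in nets):
            missing.add(str(ip))
    return sorted(missing)


def pool_covered(pool, source_objects):
    """True when every address the VPN hands out lies inside some source object.
    Run this after recreating the host object to confirm the fix is complete."""
    nets = [n for spec in source_objects for n in object_networks(spec)]
    for pool_net in object_networks(pool):
        for ip in pool_net:
            if not any(ip in n for n in nets):
                return False
    return True


if __name__ == "__main__":
    rows = parse_capture(SAMPLE_CAPTURE)
    print("rule-id-0 drops:", len(unmatched_drops(rows)))
    # A stale object that only covers .1-.6 leaves the .7 client unmatched.
    print("uncovered:", uncovered_sources(rows, ["10.81.234.1-10.81.234.6"]))
    print("pool covered by recreated object:",
          pool_covered("10.81.234.1-10.81.234.254", ["10.81.234.0/24"]))
```

The useful signal is the combination: drops with Rule ID 0 on their own only say "nothing matched"; it is the comparison against the rule's source object that points at the object rather than at the rule, the zones or the user list, which is where the time in this thread went.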