Thread Info
  • State Verified Answer
  • +4 person also asked this people also asked this
  • Locked Locked
  • Replies 67 replies
  • Answers 6 answers
  • Subscribers 42 subscribers
  • Views 47130 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Connect vs DNS

Peter-Paul Gras

So i finished all the instructions as posted on page https://community.sophos.com/kb/en-us/133109

Downloaded the client and exported the configuration. Set up the client and finally made a connection.

So far so good. Can ping hosts on the internal network by ip adress, however i can't seem to reach hosts by their name.

I did enter the ip of the DNS server but somehow hosts aren't being resolved.

 

Any thoughts or pointers on this.

 

Thnx, Peter-Paul



This thread was automatically locked due to age.
Parents
  • +1

    We have a similar problem with some of our laptops. 

    Looking at the Connect Client status ( GUI) , this shows the correct IPV4 addresses for DNS

    Checking the details in a DOS / PS terminal shows 3 default IPV6 addresses for DNS.

    I have Sophserve ticket  9015034  open for this.

    "A number of our laptops (a mixture of new build and some that used to have SSL VPN) with the Sophos Connect Client V1.3  are not having the DNS settings for the TAP adapter set correctly.

    I have noticed that the DNS is being set to use 3 default IPV6 addresses and that the TAP adapter is being labelled as Sophos TAP adapter #2   
    I'll upload some screenshots which will assist
     
    comparing the connect client status (GUI)  , that shows the correct IPV4 address for DNS but those details aren't shown when displaying details of the network adaptor in a DOS or PS terminal.
    Have uploaded pics showing good & bad DNS. The good DNS was on one users WIn 7 laptop, the bad DNS was on her new WIn 10 laptop.  The other screenshots show TAP adapter #2  ( adapter #1 isn't present on the system - even showing hidden adapters)  and the IPV6 DNS"
     
Reply
  • +1

    We have a similar problem with some of our laptops. 

    Looking at the Connect Client status ( GUI) , this shows the correct IPV4 addresses for DNS

    Checking the details in a DOS / PS terminal shows 3 default IPV6 addresses for DNS.

    I have Sophserve ticket  9015034  open for this.

    "A number of our laptops (a mixture of new build and some that used to have SSL VPN) with the Sophos Connect Client V1.3  are not having the DNS settings for the TAP adapter set correctly.

    I have noticed that the DNS is being set to use 3 default IPV6 addresses and that the TAP adapter is being labelled as Sophos TAP adapter #2   
    I'll upload some screenshots which will assist
     
    comparing the connect client status (GUI)  , that shows the correct IPV4 address for DNS but those details aren't shown when displaying details of the network adaptor in a DOS or PS terminal.
    Have uploaded pics showing good & bad DNS. The good DNS was on one users WIn 7 laptop, the bad DNS was on her new WIn 10 laptop.  The other screenshots show TAP adapter #2  ( adapter #1 isn't present on the system - even showing hidden adapters)  and the IPV6 DNS"
     
Children
  • 0 in reply to David Bradbury

    Hello David,

     

    Please generate technical support report from the client after the connection is established on the problem laptop. Then PM me the report and I will take a look at this issue. Also are you terminating to XG firewall or the UTM? 

     

    The TAP adapter used by Sophos Connect is "Sophos TAP adapter" and that is correct. This is to differentiate it from the TAP adapter used by SSL VPN.

     

    Thank you,
    Ramesh

  • 0 in reply to rmk_2018

    We've done some additional work on this.

    If TAP adapter IPV6 is switched off, the connect client doesn't connect  (failure to add route  ,(virtual IP range) prevented phase 2 completion

    switching TAP adapter IP V6 back on and manually entering IPv4 DNS entries, the connection establishes ok and we can browse internal resources.

     

    We have discovered that ONLY affected laptops are all running Windows 10 V1903.  

    We have just upgraded a laptop to V1903 and the connect client V1.3 ( which was working ok ) has just failed with exactly the same symptoms.

     

    Connecting to XG running V17.5 MR3  ( at the moment, due to u/g to MR7 shortly)

  • 0 in reply to David Bradbury

    Hello David,

     

    We did the upgrade to v1809 to v1903 and did not encounter any problems. Can you please PM me the technical support report from the Client after the connection is enabled and connected. 

     

    Thank you,

    Ramesh

  • 0 in reply to rmk_2018

    Hello David,

     

    Please send me a Technical support report from the Client that is not working. You can PM me the report. Also if you can provide some additional data on how many computers are having this problem. What were the steps they performed that resulted in this error condition. We have tried Win10 with this version and not having similar problem. It works for us on multiple machines we have upgraded so far.

     

    Thank you,

    Ramesh

  • 0 in reply to rmk_2018

    Hello David,

     

    Not heard back from you on this. I need a Technical support report from the machine that has this problem. Create a technical support report after you establish the tunnel. You can PM the report to me. How many systems are having this problem?

     

    Thank you,

    Ramesh

  • 0 in reply to David Bradbury

    Hello David,

     

    Not heard back from you on this. I need a Technical support report from the machine that has this problem. Create a technical support report after you establish the tunnel. You can PM the report to me. How many systems are having this problem?

     

    Thank you,

    Ramesh

  • +1 in reply to rmk_2018

    We've done more research on this and have found that the TAP adapter name is the cause of the problem. On the PCs that have the problem, the TAP adapter is being shown with friendly name " Sophos TAP Adapter #2"

    If the #2 is removed ( registry entry ) , the IPV4 DNS details will populate correctly when the connection is established.

    We've now raised this as a bug in the Connect Client installer on the Sophserv ticket that we already have open with Sophos team.

     

    This would explain why when the connection established, although the Connect Client had received and was showing the correct DNS address, it was unable to parse the value to the TAP adapter as the software is only expecting to see "Sophos TAP Adapter" - not "Sophos TAP adapter #2"

     

     

  • 0 in reply to David Bradbury

    Hello David,

     

    I would need your help to determine when/how the Sophos TAP adapter name got changed to Sophos TAP adpter #2. It seems to me like this happened during the Windows 10 upgrade from (1809) to (1903). Please if you can help with this it would help us to narrow down the problem.

     

    This is the test. On a computer that is currently working with Windows10 (1809) and SC 1.2, take a TSR before the Windows upgrade. Then do the WIndows upgrade to 1903. Have them take a TSR after the Windows upgrade. Only after they take the second TSR (i.e after windows upgrade to 1903),  next step is to upgrade to SC 1.3 but this time do the upgrade from the command line to generate the install logs. Here is the command line. msiexec /i sophosconnect.msi /l*v sophosconnectupgrade.log.
     
    Send me a TSR before the WIndows Upgrade, a TSR after the windows upgrade and the upgrade install logs. You can PM me those 3 files and I will take a look at this asap.
     
    Thank you,
    Ramesh
  • 0 in reply to rmk_2018

    Hi. The screensnips are from different laptops ( sorry if that wasn't clear) . The old Windows 7 laptop was only shown to highlight the difference between the  working  one and the broken one.

    The TAP adapter gets the #2 when it is installed by the Connect Client installer.  We've seen this on laptops that are brand new and have been upgraded to 1903 before we installed Connect Client.

    I'll try and do the TSR at some point in the next few days.

     

  • 0 in reply to David Bradbury

    Hello David,

     

    This is a good information that will help us. "  We've seen this on laptops that are brand new and have been upgraded to 1903 before we installed Connect Client."

     

    When you have brand new computer that is upgrade to 1903, please run this command from the DOS window. ipconfig /all >> beforeinterfacelist.txt

     

    After you run that command, install sophosconnect from the command list with this command: msiexec /i sophosconnect.msi /l*v scinstall.log

     

    After the Sophos Connect install run this command again. ipconfig /all >> afterinterfacelist.txt

     

    Please send me the 3 files.

     

    Thank you,

    Ramesh