
Sophos Connect vs DNS

So I finished all the instructions as posted on page https://community.sophos.com/kb/en-us/133109

Downloaded the client and exported the configuration. Set up the client and finally made a connection.

So far so good. Can ping hosts on the internal network by IP address, however I can't seem to reach hosts by their name.

I did enter the IP of the DNS server but somehow hosts aren't being resolved.

Any thoughts or pointers on this?


Thnx, Peter-Paul



  • We have a similar problem with some of our laptops. 

    Looking at the Connect Client status (GUI), this shows the correct IPv4 addresses for DNS.

    Checking the details in a DOS / PS terminal shows 3 default IPv6 addresses for DNS.

    I have Sophserve ticket 9015034 open for this.

    "A number of our laptops (a mixture of new build and some that used to have SSL VPN) with the Sophos Connect Client V1.3 are not having the DNS settings for the TAP adapter set correctly.

    I have noticed that the DNS is being set to use 3 default IPv6 addresses and that the TAP adapter is being labelled as Sophos TAP adapter #2.
    I'll upload some screenshots which will assist.

    Comparing the Connect Client status (GUI), that shows the correct IPv4 address for DNS but those details aren't shown when displaying details of the network adapter in a DOS or PS terminal.
    Have uploaded pics showing good & bad DNS. The good DNS was on one user's Win 7 laptop, the bad DNS was on her new Win 10 laptop. The other screenshots show TAP adapter #2 (adapter #1 isn't present on the system - even showing hidden adapters) and the IPv6 DNS"

  • Hello David,

     

    Please generate a technical support report from the client after the connection is established on the problem laptop. Then PM me the report and I will take a look at this issue. Also, are you terminating to XG firewall or the UTM?

     

    The TAP adapter used by Sophos Connect is "Sophos TAP adapter" and that is correct. This is to differentiate it from the TAP adapter used by SSL VPN.

     

    Thank you,
    Ramesh

  • We've done some additional work on this.

    If TAP adapter IPv6 is switched off, the Connect Client doesn't connect (failure to add route (virtual IP range) prevented phase 2 completion).

    Switching TAP adapter IPv6 back on and manually entering IPv4 DNS entries, the connection establishes ok and we can browse internal resources.

    We have discovered that the ONLY affected laptops are all running Windows 10 V1903.

    We have just upgraded a laptop to V1903 and the Connect Client V1.3 (which was working ok) has just failed with exactly the same symptoms.

    Connecting to XG running V17.5 MR3 (at the moment, due to u/g to MR7 shortly)

  • Hello David,

     

    We did the upgrade from v1809 to v1903 and did not encounter any problems. Can you please PM me the technical support report from the Client after the connection is enabled and connected?

     

    Thank you,

    Ramesh

  • Hello David,

     

    Please send me a Technical support report from the Client that is not working. You can PM me the report. Also, if you can, provide some additional data on how many computers are having this problem. What were the steps they performed that resulted in this error condition? We have tried Win10 with this version and are not having a similar problem. It works for us on multiple machines we have upgraded so far.

     

    Thank you,

    Ramesh

  • Hello David,

     

    Not heard back from you on this. I need a Technical support report from the machine that has this problem. Create a technical support report after you establish the tunnel. You can PM the report to me. How many systems are having this problem?

     

    Thank you,

    Ramesh

  • We've done more research on this and have found that the TAP adapter name is the cause of the problem. On the PCs that have the problem, the TAP adapter is being shown with friendly name "Sophos TAP Adapter #2".

    If the #2 is removed (registry entry), the IPv4 DNS details will populate correctly when the connection is established.

    We've now raised this as a bug in the Connect Client installer on the Sophserv ticket that we already have open with Sophos team.

    This would explain why when the connection established, although the Connect Client had received and was showing the correct DNS address, it was unable to parse the value to the TAP adapter as the software is only expecting to see "Sophos TAP Adapter" - not "Sophos TAP adapter #2".


  • Hello David,

     

    I would need your help to determine when/how the Sophos TAP adapter name got changed to Sophos TAP adapter #2. It seems to me like this happened during the Windows 10 upgrade from (1809) to (1903). Please, if you can help with this it would help us to narrow down the problem.

    This is the test. On a computer that is currently working with Windows 10 (1809) and SC 1.2, take a TSR before the Windows upgrade. Then do the Windows upgrade to 1903. Have them take a TSR after the Windows upgrade. Only after they take the second TSR (i.e. after the Windows upgrade to 1903), the next step is to upgrade to SC 1.3, but this time do the upgrade from the command line to generate the install logs. Here is the command line: msiexec /i sophosconnect.msi /l*v sophosconnectupgrade.log

    Send me a TSR before the Windows upgrade, a TSR after the Windows upgrade and the upgrade install logs. You can PM me those 3 files and I will take a look at this asap.

    Thank you,
    Ramesh
  • Hi. The screensnips are from different laptops (sorry if that wasn't clear). The old Windows 7 laptop was only shown to highlight the difference between the working one and the broken one.

    The TAP adapter gets the #2 when it is installed by the Connect Client installer. We've seen this on laptops that are brand new and have been upgraded to 1903 before we installed Connect Client.

    I'll try and do the TSR at some point in the next few days.

     

  • Hello David,

     

    This is good information that will help us: "We've seen this on laptops that are brand new and have been upgraded to 1903 before we installed Connect Client."

    When you have a brand new computer that is upgraded to 1903, please run this command from the DOS window: ipconfig /all >> beforeinterfacelist.txt

    After you run that command, install sophosconnect from the command line with this command: msiexec /i sophosconnect.msi /l*v scinstall.log

    After the Sophos Connect install, run this command again: ipconfig /all >> afterinterfacelist.txt

     

    Please send me the 3 files.

     

    Thank you,

    Ramesh

  • I just encountered this same issue on a Windows 10 Home desktop with update 2004 from May 2020. As you can see it is a year since this issue was first reported in this forum and the problem still exists. I applied for the latest version of the Sophos Connect client version 2.0 from the EAP site and the bug with it creating the Sophos TAP Adapter #2 still happens. Even though there is no other adapter by that name on the machine, perhaps it is hidden, but I can't find it. Going into the registry and renaming and then restarting worked for me perfectly and I very much appreciate David Bradbury for finding a workaround. I am requesting again that Sophos work on a fix. Worst case it seems like the installer should be able to detect that it couldn't name the TAP adapter what it wants and to use the alternate name when it tries to update the DNS servers.

    This issue happened on one out of about 15 machines and this one is the user's personal computer, otherwise I would offer to let Sophos remote onto it to try and figure out the problem.

  • Hello Matt,

    I am not sure which issue you are referring to. Are you having problems with not being able to ping by hostname, or the issue of an additional Sophos TAP adapter with #x, where x is a number? How are you installing the Sophos Connect Client? Yes, we have been looking into the issue by performing both clean install and upgrade going from version to version and I do not see the problem. If you can help with how it is possible to reproduce the problem we will surely look into it asap.

    Ramesh

  • The issue of the VPN connection not getting the DNS server entries from the server configuration is directly related to the install not naming the TAP adapter correctly. If the DNS servers are not set then you cannot ping host names on the VPN. These two issues of the adapter name being wrong, the DNS not being set and thus not allowing you to ping a host name, are related to each other.

    I'm installing the .MSI as normal, just as a user would install it manually. I wish I had access to the user's home machine to help you replicate it, but I have given it back after solving the problem by changing the registry so that they can work.

    I would think a very simple fix would be for the installer to just look in the registry to see what the friendly name of the adapter that was just installed is, if it is not "Sophos TAP Adapter", then it can either rename it at that time, that of course runs the risk of failure, if for some reason there is another one, in my case there wasn't, or simply change the client to update the named adapter by whatever was created.  Meaning it could find out the name that didn't match the default and store that in a registry setting and then use that as the reference for the update to the TAP adapter rather than just assuming it is named "Sophos TAP Adapter".  

    This is all well documented in this thread by David Bradbury.
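
A read-only PowerShell check for the condition David and Matt describe, as an added example that is not part of the thread and not Sophos code: it lists adapters whose description starts with "Sophos TAP Adapter", flags a "#<n>" suffix, and reports whether IPv4 DNS servers were applied while the tunnel is up. The function name Get-SophosTapDnsStatus is hypothetical, and matching on the adapter description (rather than on a registry value) is an assumption.

```powershell
# Added example, not Sophos code. Read-only: it changes nothing on the machine.
# Assumption: the TAP adapter's description starts with "Sophos TAP Adapter",
# the name quoted in the thread; a "#<n>" suffix is what the thread ties to
# the missing IPv4 DNS entries.
function Get-SophosTapDnsStatus {
    [CmdletBinding()]
    param(
        [string]$ExpectedName = 'Sophos TAP Adapter'
    )

    # -IncludeHidden also lists adapters that do not appear in the GUI.
    $adapters = Get-NetAdapter -IncludeHidden |
        Where-Object { $_.InterfaceDescription -like "$ExpectedName*" }

    foreach ($a in $adapters) {
        # DNS servers actually bound to the interface, per address family.
        $v4 = (Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex `
                -AddressFamily IPv4 -ErrorAction SilentlyContinue).ServerAddresses
        $v6 = (Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex `
                -AddressFamily IPv6 -ErrorAction SilentlyContinue).ServerAddresses

        [pscustomobject]@{
            Alias          = $a.Name
            Description    = $a.InterfaceDescription
            Status         = $a.Status
            # True for "Sophos TAP Adapter #2", false for the plain name.
            HasSuffix      = $a.InterfaceDescription -match '#\d+$'
            IPv4Dns        = $v4 -join ', '
            IPv6Dns        = $v6 -join ', '
            # Tunnel interface is up but no IPv4 resolver was applied to it.
            IPv4DnsMissing = ($a.Status -eq 'Up') -and (-not $v4)
        }
    }
}

# Run once with the tunnel connected and once disconnected, then compare.
Get-SophosTapDnsStatus | Format-List
```

A row with HasSuffix and IPv4DnsMissing both True while the client GUI shows the expected DNS servers matches the symptom reported in this thread.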