
Sophos Connect and LAN Access

Hey guys,

 

I am having all kinds of trouble fixing Sophos Connect - using 17.5 MR4.1

Basically SC connects to the XG fine but cannot pass any traffic - that is, I can get to the web interface of the XG, but cannot ping IPs on my network.

 

After lots of reading, I have a VPN - LAN FW rule and also a LAN - VPN FW rule.

My SSL VPN has a totally different subnet and my L2TP VPN has an IP range outside what Sophos Connect has.

 

If I connect via L2TP all works OK

 

If I connect via SC I get nothing - both on the same Subnet (different ranges)

 

I am stumped at what I am missing - it used to work until I changed the default WAN port and updated SC.

 

What am I missing?



  • Do you have a simple network - which I would define as a network where the default route (eventually) goes via your Sophos firewall? If not, you may find that your internal router doesn't know where traffic to your VPN subnet should be routed. In that case you'll need to configure your internal router to send the VPN subnet to the Sophos internal interface (the "next hop"). You or someone else might have done this years ago for L2TP.

  • Hey David

    Good points however my XG is the Gateway and no Routers used.

    I would expect not to connect at all if it was that, whereas I connect and can browse the XG on the LAN interface, but that's all :-(

  • Hello  

    Is the screenshot taken after connected to SC? It does seem that your local gateway has the higher priority and the network for gateway 10.3.24.50 does not have 'any' route added. 

  • Sure is - Active SC Connection and then ran the check.

  • Hello M8ey,

     

    The best thing to do is a packet capture on the firewall. From the Monitor & Analyze->Diagnostics page set up a packet capture. You can configure the host <IP> and start the capture. Then ping that host and see what you get. You should be able to see if the packet is dropped at the firewall or sent out the correct interface, and if it is getting a reply.

     

    Please let us know

     

    Ramesh

  • *** Update ***

     

    So after many months of back and forth with Sophos Support, they have worked out that when I use Sophos Connect my default route is not being updated at the PC level.

    So 0.0.0.0 is set to go via my local connection - not 0.0.0.0 - XG IP Address

    So no traffic flows to the XG via VPN

     

    They are investigating how / why this is happening. Even SC 1.3 has the same issue, and on all PCs that it's installed on, not just mine.

  • Hello M8ey,

     

    It is strange you are running into this problem. I am sure the problem is some configuration that is causing this issue and we just need to figure it out. Based on the route print it is looking good after the tunnel is established. Are you doing a Ping by IP address or Ping by Hostname or Ping by FQDN? 

     

    The easiest thing to do after the tunnel is established, click on the Networks ICON on the Monitor connection page of Sophos Connect. You will see the counters for packets transmitted/received. Please let me know what you find and I will try to help you to get it working or at least why it is not working in your setup.

     

    Ramesh

  • M8ey,

     

    Have you had any luck resolving this?  I'm facing the same exact issue on a Mac.  SC configuration is set for tunnel all and the 0.0.0.0 route is not updating on the Mac after they are connected.

     

    I may have the same issue on a PC, just haven't been able to get connected to the user when they are home to validate.  All running latest SC v1.3.

     

    Thanks,

    John

  • Hello,

     

    The other way to quickly see if the packets are being received on the XG firewall is to configure the Packet Capture on the firewall WebUI. You configure the host you are trying to get to, and have continuous traffic from the client side. Based on the route table you have attached it looks correct. Please send me the technical support report from Sophos Connect after the tunnel is established.

     

    Ramesh

  • Basically Support had no clue at all why it was doing it.

    I did get mine working but not by any skill. I removed the SC Client and Admin tool from my PC completely and removed any files and registry settings.

     

    I updated my XG to MR-7 then downloaded the SC Client again and the cert. Reloaded it on the PC and for no reason at all it started working again.

    It's a bit unstable though. I have dropped many users back to L2TP for now.

  • Thank you very much for the quick feedback.

     

    It is strange why it did not work and then mysteriously started working again. Now that it is working, you can see the routing table and it will look the same for the default route.

     

    Also I would like to know additional details about this: "It's a bit unstable though. I have dropped many users back to L2TP for now"

     

    Please let me know what part is unstable? Please provide the TSR, which you can generate from the About page.

     

    Regards,
    Ramesh

     

  • When it was not working it simply didn't add the 0.0.0.0 route so traffic flowed out of the Local Connection rather than all up the VPN.

    The instability is most likely more user based - some were hit and miss with getting a connection.

     

    I had one user who couldn't use SC via his iPhone connection but L2TP worked. Strange.

     

    I prefer SC over L2TP, and it's easy to push the client out to users via PDQ.

     

    Cheers

     
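The whole thread comes down to one check on the client: after the tunnel is up, does the PC's 0.0.0.0 default route point at the VPN adapter, or is it still the LAN gateway (so a "tunnel all" connection only reaches the XG itself)? The following is an added example, not Sophos code and not something posted in the thread, that parses the IPv4 "Active Routes" table of Windows `route print` and classifies that state. All addresses and metrics in it are constructed for illustration; the VPN adapter address 10.8.0.6 and its gateway 10.8.0.1 are assumptions, not values from the thread.

```python
"""Classify the IPv4 default route after a tunnel-all VPN connect, using the
"Active Routes" table from Windows `route print`.

Added example; not Sophos code. Gateways, interface addresses and metrics
below are constructed for illustration.
"""
import re

# One route-table row: destination, netmask, gateway (or "On-link"),
# interface address, metric. Header/separator lines do not match.
ROUTE_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"   # network destination
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+"       # netmask
    r"(\S+)\s+"                           # gateway or On-link
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+"       # interface address
    r"(\d+)\s*$"                          # metric
)

VPN_IFACE = "10.8.0.6"  # assumed address of the Sophos Connect adapter

# Constructed sample: the broken state described in the thread. The tunnel
# adapter (10.8.0.6) is up, but no 0.0.0.0 route via it was added, so the
# LAN gateway 192.168.1.1 still carries all traffic.
ROUTE_PRINT_BROKEN = """
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.20     25
         10.8.0.0    255.255.255.0         On-link         10.8.0.6    281
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link     192.168.1.20    281
===========================================================================
Persistent Routes:
  None
"""

# Constructed sample: a working connect. A second default route via the
# tunnel exists and has the lower metric, so it wins.
ROUTE_PRINT_WORKING = """
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.20     25
          0.0.0.0          0.0.0.0         10.8.0.1        10.8.0.6      5
         10.8.0.0    255.255.255.0         On-link         10.8.0.6    281
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link     192.168.1.20    281
"""

# Constructed sample: the VPN default route is present but loses on metric.
ROUTE_PRINT_LOSES = ROUTE_PRINT_WORKING.replace("10.8.0.6      5", "10.8.0.6     50")


def parse_routes(route_print_output):
    """Return the IPv4 Active Routes rows as dicts; other lines are ignored."""
    routes = []
    for line in route_print_output.splitlines():
        m = ROUTE_ROW.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append({"dest": dest, "mask": mask, "gateway": gw,
                           "interface": iface, "metric": int(metric)})
    return routes


def default_routes(routes):
    """All 0.0.0.0/0.0.0.0 rows, lowest metric first (the one Windows uses)."""
    defaults = [r for r in routes if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    return sorted(defaults, key=lambda r: r["metric"])


def diagnose(route_print_output, vpn_interface):
    """Return {'status': ..., 'winner': gateway-of-winning-default-route}.

    status is 'ok' (VPN default route wins), 'missing' (no default route via
    the VPN adapter at all, the thread's failure mode), 'loses' (VPN default
    route present but a lower-metric route beats it) or 'no_default'.
    """
    defaults = default_routes(parse_routes(route_print_output))
    if not defaults:
        return {"status": "no_default", "winner": None}
    winner = defaults[0]
    via_vpn = [r for r in defaults if r["interface"] == vpn_interface]
    if not via_vpn:
        status = "missing"
    elif winner["interface"] == vpn_interface:
        status = "ok"
    else:
        status = "loses"
    return {"status": status, "winner": winner["gateway"]}


if __name__ == "__main__":
    for name, table in [("broken", ROUTE_PRINT_BROKEN),
                        ("working", ROUTE_PRINT_WORKING),
                        ("loses", ROUTE_PRINT_LOSES)]:
        print(name, diagnose(table, VPN_IFACE))
```

To use it on a real client, run `route print -4` after Sophos Connect reports the tunnel as up, pass the output to `diagnose()` along with the IPv4 address the VPN adapter received (shown by `ipconfig`), and compare the result against a second capture taken before connecting: "missing" is exactly the state the thread describes, where only the XG's own address is reachable. On the Mac side the equivalent manual check is the `default` line of `netstat -rn`, which should name the tunnel interface rather than the Wi-Fi or Ethernet adapter.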
