
Strange behavior when using Sophos Connect VPN.

Hi there,
Of 80 users who use "Sophos Connect", we see behavior in about 10 which we currently do not understand.

There are two locations, locations A and B; both locations are connected by an IPsec tunnel, V17.5 MR11.
Most users connect to location "B" with "Sophos Connect". The Exchange Server is located in location "A".

The following behavior can now be seen in the 10 affected users:
If they have connected to location "B", no TLS / SSL to Exchange is possible; neither Outlook nor the OWA website works (ping works).
If these affected users use the SSL VPN client on the same FW (same FW rules), everything works again.
There is also no problem if the affected user connects to location "A", in which the Exchange Server is located.

The question is: why do these 10 users have problems with TLS / SSL when they use "Sophos Connect" and are connected to location "B"?
A ticket has been open here for 4 weeks, but without a solution.

Does anyone know of such problems? Thanks for any help.

  • Hi  

    Thanks for the tip, but I honestly cannot imagine that this should be a NAT problem.
    However, this does not explain why "generally" the Remote SSL VPN has no problems and why only about 10% of users are affected by "Sophos Connect Client".
    We hadn't seen any problems with the Remote VPN SSL before rolling out "Sophos Connect Client".
    Both VPN clients use the same FW rule, but with different VPN client networks.
    A Sophos engineer is currently trying to understand what problems this behavior is causing.

    Regards
    StefanS

  • Hi  

    Could you share your Support Case number with us to follow up with?

    Thanks!

  • Hi  

    The reason why it works fine at Site A is because the resources needing access are local to that XG where the Sophos Connect terminates. The reason why it does NOT work at Site B is because the resource needing access is at Site A behind an IPsec tunnel. IPsec tunnels in pre-v18 are policy-based IPsec tunnels. The XG binds to the ipsec0 interface, which has an IP address in the 169.254.x.x range, which is non-routable. This is the reason why you need a NAT for the system routed/generated traffic.

    Thanks!

  • Hi  
    Sure, that's not a problem. Here is the Case ID: #9777535

    Regards
    StefanS

  • Hi  
    Even if it were a NAT problem, how do you explain that only ca. 10% of location B is affected and not all "Sophos Connect Clients" at this location?

    Regards
    StefanS

  • Hi  

    Thank you for providing the service request number. Please accept our sincerest apologies for the delay.

    I have informed the team to contact you at the earliest and provide further assistance on the reported case.

  •  and  

    We got the info from L2 that a bug report for the ticket was created.
    The fix is said to be in 18.0 MR2, but there are no statements about v17.x!
    We also want to have this fix for v17.x because we currently do not want to upgrade to v18.
    Can you please verify whether this statement is correct, or whether there will also be a fix for v17 and, if so, when?

    Regards
    StefanS

  • Hi  

    The tracking ID shared in the service request is NC-58295; the fix will be available in SFOS v18 MR2. I have added your comments to the case ID and asked them to contact you further.

  •  and  

    I ask for clarification again.
    According to a support engineer (the reason is not given), Sophos does not want to offer a FIX for v17; only v18 should get this FIX.
    From the customer's point of view, this is a show stopper for extending the subscription.
    We paid for v17, the bug was proven in v17, and there should also be a bugfix for v17, especially since v17 has not yet reached EOL.

    Regards

    StefanS

  • Why do you want to stay on V17 for the long run?

    As Sophos is moving towards the new version, likely many people will adapt to the new version.

    Staying on an old version with fewer features seems unlikely?

    Just wondering.