Strange behavior when using sophos connect vpn.

Hi there,
Of 80 users who use "Sophos Connect", we see behavior in about 10 which we currently do not understand.

There are two locations, A and B; both locations are connected by an IPsec tunnel, V17.5 MR11.
Most users connect to location "B" with "Sophos Connect". The Exchange Server is located in location "A".

The following behavior can now be seen in the 10 affected users.
If they have connected to location "B", no TLS / SSL to Exchange is possible; neither Outlook nor the OWA website works (ping works).
If these affected users use the SSL VPN client on the same FW (same FW rules), everything works again.
There is also no problem if the affected user connects to location "A", in which the Exchange Server is located.

The question is, why do these 10 users have problems with TLS / SSL when they use "Sophos Connect" and are connected to location "B"?
A ticket has been open here for 4 weeks, but without a solution.

Does anyone know of such problems? Thanks for any help.

  • Hi

    It sounds like you will need a system NATted IP on the Site B XG.

    Please follow the KB article below:

    https://community.sophos.com/kb/en-us/122999

    Let us know how it goes.  

    Thanks!

  • Hi

    Thanks for the tip, but I honestly cannot imagine that this should be a NAT problem.
    However, this does not explain why "generally" the Remote SSL VPN has no problems and why only about 10% of users are affected by the "Sophos Connect Client".
    We hadn't seen any problems with the Remote SSL VPN before rolling out the "Sophos Connect Client".
    Both VPN clients use the same FW rule, but with different VPN client networks.
    A Sophos engineer is currently trying to understand what problems this behavior is causing.

    Regards
    StefanS

  • Hi  

    Could you share your Support Case number with us to follow up with?

    Thanks!

  • Hi

    The reason why it works fine at Site A is that the resources that need to be accessed are local to the XG where the Sophos Connect tunnel terminates. The reason why it does NOT work at Site B is that the resource that needs to be accessed is at Site A, behind an IPsec tunnel. IPsec tunnels in pre-v18 are policy-based IPsec tunnels. The XG binds to the ipsec0 interface, which has an IP address in the 169.254.x.x range, which is non-routable. This is the reason why you need a NAT for the system routed/generated traffic.

    Thanks!
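As an added illustration of the point in the reply above (this is not code from the thread or from Sophos): a policy-based IPsec tunnel only carries packets whose source and destination match its traffic selectors, so traffic the XG sources from the link-local 169.254.x.x ipsec0 address never matches and can never be answered by Site A, while a source NAT to a Site B LAN address inside the selector does. All subnets, the Exchange address and the SNAT address are constructed for the example.

```python
"""Model of why XG-sourced traffic from ipsec0 (169.254.x.x) fails over a
policy-based IPsec tunnel, and why a source NAT to a LAN address fixes it.
All addresses below are constructed; none come from the thread."""
from ipaddress import ip_address, ip_network

LINK_LOCAL = ip_network("169.254.0.0/16")       # non-routable range ipsec0 lives in

# Constructed policy-based tunnel selectors: Site B LAN <-> Site A LAN
SITE_B_LAN = ip_network("10.2.0.0/24")
SITE_A_LAN = ip_network("10.1.0.0/24")
EXCHANGE = "10.1.0.25"                           # constructed Exchange server at Site A
SNAT_IP = "10.2.0.1"                             # constructed Site B XG LAN address for SNAT


def tunnel_carries(src, dst):
    """A policy-based tunnel only encrypts packets whose (src, dst) pair
    falls inside its traffic selectors; anything else never enters it."""
    return ip_address(src) in SITE_B_LAN and ip_address(dst) in SITE_A_LAN


def reply_routable(src):
    """Site A can only answer a source that is routable and that matches
    the tunnel's remote selector; a 169.254.x.x address is neither."""
    s = ip_address(src)
    return s not in LINK_LOCAL and s in SITE_B_LAN


def check_flow(src, dst, snat=None):
    """Describe whether a flow src -> dst over the tunnel works, optionally
    after rewriting the source with a NAT address first."""
    effective_src = snat if snat else src
    carried = tunnel_carries(effective_src, dst)
    answered = reply_routable(effective_src)
    return {"src": src, "snat": snat, "carried": carried,
            "answered": answered, "works": carried and answered}


if __name__ == "__main__":
    # XG-sourced packet from ipsec0, then the same packet after SNAT, then a LAN host
    for src, snat in [("169.254.1.2", None), ("169.254.1.2", SNAT_IP), ("10.2.0.50", None)]:
        print(check_flow(src, EXCHANGE, snat))
```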
