Strange behavior when using sophos connect vpn.

Hi StefanS 

It sounds like you will need a system NAT'ted IP on Site B XG.

Please follow below KB article:

https://community.sophos.com/kb/en-us/122999

Let us know how it goes.  

Thanks!

Hi KingChris 

Thanks for the tip, but i honestly cannot imagine that this should be a NAT problem.
However, this does not explain why "generally" the Remote SSL VPN has no problems and why only about 10% of users are affected by "Sophos Connect Client".
We hadn't seen any problems with the Remote VPN SSL before rolling out "Sophos Connect Client".
Both VPN clients use the same FW rule, but with different VPN client networks.
A Sophos engineer is currently trying to understand what problems this behavior is causing.

Regards
StefanS

Hi StefanS 

Could you share your Support Case number with us to follow up with?

Thanks!

Hi StefanS 

The reason why it works fine at Site A is because the resources needing access to are local to that XG where the Sophos Connect terminates.  The reason why it does NOT work at Site B is because the resource needing access is at Site A behind an IPsec tunnel.  IPsec tunnels that are in pre-v18 are policy based IPsec tunnels.  The XG binds to the ipsec0 interface which has an IP address in the 169.254.x.x range....which is non-routable.  This is the reason why you need a NAT for the system routed/generated traffic.

Thanks!

Hi StefanS 

The reason why it works fine at Site A is because the resources needing access to are local to that XG where the Sophos Connect terminates.  The reason why it does NOT work at Site B is because the resource needing access is at Site A behind an IPsec tunnel.  IPsec tunnels that are in pre-v18 are policy based IPsec tunnels.  The XG binds to the ipsec0 interface which has an IP address in the 169.254.x.x range....which is non-routable.  This is the reason why you need a NAT for the system routed/generated traffic.

Thanks!

Hi KingChris 
Even if it were a NAT problem, how do you explain that only ca. 10% of location B is affected and not all "Sophos Connect Clients" on this location ?

Regards
StefanS

Hi StefanS 

Thank you for providing the service request number. Please accept our sincerest apologies for the delay.

I have informed the team to contact you at earliest and provide further assistance on the reported case.

Keyur and FloSupport 

We got the info from the L2, that a bug report for the ticket was created.
The fix is said to be in 18.0 MR2, but no statements about v17.x. !
We also want to have this fix for v17.x because we don't currently want to upgrade to v18.
Can you please verify whether this statement is correct, or whether there will also be a fix for v17 and if so, when.

Regards
StefanS

Hi StefanS 

The shared tracking ID in the service request number (NC-58295), the fix will be available in SFOS v18 MR2, I have added your comments in the case ID and ask them to contact you further.

Keyur and FloSupport 

i ask for clarification again.
According to a support engineer (the reason is not given), Sophos does not want to offer a FIX for v17, only v18 should get this FIX.
From the customer's point of view, this is a show stopper to extend the subscription.
We paid for the v17, the bug was proven in v17 and there should also be a bugfix for the v17, especially since v17 has not yet reached an EOL.

regards

StefanS

Why do you want to stay on V17 for the long run? 

As Sophos is moving towards the new version, likely many people will adapt to the new version. 

Staying on a old version with less features seems to be unlikely? 

Just wondering. 

LuCar Toni 

You don't have to be surprised.
We don't say that we never want to migrate to v18.
A simple question, are you going to say that v18 is stable in its current status and without bugs?
Our experience with software teaches us and "especially with sophos XG" to migrate only from v17 to v18 mr3 - 4.

regards
StefanS

And do you have already a fix version for your Bug? 

Of course its likely to wait for some releases to update your productive environment. Your Initial comment sounded like you are going to stay on V17.5. 

No we do not have, as described, there will be no bugfix for v17 ....

I do have same problem.

First only with Android and iOS clients.

With SFOS 18.0.0 GA-Build379 also with Windows client.

Hopefully it will be fixed with a hotfix and we don't need to wait for MR2!

https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/120351/ipsec-android-with-connect-client-settings-problems-rdp-if-ssl-tls-inspection-dpi-engine-enabled/440629#440629