Connect Client IPSec VPN and Heartbeat issues

Hello,

can someone please confirm whether he or she has successfully set up Sophos Connect Client VPN with heartbeat rules working?

The tunnel is working, heartbeat is enabled, the Sophos Central client on the endpoint is creating the heartbeat and sending it into the tunnel, and the heartbeat packets are visible in a packet capture on the XG, but all firewall rules with "block clients without heartbeat" run into "success", so the traffic is running into a block.

Packet Capture on XG shows Packet to heartbeat WAN IP:

  • Hello LHerzog,

    Thank you for contacting the Sophos Community.

    Is this the only user with the issue? What type of computer does the user have, Windows/Mac?

    Does the user's computer show in Sophos Central?

    This sounds like a first installation of Heartbeat on the user's computer, or was it working before?

    Regards,

  • Hi emmosophos,

    Thanks for your reply.

    It is the first computer I'm testing the new Connect Client with. This computer uses SSL VPN too, and Heartbeat works there. It also works when connected to the LAN.

    It is Windows. The Computer is shown in Sophos Central, and as mentioned, it worked before and works in other networks for this computer.

    Regards

    Btw:
    heartbeatd.log
    SSL VPN Connect Heartbeat Log. You can see that GUID 101e274f50c8 becomes active when connected (3->1).
    2020-08-18 10:50:02 WARN Path.cpp[12988]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
    2020-08-18 10:50:02 INFO HBSessionHandler.cpp[12988]:113 removeDirtySessions - Number of sessions: 116
    2020-08-18 10:50:02 INFO HBSessionHandler.cpp[12988]:140 findPinnedEndpointIdentity - Number of sessions: 117
    2020-08-18 10:50:02 INFO HBSession.cpp[12988]:488 logNewSession - New Session: [10.242.xx.xx]:2799 connected
    2020-08-18 10:50:02 INFO EndpointStorage.cpp[12988]:120 endpoint_connectivity_cb - Connectivity changed for <xxxxxxxx-xxxx-xxxx-xxxx-101e274f50c8>: <3> -> <1>
    2020-08-18 10:50:02 INFO ModuleEac.cpp[12988]:100 sendEacMessage - send EacSwitchRequest to endpoint (IP=10.242.xx.xx)
    2020-08-18 10:50:16 WARN Path.cpp[12988]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
    2020-08-18 10:50:16 WARN Path.cpp[12988]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
    2020-08-18 10:50:17 INFO ModuleStatus.cpp[12988]:176 processMessageStatus - Status request received from endpoint: xxxxxxxx-xxxx-xxxx-xxxx-101e274f50c8 (10.242.xx.xx) health: 1
    2020-08-18 10:50:20 WARN Path.cpp[12988]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System



    Sophos Connect IPsec VPN Connect Heartbeat Log. You can see that GUID 101e274f50c8 only goes from the previous active state to inactive when connected (1->3).
    2020-08-18 10:52:31 WARN Path.cpp[12988]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
    2020-08-18 10:52:32 INFO EndpointStorage.cpp[12988]:120 endpoint_connectivity_cb - Connectivity changed for <xxxxxxxx-xxxx-xxxx-xxxx-101e274f50c8>: <1> -> <3>
    2020-08-18 10:52:32 WARN Path.cpp[12988]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
    2020-08-18 10:52:36 WARN Path.cpp[12988]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
    2020-08-18 10:52:38 INFO HBSessionHandler.cpp[12988]:113 removeDirtySessions - Number of sessions: 116
    2020-08-18 10:52:39 WARN Path.cpp[12988]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
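As an added example (not code from the thread, from LHerzog or from Sophos), the following Python script parses heartbeatd.log lines of the form quoted in the two excerpts above, extracts the EndpointStorage.cpp connectivity transitions while skipping the WARN noise, and reports which endpoint GUIDs were last left in state 3, which is what the "block clients without heartbeat" rules would see. The mapping of state 1 to "active" and 3 to "inactive" is an assumption taken from LHerzog's description of the two excerpts, not an official Sophos state table, and the sample log is constructed from those excerpts with the same masking.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Pattern for the "Connectivity changed" line written by EndpointStorage.cpp in
# heartbeatd.log, built from the format of the lines quoted in the post.
CONNECTIVITY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) INFO EndpointStorage\.cpp\[\d+\]:\d+ "
    r"endpoint_connectivity_cb - Connectivity changed for <(?P<guid>[0-9A-Za-z-]+)>: "
    r"<(?P<old>\d+)> -> <(?P<new>\d+)>$"
)

# Meaning of the numeric states as described in the post (3->1 "becomes active",
# 1->3 "becomes inactive"). Assumption taken from that description, not an
# official Sophos state table.
STATE_NAMES = {"1": "active", "3": "inactive"}


@dataclass(frozen=True)
class ConnectivityEvent:
    timestamp: str
    guid: str
    old_state: str
    new_state: str

    def describe(self) -> str:
        old = STATE_NAMES.get(self.old_state, f"state {self.old_state}")
        new = STATE_NAMES.get(self.new_state, f"state {self.new_state}")
        # Only the last 12 hex characters of the GUID are shown, as in the post.
        return f"{self.timestamp} {self.guid[-12:]}: {old} -> {new}"


def parse_connectivity_events(lines: Iterable[str]) -> List[ConnectivityEvent]:
    """Extract connectivity transitions; other lines (WARN noise, session counts) are skipped."""
    events: List[ConnectivityEvent] = []
    for line in lines:
        m = CONNECTIVITY_RE.match(line.strip())
        if m:
            events.append(ConnectivityEvent(m["ts"], m["guid"], m["old"], m["new"]))
    return events


def endpoints_left_inactive(events: Iterable[ConnectivityEvent]) -> Dict[str, str]:
    """Map GUID -> timestamp for endpoints whose most recent transition ended in state 3.

    An endpoint in this set has no active heartbeat from the firewall's point of
    view and will therefore match "block clients without heartbeat" rules.
    """
    latest: Dict[str, ConnectivityEvent] = {}
    for ev in events:  # log order is chronological, so the last event wins
        latest[ev.guid] = ev
    return {guid: ev.timestamp for guid, ev in latest.items() if ev.new_state == "3"}


# Constructed sample: the two excerpts from the post concatenated, with the
# IP address and GUID prefix masked exactly as in the original.
SAMPLE_LOG = """\
2020-08-18 10:50:02 WARN Path.cpp[12988]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
2020-08-18 10:50:02 INFO HBSession.cpp[12988]:488 logNewSession - New Session: [10.242.xx.xx]:2799 connected
2020-08-18 10:50:02 INFO EndpointStorage.cpp[12988]:120 endpoint_connectivity_cb - Connectivity changed for <xxxxxxxx-xxxx-xxxx-xxxx-101e274f50c8>: <3> -> <1>
2020-08-18 10:50:17 INFO ModuleStatus.cpp[12988]:176 processMessageStatus - Status request received from endpoint: xxxxxxxx-xxxx-xxxx-xxxx-101e274f50c8 (10.242.xx.xx) health: 1
2020-08-18 10:52:31 WARN Path.cpp[12988]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
2020-08-18 10:52:32 INFO EndpointStorage.cpp[12988]:120 endpoint_connectivity_cb - Connectivity changed for <xxxxxxxx-xxxx-xxxx-xxxx-101e274f50c8>: <1> -> <3>
2020-08-18 10:52:38 INFO HBSessionHandler.cpp[12988]:113 removeDirtySessions - Number of sessions: 116
"""


if __name__ == "__main__":
    evs = parse_connectivity_events(SAMPLE_LOG.splitlines())
    for ev in evs:
        print(ev.describe())
    for guid, ts in endpoints_left_inactive(evs).items():
        print(f"endpoint ...{guid[-12:]} has had no active heartbeat since {ts}")
```

Run against a real heartbeatd.log (for example `python hb_transitions.py < heartbeatd.log` after replacing SAMPLE_LOG with sys.stdin) to see, per endpoint, whether the last state change matches the SSL VPN pattern (3->1) or the Sophos Connect pattern (1->3) shown in the post.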

  • Hello LHerzog,

    Thank you for the follow-up.

    Can you provide me a screenshot of the .tgb configuration and the firewall rule for VPN to LAN for Sophos Connect (it might be the same one used for the SSL VPN unless you are filtering by network)?

    Regards,

  • Thanks, I sent you the files via PM.

  • In the meantime I tested the scenario with several colleagues and it works for all except one user: me.

    I'm the only user who has a private internet connection with DS-Lite mode enabled by the ISP Unitymedia / Vodafone Cable.

    (DS-Lite - encapsulating IPv4 in IPv6 by the internet service provider)

    I can connect by using the same configuration and same end device via Sophos Connect Client if I connect from multiple other internet connections.

    I can also successfully connect via the classic SSL VPN Client from behind the DS-Lite line and Heartbeat is working there smoothly.

    How can VPN over a DS-Lite ISP line in an outgoing direction be a problem with IPsec, and - as it seems so far - only for Heartbeat?

  • Hello LHerzog,

    Thank you for the update.

    Let me ask on my end and see if anybody might have any idea of why it would fail when using a DS-Lite ISP. Can you confirm that the modem is not blocking port 8347? Oh, but it works on SSL VPN, so it should be open.

    Regards,

  • Hi,

    Yes, I can confirm the HB port is not blocked. But it should be routed into the tunnel anyway.

    Thank you for starting the investigation!

    Regards

  • Hello LHerzog,

    I asked, and they think the modem might be trying to respond back as it has an IPsec setting on it.

    I think the only way to know if this is true would be by doing a Wireshark capture on the computer while you are using Sophos Connect Client, and at the same time on the XG for port 8347.

    Regards,
