Connect client issues

We are using Connect for our end user connection to HQ. 

It seems like once a week (sometimes more) a number of clients lose their Connect connections. 

I look on the FW and see they are actually connected to the FW, but they have two connections. One is the external home IP address and the other is their internal home network IP address. 

Ex:  I see Dave listed as talking to the FW

first connection is 192.168.1.10  (his internal home IP address) 

2nd connection is 50.XXX.XXX.XXX  (external home IP address)

When in reality a "good" connection reads as the FW-issued IP of 192.168.100.X that the XG issues to people.

Obviously those remote people can't connect to anything at HQ. 

The "fix" is to restart the XG box or get into the console and restart the VPN service. This is NOT a good long term solution

This happened on v17 and v18 

Any ideas? 



  • FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    Is it possible for you to collect access_server, CSC, and strongswan logs in debug, for further investigation? Is this issue reported by all the users? What is the current version of the Connect Client? 

    Steps to put the strongswan/access_server service in debug:

    • SSH into the XG firewall by following this KBA: Sophos XG Firewall: How to SSH to the firewall using PuTTY utility
      • To connect using SSH, you may use any SSH client to connect to port 22 of the SFOS device.
      • Select option 5 Device Management.
      • Select option 3 Advanced Shell.
    • To put the strongswan service in debug, type the following command: service strongswan:debug -ds nosync
      • Output
        • SFVUNL_AZ01_SFOS 18.0.3 MR-3# service strongswan:debug -ds nosync
          200 OK
    • Run the following command to check the status of the service: service -S | grep strongswan
      • Output
        • SFVUNL_AZ01_SFOS 18.0.3 MR-3# service -S | grep strongswan
          strongswan RUNNING,DEBUG
    • To put the CSC in debug, type the following command: csc custom debug
    • Note: Run the same command to remove the service from the debug.

    Thanks,

  • We are having it right now so I just turned on debugging. 

    Silly question - where are those logs? Are they in the normal log area (firewall, auth etc) or somewhere else? 

    There are about 50 people on the system; about 10 of them have this issue right now, the rest are OK.

  • Hello Dave,

    The logs are under the directory /log/ 

    You would need to SSH into the XG and from the advanced shell (5>3) type # cd /log/

    And after that, if you do a # ls

    You will see the logs there.

    Regards,

  • I did see these types of entries, which is what is happening, just not for everyone, which is the odd part.

    On the Connect tab I have over 200 IPs available in the IP pool, which is 2x as many employees accessing the system, so it's not running out. 

    And a restart of the VPN service "fixes" it for a few days

    failed to send message to garner, gr_io() has problems

    garner: failed to read greetings from garner: after retrying 3 times
    garner: failed to read greetings from garner: Resource temporarily unavailable

    [IPPOOL] (acquire_address) acquire_address...
    2020-11-04 08:34:32 08[APP] <SophosConnect-1|1305> [IPPOOL] (acquire_address) lease from Access Server for user: xxxxx@xxxx.org pool: access_server_CISCOVPN (32)
    2020-11-04 08:34:32 08[APP] <SophosConnect-1|1305> [IPPOOL][TLV] (tlv_ippool_request) Send request(32) - user: xxxxx@xxxx.org ip: 1.2.3.4 port: 50621 conn_name: SophosConnect-1
    2020-11-04 08:34:32 08[APP] <SophosConnect-1|1305> [IPPOOL][TLV] (tlv_ippool_request) Message from Access server (rcode: 2 resp_code: 101): [BIN DATA]
    2020-11-04 08:34:32 08[APP] <SophosConnect-1|1305> [IPPOOL][TLV] (tlv_ippool_request) response: IPPOOL_FAILED --> FAILED
    2020-11-04 08:34:32 08[APP] <SophosConnect-1|1305> [IPPOOL] (acquire_address) Error: lease from Access Server FAILED
    2020-11-04 08:34:32 08[APP] <SophosConnect-1|1305> [IPPOOL] (acquire_address) Access Server not provided IP for user: xxxxx@xxxx.org
    2020-11-04 08:34:32 08[IKE] <SophosConnect-1|1305> no virtual IP found for %any requested by 'xxxxx@xxxx.org'

    [SSO] (sso_invoke_once) User 'xxxxx@xxxx.org' SSO login
    2020-11-04 08:34:36 04[APP] <SophosConnect-1|1305> [SSO] (sso_invoke_once) no IP configured, using external client IP (1.2.3.4) for SSO
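The lease failures quoted above are the symptom to watch for: the client authenticates but the Access Server hands back no pool address, so the user ends up "connected" with only their home IPs. As an added example (not code from the thread or from Sophos), the script below groups the strongswan debug lines by IKE SA, records the user and any pool-failure messages, and lists users who never received a virtual IP. The sample log is constructed from the lines quoted in the post, plus one healthy session (SA 1306, with an assumed "assigning virtual IP" message) as a negative case.

```python
import re
from collections import defaultdict

# Constructed sample: strongswan debug lines quoted in the post (user and client
# IP masked as there) plus an assumed healthy session (SA 1306) for contrast.
SAMPLE_LOG = """\
2020-11-04 08:34:32 08[APP] <SophosConnect-1|1305> [IPPOOL] (acquire_address) lease from Access Server for user: xxxxx@xxxx.org pool: access_server_CISCOVPN (32)
2020-11-04 08:34:32 08[APP] <SophosConnect-1|1305> [IPPOOL][TLV] (tlv_ippool_request) response: IPPOOL_FAILED --> FAILED
2020-11-04 08:34:32 08[APP] <SophosConnect-1|1305> [IPPOOL] (acquire_address) Access Server not provided IP for user: xxxxx@xxxx.org
2020-11-04 08:34:32 08[IKE] <SophosConnect-1|1305> no virtual IP found for %any requested by 'xxxxx@xxxx.org'
2020-11-04 08:34:36 04[APP] <SophosConnect-1|1305> [SSO] (sso_invoke_once) User 'xxxxx@xxxx.org' SSO login
2020-11-04 08:34:36 04[APP] <SophosConnect-1|1305> [SSO] (sso_invoke_once) no IP configured, using external client IP (1.2.3.4) for SSO
2020-11-04 08:35:01 09[APP] <SophosConnect-1|1306> [IPPOOL] (acquire_address) lease from Access Server for user: ok@xxxx.org pool: access_server_CISCOVPN (32)
2020-11-04 08:35:01 09[IKE] <SophosConnect-1|1306> assigning virtual IP 192.168.100.7 to peer 'ok@xxxx.org'
"""

# "<timestamp> <thread>[SUBSYS] <conn|sa-id> <message>" as seen in the quoted lines.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \d+\[(?P<sub>\w+)\] "
                     r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)> (?P<msg>.*)$")
USER_RE = re.compile(r"(?:user: |requested by '|User '|peer ')(?P<user>[^\s']+)")

# Messages meaning the client authenticated but holds no pool address, i.e. the
# "two home IPs, no 192.168.100.x" state the thread describes.
FAILURE_MARKERS = ("response: IPPOOL_FAILED", "Access Server not provided IP",
                   "no virtual IP found", "no IP configured, using external client IP")


def analyze(log_text):
    """Group lines by IKE SA: {conn|sa: {user, failures[(ts, marker)], assigned_ip}}."""
    sessions = defaultdict(lambda: {"user": None, "failures": [], "assigned_ip": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip non-charon lines such as the bare 'garner' messages
        sess = sessions[f"{m['conn']}|{m['sa']}"]
        u = USER_RE.search(m["msg"])
        if u:
            sess["user"] = u["user"]
        if "assigning virtual IP" in m["msg"]:
            sess["assigned_ip"] = m["msg"].split("assigning virtual IP ")[1].split()[0]
        sess["failures"] += [(m["ts"], mk) for mk in FAILURE_MARKERS if mk in m["msg"]]
    return dict(sessions)


def stranded_users(log_text):
    """Users whose session logged a pool failure and never received a virtual IP."""
    return sorted({s["user"] for s in analyze(log_text).values()
                   if s["user"] and s["failures"] and not s["assigned_ip"]})


if __name__ == "__main__":
    print("stranded:", stranded_users(SAMPLE_LOG))
```

Run it over /log/strongswan.log after enabling debug; a non-empty stranded list is the cue to restart the VPN service before users start calling.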