Heartbeat and IPSec VPN

Hi everybody,

this is my first post here :-). I have a problem that has been bugging me since last November. I set up an XG 125 with v18 for a new client and configured IPSec VPN using the Sophos Connect Client in split tunnel mode. So far so good. Intercept X is running on all the remote access devices (=laptops).

One important selling point was that Sophos offers the option of restricting access to devices with a heartbeat. So we checked that box in the VPN FW rule and during the initial tests there was no problem.

We then rolled out the VPN configuration and after some days I got reports of failing VPN connections. Pretty soon it became clear that this is due to a missing heartbeat.

So we unchecked the "heartbeat only" box and VPN has been working ever since.

However, my client insisted on turning the heartbeat only feature on - which I completely get since this is the reason he chose Sophos over other solutions.

I did research of my own, read through the forum here and contacted Sophos Support several times but haven't managed to solve the problem. Sophos and I agree, though, that it is a heartbeat problem...;-).

What's driving me nuts is that I cannot see any pattern, it's an on/off thing. It seems that sometimes the heartbeat info reaches the XG, sometimes not. It happens on Windows 10 machines and also on my own MacBook (mac OS 10.15).

The only thing that stays constant is that one user cannot connect at all when using her cable modem at home. And what seems odd to me is that on the XG > current activities > IPSec Connections I can see user entries with the local subnet and the Heartbeat WAN IP (as it should be, imho), but I also sometimes see double entries for the local subnet and/or no Heartbeat WAN IP.

One more thought I had: Could ISP devices (cable modems etc.) be responsible? Meanwhile I'm thinking of switching to SSL VPN to work around this...

So, I hope you can shed some light on this, any help is very much appreciated.

Kind regards,
Martin



  • Hi Emmanuel,

    the case ID is 03276449. Case has been closed on Jan 28 by Sophos Support, though.

    Regards,

    Martin

  • Hello Martin,

    Thank you for the Case ID. From the troubleshooting on the ticket, it is my understanding that this was only happening on the Mac computers, but now it is happening on the Windows computers as well.

    I would recommend that you open another case, as this would need further investigation. After you have the Case ID, please share it with me; you can reference the old case.

    When the issue happens, could you please run a tcpdump with the IP of the computer and the port 8347? If you detect that there is a computer that fails the most, you can run a rotating tcpdump, so when the issue happens we can see if the endpoint is sending the heartbeat. It might be that at some point the traffic doesn't route properly.

    The command would be

    # tcpdump -eni ipsec0 host x.x.x.x and port 8347

    For a rotating dump 

    # nohup tcpdump -eni ipsec0 -s0 -C 10 -W 10 -w /var/endpointheartbeat.pcap -b host x.x.x.x and port 8347 &

    Press enter after entering the command, to stop you would need to type

    # fg 

    # ctrl + c

    Regards,
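
The capture suggested in the reply above only answers the question once someone reads it. The following script is an added example, not code from the thread or from Sophos: it parses the plain-text output of the suggested `tcpdump -eni ipsec0 ... port 8347` command and reports, per connected VPN client, how many packets went to the heartbeat service and how many came back. The heartbeat WAN IP 52.5.76.173 and port 8347 are taken from the thread; the capture lines and the list of connected clients are constructed for illustration (the client list would normally be copied from monitor > current activities > IPSec Connections), and the exact line layout tcpdump prints on ipsec0 is assumed to follow the standard `src.port > dst.port` format.

```python
"""Triage helper for the heartbeat capture described in the reply above.

Reads plain-text tcpdump output (as produced by
`tcpdump -eni ipsec0 host <client> and port 8347`) and reports, per connected
VPN client, how many packets it sent to the heartbeat service and how many
came back.  Clients with no traffic at all, and clients whose packets get no
reply, are the ones worth escalating together with the pcap.
"""
import re
from typing import Dict, Iterable, List, Tuple

HEARTBEAT_IP = "52.5.76.173"   # Heartbeat WAN IP quoted in the thread
HEARTBEAT_PORT = 8347          # heartbeat port named in the support reply

# Extracts the timestamp and the IPv4 "src.port > dst.port" pair from one
# tcpdump text line.  Everything between the timestamp and the IP pair
# (link-layer addresses printed by -e, ethertype, length) is skipped.
_PKT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s.*?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s>\s"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)

# Constructed sample capture (not real data): two clients talk to the
# heartbeat service, one only talks to an internal web server, one is silent.
SAMPLE_CAPTURE = """\
10:15:01.000123 00:00:00:00:00:01 > 00:00:00:00:00:02, ethertype IPv4 (0x0800), length 74: 10.10.44.3.51234 > 52.5.76.173.8347: Flags [S], seq 100, win 64240, length 0
10:15:01.012345 00:00:00:00:00:02 > 00:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: 52.5.76.173.8347 > 10.10.44.3.51234: Flags [S.], seq 200, ack 101, win 65535, length 0
10:15:02.000000 00:00:00:00:00:01 > 00:00:00:00:00:02, ethertype IPv4 (0x0800), length 74: 10.10.44.5.44002 > 52.5.76.173.8347: Flags [S], seq 300, win 64240, length 0
10:15:03.000000 00:00:00:00:00:01 > 00:00:00:00:00:02, ethertype IPv4 (0x0800), length 60: 10.10.44.7.40001 > 10.10.1.20.443: Flags [P.], seq 1:10, ack 1, win 502, length 9
"""

# Constructed list standing in for the "IPSec Connections" page: four users
# online, as in the thread.
CONNECTED_CLIENTS = ["10.10.44.3", "10.10.44.5", "10.10.44.7", "10.10.44.9"]


def parse_tcpdump_lines(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Turn tcpdump text lines into dicts; lines that are not packets are skipped."""
    packets = []
    for line in lines:
        m = _PKT_RE.match(line)
        if not m:
            continue
        packets.append({
            "ts": m.group("ts"),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
        })
    return packets


def heartbeat_report(lines: Iterable[str], connected: Iterable[str],
                     hb_ip: str = HEARTBEAT_IP, hb_port: int = HEARTBEAT_PORT
                     ) -> Dict[str, Dict[str, int]]:
    """Per client: packets sent to the heartbeat service and packets received from it."""
    report = {c: {"sent": 0, "received": 0} for c in connected}
    for pkt in parse_tcpdump_lines(lines):
        if pkt["dst"] == hb_ip and pkt["dport"] == hb_port:
            report.setdefault(pkt["src"], {"sent": 0, "received": 0})["sent"] += 1
        elif pkt["src"] == hb_ip and pkt["sport"] == hb_port:
            report.setdefault(pkt["dst"], {"sent": 0, "received": 0})["received"] += 1
    return report


def classify(report: Dict[str, Dict[str, int]]) -> Tuple[List[str], List[str]]:
    """Split clients into (no heartbeat traffic at all, sends but never gets a reply)."""
    silent = sorted(c for c, n in report.items() if n["sent"] == 0 and n["received"] == 0)
    one_way = sorted(c for c, n in report.items() if n["sent"] > 0 and n["received"] == 0)
    return silent, one_way


if __name__ == "__main__":
    rep = heartbeat_report(SAMPLE_CAPTURE.splitlines(), CONNECTED_CLIENTS)
    for client, n in sorted(rep.items()):
        print(f"{client:15} sent={n['sent']} received={n['received']}")
    silent, one_way = classify(rep)
    print("no heartbeat traffic seen:", silent)
    print("heartbeat sent, no reply:  ", one_way)
```

Feed it the text output of the capture (`tcpdump -r /var/endpointheartbeat.pcap -n` read into `heartbeat_report`) together with the client list from the IPSec Connections page. A client in the "silent" list never reached the heartbeat service over the tunnel, which matches the missing Heartbeat WAN IP entry described in the thread; a client in the "one way" list got its packets out but saw no answer, which is the routing case the support reply mentions.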

  • Hi Emmanuel,

    thanks for your reply and sorry for the long wait, it has been a busy week! I just opened a new case: 03659751. Not sure if I understand you correctly, so I'll try to summarize your suggestions in my own words:

    Step 1: On XG GUI: monitor > current activities > IPSec Connections. Wait till a client is connected but has no entry for the Heartbeat WAN IP 52.5.76.173/32 in the Local subnet column.
    Step 2: SSH to XG CLI and run the tcpdump commands you suggested (entry 4: device console, never had to use it before).
    Step 3: Interpret output and/or post it here ;-)

    edit: tried the above steps, getting a syntax error on step 2:

    console> tcpdump -eni ipsec0 host 10.10.44.3 and port 8347
    % Error: Unknown Parameter 'ipsec0'

    edit: right now I have 4 users online showing in monitor > current activities > IPSec Connections: 3 of them show the HB WAN IP, one doesn't.

    Please advise!

    Regards,
    Martin

  • You need to use those commands on the advanced Shell (5-3). 

    Does this issue occur randomly? 

  • Hi,

    please check if this applies to you:

    https://community.sophos.com/xg-firewall/f/discussions/122398/connect-client-ipsec-vpn-and-heartbeat-issues/445237#445237

    We've had heartbeat issues during tests with the Sophos Connect client only for cable modem users in Germany, due to DS-Lite used by those ISP connections.

  • Thanks for pointing that out! There is an advanced shell, great :-).

    Yes, it is completely random.

  • Oh, okay, so that could be the explanation...many cable modems here in the Vienna area. What was your solution? Switching to SSL VPN instead?

    All the VPN connections I configured so far were IPsec and Sophos Germany recommended it over SSL VPN about a year ago in a webinar (can't remember the exact reason), so I stuck with it. But as far as my understanding of VPN goes, this problem shouldn't occur when using SSL VPN, so it looks like this is the direction I'll take.

    I take it you didn't have any HB problems with SSL VPN, right?

  • Yes, we're using SSL VPN and HB is working there.

    I lost focus on testing with IPSec VPN.

    Lately we noticed performance problems with DS-Lite cable users.

    So if you are implementing SSL VPN, I suggest switching over to UDP in the settings, not TCP. Switching this later requires re-rolling out the config to everyone.

    And of course, you can implement IPSec as the primary VPN and give cable users access via SSL VPN, if this solves your issues with HB.

  • Hello Martin,

    Thank you for the follow-up.

    Sorry, yes, the commands need to be run from the Advanced Shell, as Luca mentioned.

    https://support.sophos.com/support/s/article/KB-000038697?language=en_US, then press 5 > 3 when you're in the Main Menu.

    I have left a note in the case about the pcap, and I saw they tried calling you but there was no answer. I would recommend that you reply with two days and two different timeslots for your next availability, so the engineer can arrange the callback.

    Regards,