SSL VPN Full tunnel not working on specific user

I have a specific user that when he connects to our SSL VPN his traffic does not go through our firewall.

When I do a "whats my ip" lookup, it is his home IP address.

He cannot ping internal resources.

It's so weird, because he authenticates and gets an IP address from the SSL VPN pool. I have a bunch of other users who are able to connect and reach internal resources fine.



  • Hello Elizabeth,

    Thank you for contacting the Sophos Community.

    For now, any user can create the tags they want, so you will find that some of them contain spelling errors. Once we change these tags to predetermined ones, this should stop happening.

    Is this user part of the same as the rest of the other users?

    What about their local network subnet? Is it maybe overlapping with the IP range you are giving out to these users?

    You can ask the user to run: route print from the CMD (assuming this is a Windows Computer) and see if you see the route for the SSL VPN in there.

    Regards,

  • Hi, thanks for your reply. There is no overlapping subnet for some reason. The user is able to connect but the traffic is not going out through our firewall. They can reach certain subnets but not our server subnet (i.e. DNS etc). It's such a weird issue.

  • Hello Elizabeth, 

    Thank you for the follow-up.

    Try manually changing the DNS metric on the client TAP adapter to 1 and see if that fixes it.

    Additionally, you can run tcpdump on the XG and see if you see anything coming into the XG (you might have done this already):

    #tcpdump -eni tun0 host x.x.x.x and port 53

    Regards,

  • So I do see traffic going to these servers, however, no internal traffic is flowing.

    The DNS metric is already set to 1.

    It doesn't even look like he's going through our firewall (VPN is set to full tunnel). When I search "whats my ip" I get an address that is not ours (and even weirder, I get an IPv6 address).

  • Hello Elizabeth,

    Thank you for the follow-up.

    Maybe their local router is providing IPv6 that is taking precedence. Try disabling IPv6 on their local network adapter as well as on the Sophos TAP adapter.

    Regards,

  • You're a star, that worked like a charm! I hadn't disabled it on the Wi-Fi adapter, just the Sophos TAP adapter. Amazing and thank you!

  • Hello Elizabeth,

    Thanks for taking the time to update the Community and the kind words! 

    I'm glad to know your issue has been resolved.

    Regards,
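
The check behind the fix in this thread, as an added example that is not part of the original posts: it lists which connected adapters on the Windows client still have IPv6 bound and whether an IPv6 default route leaves through an adapter other than the VPN one, which is how traffic ends up outside a full tunnel. The `$VpnPattern` match on "TAP" in the adapter description is an assumption; the thread also disabled IPv6 on the TAP adapter itself, which this sketch does not touch.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on the
# Windows client while the SSL VPN is connected.
# Assumption: the VPN adapter's description contains "TAP"; adjust $VpnPattern if not.
$VpnPattern = '*TAP*'

$up  = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }
$vpn = $up | Where-Object { $_.InterfaceDescription -like $VpnPattern }
if (-not $vpn) { Write-Warning "No connected adapter matches '$VpnPattern'." }

# 1. Which connected adapters still have the IPv6 protocol bound?
Get-NetAdapterBinding -Name $up.Name -ComponentID ms_tcpip6 |
    Where-Object { $_.Enabled } |
    Format-Table Name, DisplayName, Enabled -AutoSize

# 2. IPv6 default routes that leave through something other than the VPN adapter.
#    An IPv4-only tunnel never sees traffic that follows these routes.
$leaks = Get-NetRoute -DestinationPrefix '::/0' -ErrorAction SilentlyContinue |
    Where-Object { $vpn.Name -notcontains $_.InterfaceAlias }

if ($leaks) {
    $leaks | Format-Table InterfaceAlias, NextHop, RouteMetric -AutoSize

    # 3. Remediation used in the thread: unbind IPv6 from each of those adapters.
    #    -WhatIf only previews the change; remove it to apply.
    $leaks.InterfaceAlias | Sort-Object -Unique | ForEach-Object {
        Disable-NetAdapterBinding -Name $_ -ComponentID ms_tcpip6 -WhatIf
    }
} else {
    'No IPv6 default route outside the VPN adapter.'
}
```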
