Issue with SSL VPN route

I'm rather new to XG outside of a lab environment and ran into a problem with the single production device.

VPN users should have access to 192.168.31.192/26. I added this to VPN/SSL VPN/Tunnel access/Permitted network resources. When I connect the VPN, in the logging, I see a route added for 192.168.31.0/26:

Fri Jun 18 21:48:53 2021 C:\WINDOWS\system32\route.exe ADD 212.xxx.xx.x MASK 255.255.255.192 10.192.31.1

Fri Jun 18 21:48:53 2021 Route addition via service succeeded

Fri Jun 18 21:48:53 2021 C:\WINDOWS\system32\route.exe ADD 192.168.31.0 MASK 255.255.255.192 10.192.31.1

Fri Jun 18 21:48:53 2021 Route addition via service succeeded

Fri Jun 18 21:48:53 2021 C:\WINDOWS\system32\route.exe ADD 212.xxx.xx.x MASK 255.255.255.192 10.192.31.1

Fri Jun 18 21:48:53 2021 ROUTE: Route addition failed using service: The object already exists. [status=5010 if_index=9]

On a side note, I also see the external address being added twice for some reason, which generates an error. While it does no harm to try to add the same route twice, I do wonder where that comes from.

I feel that I am missing something very stupid here. On my SGs I have never been in a situation where I needed something other than a /24, so I can't compare anywhere.

Thank you for your opinions.
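A way to check what the pushed routes actually cover, as an added example that is not part of the original thread and not Sophos's or OpenVPN's own code. It parses client log lines of the form quoted above (a constructed sample; the masked public IP 212.xxx.xx.x is replaced by the documentation address 203.0.113.5, which is an assumption), computes the network Windows installs for each destination/mask pair, and tests whether the target hosts named later in the thread (192.168.31.194 and 192.168.31.195) fall inside any pushed route.

```python
import ipaddress
import re

# Constructed sample of the OpenVPN client log lines quoted in the post.
# The public IP is masked as 212.xxx.xx.x in the original; 203.0.113.5
# (a documentation address) stands in for it here and is an assumption.
SAMPLE_LOG = r"""
Fri Jun 18 21:48:53 2021 C:\WINDOWS\system32\route.exe ADD 203.0.113.5 MASK 255.255.255.192 10.192.31.1
Fri Jun 18 21:48:53 2021 Route addition via service succeeded
Fri Jun 18 21:48:53 2021 C:\WINDOWS\system32\route.exe ADD 192.168.31.0 MASK 255.255.255.192 10.192.31.1
Fri Jun 18 21:48:53 2021 Route addition via service succeeded
Fri Jun 18 21:48:53 2021 C:\WINDOWS\system32\route.exe ADD 203.0.113.5 MASK 255.255.255.192 10.192.31.1
Fri Jun 18 21:48:53 2021 ROUTE: Route addition failed using service: The object already exists. [status=5010 if_index=9]
"""

ROUTE_ADD = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)")


def parse_routes(log):
    """Return one dict per 'route.exe ADD' line: the literal destination,
    the network Windows actually installs for destination+mask, and the
    gateway. strict=False mirrors the OS: a destination that is not the
    network address (e.g. a host IP with a /26 mask) is zeroed to it."""
    routes = []
    for line in log.splitlines():
        m = ROUTE_ADD.search(line)
        if not m:
            continue
        dest, mask, gw = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append({"dest": dest, "network": str(net), "gateway": gw})
    return routes


def covering_route(routes, host):
    """Longest-prefix match of host against the parsed routes (as a CIDR
    string), or None when no pushed route would carry traffic to it."""
    addr = ipaddress.ip_address(host)
    matches = [ipaddress.ip_network(r["network"]) for r in routes
               if addr in ipaddress.ip_network(r["network"])]
    if not matches:
        return None
    return str(max(matches, key=lambda n: n.prefixlen))


def aligned_network(cidr):
    """The network a permitted-resource entry denotes once the host bits
    are cleared: '192.168.31.192/26' is already aligned, while
    '192.168.31.200/26' would be normalised to '192.168.31.192/26'."""
    return str(ipaddress.ip_network(cidr, strict=False))


def duplicate_destinations(routes):
    """Destinations the client tried to add more than once (the source of
    the 'object already exists' error in the log)."""
    seen, dups = set(), []
    for r in routes:
        if r["dest"] in seen and r["dest"] not in dups:
            dups.append(r["dest"])
        seen.add(r["dest"])
    return dups


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_LOG)
    for r in routes:
        print(f"ADD {r['dest']} -> installs {r['network']} via {r['gateway']}")
    print("duplicates:", duplicate_destinations(routes))
    print("permitted resource denotes:", aligned_network("192.168.31.192/26"))
    for host in ("192.168.31.194", "192.168.31.195"):
        print(host, "covered by pushed route:", covering_route(routes, host))
```

Running it shows that the pushed 192.168.31.0/26 spans only .0 to .63, so neither target host has a route over the tunnel, whereas 192.168.31.192/26 is a correctly aligned /26 block (hosts .193 to .254) that does contain them; it also shows the stand-in public IP with a /26 mask being installed as a /26 network rather than a host route, and the same destination appearing twice.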

  • Hello there,

    Thank you for contacting the Sophos Community.

    That is expected behavior; it shouldn't affect the traffic flow. You can confirm by running ROUTE PRINT from cmd on the Windows computer; you should see the networks you added on the SSL VPN.

    Regards,

  • I don't understand your answer. The target machines are 192.168.31.194 and 192.168.31.195. The defined network is 192.168.31.192/26, yet the VPN adds 192.168.31.0/26. ROUTE PRINT obviously shows exactly the same:

     192.168.31.0  255.255.255.192      10.192.31.1      10.192.31.2    281  

    How is that expected behaviour? How could this possibly work?

  • Hello J.

    Sorry, I don't understand. You asked why you see the same route being added twice for 212 going to 192.31, which is expected.

    Fri Jun 18 21:48:53 2021 C:\WINDOWS\system32\route.exe ADD 212.xxx.xx.x MASK 255.255.255.192 10.192.31.1

    Fri Jun 18 21:48:53 2021 Route addition via service succeeded

    Fri Jun 18 21:48:53 2021 C:\WINDOWS\system32\route.exe ADD 192.168.31.0 MASK 255.255.255.192 10.192.31.1

    Fri Jun 18 21:48:53 2021 Route addition via service succeeded

    Fri Jun 18 21:48:53 2021 C:\WINDOWS\system32\route.exe ADD 212.xxx.xx.x MASK 255.255.255.192 10.192.31.1

    You'll always see your firewall's public IP, which the SSL VPN connects to, first, and then you'll get the error that the route already exists; in your case, however, it's being sent as a subnet, which is uncommon.

    As for the issue you're seeing, it seems you're overlapping your subnets: the subnet you're giving the SSL VPN on the XG appears to be part of a subnet on your XG, which might be what is causing the confusion.

    Regards,
