SSLVPN Connect VPN multiple profiles not switching correctly

Hi

I have a virtual XG with v18 up to date OS that has two SSLVPN profiles configured. One that is split tunnelling, the other that has the "default gateway" enabled.

I set up the 2.1 Connect client to connect to either profile and they both work as expected, one tunnelling just the desired subnet and the other providing the gateway (so effectively tunnel all).

However, once a user is aligned with a profile through their authentication group we are unable to switch to the other profile. The user is moved to a different user group that is set to the "other" SSLVPN profile. We delete the config from the VPN client. Re-add the config on the VPN client (via a provisioning file). When you then re-connect you retain the original SSLVPN connection settings, i.e. you are either still split tunnel or still tunnel all, even though your user account has been migrated to the other firewall profile and the client profile re-installed using a provisioning file that clearly specifies the other SSLVPN name. We have even re-installed the Sophos Client with no luck.

From testing it appears that it's user account related, as connecting in via a different user account will perform as expected and utilise the correct VPN profile for that user (at least for the first connection). We have also purged the users from the firewall, and confirmed they are picking up the correct VPN profile on re-connection.

So, is there a way on a Windows client machine to purge the VPN client profile completely? It seems to be the client that is holding on to the original connection profile settings. The connection is deleted in the client but I am wondering if there is some other OpenVPN legacy setting that's not updating on the client?

We have a couple of end users that want to be able to switch easily between profiles but this seems to be not so easy! They have come from Cisco AnyConnect which allows you to simply specify the profile in the connection string, and so this is a bit frustrating.

Any help much appreciated.

Dan



This thread was automatically locked due to age.
  • Hello Dan,

    Thank you for contacting the Sophos Community.

    If the routes aren’t being updated I think you might be affected by NC-72474.

    Try the workaround mentioned on https://docs.sophos.com/releasenotes/index.html?productGroupID=nsg&productID=xg&versionID=18.5 (you might need to click "Known Issues").

    Regards,

  • Hi

    Thanks for the feedback

    Albeit that sounds very similar, the actual SSLVPN profiles on the XG are working fine. If you log in to them independently from different users on different client machines they work as expected (one tunnel-all and one split-tunnel). It's just if you try and flip a user from one profile to the other, the client doesn't seem to recognise the profile has changed.

    So if I was tunnel-all, deleted the profile in the Sophos client, re-installed the VPN setup, moved the user on the XG to the split-tunnel profile, re-connect in and I am still tunnel-all.

    The article link you sent through seems to imply that changing the SSLVPN profile on the firewall by adding a new permitted network is not working. Both my profiles are working, just not when flipping a user between them.

    Thanks

    Dan
