Sophos XG v17.5 - SSL VPN Single Client Network Route Trouble

System Configuration: 2x XG125s in an HA pair running SFOS 17.5.15 MR-15. We have two ISP connections feeding separate unmanaged switches, which feed two WAN ports on both units (ISP->UNMANAGED SWITCH->WAN Port). This enables failover for ISP failure and separate failover for device failure.

VPN Configuration: SSL VPN (Remote Computer to Main Office)

Symptoms: All but one user is able to access the VPN connection and receive a DHCP address and appropriate routes to access the programmed VLANs. The user having the issue is seeing the following issues intermittently.

- When she logs in, her machine does not receive an IPv4 address from the VPN server and thus does not set routes properly.

- When she logs in, her machine does receive an IPv4 address from the VPN server but still may not set routes properly.

Without appropriate routes, the device was unable to resolve network drives over DNS. Other clients have reported no issues.

 Previous Troubleshooting & Observations:

  • I have observed that the Sophos VPN Client was attempting to connect to the secondary WAN IP instead of the primary.
  • Reinstalled VPN Client Multiple Times. Uninstall - Reinstall. Simple reinstall without Uninstall, Completely uninstall, delete all trace, and then reinstall, etc. Symptoms often clear for approximately 24 hours and then reoccur.
  • Determined that even if the Sophos VPN Adapter did not receive an IPv4 address on connection, it might still be received at some point shortly thereafter.
  • Observed that in some cases the Sophos VPN Adapter was receiving an IPv6 address while failing to receive an IPv4 address in a timely manner. We do not have IPv6 configured for anything in our system.
  • Logs suggest that the TUN/TAP interface is having difficulty coming up correctly at times.

 Timeline:

12/21

  1. Reinstalled the client
  2. Edited the Sophos VPN config file for the client so that the primary IP is the first to be tried.
  3. NEW Disabled IPv6 on the client’s Sophos VPN Adapter to force IPv4 DHCP and DNS resolution
  4. NEW Wrote a script entitled VPNFIX.bat to manually add routes for VLAN 69, 100, 200. Script saved to the user’s desktop. This script was tested when the client had a valid IP address but the network drives would not resolve. Running the script enabled the drives to be successfully resolved via DNS.
  5. Disconnected VPN and verified that the manually added routes were removed by the VPN disconnect process.
  6. Restarted the computer and retested the VPN connection. IP Address and Routes came up correctly allowing the network drives to be accessed (without requiring the use of the VPNFIX script)

12/22

  • The user stated that they were able to connect to the VPN successfully but had to use my script to manually add the routes in order to see the network drives.

Question:

  • How do I ensure that the user receives a DHCP address from the Sophos VPN DHCP server successfully?
  • How do I ensure that the necessary routes are added consistently via the client?
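
A diagnostic check for the two intermittent symptoms described in the post above (no IPv4 address on the VPN adapter, or an address but missing VLAN routes), as an added example; it is not the poster's VPNFIX.bat and not Sophos code. The adapter pattern, the three prefixes (documentation-range placeholders standing in for VLANs 69, 100 and 200), the timeout and the log path are all assumptions to replace with real values.

```powershell
# Added diagnostic example. Adapter pattern and prefixes are placeholders (assumptions).
param(
    [string]  $AdapterPattern   = '*TAP*',   # assumption: matches the VPN adapter's description
    [string[]]$ExpectedPrefixes = @('192.0.2.0/24', '198.51.100.0/24', '203.0.113.0/24'),
    [int]     $TimeoutSeconds   = 60,
    [string]  $LogPath          = "$env:TEMP\vpn-route-check.log"
)

# Timestamp every result so intermittent failures can be lined up with client logs.
function Write-Result([string]$Message) {
    $line = '{0:s} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Output $line
}

$adapter = Get-NetAdapter |
    Where-Object { $_.InterfaceDescription -like $AdapterPattern -and $_.Status -eq 'Up' } |
    Select-Object -First 1
if (-not $adapter) {
    Write-Result "FAIL no connected adapter matching '$AdapterPattern'"
    exit 1
}

# Poll for a usable IPv4 address; 169.254.x.x means no address was delivered.
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
do {
    $ipv4 = Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -notlike '169.254.*' } |
        Select-Object -First 1
    if (-not $ipv4) { Start-Sleep -Seconds 2 }
} until ($ipv4 -or (Get-Date) -ge $deadline)

if (-not $ipv4) {
    Write-Result "FAIL $($adapter.Name): no IPv4 address after $TimeoutSeconds s"
    exit 2
}
Write-Result "OK   $($adapter.Name): IPv4 $($ipv4.IPAddress)"

# Collect every expected prefix that has no route bound to the VPN adapter.
$missing = foreach ($prefix in $ExpectedPrefixes) {
    $route = Get-NetRoute -InterfaceIndex $adapter.ifIndex -DestinationPrefix $prefix -ErrorAction SilentlyContinue
    if (-not $route) { $prefix }
}
if ($missing) {
    Write-Result "FAIL missing routes: $($missing -join ', ')"
    exit 3
}
Write-Result "OK   all $($ExpectedPrefixes.Count) expected routes present"
```

The distinct exit codes separate the "no address" case from the "address but no routes" case, which are the two failure modes the post reports.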

