[Sophos Connect] DNS Problem, only reboot helps

Hi there,
Sophos Connect v2.1.20.0309 + Sophos XG 18.5.2 + Windows 10 1809

After a certain time the name resolution does not work anymore, only "nslookup".
Restarting the device, this works again for a certain time.
There are some problems with "sophos connect v.2.1x" and DNS, is this problem possibly also?
Is there a solution to the problem, because it makes little sense to have to reboot the whole device because of a DNS problem.

thx
StefanS



  • I'm not aware of DNS problems with Connect Client but can imagine they exist.

    Can you please describe:

    which device is DNS server when connected with CC?

    which device is rebooted - computer with CC or Firewall?


    On the endpoint computers:

    what type of NIC and WiFi hardware is used?

    do you have computers not having the problems?

    what's the output of ipconfig -all when connected with CC and the problem occurs?

    what's the output of route print when connected with CC and the problem occurs?

    is the configured DNS server pingable when connected with CC and the problem occurs?

  • Hi
    >which device is DNS server when connected with CC?
    The settings of IPSec (remote access) DNS 1 / 2 server, both domain controllers.

    >which device is rebooted - computer with CC or Firewall?
    NB with CC

    >is the configured DNS server pingable when connected with CC and the problem occurs?
    Generally, the DNS resolution then no longer works, of course also no ping. Only nslookup directly, here all DNS entries are resolved correctly.


    The rest will follow as soon as I have more information.

    By the way, we have this "phenomenon" not only on one device, some others are also affected, but not all.
    We had reported a ticket with this bug almost 2 years ago.
    It was not fixed in v17 (did not want it) and should "actually" be fixed in v18 + CC 2.1........

  • >is the configured DNS server pingable when connected with CC and the problem occurs?
    Generally, the DNS resolution then no longer works, of course also no ping. Only nslookup directly, here all DNS entries are resolved correctly.

    does this also apply for internal private domain names or public internet FQDN?

    what is your VPN config? Split or tunnel all?

    maybe this is more an issue with Windows endpoints than Connect client? Have you already tried reordering interface metrics like mentioned on those two websites?

    http://woshub.com/dns-resolution-via-vpn-not-working-windows/

    https://superuser.com/questions/966832/windows-10-dns-resolution-via-vpn-connection-not-working

  • >does this also apply for internal private domain names or public internet FQDN?
    only internal.

    >what is your VPN config? Split or tunnel all?
    Split

  • >metrics like mentioned on those two websites
    Shouldn't this also affect nslookup?
    Why does nslookup still work, so DNS through the tunnel, and everything else in terms of DNS then no longer?

  • nslookup goes straight to the configured DNS server on the shortest IP route while ping and your browsers may use alternative ways to resolve names. Maybe you have the same DNS Active Directory name on WAN and internally so Windows could use the fastest responding name server, which may be the public DNS server.

  • This can possibly be explained in this way.
    But why does it work for a while without any problem and then suddenly not anymore (except restart) and why are not all devices affected?

  • only assuming: they have LAN and WiFi enabled when connected to IPSec with CC.

    WiFi connection drops and reconnects and some sort of reordering of the network interfaces occurs.

    Also modern Intel LAN/WiFi cards cause LAN (!) resets if WiFi decides to rescan for wireless networks, without being connected to WiFi at all.

    We've had issues when using Intel WiFi driver versions below v22. Not with CC IPSec but with CC and SSL VPN, and also in LAN causing heartbeat to reset each time. Sometimes 10 times an hour.

    This is one of the problematic WiFi / Lan combinations. With this driver it's OK.

    check system eventlog for netwtw06 or netwtw08 or netwtw10

    Eventid: 6062

    6062 - Lso was triggered


  • Thanks for your good help so far.
    We have already installed this driver version.
    But what we also see is that the classic SSL client (traffic light) works without problem, this is a CC problem in DNS.

  • Yes, the old client was robust - but very outdated in terms of OpenVPN.

    This applies to Win10 1809.

    I would just check these like mentioned:

    internal and external DNS names: same domain?

    check interface metric

    check if your DNS suffix is still on client present when issue happens

    Metric Example of a later Win10 version:

    netsh int ip show interface

    Idx     Met         MTU          State                Name
    ---  ----------  ----------  ------------  ---------------------------
      1          75  4294967295  connected     Loopback Pseudo-Interface 1
     11          35        1500  connected     WLAN
      2           5        1500  disconnected  Ethernet (Notebook LAN)
     16          65        1500  disconnected  Bluetooth-Netzwerkverbindung
     23          25        1500  disconnected  LAN-Verbindung* 2
     17          35        1400  disconnected  Ethernet 2 (Connect Client VPN)
     12          25        1500  connected     Ethernet 5 (Docking Station LAN)


    netsh int ip show interface

    Idx     Met         MTU          State                Name
    ---  ----------  ----------  ------------  ---------------------------
      1          75  4294967295  connected     Loopback Pseudo-Interface 1
     11          35        1500  connected     WLAN
      2           5        1500  disconnected  Ethernet (Notebook LAN)
     16          65        1500  disconnected  Bluetooth-Netzwerkverbindung
     23          25        1500  disconnected  LAN-Verbindung* 2
     17          35        1400  connected     Ethernet 2 (Connect Client VPN)
     12          25        1500  connected     Ethernet 5 (Docking Station LAN)

    I have not noticed problems. But as said, it's SSL VPN.

    If you see that on a current Win10 version, you should create a support case, maybe Sophos can control that or there is an issue with the strongSwan component.
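Added example, not from the thread or from Sophos: a PowerShell script that bundles the checks suggested in the replies above (interface metrics, DNS servers and suffix on the VPN adapter, system resolver versus a direct query to the VPN DNS server as nslookup does, and event 6062 from the netwtw* Intel WiFi providers). The internal FQDN, the VPN DNS address and the adapter alias are assumed placeholders; run it on the endpoint while the problem is present and compare with a healthy run.

```powershell
# Constructed diagnostic script; these three values are placeholders, not from the thread.
param(
    [string]$InternalName = 'dc01.corp.example',  # hypothetical internal FQDN behind the VPN
    [string]$VpnDns       = '10.0.0.10',          # hypothetical DNS 1 server from the IPsec policy
    [string]$VpnAlias     = 'Ethernet 2'          # Connect Client adapter alias, as in the netsh output
)

# 1. Interface metrics: the Windows resolver prefers the adapter with the lowest metric,
#    so a WLAN or docking LAN adapter with a lower metric than the VPN adapter can win.
"`n== IPv4 interface metrics (lowest wins) =="
Get-NetIPInterface -AddressFamily IPv4 | Sort-Object InterfaceMetric |
    Format-Table ifIndex, InterfaceAlias, InterfaceMetric, ConnectionState -AutoSize

# 2. DNS servers and connection-specific suffix on the VPN adapter; it should still
#    carry the domain controllers and the suffix while the problem is happening.
"`n== DNS servers and suffix on $VpnAlias =="
Get-DnsClientServerAddress -InterfaceAlias $VpnAlias -AddressFamily IPv4 |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize
Get-DnsClient -InterfaceAlias $VpnAlias |
    Format-Table InterfaceAlias, ConnectionSpecificSuffix, RegisterThisConnectionsAddress -AutoSize

# 3. Reproduce the symptom: the system resolver (what ping and browsers use) versus a
#    query sent straight to the VPN DNS server (what nslookup does).
function Test-Resolution {
    param([string]$Name, [string]$Server)
    $query = @{ Name = $Name; Type = 'A'; ErrorAction = 'Stop' }
    if ($Server) { $query.Server = $Server }
    try {
        $answer = Resolve-DnsName @query | Where-Object Type -eq 'A'
        'OK   ' + ($answer.IPAddress -join ', ')
    } catch {
        'FAIL ' + $_.Exception.Message
    }
}
"`n== Resolving $InternalName =="
'System resolver   : ' + (Test-Resolution -Name $InternalName)
"Direct to $VpnDns : " + (Test-Resolution -Name $InternalName -Server $VpnDns)

# 4. The Intel WiFi driver resets from the thread: event ID 6062 logged by netwtw* providers.
"`n== Recent event 6062 entries from netwtw* =="
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6062 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object ProviderName -like 'netwtw*' |
    Format-Table TimeCreated, ProviderName, Message -AutoSize -Wrap
```

If the direct query succeeds while the system resolver fails, the tunnel and the DNS server are fine and the fault is in interface ordering or the suffix on the endpoint, which is the distinction the thread is trying to make.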
