Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 7 replies
  • Subscribers 29 subscribers
  • Views 1139 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DNS Resolution slow using Connect 2.0 and IPSec VPN connection

AllanD

We have a ongoing issue with Sophos Connect 2.0 and IPSec VPN connections where DNS resolution is extremely slow at first and sometimes never resolves itself.  For example a user connects to the VPN and then tries to open a network drive then gets a error as it can't find the server.  Or a app that relies on our SQL server doesn't work because it cant resolve the server address.

Sometimes the issue resolves itself after a few minutes.  But sometimes it doesn't at all and the answer is to reboot, connect to the VPN before doing anything else, waiting 1 - 2 minutes, and then trying to access the network resource.

DNS is setup correctly, we have no issues on prem and once the VPN "figures it out" everything works fine.  But it's that initial connect and waiting that's the issues.  Is there any way to reduce this?

Firewall is a XG310 running 19.0 firmware (happened on 18.* series also).  Clients are all Windows 10 Pro with the Connect 2.0 client and IPSec VPN.



This thread was automatically locked due to age.
  • 0

    Hi : To narrow down and to confirm more during live issue time, If you may capture Wireshark PCAP on the end machine which is connected via Sophos connect, PCAP on XG, PCAP on end DNS server (If in house DNS server added in Sophos connect settings on XG) along with TCPDUMP, drop on port 53 over XG and once you have this logs - you may confirm more.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support
    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link.

  • 0 in reply to Vishal_R

    is there a Security Heartbeat requirement for the firewall rule allowing DNS?

    That could be an indication.

    But I also see some issues regularly with the XG DNS Server in normal operation:

    if you nslookup towards the XG the first lookup may timeout while all following will definetely work.

  • 0

    Can you figure out, if this is a Windows or Firewall issue? 

    Try a packet capture on the firewall, connect via SSLVPN and check if there are DNS Requests or not. If not, the client will likely not consider the firewall for DNS first. 

    serverfault.com/.../vpn-connection-causes-dns-to-use-wrong-dns-server

    __________________________________________________________________________________________________________________

  • 0 in reply to LHerzog

    No security heartbeat on the DNS rule.  With that said do you know how long the time out is? Because what we see is for the first about minute we can't access anything and then it starts working reliably afterward.

  • 0 in reply to LuCar Toni

    Read through that server fault article and while it does make sense I don't think it applies here, it seems the opposite of the issue we're having. In our case it seems like after the VPN is connected DNS resolution is still happening on the user's network with their internet provider router and then after a minute or two it starts going through the VPN connection. I think we might actually try that with some static DNS entries on their equipment just to see how much faster things resolved.

  • 0 in reply to AllanD

    I think Lucar Toni's answer brings you in the right direction. I remember struggling around with this a while ago.

    http://woshub.com/dns-resolution-via-vpn-not-working-windows/

    But playing with metric manually is no fun and may cause other errors.

    I found internal communication where I dumped DNS traffic in VPN on both: the physical NIC or WiFi Adapter and on the Tunnel Adapter.

    You can see, the DNS request goes out on both adapters and the first answer wins and is then used as DNS server.

    In our case, the DNS domain suffix is the same internally and externally. So it could be resolved on the VPN and LAN connection. On the LAN connection means, when aou're remote, that it uses public Internet DNS Servers.

    look for query for SOA of your internal domain.

  • 0 in reply to LHerzog

    also I would install the 2.1 Connect Client on a machine known to have that issue and test if it is resolved. 2.0 Version is even more buggy than the current 2.1.

Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?