This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DNS Resolution slow using Connect 2.0 and IPSec VPN connection

We have a ongoing issue with Sophos Connect 2.0 and IPSec VPN connections where DNS resolution is extremely slow at first and sometimes never resolves itself. For example a user connects to the VPN and then tries to open a network drive then gets a error as it can't find the server. Or a app that relies on our SQL server doesn't work because it cant resolve the server address.

Sometimes the issue resolves itself after a few minutes. But sometimes it doesn't at all and the answer is to reboot, connect to the VPN before doing anything else, waiting 1 - 2 minutes, and then trying to access the network resource.

DNS is setup correctly, we have no issues on prem and once the VPN "figures it out" everything works fine. But it's that initial connect and waiting that's the issues. Is there any way to reduce this?

Firewall is a XG310 running 19.0 firmware (happened on 18.* series also). Clients are all Windows 10 Pro with the Connect 2.0 client and IPSec VPN.

This thread was automatically locked due to age.

Parents

0 Vishal_R over 3 years ago

Hi AllanD : To narrow down and to confirm more during live issue time, If you may capture Wireshark PCAP on the end machine which is connected via Sophos connect, PCAP on XG, PCAP on end DNS server (If in house DNS server added in Sophos connect settings on XG) along with TCPDUMP, drop on port 53 over XG and once you have this logs - you may confirm more.

Regards,

Vishal Ranpariya
Technical Account Manager | Sophos Technical Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Vishal_R over 3 years ago

Hi AllanD : To narrow down and to confirm more during live issue time, If you may capture Wireshark PCAP on the end machine which is connected via Sophos connect, PCAP on XG, PCAP on end DNS server (If in house DNS server added in Sophos connect settings on XG) along with TCPDUMP, drop on port 53 over XG and once you have this logs - you may confirm more.

Regards,

Vishal Ranpariya
Technical Account Manager | Sophos Technical Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 LHerzog over 3 years ago in reply to Vishal_R

is there a Security Heartbeat requirement for the firewall rule allowing DNS?

That could be an indication.

But I also see some issues regularly with the XG DNS Server in normal operation:

if you nslookup towards the XG the first lookup may timeout while all following will definetely work.
Cancel
Vote Up 0 Vote Down

Cancel
0 AllanD over 3 years ago in reply to LHerzog

No security heartbeat on the DNS rule. With that said do you know how long the time out is? Because what we see is for the first about minute we can't access anything and then it starts working reliably afterward.
Cancel
Vote Up 0 Vote Down

Cancel

DNS Resolution slow using Connect 2.0 and IPSec VPN connection

Submitted a Tech Support Case lately from the Support Portal?