Sophos connect - unidentified network ... again

Hi there,

I'd like to talk about an old problem again - the "unidentified network"-problem when using OpenVPN-Tap-Adapters.

Currently I am trying to use Sophos Connect again and am running into the same issue with the network not being identified after connection. That results in non-working DNS for the internal clients. Connections using IP are working. I guess the problem's cause is that we use the same DNS zone internally as externally.

I know about lots of possible solutions from searching for "unidentified network" and OpenVPN or TAP adapter, like using a bogus route, changing registry keys, using secpol etc., but none of them are comfortable, and some don't even work for me (e.g. I can't find that registry setting for ndiswan, as it does not seem to get used by the new Sophos Connect client). My Windows firewall is disabled.

Currently I have found another "solution" that I do not understand. I just set the adapter metric setting not to automatic but to 1. Then the adapter gets quickly identified on my test machine, although the internal routes for my connected network still have a higher metric value than the local standard gateway. I also do not know if this will consistently work for other clients, and again this just seems to be more of a workaround than a real explanation.

So can somebody tell me what really causes this problem and how to easily get past it?

And if not, why does this metric setting solve the problem? The easiest solution currently would be using PowerShell:

Get-NetAdapter -InterfaceDescription "Sophos TAP Adapter" | Set-NetIPInterface -InterfaceMetric 1

Nevertheless - this sucks!

Cheers

Marcel



This thread was automatically locked due to age.
  • the "unidentified network"-problem when using OpenVPN-Tap-Adapters.

    Please post the OpenVPN logs from the OpenVPN software as well, and if you encounter any error or error message, include a screenshot too.

    Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

  • Hi,

    there are no errors visible in the OpenVPN log. The connection itself works, as does access to resources, but DNS to internal resources only works when I set the interface metric of the TAP adapter manually to 1.

    This is obviously an old Windows bug, and I guess the problem must be when the same DNS zone is used internally and externally (like contoso.com internally and externally instead of contoso.local and contoso.com).

    Regards

    Marcel

  • This is the cause of the issue:

    https://serverfault.com/questions/84291/how-does-windows-decide-which-dns-server-to-use-when-resolving-names

    On Windows 10 and 11, DNS priority is determined by interface metric - the DNS servers on the interface with the lowest metric value will be used first.

    Really annoying, as the problem could be solved easily if the TAP adapter used a lower metric value by default. But it doesn't. When I don't change the metric manually it sets itself to 35. The built-in adapters all have lower values (in my case 25), so DNS does not work properly. If I set the TAP adapter metric to 1 all is fine.

    I guess I have to live with it.

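Added example, not part of the original thread: a read-only PowerShell check that lists the connected IPv4 interfaces with their metrics and DNS servers in the preference order described in the last post, and reports whether another interface would be consulted before the VPN adapter. It assumes the adapter description "Sophos TAP Adapter" from the command in the first post; the function name `Get-DnsPreferenceOrder` is made up for this example.

```powershell
# Added example. Read-only: it reports the current state and changes nothing.
# Assumption: adapter description as used in the thread's Set-NetIPInterface command.
$vpnDescription = 'Sophos TAP Adapter'

function Get-DnsPreferenceOrder {
    # Connected IPv4 interfaces that have DNS servers assigned, lowest metric first.
    Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected |
        ForEach-Object {
            $dns = (Get-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4).ServerAddresses
            if ($dns) {
                [pscustomobject]@{
                    InterfaceAlias  = $_.InterfaceAlias
                    InterfaceIndex  = $_.InterfaceIndex
                    InterfaceMetric = $_.InterfaceMetric
                    AutomaticMetric = $_.AutomaticMetric   # Enabled = Windows picks the value
                    DnsServers      = $dns -join ', '
                }
            }
        } | Sort-Object InterfaceMetric
}

$order = @(Get-DnsPreferenceOrder)
$order | Format-Table -AutoSize

$vpn = Get-NetAdapter -InterfaceDescription $vpnDescription -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $vpn) {
    Write-Warning "No adapter with description '$vpnDescription' found."
    return
}

$vpnRow = $order | Where-Object { $_.InterfaceIndex -eq $vpn.ifIndex }
if (-not $vpnRow) {
    Write-Warning 'VPN adapter is not connected or has no IPv4 DNS servers assigned.'
    return
}

# Interfaces with a metric lower than or equal to the VPN adapter's compete with it;
# a tie is reported too, because the resulting order is then not guaranteed.
$ahead = @($order | Where-Object {
    $_.InterfaceIndex -ne $vpn.ifIndex -and $_.InterfaceMetric -le $vpnRow.InterfaceMetric
})
if ($ahead.Count -eq 0) {
    Write-Output "VPN adapter has the lowest metric ($($vpnRow.InterfaceMetric)); its DNS servers come first."
} else {
    $ahead | ForEach-Object {
        Write-Output ("'{0}' (metric {1}) is not above the VPN adapter (metric {2}); its DNS servers ({3}) may be used first." -f $_.InterfaceAlias, $_.InterfaceMetric, $vpnRow.InterfaceMetric, $_.DnsServers)
    }
}
```

Run it once before and once after connecting the VPN to see where the TAP adapter lands in the order.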