SSL VPN Only Blocking inbound Communication

XGS4500 (SFOS 19.0.1 MR-1-Build365)

Our SSL VPN stopped allowing two-way communication. We can ping the VPN client IP from inside the network. Once the client connects, the client cannot communicate with anything (full tunnel): NSLOOKUP, PING, etc.

No rules have changed, all was working previously as expected.

In some circumstances the user can disconnect/reconnect and then they are fine.

We first noticed the issue on 09.06.2022. On 09.07.2022 we restarted the VPN services; this seemed to remedy the situation, but it was not fixed for all clients, and some reverted to being broken again.

On 09.08.2022 we updated the firmware hoping to resolve the issue. The issue still persists, and now iPad VPN clients have the same problem.

A packet capture shows:

An inbound DNS request from the VPN client to the Domain Controller, then it says violation firewall.

Nothing is reflected in any logs that corresponds to that violation.

The only other clue is in the Authentication log:

User failed to login to Firewall through AD,AD,Local authentication mechanism because of wrong credentials

This is related to the Heartbeat.

  • I believe my problem was related to this article:

    community.sophos.com/.../ssl-vpn-ipv4-lease-range-changes-in-sfos-v19

    We originally upgraded from V18.x to 19.x roughly 80 days ago. We had not noticed the issue; however, users may have been self-rectifying by disconnecting and reconnecting.

    My original SSL VPN range was 10.21.0.1 - 10.21.0.63; the v19 upgrade apparently changed it to 10.21.0.1/24. However, it did not also change my IP HOST VPN SSL (IPv4) object, which was still 10.21.0.0/26.

    So, whenever the VPN DHCP gave out an address from 10.21.0.64 - 10.21.0.254, the firewall didn't recognize that range and ignored it.
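
The range mismatch described in the reply above, as an added example that is not part of the thread and is not Sophos code: a small Python check that lists every usable address in the SSL VPN lease network that the firewall's IP host object does not cover, so a rule referencing that object would never match traffic from those clients. The two CIDRs are the ones quoted in the reply; the function names are my own.

```python
"""Check whether an SSL VPN lease network is fully covered by the IP host
object(s) that firewall rules reference.  Added example, not from the thread.
CIDRs below are the values quoted in the reply (constructed test input)."""
import ipaddress
from typing import Iterable, List, Tuple


def leases_not_covered(lease_network: str,
                       host_objects: Iterable[str]) -> List[ipaddress.IPv4Address]:
    """Return every usable host address in lease_network that none of the
    host_objects contains.  strict=False lets a lease given as 10.21.0.1/24
    be read as the network 10.21.0.0/24, as the firewall does."""
    net = ipaddress.ip_network(lease_network, strict=False)
    objs = [ipaddress.ip_network(o, strict=False) for o in host_objects]
    return [addr for addr in net.hosts() if not any(addr in o for o in objs)]


def contiguous_ranges(addrs: Iterable[ipaddress.IPv4Address]) -> List[Tuple[str, str]]:
    """Collapse a list of addresses into (first, last) ranges so a long gap
    reads as one line instead of hundreds."""
    ranges: List[List[ipaddress.IPv4Address]] = []
    for addr in sorted(addrs):
        if ranges and int(addr) == int(ranges[-1][1]) + 1:
            ranges[-1][1] = addr          # extend the current run
        else:
            ranges.append([addr, addr])   # start a new run
    return [(str(first), str(last)) for first, last in ranges]


def report(lease_network: str, host_objects: Iterable[str]) -> str:
    """Human-readable summary of the gap, empty string when fully covered."""
    gap = leases_not_covered(lease_network, host_objects)
    if not gap:
        return ""
    lines = [f"{len(gap)} lease address(es) in {lease_network} not covered by "
             f"{', '.join(host_objects)}:"]
    lines += [f"  {first} - {last}" for first, last in contiguous_ranges(gap)]
    return "\n".join(lines)


if __name__ == "__main__":
    # The situation in the reply: lease network widened to /24 by the upgrade,
    # host object left at /26.
    print(report("10.21.0.1/24", ["10.21.0.0/26"]) or "fully covered")
    # After correcting the host object to match the lease network.
    print(report("10.21.0.1/24", ["10.21.0.0/24"]) or "fully covered")
```

Run against the thread's values it reports the 191 addresses 10.21.0.64 - 10.21.0.254 as uncovered, which is exactly the set of clients the reply says the firewall ignored; widening the host object to 10.21.0.0/24 makes the gap empty.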

  • Yes, this change is actually something we had to do for the broader support of bigger SSL VPN ranges. There are some installations (like yours) which come with an extra change you have to do to get this working.
