
SSL VPN ISSUE Version - SFOS 19.0.1 MR-1-Build365

VPN is connected, but an issue is faced.

1. SSL VPN gateway is reachable.
2. Networks that are in the Sophos Firewall are reachable
(Port-1 -- 192.168.100.1/24 -- Server = 192.168.100.10/24). The interface IP address and the server IP address
on the same network are reachable.
3. Networks that are not in the Sophos Firewall and are in remote locations are not reachable.
4. The route entry on the client laptop is fine.
5. From Sophos (Port-2) to Fortigate (Port), directly connected with IP 192.168.101.1/24 on Sophos and 192.168.101.2/24
on Fortigate: from Sophos, 192.168.101.2 is reachable, but from the SSL VPN client, 192.168.101.2 is not reachable.

6. From the Sophos interface IP all outside networks are reachable, but from the SSL client the same IPs are not reachable.

7. User nabil.lamichhane of the SSL client is connected from PC1 and has the above problem; at the same time, if the same user
connects the SSL VPN from PC2 and tries to reach the above IPs, it works fine.

This type of problem occurs randomly on any client/PC at any time.

  • Hello Vivek,

    These changes have already been applied. My issue is that my outside networks (IP addresses) will disconnect while the VPN connection is fine. All IP addresses that are on Sophos interfaces, and servers that are in the same network as a Sophos interface, are reachable, but networks (IPs) that are not on a Sophos interface are not reachable at the time of the issue.

  • Hello Vivek,

    These changes have already been applied. My issue is that my outside networks (IP addresses) will disconnect while the VPN connection is fine. All IP addresses that are on Sophos interfaces, and servers that are in the same network as a Sophos interface, are reachable, but networks (IPs) that are not on a Sophos interface are not reachable at the time of the issue, and at the same time, if I access an external resource with an IP address that is assigned on a Sophos interface, it works fine.

  • Hi NOC F1SOFT,

    Apologies for the confusion.

    So the Issue is you're able to connect, but then suddenly, the access is lost while you're still connected to the VPN.

    And the only solution that is working is to disconnect and reconnect. Is that right?

    Were any changes made before the issue started? 

    Can you share the logs from the clients while the issue is occurring?

    Any KBs followed for troubleshooting?

    Do you have a case # that we can check? I would recommend creating one so that Support can thoroughly check this issue via remote.

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • So the Issue is you're able to connect, but then suddenly, the access is lost while you're still connected to the VPN.

    And the only solution that is working is to disconnect and reconnect. Is that right?

    No changes were made.

    This is correct, Erick.

    But the main issue is: the VPN is connected and I am able to ping IP addresses that are on the Sophos Firewall itself; there is no problem with that. The only problem is that I am unable to ping any IP address that is outside of the Sophos Firewall. The VPN does not get disconnected, and the client can ping IP addresses that are set on the Sophos Firewall; only networks that are outside of the Sophos device are unreachable. This issue gets resolved only after disconnecting and reconnecting the SSL client.

  • Let me make it clear with an image.

  • Hi,

    From the FW, do you have any FW policy allowing the VPN to access the unreachable sites (the networks outside of the Sophos device that are the only unreachable ones)?

    Will wait for the image. Also, kindly share a screenshot of the policy and logs, if possible.

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • Hello there,

    What do you mean by networks outside of the Sophos Firewall? (Public networks, or networks that connect to the Firewall via another Firewall/VPN (IPsec)?)

    Suppose the issue gets resolved after disconnecting and reconnecting. In that case, you’ll need to compare via a GUI Pcap what Firewall rule is being hit when the connection is working properly and what rule is being hit when it stops working, same as doing a drop packet capture from the Advanced Shell of the Sophos Firewall.

    How is the SSL VPN configured currently: as a split tunnel or "Use as Default Gateway"?

    Clarify what IP the SSL VPN client is getting. You'll get routing issues if you’re using an overlapping IP with a subnet in the Firewall.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • What do you mean by networks outside of the Sophos Firewall? (Public networks, or networks that connect to the Firewall via another Firewall/VPN (IPsec)?)

    Ans - Private networks that connect to the Firewall via another Firewall.

    How is the SSL VPN configured currently: as a split tunnel or "Use as Default Gateway"?

    Ans - Split tunnel.

    Clarify what IP the SSL VPN client is getting. You'll get routing issues if you're using an overlapping IP with a subnet in the Firewall.

    Ans - The client is getting the 10.30.222.0/24 network, and this IP range is not used on any interface in the Sophos Firewall.

  • Now let me make my issue clear.

    An SSL VPN client (user1) connects the SSL VPN and gets IP address 10.30.222.10; a route is installed on the client PC as 10.0.0.0/8 via gateway 10.30.222.1. Now the client can ping 10.11.11.1, 10.11.11.2, 10.12.11.1, 10.14.11.1, 10.14.11.2. There is no problem with any connection. Then after some time the client suddenly cannot ping 10.12.11.2, 10.14.11.1, 10.14.11.2, but at the same time the client can ping 10.11.11.1, 10.12.11.1, 10.11.11.2. This is the issue the client is facing. This issue gets resolved if the user disconnects the SSL VPN, reconnects, and uses it again.

    And I have done some troubleshooting from my side.

    At the time of the issue, the VPN client is unable to ping networks that are defined in the Fortigate Firewall, but if I ping from the Sophos box (taking source 10.12.11.1) it can ping all the IP addresses that are mentioned in the Fortigate Firewall. But the SSL user client can't ping those IP addresses that are in the Fortigate Firewall.

    My ACL and route entries in the Sophos Firewall are correct.

    I think I have made my scenario and issue clear.

    This issue occurs at any time on any client. We have at least 500 SSL VPN users, so it is making day-to-day work difficult.

    Kindly guide me in the right direction so that I can fix this issue.
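Erick and Emmanuel both ask for client-side logs and for a comparison of the working and failing states. As an added example, not part of this thread, the following POSIX shell script runs on a Linux/macOS SSL VPN client and timestamps the moment the hosts behind the tunnel flip from "up" to "down", together with the route the client is using at that moment, so the flip can be lined up against the firewall's packet capture. The host list and the 10.30.222.1 gateway are the ones given above; the log file path and the 30-second interval are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: run on a Linux/macOS SSL VPN client to
# timestamp the moment tunnel hosts flip "up"->"down", so the flip can be matched
# against the firewall's packet capture and rule logs. Hosts and gateway are the
# ones named above; LOGFILE and the 30-second interval are assumptions.
LOGFILE="${LOGFILE:-./sslvpn-reach.log}"
VPN_GW="10.30.222.1"
HOSTS="10.11.11.1 10.11.11.2 10.12.11.1 10.12.11.2 10.14.11.1 10.14.11.2"
# ping_once HOST -> prints "up" or "down" (single probe, 2 s timeout)
ping_once() {
    if ping -c 1 -W 2 "$1" >/dev/null 2>&1; then echo up; else echo down; fi
}
# snapshot -> prints "host=state ..." for every host in HOSTS
snapshot() {
    out=""
    for h in $HOSTS; do out="$out $h=$(ping_once "$h")"; done
    echo "${out# }"
}
# flips OLD NEW -> prints "host old->new" for each host whose state changed;
# OLD/NEW are snapshot strings such as "10.11.11.1=up 10.12.11.2=down".
flips() {
    for tok in $2; do
        host="${tok%%=*}"; state="${tok#*=}"
        for otok in $1; do
            if [ "${otok%%=*}" = "$host" ] && [ "${otok#*=}" != "$state" ]; then
                echo "$host ${otok#*=}->$state"
            fi
        done
    done
}
# The monitor loop runs only when invoked as: sh sslvpn-reach.sh monitor
if [ "${1:-}" = "monitor" ]; then
    prev="$(snapshot)"
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) start: $prev" >>"$LOGFILE"
    while :; do
        sleep 30
        cur="$(snapshot)"
        changed="$(flips "$prev" "$cur")"
        if [ -n "$changed" ]; then
            {
                echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) FLIP: $changed"
                # route the client is using for the 10/8 range right now (Linux, then macOS)
                ip route get 10.12.11.2 2>/dev/null || route -n get 10.12.11.2 2>/dev/null
                # whether the tunnel endpoint itself still answers
                echo "gateway $VPN_GW=$(ping_once "$VPN_GW")"
            } >>"$LOGFILE"
        fi
        prev="$cur"
    done
fi
```

A FLIP entry whose gateway line still reads "up" while only the Fortigate-side hosts went "down" narrows the problem to the path beyond the Sophos box, which is the state Emmanuel suggests capturing on the firewall at the same moment.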