SSL VPN ISSUE Version - SFOS 19.0.1 MR-1-Build365

Hi NOC F1SOFT,

Thank you for reaching out to Sophos Community,

Is the network outside the Sophos allowed on the "allowed Network" settings

Have you allowed it also on LAN-VPN /VPN - LAN FW Rule?

Can you do a packet capture where the traffic stops or drop?

Access is allowed because if i disconnect and reconnecting vpn connectivity will be fine, while doing packet capture at the time of issue, it say 

Status = Violation, reason = Firewall, rule id = 0, Nat ID = 0.

Hi,

Have you put the LAN -VPN /VPN -LAN  on top of the FW Policy 

Is your client Network the same as in Sophos? 

Kindly check this KB if they have an overlapping network 

community.sophos.com/.../ssl-vpn-access-for-overlapping-home-networks

Hello Erick

All access control policy is fine. Suppose i connect ssl vpn right now and if i access outside network its working fine, but after some time the connection get lost and if i disconnect and again reconnect VPN it will work fine.

There is no any overlapping Network as our company is using SSL VPN from the day Covid started. This type of issue started few months ago

Hey NOC F1SOFT ,

Check the changes with the SSL VPN - SSL VPN "IPv4 lease range" changes OR global settings update gives error "You must enter a network IP address." in SFOS v19.

And also check the FW rule if the correct source network is mentioned !

Hello Vivek 

This changes have already applied and my issue is, my outside network(IP address) will disconnect , vpn connection is fine. ALL ip address that are in sophos interface and server that are in same network as of sophos interface are reachable but network (ip) that are not in sophos interface are not reachable at the time of issue.

Hello Vivek 

This changes have already applied and my issue is, my outside network(IP address) will disconnect , vpn connection is fine. ALL ip address that are in sophos interface and server that are in same network as of sophos interface are reachable but network (ip) that are not in sophos interface are not reachable at the time of issue and at the same time if i access external resource with ip address that is assigned in sophos interface it will work fine.

Hi NOC F1SOFT,

Apologies for the confusion.

So the Issue is you're able to connect, but then suddenly, the access is lost while you're still connected to the VPN.

And the only solution that is working is to disconnect and reconnect. is that right?

Were any changes made before the issue started? 

Can you share the logs from the clients while the issue is occurring?

Any KB's followed for troubleshooting?

Do you have a case# that we can check? I would recommend creating one so that the Support can thoroughly check this issue via remote.

So the Issue is you're able to connect, but then suddenly, the access is lost while you're still connected to the VPN.

And the only solution that is working is to disconnect and reconnect. is that right?

No any changes made

This is correct Erick

But the main issue is, VPN is connected and i am able to ping IP address that are in Sophos Firewall itself, there is no any problem on that, but the only problem is i will be unable to ping any ip address that are outside of sophos firewall. VPN dont get disconnect and client can ping ip address that are set in sophos firewall, network that are outside of sophos device are only unreachable. This issue get resolve only after disconnecting and again reconnecting ssl client

Let me make you clear with image.

Hi,

From the FW, do you have any FW policy allowing the VPN to access the Unreachable sites( network that are outside of sophos device are only unreachable)?

Will wait for the image .also,kindly share the screenshot of the policy and logs, if possible.

Hi,

From the FW, do you have any FW policy allowing the VPN to access the Unreachable sites( network that are outside of sophos device are only unreachable)?

Will wait for the image .also,kindly share the screenshot of the policy and logs, if possible.

Hello there,

What do you mean by networks outside of Sophos Firewall? (Public Networks or networks that connect to the Firewall via another Firewall/VPN (IPsec)?

Suppose the issue gets resolved after disconnecting and reconnecting. In that case, you’ll need to compare via a GUI Pcap what Firewall rule is being hit when the connection is working properly and what rule is being hit when it stops working, same as doing a drop packet capture from the Advanced Shell of the Sophos Firewall.

How is the SSL VPN configured currently as a Split tunnel or "Use as Default Gateway"?

Clarify what IP the SSL VPN client is getting. You'll get routing issues if you’re using an overlapping IP with a subnet in the Firewall.

Regards,

What do you mean by networks outside of Sophos Firewall? (Public Networks or networks that connect to the Firewall via another Firewall/VPN (IPsec)?

Ans - Private Network that connect Firewall via another Firewall.

How is the SSL VPN configured currently as a Split tunnel or "Use as Default Gateway"?

Ans - Split Tunnel

Clarify what IP the SSL VPN client is getting. You'll get routing issues if you’re using an overlapping IP with a subnet in the Firewall.

Ans - Client is getting 10.30.222.0/24 Network and this ip is not used in any interface in sophos firewall.

Now let me make my issue clear.

SSL vpn client (user1) connect ssl vpn and it will get ip address 10.30.222.10,  route will install  in client pc as 10.0.0.0/8 gateway 10.30.222.1. Now client can ping 10.11.11.1, 10.11.11.2, 10.12.11.1, 10.14.11.1,10.14.11.2. There is no any problem in any connection. Now after some time client suddenly cannot ping 10.12.11.2,10.14.11.1,10.14.11.2 but at the same time client can ping 10.11.11.1,10.12.11.1,10.11.11.2. This is the issue client is facing. This issue will get resolve if user disconnect ssl vpn and again reconnect and use it.

And i have done some troubleshot from my side.

At the time of issue. Vpn client is unable to ping network that is define in Fortigate Firewall but if i ping from sophos box (by taking source as 10.12.11.1) it can ping all IP address that are mentioned in fortigate Firewall. but ssl user client cant ping those IP address that are in Fortigate firewall.

My ACL and route entry in sophos Firewall is correct.

I thing i make my scenario and issue clear.

This issue occur at any time on any client. we have at least 500 SSL vpn user so it making day to day work difficult.

Kindly guide me to right direction so that i can fix this issue.