SSL VPN ISSUE Version - SFOS 19.0.1 MR-1-Build365

Hi NOC F1SOFT,

Thank you for reaching out to Sophos Community,

Is the network outside the Sophos allowed on the "allowed Network" settings

Have you allowed it also on LAN-VPN /VPN - LAN FW Rule?

Can you do a packet capture where the traffic stops or drop?

Access is allowed because if i disconnect and reconnecting vpn connectivity will be fine, while doing packet capture at the time of issue, it say 

Status = Violation, reason = Firewall, rule id = 0, Nat ID = 0.

There is no any overlapping Network as our company is using SSL VPN from the day Covid started. This type of issue started few months ago

Hey NOC F1SOFT ,

Check the changes with the SSL VPN - SSL VPN "IPv4 lease range" changes OR global settings update gives error "You must enter a network IP address." in SFOS v19.

And also check the FW rule if the correct source network is mentioned !

Hello Vivek 

This changes have already applied and my issue is, my outside network(IP address) will disconnect , vpn connection is fine. ALL ip address that are in sophos interface and server that are in same network as of sophos interface are reachable but network (ip) that are not in sophos interface are not reachable at the time of issue.

Hello Vivek 

This changes have already applied and my issue is, my outside network(IP address) will disconnect , vpn connection is fine. ALL ip address that are in sophos interface and server that are in same network as of sophos interface are reachable but network (ip) that are not in sophos interface are not reachable at the time of issue and at the same time if i access external resource with ip address that is assigned in sophos interface it will work fine.

Hi NOC F1SOFT,

Apologies for the confusion.

So the Issue is you're able to connect, but then suddenly, the access is lost while you're still connected to the VPN.

And the only solution that is working is to disconnect and reconnect. is that right?

Were any changes made before the issue started? 

Can you share the logs from the clients while the issue is occurring?

Any KB's followed for troubleshooting?

Do you have a case# that we can check? I would recommend creating one so that the Support can thoroughly check this issue via remote.

So the Issue is you're able to connect, but then suddenly, the access is lost while you're still connected to the VPN.

And the only solution that is working is to disconnect and reconnect. is that right?

No any changes made

This is correct Erick

But the main issue is, VPN is connected and i am able to ping IP address that are in Sophos Firewall itself, there is no any problem on that, but the only problem is i will be unable to ping any ip address that are outside of sophos firewall. VPN dont get disconnect and client can ping ip address that are set in sophos firewall, network that are outside of sophos device are only unreachable. This issue get resolve only after disconnecting and again reconnecting ssl client

Let me make you clear with image.

Hi,

From the FW, do you have any FW policy allowing the VPN to access the Unreachable sites( network that are outside of sophos device are only unreachable)?

Will wait for the image .also,kindly share the screenshot of the policy and logs, if possible.

Hello there,

What do you mean by networks outside of Sophos Firewall? (Public Networks or networks that connect to the Firewall via another Firewall/VPN (IPsec)?

Suppose the issue gets resolved after disconnecting and reconnecting. In that case, you’ll need to compare via a GUI Pcap what Firewall rule is being hit when the connection is working properly and what rule is being hit when it stops working, same as doing a drop packet capture from the Advanced Shell of the Sophos Firewall.

How is the SSL VPN configured currently as a Split tunnel or "Use as Default Gateway"?

Clarify what IP the SSL VPN client is getting. You'll get routing issues if you’re using an overlapping IP with a subnet in the Firewall.

Regards,

What do you mean by networks outside of Sophos Firewall? (Public Networks or networks that connect to the Firewall via another Firewall/VPN (IPsec)?

Ans - Private Network that connect Firewall via another Firewall.

How is the SSL VPN configured currently as a Split tunnel or "Use as Default Gateway"?

Ans - Split Tunnel

Clarify what IP the SSL VPN client is getting. You'll get routing issues if you’re using an overlapping IP with a subnet in the Firewall.

Ans - Client is getting 10.30.222.0/24 Network and this ip is not used in any interface in sophos firewall.

What do you mean by networks outside of Sophos Firewall? (Public Networks or networks that connect to the Firewall via another Firewall/VPN (IPsec)?

Ans - Private Network that connect Firewall via another Firewall.

How is the SSL VPN configured currently as a Split tunnel or "Use as Default Gateway"?

Ans - Split Tunnel

Clarify what IP the SSL VPN client is getting. You'll get routing issues if you’re using an overlapping IP with a subnet in the Firewall.

Ans - Client is getting 10.30.222.0/24 Network and this ip is not used in any interface in sophos firewall.