Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 20 replies
  • Answers 2 answers
  • Subscribers 31 subscribers
  • Views 3081 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSLVPN logs no longer showing source IP Address since upgrade from 18.5.4 to 19.0.1

LHerzog

Hey,

since we upgraded from SFOS 18.5.4 to 19.0.1 we can no longer see the source IP a SSL VPN user connected from in the VPN logs.

It simply shows nothing or the LAN IP Address of the Firewall in the SSL VPN IP-Range.

We only see the real source IP if the login is unsuccessful.

So this very important information is not logged currently!

Do you have that already as an Bug ID and when will you fix it?

Regards



This thread was automatically locked due to age.
Parents
  • 0

    We are on 19.5.1 for multiple clients and seeing the private ip address within the dhcp range of the vpn dhcp as the source of the connection.  It is even showing this in the logging going to datalakes.  I don't think this was fixed yet and it really needs to be so our logging is correct.  

  • 0 in reply to JTK

    Hello there,

    Thank you for contacting the Sophos Community.

    If you’re in v19.5 MR1 and you still have the issue, please open a case with support and share the Case ID. Feel free to reference this community post when doing so.

    Regards,

     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • 0 in reply to emmosophos

    Essentially there are two different events in v19.5 MR1.

    The first one does not show the WAN IP:

    But the second one (Authentication) does show the src_IP





    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    I just checked again and every successful authentication I see has no src_ip and the established connections are showing the VPN private subnet IP.  I also checked datalakes and every successful VPN connection doesn't show a locations because all src ips are internal DHCP VPN ips.

  • 0 in reply to LuCar Toni

    unfortunately, after upgrade from 19.5.0 GA-Build197 to 19.5.1 MR-1-Build278 when user fail to login because wrong credential, in logs not show source Ip of attempt 

    2023-03-20 17:29:14Authenticationmessageid="17711" log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Failed" user="aserbanoiu" user_group="" client_used="SSLVPN" auth_mechanism="AD,AD,AD,Local" reason="wrong credentials" src_ip="" message="User name*** failed to login to SSLVPN through AD,AD,AD,Local authentication mechanism because of wrong credentials" name="" src_mac=""

  • 0 in reply to Licenses Lasting

    can you please tell if this is already listed as known issue internally? the source IP for failed logins must be logged.

    2023-04-03 16:14:30Authenticationmessageid="17711" log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Failed" user="badboy" user_group="" client_used="SSLVPN" auth_mechanism="Local,AD,AD" reason="wrong credentials" src_ip="" message="User badboy failed to login to SSLVPN through Local,AD,AD authentication mechanism because of wrong credentials" name="" src_mac=""

    Source IP empty.

    Successful login only shows the real remote IP address of a user at Log Component SSL VPN Authentication, not SSL VPN.

  • 0 in reply to LHerzog

    NC-116602

    Logviewer is not showing Src IP field information for the Failed authenticated SSLVPN Users

    This is tracked and will be addressed in a future version (Likely not the next Version V19.5 MR2). 

    __________________________________________________________________________________________________________________

Reply
  • 0 in reply to LHerzog

    NC-116602

    Logviewer is not showing Src IP field information for the Failed authenticated SSLVPN Users

    This is tracked and will be addressed in a future version (Likely not the next Version V19.5 MR2). 

    __________________________________________________________________________________________________________________

Children
Unfiltered HTML