Assigning static ip to SSL VPN users results in Authentication failed when switching networks

Just upgraded from 19.5.0 GA-Build197 to 19.5.1 MR-1-Build278 in hopes that this would be resolved.

The issue is that mobile phones are unable to reconnect the SSL VPN when they roam between different networks, e.g. from a local Wi-Fi to a mobile ISP and vice versa.
This only happens if the user is assigned a static IP.
If I force disconnect the connection in Current activities -> Remote users, the user is able to connect again immediately.

If I remove the static assigned IP from the user, the user can roam OK between different networks and Current activities -> Remote users now shows the user with more than one connection (with different source IPs).

My IPs/networks are:
192.168.88.0/24 - LAN
192.168.99.0/24 - SSL VPN
192.168.99.128/25 - SSL VPN static IP range
192.168.99.130 - User assigned IP

The error and log on the phone:
Mobile error and log

SSLVPN global policy:
SSLVPN Global policy

SSLVPN policy:
SSL VPN policy

A user:
User

After the upgrade to the latest version there are now logs of these failures:


Is there any way to fix this, or is this a bug?



  • This seems to be related to this Bug: 

    NC-101947 SSLVPN:Static IP, with UDP, 2nd attempt of tunnel establishment auth_fails as ip address is not released when previous tunnel is disconnected

    Workaround could be to move to TCP instead of UDP. This would mean to roll out SSLVPN again.


  • Thank you for that find. I checked the Sophos Known Issues list before posting and I did not see that bug, and I still don't see it after selecting "Sophos Firewall". Where did you find the NC-101947?

    Unfortunately TCP has the same issue. Log also reports the same "User [username] failed to login to SSLVPN through Local authentication mechanism because of ip lease failed"

    I will remove the static IPs for now and wait for a fix.

  • Hi Lars,

    It's missing in the KIL and will get it updated soon. If you are facing issues with TCP as well, I would suggest opening a support investigation ticket.

    Let us know the case ID and I will track it from my end.

    -Alok
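
Added example (not part of the thread and not Sophos code): a Python script that scans exported log lines for the "ip lease failed" message quoted above and flags users whose source IP changed since their last successful login, which is the roaming pattern described in the original post. The key=value log layout, the field names (`user_name`, `src_ip`, `status`), the user names and the sample lines are constructed assumptions; only the failure message text comes from the thread.

```python
import re
from collections import defaultdict

# Failure text as quoted in the thread; the user name stands where the post shows [username].
LEASE_FAIL = re.compile(
    r"User (?P<user>\S+) failed to login to SSLVPN through \S+ authentication "
    r"mechanism because of ip lease failed"
)
# Assumed key="value" / key=value layout (constructed, not an official log schema).
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
FAIL = "failed to login to SSLVPN through Local authentication mechanism because of"

# Constructed sample lines; users are hypothetical, addresses are documentation ranges.
SAMPLE_LOG = "\n".join([
    'time="10:01:02" user_name="alice" src_ip=203.0.113.10 status="Successful" message="User alice logged in to SSLVPN"',
    f'time="10:14:40" user_name="alice" src_ip=198.51.100.77 status="Failed" message="User alice {FAIL} ip lease failed"',
    f'time="10:15:10" user_name="alice" src_ip=198.51.100.77 status="Failed" message="User alice {FAIL} ip lease failed"',
    f'time="10:20:00" user_name="bob" src_ip=192.0.2.5 status="Failed" message="User bob {FAIL} wrong credentials"',
    'time="10:30:00" user_name="carol" src_ip=192.0.2.9 status="Successful" message="User carol logged in to SSLVPN"',
    f'time="10:31:00" user_name="carol" src_ip=192.0.2.9 status="Failed" message="User carol {FAIL} ip lease failed"',
])

def parse_fields(line):
    """Split one log line into a dict of its key=value fields."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in FIELD.findall(line)}

def lease_failures(log_text):
    """Per user: count of lease failures, source IPs seen, and whether the
    source IP differs from the last successful login (the roaming signature)."""
    last_ok_ip = {}
    report = defaultdict(lambda: {"failures": 0, "roamed": False, "src_ips": set()})
    for line in log_text.splitlines():
        fields = parse_fields(line)
        match = LEASE_FAIL.search(fields.get("message", ""))
        if match:
            entry = report[match.group("user")]
            entry["failures"] += 1
            entry["src_ips"].add(fields.get("src_ip"))
            previous = last_ok_ip.get(match.group("user"))
            if previous and previous != fields.get("src_ip"):
                entry["roamed"] = True
        elif fields.get("status") == "Successful" and "user_name" in fields:
            last_ok_ip[fields["user_name"]] = fields.get("src_ip")
    return dict(report)

if __name__ == "__main__":
    for user, info in lease_failures(SAMPLE_LOG).items():
        print(user, info["failures"], "roamed" if info["roamed"] else "same-ip", sorted(info["src_ips"]))
```

Users reported as `roamed` match the symptom in the original post: a static IP lease still held by the earlier session when the client reconnects from a new network.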
