Thread Info
  • State Verified Answer
  • +10 person also asked this people also asked this
  • Locked Locked
  • Replies 18 replies
  • Answers 1 answer
  • Subscribers 39 subscribers
  • Views 55458 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

vpn ssl and Mac OS High Sierra

Fabien Martinet

Hi to all,

I've setup a vpn ssl config on XG 105 v 17.0.1 MR 1.

Connecting with Tunnelblick 3.7.4b

From El Capitan and High Sierra.

Both machines connect ok (authentication, vpn connected, ping to lan working)

On El capitan I can browse to internal machines web interfaces (Synology, switch, printer) and RDP to Windows server.

On High sierra only RDP is working. All web connections fail. In the Sophos log viewer (firewall part) I can see the connection accepted, then right after another connection denied on rule 0 reason : Could not associate packet to any connection.

Any idea ?

Thks a lot



This thread was automatically locked due to age.
  • 0

    I have good news and bad news.

    The good news: I have the exact same problem!

    The bad news: I have the exact same problem!

    The VPN works fine on Windows and on Mac OSX Sierra.

    On Mac OSX High Sierra with Tunnelblick 3.7.5beta05 I see the same problem as Fabien. The VPN connection comes up, and I can ping anything I like.

    I did discover that I can't ping more than 290 bytes per packet. For example, pinging our DNS server over the VPN at 290 bytes works:

    ping -D -s 290 192.168.1.5

    But change to 291 bytes and it fails.

    ping -D -s 291 192.168.1.5

    I've tried a manual edit of the client VPN config to add an mssfix command, but that doesn't seem to have any effect.

    All internal web sites and file shares just hang. The OpenVPN client for Windows works fine. This is a High Sierra vs. OpenVPN issue I think. Maybe RDP works, due to requiring smaller packets than the typical 1400 bytes. 

    What's weird is the connection comes up working fine according to the debug logs, and then ends up not moving packets larger than 384 bytes to the VPN server just a minute or two later.

  • 0

    I've tried with another VN client (Viscosity) : same error.

    I've also tried to connect on an older Sophos (SG115 UTM9) : it's working perfectly with High Sierra

    So the problem seems to be between High Sierra and Sophos XG v17.

    Anybody with an XG model not using v17 to have a try ?

  • 0

    I also have this same issue. Exact same symptoms. Hopefully someone here has an answer because I need to get my client the ability to connect to his web interfaces from his Mac at home.

     

  • 0 in reply to Fabien Martinet

    Short: Ran a test; XG SFOS version likely doesn't matter.

     

    Long:

     

    I feel that my duty calls to run the test for you as I have the stuff needed, and I feel the pain of a fellow user in need. I dug out my iMac which I'm not using and started her up.

     

    MacOS High Sierra 10.13.1 - iMac

    XG running 16.05.8 MR8

     

    I installed Tunnelblick (3.7.4b stable) to also help OP as much as possible during my test, but seems like it won't matter which client I used. After failure, I tried their beta 3.7.5beta05. 

    End result always the same; I can ping resources on remote network, however, cannot get to web page.

  • 0 in reply to apalm123

    I'd also like to add that I have a sonicwall SSL VPN that I've used before, and connecting from high sierra works just fine. Even http access internally. But I don't know what Sonicwall uses, they have a proprietary VPN client on the app store that I am using. So something that Apple changed isn't compatible with Sophos XG's implementation. Plus you mentioned that your UTM works fine.

  • 0 in reply to apalm123

    Some news.

    I've opened a ticket with Sophos support. Strange issue : they cannot reproduce the error. XG125w, 17.03, High Sierra : ping -D -s 291 works fine.

    I give support access to one of my boxes and the error appears.

    Now it's on next support level, waiting for news.

    I've done some tests with XG 105, 115 and 125 : all the same. 

  • 0

    I have someone who uses OpenSSL on High Sierra to connect to a different brand firewall with no issue. No issues opening up web interfaces over the VPN. So it is definitely limited to a Sophos thing it appears.

     

    I also opened up a ticket with Sophos and linked this thread in my ticket. So far the only reply I have gotten is links to basic set up guides for SSL VPN and Macs. Hopefully the tech can help me troubleshoot this issue further because it seems to be a little more common than I initially thought. 


    Edit:

    Also, I, like someone else mentioned above, use my Mac OSX High Sierra to connect to a Sophos UTM using Tunnelblick with no issue whatsoever. It's definitely isolated to just the XG.

  • 0 in reply to Devan Ito

    Hi,

    I've got confirmation from Sophos lvl 2 support that it's a bug.

    Now to dev team for patching. I hope it will be ok in next version.

     

    See you

  • +9

    Hi,

     

    There is a workaround, i have the same problem with http/https connection to switches from my mac os high sierra. In tunnelblick change the Open ssl version (see picture) and all works without problem, all http https connections ar working.