SSL VPN "IPv4 lease range" changes OR global settings update gives error "You must enter a network IP address." in SFOS v19.

how can changing DHCP scope from range to mask only improve SSL VPN performance??

Alok said:

 Migration will convert the IP range and subnet config from old versions to subnet value in v19. 

you write, it will migrate based range AND subnet

what will happen to a V18 DHCP Server with lets say 192.168.1.5-192.168.1.10 Mask 255.255.255.224 (/27)

in v19

it could be 192.168.1.0/28

or 192.168.1.0/27

Why is this not mentioned in Release notes?? https://docs.sophos.com/releasenotes/index.html?productGroupID=nsg&productID=xg&versionID=19.0

It's not mentioned that Range has been removed. There is only written that something has been added.

Other enhancements

• DHCP: Added DHCP IPv4 options and boot server configuration on the web admin console.

Prior to v19 also we use to take subnet mask as input along with IP lease range, which will be used during migration. We are not going to convert range into subnet during migration. 

thank you for that extra screenshot. do you think, it would be helpful to add this to release notes?

Yes, it's getting updated as we speak.

Thanks!!

Why is it that /24 is the smallest network that this supports now? I actually need to insure that my clients do not exceed the /27 on assignment as they are accessing a network that restricts us to that /27.

Just to provide more context around why we brought this changes in, from v19 to improve scale and performance we have made SSLVPN multi-instance up to 8 depends upon no of CPUs. With this changes each instance will create “tun” interface and it will require individual subnet to handle traffic distribution and routing internally. To avoid the user input complexity  we do slicing of subnet internally from the configured IP value.

 In case if you have 192.168.0.0/27 configured in v18.5 and migrates to 8 instance config in v19,  it won’t have much usable hosts as below:

Hope this helps.

so in this scenario you'll lose up to 50% of the available IPs, and when you count them in the DHCP leases on XG, you'll find yourself with 16 IPs leased while you configured a range with 32 IPs.

Sound's like a nightmare to debug.

where is that doc change you were mentioning above? I could not find it in the interactive release notes today.

We are talking about "smallest" Network. If you are concern about the range, you can pump this value up to higher values without no problem. And DHCP works not like that in SSLVPN. Essentially SSLVPN works with Pools, you can see here. Not with DHCP Lease Ranges. See Documentation of OpenVPN. 

After updating to version 19, VPN users are not able to resolve internal host names. Do we need to make any configuration changes?

I know work around is updating DNS server under Global VPN setting to our Onsite DNS server but before upgrading to version 19, DNS server for vpn users was IP of SSL VPN Server and it stopped resolving hostnames after update.

can you check if SSLVPN server IP is used on tun interface or not in CLI by running "ifconfig"? and which IP was used for SSLVPN server in your setup??