SSL VPN "IPv4 lease range" changes OR global settings update gives error "You must enter a network IP address." in SFOS v19.

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Hello Community,

This Recommended Read goes over recent changes made in SFOS v19 related to SSL VPN IPv4

What is the change in SFOS v19 related to the SSL VPN IPv4 lease?

SFOS v19 increases the number of supported concurrent SSL VPN tunnels by 4-5x.

As a result, the SSL VPN IPv4 lease range is configured differently: SFOS v19 uses a single IP subnet value, whereas earlier versions used an IP range together with a subnet mask.

Migration converts the IP range and subnet configuration from older versions into a subnet value in v19.

SSL VPN global config:

After migration, the administrator must update the IP lease range once, from an IP address to a network (subnet) address, to avoid the error "You must enter a network IP address." when saving the global settings.

Am I impacted by the change? What issue may I face?

After upgrading to SFOS v19, some users may notice that the SSL VPN connects but resources are not reachable over it, when both of the following apply:

  • You were already using SSL VPN before v19, and
  • Your firewall rule allows SSL VPN users via an IP host object covering only a limited range (the same range as the SSL VPN global settings).

Because v19 widens the limited IPv4 lease range to the full subnet, users who are assigned addresses outside the old limited range will be blocked by the firewall rule from reaching the resources.

How to resolve this issue? 

Update the IP host object of the limited range to also include the new IP range (subnet).

Alternatively, you can use the system host ##ALL_SSLVPN_RW, which is available for the SSL VPN IPv4 lease range.
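To make the two checks above concrete, here is an added example (not part of the original post or of SFOS) that uses Python's standard ipaddress module to reproduce the validation behind the "You must enter a network IP address." error, convert a legacy range-plus-mask lease into the v19 subnet form, and audit a limited-range IP host object against the new lease subnet. The 10.81.234.x addresses are the ones quoted in the comments on this page; the legacy range 10.81.234.20-10.81.234.40 and the function names are constructed for illustration and are not SFOS field names.

```python
import ipaddress
from typing import List, Tuple


def check_lease_subnet(value: str) -> Tuple[bool, str]:
    """Mimic the v19 lease-range validation.

    Returns (is_network_address, corrected_cidr).  A value such as
    "10.81.234.20/24" is a host address with a prefix, not a network
    address, so it is rejected; the corrected form is "10.81.234.0/24".
    """
    iface = ipaddress.ip_interface(value)
    network = iface.network
    return iface.ip == network.network_address, str(network)


def migrate_range_to_subnet(range_start: str, range_end: str, netmask: str) -> str:
    """Convert a pre-v19 lease (IP range + subnet mask) into a v19 subnet value.

    The subnet is derived from the range start and the mask; the range end
    is only checked to make sure it lies in the same network.  This is a
    constructed reimplementation of the idea, not the firmware's migration.
    """
    network = ipaddress.ip_network(f"{range_start}/{netmask}", strict=False)
    if ipaddress.ip_address(range_end) not in network:
        raise ValueError(f"{range_end} is not inside {network}")
    return str(network)


def uncovered_lease_addresses(host_start: str, host_end: str, lease_cidr: str) -> List[str]:
    """Audit a limited-range IP host object against the new lease subnet.

    Returns every assignable address in lease_cidr that the host object
    (host_start..host_end, inclusive) does not cover.  A non-empty result
    means clients leased one of these addresses will be blocked by a
    firewall rule that references the host object.
    """
    start = ipaddress.ip_address(host_start)
    end = ipaddress.ip_address(host_end)
    lease = ipaddress.ip_network(lease_cidr)
    return [str(addr) for addr in lease.hosts() if not (start <= addr <= end)]


if __name__ == "__main__":
    # Values as migrated on an upgraded box, per the comments on this page.
    ok, fixed = check_lease_subnet("10.81.234.20/24")
    print(f"10.81.234.20/24 accepted: {ok}; use {fixed} instead")

    # Constructed legacy configuration: range .20-.40 with a /24 mask.
    lease = migrate_range_to_subnet("10.81.234.20", "10.81.234.40", "255.255.255.0")
    print(f"v19 lease subnet: {lease}")

    # Firewall host object still limited to the old range.
    missing = uncovered_lease_addresses("10.81.234.20", "10.81.234.40", lease)
    print(f"{len(missing)} lease addresses are not covered by the host object")
```

Running the script shows the migrated value 10.81.234.20/24 failing the network-address check, the corrected value 10.81.234.0/24, and 233 of the 254 assignable addresses in that /24 falling outside a host object that still spans only .20-.40; widening the host object to the whole subnet (or switching the rule to ##ALL_SSLVPN_RW) makes the uncovered list empty.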

More details: How to configure remote access SSL VPN with Sophos Connect client.

Updated Disclaimer
[edited by: Erick Jan at 1:39 PM (GMT -7) on 17 Apr 2023]
  • I had this exact situation - where after the V19 upgrade, there were sporadic issues where Sophos Connect (using SSL VPN) would connect but not route traffic properly. The root cause was definitely due to the client endpoint range being converted IMPROPERLY from a range to a CIDR.

    Definitely ensure that post V19 upgrade you change the SSL VPN ip address pool from a range to a network... CONFIGURE > Remote access VPN, then click the SSL VPN tab, then click the "SSL VPN global settings" link in the upper left. In the "Assign IPv4 addresses" section, be sure the address space is showing in proper CIDR network notation. For me post upgrade, it showed 10.81.234.20/24. I had to change it to 10.81.234.0/24. After which, users needed to manually disconnect/reconnect, and then the problem was completely resolved. Also be sure any firewall rules you have reference the whole network and not a range - that was also a problem for me to correct.

    I think this is something that could have been handled during the upgrade automatically with a user prompt or something.

  • Hi Gurtej,

    We tried this internally and it's working fine. We tried it in a multi-instance setup, and the following is working regardless of which instance the user lands on:

    a. DNS IP used was tun0 interface IP 

    b. DNS IP used was tun1 interface IP 

    c. DNS IP used was LAN interface IP 

    Please check "drop pkt", local ACL, permitted network settings. 

    In case it's still failing, please raise a support case.

    -Alok

  • Hi Tony,

    I had similar issue but mine was resolved by changing the SSLVPN range on the VPN rule.
    But I am curious about your statement about having to change the last octet from .20 to .0
    Both addresses in a /24 subnet will result in a .1 thru .254 address range with a network address of .0 and broadcast of .255
    So I don't see how changing that resolved your issue.  Did you also change the SSLVPN range on your VPN rule at the same time and that was possibly the answer?

  • But in my case the "System Host" shows Address Details as NA and it doesn't allow editing it either. So is there another way of editing these records?

  • Hi Mayuresh, System hosts are non-editable. But when you update the IP lease range on the SSL VPN global configuration page, it will be automatically updated to accommodate the same.

  • It didn't allow us to save any changes to the IP or the lease. Nevermind, I got up with support and the agent enabled remote support and changed something from the background to resolve this.

  • When you update IP lease range it will automatically update system host value internally, no need to manually update for system hosts.


    Thanks for the update. 

  • I agree and understand, however, I showcased this to support team too that if I try changing the value for "Assign IPv4 address" and then click save, it used to throw the error "You must enter a network IP address". Only once the support team made changes from the backend were we able to save the changes.