Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 5 replies
  • Subscribers 4 subscribers
  • Views 9697 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Since upgrading to 9.353-4, I can no longer connect to a PPTP VPN at our remote location (running on Cisco ASA)

AlastairFerguson

I have an isolated environment which can only be accessed by PPTP through a Cisco ASA to Windows RRAS server and ONLY from our external IP address so it is not publicly accessible. I updated the Sophos firmware on Saturday and it stopped working on Monday when I next tried. As we have no outgoing restrictions (ie. internal network > ANY > Internet IPv4 and IPv6)  I assumed it must have been the secure environment and spent many hours rebuilding it to no avail. Then I tried allowing VPN from anywhere rather than just my company Sophos firewall's external IP address and I used my phone as a hotspot and connected with my computer straight away which means it MUST be the Sophos firewall and as it worked last week I can only conclude that it MUST have been the new software update I applied on the weekend.

I have tried stopping IPS, ATP and everything else I can think of, then adding an exception and turning back on but to no avail. I have added specific rules to the environment allowing any but no luck. 

There is nothing in the IPS or IPSEC logs. In the firewall log it connects on 1723 and then has about 10 packets trying to negotiate to GRE and then times out so I assume GRE negotiation is the problem. I have added a special rule allowing GRE to this network but it makes no difference.

Any help gratefully received.



This thread was automatically locked due to age.
Parents
  • 0
    I have exactly the same problem. Started after upgrade to 9.353-4. The GRE inbound packets from the remote PPTP server are dropped at the firewall external address. Almost like connection tracking is not working for GRE any longer. Need a fix for this fast or will need to reimage firewall and revert to prior version.
  • 0 in reply to GrahamHollis
    I fixed it. Go to firewall > Advanced > Connection Tracking Helpers and check PPTP and then it works.
  • 0 in reply to AlastairFerguson
    I went ahead and reinstalled/downgraded the firewall to 9.351-3 and my PPTP connections started working again. I've just checked on webadmin and I do not have that box checked, so this is a change in behavior that was introduced in 9.353-4. I knew it had to be something to do with connection tracking as the GRE packets were been rejected from the external address. Now that you've found the answer, I'll go ahead and upgrade again. Thanks for posting the solution.
  • 0 in reply to AlastairFerguson
    I've just upgraded to 9.353-4 and am still having a problem with PPTP connections not working. The error without the PPTP connection tracking helper checked is 619 but this changes to error 800 with the helper checked. The GRE packets are no longer being rejected at the external address the the tunnel will not establish. Oh well, I need to reinstall and downgrade the UTM yet again. With any version of UTM prior to 9.353-4, PPTP works without a problem.
Reply
  • 0 in reply to AlastairFerguson
    I've just upgraded to 9.353-4 and am still having a problem with PPTP connections not working. The error without the PPTP connection tracking helper checked is 619 but this changes to error 800 with the helper checked. The GRE packets are no longer being rejected at the external address the the tunnel will not establish. Oh well, I need to reinstall and downgrade the UTM yet again. With any version of UTM prior to 9.353-4, PPTP works without a problem.
Children
No Data