
OpenVPN Troubles with DNS Cache

@All,
We are using OpenVPN clients 2.3.8 downloaded from the Sophos user portal on Windows 7 computers.

Our internal and external domain suffixes are the same: companyname.net

On some PCs we have the problem that the negative cache is not cleared when establishing an OpenVPN connection against our Sophos SSL-VPN. This leads to unreachability of some servers because Explorer, the Citrix client, ... already tried to reach the servers before the connection was established, and there is an entry in the negative cache.

I already did some "research":

- An ipconfig /flushdns on the command line works if the user has the correct rights (local administrator), which is usually not the case, and besides that it is too much effort to do this every time the users log in.

- If you start openvpn-gui.exe and openvpn.exe as an administrator in compatibility mode, you need to enter the administrative credentials each time you log in (because of the autostart of openvpn-gui.exe). This is also too much effort for the users, and not all of them know the login/password combination of a local administrative account.

- Furthermore there is a registry key, MaxNegativeCacheTtl, which disables the mechanism but has some negative side effects and is difficult to implement on 200-300 laptops of users without administrative rights.

There are clients with 2.3.0 (installed last year) which seem to behave slightly differently. The problem is also not 100% reproducible. I have not seen the problem on our few Windows 10 clients so far. I did not test the current OpenVPN version 2.3.11 because the official downloadable version on the Sophos firewall with the latest firmware is 2.3.8, and our installation procedure relies on downloading the config files and client from the Sophos user portal.

Is there a supported way to start with a clean negative cache after establishing VPN connections without having administrative rights? For which versions of the OpenVPN client is this working? Do we need a newer version than the one supported by the user portal with the current firmware?

Thanks
Bernd

   



  • I am having the same issue on my UTM 9 firmware 9.405-5. I have confirmed my internal DNS IP is listed under Remote Access > Advanced. I have confirmed my internal DNS works internally. Users cannot connect to shared drives after they connect to the VPN. I can't ping the server name either. I can ping the server IP address fine and can access mapped drives by IP but not by server name.

    I also have 'VPN Pool (SSL)' under Network Services > DNS > Global > Allowed Networks. I have also tried 'ipconfig /flushdns' and 'net stop dnscache && net start dnscache'.

    Can anyone help?

  • After you've connected to the VPN, you need to verify that you can actually query/get responses back from your DNS server.  Basically, you need to be certain that DNS queries can be issued (and returned) before you go any further (to figure out where the problem lies).  Assuming Windows....

    - start a cmd-prompt

    - type "nslookup"

    - type "server 192.168.1.1" (but put in your internal DNS server IP that you are trying to use)

    - type "set type=A"

    - type "www.mydomain.com" (but put in an internal A record that should exist on your internal DNS server).

    If you don't get any replies back, then DNS (tcp 53) is being blocked somewhere.  If you do get valid responses back, you can continue your troubleshooting (e.g. type "ipconfig /all" and see if your internal DNS servers are truly being set).
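An added example (not code from this thread) that does the same check as the nslookup steps above from a script: it sends an A query straight to the internal DNS server over UDP/53, which bypasses the Windows resolver cache just as nslookup does, and reports the response code, where rcode 3 (NXDOMAIN) is what the negative cache holds when an application asked before the tunnel was up. The server address and record name are assumed placeholders.

```python
# Added example, not from the thread: direct DNS query bypassing the resolver cache.
import socket
import struct
TXN_ID = 0x1234  # fixed transaction id, fine for a one-shot diagnostic

def build_query(name):
    """RFC 1035 wire-format A/IN query for `name` with the RD (recursion) bit set."""
    header = struct.pack("!HHHHHH", TXN_ID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(data, pos):
    """Advance past a domain name, handling RFC 1035 compression pointers."""
    while data[pos] != 0:
        if data[pos] & 0xC0 == 0xC0:   # 2-byte pointer terminates the name
            return pos + 2
        pos += 1 + data[pos]
    return pos + 1

def parse_response(data):
    """Return (rcode, [A record IPs]); rcode 3 is NXDOMAIN, the answer Windows
    keeps in its negative cache when the query was made before the VPN was up."""
    tid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if tid != TXN_ID:
        raise ValueError("transaction id mismatch, not our reply")
    pos = 12
    for _ in range(qdcount):            # skip the echoed question section
        pos = _skip_name(data, pos) + 4
    ips = []
    for _ in range(ancount):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:   # A record
            ips.append(".".join(str(b) for b in data[pos:pos + 4]))
        pos += rdlen
    return flags & 0x000F, ips

def query_direct(name, server, timeout=3.0):
    """Send the query to `server`:53 over UDP and parse whatever comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_response(data)

if __name__ == "__main__":
    rcode, ips = query_direct("fileserver.companyname.net", "192.168.1.1")  # assumed placeholders
    print("direct query rcode", rcode, "answers", ips)
```

If this returns rcode 0 with answers while ping by name still fails, the DNS path over the VPN works and the stale entry lives in the local resolver cache, which is the situation the original post describes.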



  • GNyce I have run the commands you posted and do get valid responses back. I have run 'ipconfig /all' and confirmed my DNS is pointed to my internal DNS server IP.

    Anything else that can help?

  • Sorry FrankLe - running out of ideas for you.  I suppose you could try (after VPN is connected) changing your network DNS servers to the VPN's and make sure that works (and there is nothing else going on)... and by that, I mean in control panel/network/adaptersettings/ipv4

  • Hi FrankLe,

     In my experience the problem sometimes disappears, but you do not need to restart the PC or anything else. Sometimes it just works and sometimes it does not. Maybe it has some dependency on the Windows system. I did a lot of research but found nothing new.

    I tried to connect two Sophos SSL VPNs on different UTMs and I have the problem on both connections. So it seems that it is not a problem on the UTM. On my test PC the problem disappeared and I can't get it back anyway.

    I tried contacting a certified professional for Sophos and he has no problem, so the problem does not exist. This behavior is not good and is damaging the reputation of Sophos products.

    FLem

    PS: I found an older thread about the same problem: https://community.sophos.com/products/unified-threat-management/f/58/t/55357#pi394=2

    and there is advice that you can try:

    "My solution was to download and install the SSL VPN client from the Sophos User Portal. After installing it as an administrator I then download and install the latest OpenVPN client over it. It assumes all the settings from the Sophos install and it appears to function much better after the computer wakes up from sleep."

    I can't try it, because now it works on the PC.