Heartbeat Authentication and Sophos Connect Client

I have an issue with Heartbeat authentication, using Sophos Connect Admin the profile is set to send heartbeat from connection but the problem I am having is a failed heartbeat authentication because it seems as though the endpoint software is attempting to authenticate via the NETBIOS (indicated by "firstlast") name as opposed the User Name for Sophos Connect(indicated by "first.last"). I believe this could be causing my users to be disconnected from the VPN which I the message I seem to get is "failed to establish child sa (security association)" which will leave the user disconnected until they manually reconnect. This could be 2 totally different issues, but I need to solve this as its costing my company $$$ because of call disconnects when the VPN fails. Please see the example below and HELP!

 

             
             
2020-06-29 16:18:48
Firewall Authentication
Notice
User firstlast2 failed to login to Firewall through Local authentication mechanism from 10.10.101.22 because of wrong credentials
firstlast2
10.10.101.22
Failed
2020-06-29 16:18:42
Firewall Authentication
Information
User first.last2 of group Open Group logged in successfully to Firewall through authentication mechanism from 10.10.101.22
first.last2
10.10.101.22
Successful
2020-06-29 16:18:41
Firewall Authentication
Information
User first.last2 was logged out of firewall
first.last2
10.10.101.22
Successful
2020-06-29 16:18:41
My AccountAuthentication
Information
User first.last2 logged in successfully to MyAccount through Local authentication mechanism
first.last2
ISP
Successful
2020-06-29 16:18:41
Firewall Authentication
Information
User first.last2 of group Open Group logged in successfully to Firewall through authentication mechanism from 10.10.101.22
first.last2
10.10.101.22
Successful
2020-06-29 16:16:06
Firewall Authentication
Information
User first.last2 was logged out of firewall
first.last2
10.10.101.22
Successful
2020-06-29 16:06:20
Firewall Authentication
Notice
User firstlast failed to login to Firewall through Local authentication mechanism from 10.10.101.11 because of wrong credentials
firstlast
10.10.101.11
Failed
           
 
2020-06-29 16:05:51
Firewall Authentication
Information
User first.last of group Open Group logged in successfully to Firewall through authentication mechanism from 10.10.101.11
first.last
10.10.101.11
Successful
2020-06-29 16:05:50
Firewall Authentication
Information
User first.last of group Open Group logged in successfully to Firewall through authentication mechanism from 10.10.101.11
first.last
10.10.101.11
Successful
2020-06-29 16:05:50
Firewall Authentication
Information
User first.last was logged out of firewall
first.last
10.10.101.11
Successful
2020-06-29 16:05:49
My AccountAuthentication
Information
User first.last logged in successfully to MyAccount through Local authentication mechanism
first.last
ISP
Successful
2020-06-29 16:05:01
Firewall Authentication
Information
User first.last was logged out of firewall
first.last
10.10.100.11
 
  • Hello Matthew,

    Thank you for contacting the Sophos Community.

    Are you using Full tunnel in the Sophos Connect client or split?

    Do you see anything if you do a packet capture from the GUI when the issue is happening from the IP of the Sophos Connect client?

    Regards,

  • In reply to emmosophos:

    Currently only using a split tunnel to my internal network for WSUS and File Share, Ill be sure to post a packet cap tomorrow, but its very random however wide spread