AT&T Wifi calling being classified as Tiger VPN

Noticed my Application Policy is blocking something being classified as "Tiger VPN", which I don't have. Looking up the IP address, it appears to be related to AT&T Wifi calling. Here is the firewall log:

2018-07-17 09:56:36Application Filtermessageid="17051" log_type="Content Filtering" log_component="Application" log_subtype="Denied" fw_rule_id="9" user="" user_group="" appfilter_policy_id="10" category="Proxy and Tunnel" app_name="Tiger VPN" app_risk="5" app_technology="Client Server" app_category="Proxy and Tunnel" src_ip="129.192.164.10" src_country="USA" dst_ip="172.16.16.31" dst_country="R1" protocol="UDP" src_port="4500" dst_port="4500" bytes_sent="0" bytes_received="0" status="Deny" message="" appresolvedby="Signature"

Posting this for anyone else that might run into this issue. Hopefully Sophos can use this information to update how wifi calling is being classified.

  • Hi Shred,

    I will forward the request to verify the classification for this application signature. 

    Thanks for the information. 

  • Hi Shred,

    I will require a Packet Capture file for investigation. Could you please configure a plain firewall rule with all the filtering modules set to NONE for a particular source IP address; take 129.192.164.10 as in the logs? Then initiate a packet capture, while using the AT&T calling feature.  PM me this pcap file, it will help us investigate the packet flow and provide you an update about the classification. 

    Thanks,

  • In reply to sachingurung:

    I'm not sure how to export a pcap file. I've configured the firewall rule and I enabled Packet Capturing for the specified source address, which appears to be logging the traffic but there's no option to export the data from the web GUI.

  • In reply to sachingurung:

    This is still happening, just FYI. I have two brand new XG 210s and users started reporting that AT&T wifi calling was failing.  Sure enough, it is classifying it as TigerVPN.  I took TigerVPN out of the application control rules, and wifi calling resumed functioning.

  • In reply to hillbillyIT:

    Hi,

    I think I have a similar classification issue with both of my MBPs being reported as using a VPN360. I have no idea which application is generating the traffic. The VPN360 is supposed to be installed, but I can't find it anywhere when searching.

    I suppose I could create general access rule for my MBP to see what happens in the logs.

    Ian

  • In reply to rfcat_vk:

    Still happening - I have flagged this up and sent a PCAP to Sophos.

     

    Just adding that O2 WiFi Calling is also being reported as Tiger VPN.