Internal web traffic (HTTP, HTTPS) over Sophos Connect VPN (Cisco AnyConnect VPN) using the native Android 9 VPN client

Hopefully someone can help my sanity with an issue using the Sophos Connect Remote Client VPN on Android 9 with Sophos XG (software). Any help or guidance would be appreciated, thanks in advance :)

I can establish a Sophos Connect VPN connection successfully on both Android and Apple iOS devices using the native VPN client (XAuth, PSK).

The routing and ACLs work perfectly using the Apple native VPN client (Cisco). I can reach all internal websites.

However, there is a weird issue with Android 9: the routing seems to work; I can access internet sites via the VPN, ping internal hosts, even SSH and Telnet to internal hosts. But I cannot use any standard mobile browser to connect to any internal website (usually ERR_TIMED_OUT).

Checking the firewall logs I see the initial packets allowed through, but then get a bunch of RuleID:0 entries (see below). It smells like asymmetric routing, but I can't understand why:

  1. It works perfectly on iOS (I assume the clients work slightly differently).
  2. I can ping, SSH, and Telnet from the Android 9 device, but can't load a single internal webpage, besides the Sophos WebAdmin page on any of the gateway interfaces.

In the process of troubleshooting I've disabled the pre-processing of IPS, added exceptions, turned off advanced threat protection, and scanned the log files to death. Everything looks good from a configuration standpoint.

If it matters, it is a Huawei P30 Pro. It has raised a little bit of a concern, but is there any possibility that packets are being manipulated in such a way that the Sophos XG firewall is dropping them?

There has been a hint of this issue in other community posts, so I suspect there is something more to the story. I would really appreciate any guidance on what else I could look at, or whether the issue simply lies with the client (which I might try to rule out).

2019-10-22 22:22:23 | Firewall Rule | Allowed | tnot | 30 | 0 | ipsec0 | Port1.200 | 10.10.10.50 | 172.16.1.100 | 55774 | 443 | TCP | 1 | 00001

2019-10-22 22:22:26 | Invalid Traffic | Denied | | 0 | 0 | | | 10.10.10.50 | 172.16.1.100 | 55774 | 443 | TCP | 0 | 01001
Could not associate packet to any connection.
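As an added illustration of the pattern in the log above (this is not code from the original post or from Sophos), the following script correlates firewall log records by TCP 5-tuple and flags a flow that is first "Allowed" on the VPN interface and then "Denied" as "Invalid Traffic" shortly afterwards, which is what the connection tracker reports when a later packet of a flow no longer matches any known connection. The pipe-separated layout, the field order and the sample records are constructed assumptions for this example; a real Sophos XG log export will use its own format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample. Field order is an assumption modelled on the log
# columns shown in the post: time, log type, action, rule name, rule id,
# nat id, in iface, out iface, src ip, dst ip, sport, dport, proto, message.
SAMPLE_LOG = """\
2019-10-22 22:22:23|Firewall Rule|Allowed|tnot|30|0|ipsec0|Port1.200|10.10.10.50|172.16.1.100|55774|443|TCP|
2019-10-22 22:22:26|Invalid Traffic|Denied||0|0|||10.10.10.50|172.16.1.100|55774|443|TCP|Could not associate packet to any connection.
2019-10-22 22:22:30|Firewall Rule|Allowed|tnot|30|0|ipsec0|Port1.200|10.10.10.50|172.16.1.100|55790|22|TCP|
"""

FIELDS = ["time", "logtype", "action", "rule", "rule_id", "nat_id", "in_if",
          "out_if", "src", "dst", "sport", "dport", "proto", "msg"]


def parse_log(text):
    """Parse pipe-separated records into dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split("|")))
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def flow_key(rec):
    """5-tuple used to tie an Allowed record to a later Denied one."""
    return (rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])


def find_orphaned_flows(records, window_s=60):
    """Return flows Allowed by a rule and then Denied as Invalid Traffic
    within window_s seconds: the allowed-then-unmatched pattern seen above."""
    allowed = defaultdict(list)
    for rec in records:
        if rec["logtype"] == "Firewall Rule" and rec["action"] == "Allowed":
            allowed[flow_key(rec)].append(rec)
    suspects = []
    for rec in records:
        if rec["logtype"] != "Invalid Traffic" or rec["action"] != "Denied":
            continue
        for a in allowed.get(flow_key(rec), []):
            gap = (rec["time"] - a["time"]).total_seconds()
            if 0 <= gap <= window_s:
                suspects.append({"flow": flow_key(rec), "in_if": a["in_if"],
                                 "out_if": a["out_if"], "gap_s": gap, "msg": rec["msg"]})
                break
    return suspects


if __name__ == "__main__":
    for s in find_orphaned_flows(parse_log(SAMPLE_LOG)):
        print(s)
```

Run against a real export, flows reported here are the ones to inspect in a packet capture on both the VPN and LAN interfaces to see whether the reply path differs from the request path.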