Hopefully someone can help my sanity with an issue using the Sophos Connect Remote Client VPN on Android 9 with Sophos XG (software). Any help or guidance would be appreciated. Thanks in advance :)
I can establish a Sophos Connect VPN connection successfully on both Android and Apple iOS devices using the native VPN client (XAuth PSK).
The routing and ACLs work perfectly using the Apple native VPN client (Cisco). I can reach all internal websites.
However, there is a weird issue with Android 9: the routing seems to work, I can access internet sites via the VPN, ping internal hosts, even SSH and Telnet to internal hosts. But I cannot use any standard mobile browser to connect to any internal website (usually ERR_TIMED_OUT).
Checking the firewall logs, I see the initial packets allowed through, but then get a bunch of RuleID:0 entries (see below). It smells like asymmetric routing, but I can't understand why...
In the process of troubleshooting I've disabled the pre-processing of IPS, added exceptions, turned off Advanced Threat, and scanned the log files to death. Everything looks good from a configuration standpoint.
If it matters, it is a Huawei P30 Pro. That has raised a little bit of a concern: is there any possibility that packets are being manipulated in such a way that the Sophos XG firewall is dropping them?
There has been a hint of this issue in other community posts, so I suspect there is something more to the story. I would really appreciate any guidance on what else I could look at, or whether the issue simply lies with the client (which I might try to rule out).
Hi Timothy Nothdurft, thank you so much for such a detailed post that covers every aspect of the scenario and troubleshooting. Could you please capture a pcap file of this communication, and of the same communication from another device, and compare them in Wireshark? It would be great if you could check the same from other devices running Android 9, to rule out whether the issue is with a specific device or the OS.
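To make the capture comparison Keyur suggests concrete, here is an added example (not code from the thread or from Sophos) that reads the text form of a `tcpdump -nn` capture and flags TCP flows where the client's SYN was seen but no SYN-ACK ever came back, which is the signature you would expect if the reply is being dropped (the RuleID:0 entries) or routed out a different path. It then compares a "working" capture with a "broken" one to list the services that only fail on one client. The interface, addresses, ports and packet lines below are all constructed for illustration and are not taken from the original post.

```python
import re
from collections import defaultdict

# Matches the text form of `tcpdump -nn` TCP lines:
#   HH:MM:SS.micro IP src.sport > dst.dport: Flags [S], ...
LINE_RE = re.compile(
    r'^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]'
)


def parse_line(line):
    """Parse one tcpdump text line into a dict; None for non-TCP or unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def flow_summary(lines):
    """Count SYNs and SYN-ACKs per client->server flow.

    Key: (client_ip, client_port, server_ip, server_port). A SYN-ACK travels
    server->client, so it is folded back onto the client->server key.
    """
    flows = defaultdict(lambda: {"syn": 0, "synack": 0})
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["flags"] == "S":          # client SYN
            flows[(p["src"], p["sport"], p["dst"], p["dport"])]["syn"] += 1
        elif p["flags"] == "S.":       # server SYN-ACK (tcpdump prints "S.")
            flows[(p["dst"], p["dport"], p["src"], p["sport"])]["synack"] += 1
    return dict(flows)


def half_open_flows(lines):
    """Flows where a SYN was captured but no SYN-ACK was ever seen in reply."""
    return sorted(k for k, v in flow_summary(lines).items()
                  if v["syn"] > 0 and v["synack"] == 0)


def compare_captures(working, broken):
    """Server endpoints that completed a handshake in `working` but stayed half-open in `broken`."""
    ok = {(k[2], k[3]) for k, v in flow_summary(working).items() if v["synack"] > 0}
    stuck = {(k[2], k[3]) for k in half_open_flows(broken)}
    return sorted(ok & stuck)


# Constructed sample captures (addresses, ports and timings invented for this example).
# iOS client 10.81.234.5 reaching an internal web server 192.168.1.10:443 - handshake completes.
IOS_CAPTURE = [
    "12:00:01.000100 IP 10.81.234.5.51000 > 192.168.1.10.443: Flags [S], seq 1, win 65535, length 0",
    "12:00:01.000600 IP 192.168.1.10.443 > 10.81.234.5.51000: Flags [S.], seq 2, ack 2, win 65535, length 0",
    "12:00:01.001000 IP 10.81.234.5.51000 > 192.168.1.10.443: Flags [.], ack 1, win 2048, length 0",
]
# Android client 10.81.234.6: HTTPS SYNs are retransmitted with no SYN-ACK, while SSH to
# 192.168.1.20:22 completes normally (matching the "SSH works, browser times out" symptom).
ANDROID_CAPTURE = [
    "12:05:01.000100 IP 10.81.234.6.40000 > 192.168.1.10.443: Flags [S], seq 1, win 65535, length 0",
    "12:05:02.000100 IP 10.81.234.6.40000 > 192.168.1.10.443: Flags [S], seq 1, win 65535, length 0",
    "12:05:03.000100 IP 10.81.234.6.40001 > 192.168.1.20.22: Flags [S], seq 5, win 65535, length 0",
    "12:05:03.000600 IP 192.168.1.20.22 > 10.81.234.6.40001: Flags [S.], seq 9, ack 6, win 65535, length 0",
    "12:05:03.001000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28",
]

if __name__ == "__main__":
    print("iOS half-open flows:", half_open_flows(IOS_CAPTURE))
    print("Android half-open flows:", half_open_flows(ANDROID_CAPTURE))
    print("Works on iOS, stuck on Android:", compare_captures(IOS_CAPTURE, ANDROID_CAPTURE))
```

Feed it `tcpdump -nn -i <vpn-interface>` output (interface name is an assumption for your setup; a filter such as `'tcp[tcpflags] & (tcp-syn) != 0'` keeps only handshake packets). If the SYN reaches the firewall but the SYN-ACK never appears on the VPN side, take a second capture on the LAN-side interface: a SYN-ACK present there but absent on the VPN side points at a NAT or routing decision on the return path rather than at the client.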
In reply to Keyur:
Thanks for taking the time to respond (I was a bit nervous, this being my first post) and for adding some additional troubleshooting steps.
I did forget to mention that I'm using v18. I decided to look deeper into the default migrated NAT rules and the masquerading. I unlinked the main default NAT rule, created an independent rule, tweaked the NAT rule order, and it worked!
I have no idea why iOS was able to get around this; I can't explain it, except perhaps that the two VPN clients are treated differently by the stateful traffic inspection.
So apologies, it is still very weird and unfortunately I can't give you much more data. Put it down to a small bug in the migration, perhaps.
Thanks again.
In reply to Timothy Nothdurft:
Hi Timothy Nothdurft, thank you for sharing the details. v18 is still in EAP. I would recommend you join our v18 EAP to get more details; you can share your issues, observations, and inputs in the forum.
https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/b/blog/posts/sophos-xg-firewall-v18-fire-eap-firmware-is-here
https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/f/feedback-and-issues/116464/internal-web-traffic-http-https-over-sophos-connect-vpn-cisco-anyconnect-vpn-using-native-android-9-vpn-client---take-2
Thanks again