Why does Sophos Connect keep the interface always active even when disconnected?

It's a bit of an annoyance that it seems the virtual TAP interface used by Sophos Connect is kept permanently active. Unlike the Sophos SSL VPN or L2TP/IKEv2 remote access virtual interface methods, the interfaces are disabled when not in use.

It's not the end of the world but is this going to be continued behaviour for the Sophos Connect implementation of the TAP interface or will it be moved to an enable on use, disable when not type system?


  • Emile,

    I am experiencing the same inconvenience/annoyance.

    After installing the Sophos Connect Client (version on my laptop (HP, Win10Pro), it works fine over an ethernet/LAN connection.
    Once I disconnect the VPN and remove the network cable, I notice that the WiFi adapter remains off. I can't even turn it on manually. It keeps switching off. And no WiFi means I can't start a VPN connection....

    As the Sophos TAP Adapter is indeed still active (in Windows Control Panel\Network and Internet\Network Connections it's still listed as "connected") -even though the connection is disconnected in the client and the network cable is removed- the laptop's "LAN/WLAN Auto Switching" feature prevents switching to WiFi.

    This security feature is enabled in my laptop's BIOS. I use it all the time. An obvious workaround is disabling it. But I prefer a TAP Adapter that's disabled when the VPN disconnects.

    Can anyone at Sophos shed some light on this?
    Is it a bug? If so, when will it be fixed?
    Is it by design? If so, why?


  • In reply to 2ServeErik:

    Hello Emile,


    It is not a bug. It is be design. It is specifically tested for the use case where the following scenarios are considered. VPN Connection is enabled and connected.


    1) User starts with LAN connection. Disconnects LAN while VPN is connected. Sophos Connect will wait until a new interface is connected and an IP is obtained. As soon as it happens, the VPN connection will be reestablished using the new interface.

    2) Same as above but user is connected to WiFi. Disconnects from WiFi and attaches to the docking station with ethernet. Same behavior as above without any user intervention.

    3) Both Ethernet and Wifi are connected. Windows will select the preferred connection. The connected interface used by VPN goes down. Sophos Connect will detect the second interface is up and immediately connect using the connected interface. 


    In all the cases to make the switch with the least amount of time, it was decided to avoid the enabling and disabling the TAP adapter.  Also when a interface is disconnected VPN goes down, the TAP adapter IP and DNS server are also cleaned up so Windows will not use this interface. 


    Thank You,



  • In reply to rmk_2018:

    Hello Ramesh,

    Thank you for your reply.
    I have read your answer several times and I fully understand your explanation in paragraphs 1, 2 en 3. However, in all 3 cases the VPN is connected.

    The issue I have is actually when/after I disconnect the VPN.
    Its IP and DNS are indeed cleaned up.
    But the TAP adapter is still "active" (see screenshot) and Windows then assigns it an IP with Automatic Private IP Addressing (APIPA).
    Windows may not use the adapter, but this messes up the "LAN/WLAN Auto Switching" feature of the laptop. It won't allow WiFi.

    Is that also by design?

    Screenshot: WiFi is disabled and no network cable in the Ethernet port



  • In reply to 2ServeErik:

    Hello Erik,


    Windows may not use the adapter, but this messes up the "LAN/WLAN Auto Switching" feature of the laptop. It won't allow WiFi.

    Is that also by design?

    No this is not controlled by Sophos Connect. Windows should automatically switch to the WiFi interface as soon as you disconnect the ethernet cable or undock from a docking station. This is a very common use case scenario. Users switch interfaces and Windows will automatically connect and use the best available interface for the default route.

    I can think of two reason why it is not automatically not switching to WiFi.

    1) switch to WiFi will not happen if the check box to automatically connect has not been checked for the WiFi setting.

    2) Secondly under Advanced... you will find an option to order interfaces. That option may be disabled by group policy so you may or may not be able to make any changes there but it is worth checking.

    3) The other option to check is the following:

    Please let us know the results after you verify. 



  • In reply to rmk_2018:

    Hello Ramesh,

    Sorry for the late reply, but I took my time trying out several possibilities while visiting different customers.

    When I disable the "LAN/WLAN Auto Switching" feature on my HP ProBook, everything works fine. Windows is automatically switching. There are no issues with Sophos Connect (when connected or disconnected). There was no need to check your 3 suggestions.

    Side note: The only thing I noticed is that Windows takes its time to switch when plugging in an ethernet cable. For up to 40 seconds I'm connected to both Wi-Fi and ethernet. But that's a Windows thing.

    When I re-enabled the HP "LAN/WLAN Auto Switching" feature and I uninstalled the Sophos Connect Client, my laptop switches immediately between Wi-Fi and Ethernet ... all the time and in both directions.


    However, as soon as I re-install Sophos Connect I can't switch from ethernet to Wi-Fi anymore because Windows always "sees" an active ethernet connection (the Sophos TAP Adapter), even when the Sophos Connect Client is Disconnected and there's no ethernet cable. None of your suggestions made any difference.

    After careful consideration I concluded that this is not a Sophos thing, nor a Windows thing... it’s an HP thing. So there’s no need to pursue this issue further. I just have to choose what works best for me.

    Thanks for your help.

    Kind Regards,