Sophos Connect Client not using internal DNS

Hi all!

...back again with another Connect Client issue

I can establish a connection, but there are wrong (external IPv6) DNS server entries on the client.

I configured DNS servers on the XG:

But this is what the client shows:

Therefore I'm unable to ping hostnames, IPs work fine.

Client Version is 1.2.5.0202
XG Version 17.5.4 MR-4

  • Hello Christian,

     

    Have you configured an SSL VPN policy on XG? If yes, then please check what DHCP IP range and DNS servers are assigned there. It is possible that the DHCP ranges for SSL VPN and Sophos Connect are overlapping. It is also possible that the DNS servers assigned in the SSL VPN policy are IPv6.

    If your answer is No, then I would need a Technical Support Report (TSR) from Sophos Connect after you establish the connection. You can get the TSR from the Menu->About page on Sophos Connect. You can send it to me in a private message.

     

    Thank you,

    Ramesh
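    The two checks Ramesh asks for (overlapping address pools, IPv6 or non-internal DNS servers in a policy) are easy to get wrong by eye when the pools are written as start/end ranges. The following is an added example, not Sophos code and not from the original thread: it takes the pool boundaries and DNS servers as they would be read off the XG's SSL VPN and Sophos Connect settings and reports the problems. The policy names, pool ranges and resolver addresses are constructed sample values, not Christian's real configuration.

```python
"""Lint two VPN policies for overlapping address pools and bad DNS servers.

Added example (not Sophos code). The pool ranges, DNS addresses and
internal resolver list below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VpnPolicy:
    name: str
    pool_start: str          # first address handed to clients
    pool_end: str            # last address handed to clients
    dns_servers: list = field(default_factory=list)

    def networks(self):
        """Express the start/end pool as a list of CIDR networks."""
        start = ipaddress.ip_address(self.pool_start)
        end = ipaddress.ip_address(self.pool_end)
        return list(ipaddress.summarize_address_range(start, end))


def pools_overlap(a, b):
    """True if any address is in both policies' client pools."""
    return any(x.overlaps(y) for x in a.networks() for y in b.networks())


def dns_problems(policy, internal_dns):
    """Return (address, reason) pairs for DNS servers a VPN client should
    not be handed: IPv6 entries, and anything outside the internal resolvers."""
    internal = {ipaddress.ip_address(s) for s in internal_dns}
    problems = []
    for s in policy.dns_servers:
        addr = ipaddress.ip_address(s)
        if addr.version == 6:
            problems.append((s, "IPv6 DNS server assigned to VPN client"))
        elif addr not in internal:
            problems.append((s, "DNS server is not an internal resolver"))
    return problems


def lint(ssl_vpn, connect, internal_dns):
    """Collect human-readable findings for the two policies."""
    findings = []
    if pools_overlap(ssl_vpn, connect):
        findings.append(
            f"address pools of {ssl_vpn.name} and {connect.name} overlap")
    for p in (ssl_vpn, connect):
        for addr, why in dns_problems(p, internal_dns):
            findings.append(f"{p.name}: {addr}: {why}")
    return findings


# Constructed sample configuration; replace with the values from the XG.
INTERNAL_DNS = ["10.1.99.10", "10.1.99.11"]
SSL_VPN = VpnPolicy("SSL VPN", "10.81.234.1", "10.81.234.254",
                    ["2001:db8::53", "10.1.99.10"])
CONNECT = VpnPolicy("Sophos Connect", "10.81.234.100", "10.81.234.200",
                    ["10.1.99.10", "10.1.99.11"])

if __name__ == "__main__":
    for finding in lint(SSL_VPN, CONNECT, INTERNAL_DNS):
        print(finding)
```

    With the sample values the script reports the overlapping pools and the IPv6 resolver in the SSL VPN policy; a clean configuration returns an empty list. Run it against what the client shows after connecting as well: the DNS servers listed on the adapter should be exactly the internal ones.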

  • In reply to rmk_2018:

    Hello Ramesh,

    and thank you for your answer! I'm not so sure what you mean by SSL VPN policy.

    What I have is an additional IPsec site-to-site connection and the SSL VPN settings, which are pretty much default I guess (please see screenshot).

    So my answer is no.
    I have sent you a PM with the TSR.

  • In reply to Christian Dittrich:

    Hello Christian,

     

    Yes, it is a bug identified in SFOS MR4. So please continue using MR3 until we release a patch for MR4. Will keep you posted when that happens.

     

    Ramesh

  • In reply to rmk_2018:

    Hello Ramesh!

    I recently upgraded to MR4 because of another bug with the certificates ( link ). If I downgrade to MR3 I can't connect anymore.
    So that's a really unsatisfying situation.
    Do you know when the bug will be fixed? Our whole migration gets stuck because of this. I'm considering using the OpenVPN client...

  • In reply to Christian Dittrich:

    I'm not sure how much you need your DNS, but if you need only a few DNS entries - meaning you need DNS to locate only a few devices and servers at the other end of your VPN - you could list them on your local desktop, in the "hosts" text file.  Do not forget to edit it with notepad.exe and not wordpad.exe or word.exe.   I've entered all my office servers' IPs there.

    Located here: C:\Windows\System32\drivers\etc

    This is what you typically get in that file:

    # Copyright (c) 1993-2009 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1 localhost
    # ::1 localhost
    10.1.99.10 myfirstserver.local
    10.2.99.11 theotherserver.local
    10.1.99.12 wellwehaveonly3servers.local

     

    Paul Jr
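    Doing the hosts-file edit Paul Jr describes by hand is fine for three servers, but it is easy to end up with the same name listed twice with different addresses, and the hosts file is consulted before DNS, so a stale entry silently wins. The following is an added example, not code from the thread: it parses an existing hosts file, keeps its comments, appends the VPN servers that are missing, and reports any name that already maps to a different address instead of overwriting it. The sample hosts text and server list are constructed; on Windows the real file is C:\Windows\System32\drivers\etc\hosts and writing it needs an elevated prompt, which is why this script only works on text.

```python
"""Merge name-to-IP entries into hosts-file text without clobbering existing ones.

Added example (not from the thread). SAMPLE_HOSTS and SERVERS below are
constructed sample data. The real Windows file is
C:\Windows\System32\drivers\etc\hosts (write it from an elevated prompt).
"""
import ipaddress


def parse_hosts(text):
    """Return a list of (ip, [names], raw_line).

    Comment and blank lines come back with ip=None and no names so they
    can be written out again unchanged. Malformed lines raise ValueError.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            entries.append((None, [], raw))
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))  # normalises v4 and v6
        except ValueError:
            raise ValueError(f"bad hosts line: {raw!r}") from None
        entries.append((ip, [n.lower() for n in parts[1:]], raw))
    return entries


def merge_hosts(text, servers):
    """Return (new_text, conflicts).

    servers maps hostname -> ip. Names already present with the same
    address are left alone; names present with a different address are
    reported in conflicts and NOT changed, since a hosts entry overrides
    DNS and a wrong one is hard to spot later.
    """
    entries = parse_hosts(text)
    existing = {}
    for ip, names, _ in entries:
        for n in names:
            existing[n] = ip

    conflicts, additions = [], []
    for name, ip in servers.items():
        name = name.lower()
        ip = str(ipaddress.ip_address(ip))
        if name in existing:
            if existing[name] != ip:
                conflicts.append((name, existing[name], ip))
            continue
        additions.append(f"{ip} {name}")

    lines = [raw for _, _, raw in entries]
    if additions:
        lines.append("# servers reached over the VPN (added)")
        lines.extend(additions)
    return "\n".join(lines) + "\n", conflicts


# Constructed sample input, modelled on a default Windows hosts file.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
10.1.99.10 myfirstserver.local   # already correct
10.1.99.12 wellwehaveonly3servers.local
"""

# Constructed server list; the third entry deliberately conflicts.
SERVERS = {
    "MyFirstServer.local": "10.1.99.10",
    "theotherserver.local": "10.2.99.11",
    "wellwehaveonly3servers.local": "10.1.99.13",
}

if __name__ == "__main__":
    new_text, conflicts = merge_hosts(SAMPLE_HOSTS, SERVERS)
    print(new_text)
    for name, old, new in conflicts:
        print(f"CONFLICT: {name} is {old} in hosts, wanted {new}")
```

    The lookup is case-insensitive because Windows name resolution is, and addresses are normalised through ipaddress so "::1" and "0:0:0:0:0:0:0:1" compare equal. Remember that hosts entries are exact names only; anything that relies on SRV records or dynamic DNS, such as an AD domain, cannot be made to work this way.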

  • In reply to Christian Dittrich:

    Hello Christian,

     

    Sorry you ran into this problem. We will have a fix for it in SFOS early next week. 

     

    Ramesh

  • In reply to Big_Buck:

    Thank you for your answer, Paul Jr!
    Your idea can help in a small environment, but we need several things like AD, WSUS and so on. So editing the hosts file isn't an option.

  • In reply to rmk_2018:

    Hello Ramesh,

    that's good news - thank you!

  • In reply to Christian Dittrich:

    For the sake of my curiosity ...  Have I understood correctly that you do WSUS through a VPN?

    Paul Jr

  • In reply to Big_Buck:

    For a small number of clients, yes! Those are stationary clients in home offices. Although that's not the best example, perhaps.
    Maybe we won't need this anymore after migration to Win10...

  • In reply to Christian Dittrich:

    Hey  

    Apologies again for any inconvenience caused by this.

    This issue (NC-45246) is resolved in today's re-released MR4-1 version - [SF 17.5 MR4-1 (17.5.4.429)]

    Regards,

  • In reply to FloSupport:

    Thank you very much. I will be testing now and give you a feedback!

  • In reply to FloSupport:

    Sorry, but I cannot test it because of the certificate error again.

    Remote certificate authentication is successful.

    Local certificate authentication isn't working
    Errors: no issuer certificate found / no trusted RSA public key found

    I tested with the appliance cert (which I imported manually on the client) and our domain cert.
    I also generated a self-signed cert on the XG - again no luck.

  • In reply to Christian Dittrich:

    Hello Christian,

     

    Any update on this please? Please check the Sophos Connect Client policy and make sure the policy is correct in terms of certificates. Then maybe export and reimport the policy on Sophos Connect.

     

    Ramesh

  • In reply to FloSupport:

    I'm good, it's working after the update.