Sophos Connect and LAN Access

Hey guys,

I am having all kinds of trouble fixing Sophos Connect - using 17.5 MR4.1.

Basically SC connects to the XG fine but cannot pass any traffic - that is, I can get to the web interface of the XG, but cannot ping IPs on my network.

Lots of reading, and I have a VPN to LAN FW rule and also a LAN to VPN FW rule.

My SSL VPN has a totally different subnet and my L2TP VPN has an IP range outside what Sophos Connect has.

If I connect via L2TP all works OK.

If I connect via SC I get nothing - both on the same subnet (different ranges).

I am stumped at what I am missing - it used to work until I changed the default WAN port and updated SC.

What am I missing?

  • Hello,

    Can you please specify the DHCP ranges for the three different VPNs you are using? This seems like a configuration error. The other method is to use tcpdump from the console and filter for the internal IP you are trying to get to. See if the packets are received and sent in both directions.

    Ramesh

  • In reply to rmk_2018:

    I did check that as I saw it had been mentioned before.

    SSL VPN is the 10.81.234.0 subnet.

    SC and L2TP both share the 10.3.24.0 subnet but with different ranges specified:

    L2TP 10.3.24.131-150

    SC 10.3.24.50-70

  • In reply to M8ey:

    Hello M8ey,

    You cannot share the 10.3.24 subnet between the two. Please change that and it will work.

    Regards,

    Ramesh

  • In reply to rmk_2018:

    Changed it and no change.

    Connects fine but no traffic.

  • In reply to M8ey:

    Hello M8ey,

    You now need to use tcpdump to see where the packets are getting dropped.

    Ramesh

  • Do you have a simple network - which I would define as a network where the default route (eventually) goes via your Sophos firewall? If not, you may find that your internal router doesn't know where traffic to your VPN subnet should be routed. In that case you'll need to configure your internal router to send the VPN subnet to the Sophos internal interface (the "next hop"). You or someone else might have done this years ago for L2TP.

  • In reply to DavidRa:

    Hey David

    Good points, however my XG is the gateway and no routers are used.

    I would expect not to connect at all if it was that, whereas I connect and can browse the XG on the LAN interface, but that's all :-(

  • In reply to M8ey:

    Hello,

    Are you able to check if the routing table on your machine has been updated after being connected? On Windows, you could run "route print" from cmd and check if the gateway has a higher priority.

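A scripted version of the "route print" check suggested in the reply above, added here as an editorial example that is not part of the thread: it parses the IPv4 Active Routes table, applies Windows' selection rule (longest prefix first, then lowest metric) for a LAN host, and says whether that host would leave via the VPN adapter. The two tables are constructed; 172.20.10.8 and 10.3.24.50 are the addresses the poster gives, while the LAN host 192.168.0.10, the 172.20.10.1 gateway, the metrics and the "On-link" VPN default route are assumptions.

```python
import ipaddress
import re

# One "Active Routes" line of Windows `route print`:
# Network Destination   Netmask   Gateway   Interface   Metric
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)

# Constructed sample (not the poster's screenshot): the client keeps its physical
# default route while the VPN adapter only carries its own host route. This is
# the symptom described in the thread. Gateway and metrics are assumptions.
ROUTE_PRINT_BROKEN = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.20.10.1     172.20.10.8     35
       10.3.24.50  255.255.255.255          On-link      10.3.24.50    281
        127.0.0.0        255.0.0.0          On-link       127.0.0.1    331
      172.20.10.0  255.255.255.240          On-link     172.20.10.8    291
===========================================================================
"""

# Constructed sample of what a tunnel-all connection should look like: a second
# default route on the VPN adapter with a lower (= preferred) metric. That the
# route appears as "On-link" with metric 11 is an assumption for illustration.
ROUTE_PRINT_OK = ROUTE_PRINT_BROKEN.replace(
    "Metric\n",
    "Metric\n"
    "          0.0.0.0          0.0.0.0          On-link      10.3.24.50     11\n",
)


def parse_routes(route_print_text):
    """Extract the IPv4 Active Routes table into a list of dicts."""
    routes = []
    for line in route_print_text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue                       # headers, separators, other sections
        dest, mask, gateway, iface, metric = m.groups()
        routes.append({
            "network": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gateway": gateway,            # an address or the literal "On-link"
            "interface": iface,            # the adapter's own IP
            "metric": int(metric),
        })
    return routes


def best_route(routes, target):
    """Windows route selection: longest prefix wins, then the lowest metric."""
    t = ipaddress.ip_address(target)
    matches = [r for r in routes if t in r["network"]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r["network"].prefixlen, r["metric"]))


def traffic_uses_vpn(routes, vpn_ip, target):
    """True when packets for `target` would leave via the VPN adapter."""
    r = best_route(routes, target)
    return r is not None and r["interface"] == vpn_ip


def explain(route_print_text, vpn_ip, lan_host):
    """One-line verdict for the thread's symptom (VPN up, LAN unreachable)."""
    r = best_route(parse_routes(route_print_text), lan_host)
    if r is None:
        return "no route at all to " + lan_host
    if r["interface"] == vpn_ip:
        return (f"{lan_host} goes via the VPN adapter {vpn_ip} "
                f"(metric {r['metric']}): routing OK")
    return (f"{lan_host} goes via {r['interface']} gateway {r['gateway']} "
            f"(metric {r['metric']}), not via the VPN adapter {vpn_ip}: "
            "default route was not updated by the client")


if __name__ == "__main__":
    for name, table in (("broken", ROUTE_PRINT_BROKEN), ("ok", ROUTE_PRINT_OK)):
        print(name + ":", explain(table, "10.3.24.50", "192.168.0.10"))
```

To use it on a real machine, paste the output of "route print -4" taken while the tunnel is up into the script in place of the constructed table and give `explain()` the VPN adapter address shown in Sophos Connect and a LAN host you cannot ping. A verdict ending in "not updated by the client" means the tunnel itself can be fine while the PC still sends LAN traffic to its physical gateway.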
  • In reply to Aditya Patel:

    Quoting Aditya Patel: "cmd. > route print and check if the gateway"

    [screenshot of route print output]

    172.20.10.8 is my IP before connecting to the SC.

    10.3.24.50 is my IP from the VPN within the XG.

  • In reply to M8ey:

    Hello,

    Is the screenshot taken after connecting to SC? It does seem that your local gateway has the higher priority and the network for gateway 10.3.24.50 does not have 'any' route added.

  • In reply to Aditya Patel:

    Sure is - Active SC Connection and then ran the check.

  • In reply to M8ey:

    Hello M8ey,


    The best thing to do is a packet capture on the firewall. From the Monitor & Analyze -> Diagnostics page set up a packet capture. You can configure the host <IP> and start the capture. Then ping that host and see what you get. You should be able to see if the packet is dropped at the firewall or sent out the correct interface and if it is getting a reply.

    Please let us know

    Ramesh

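The capture-based check Ramesh describes (and the earlier "tcpdump from the console, filter for the internal IP, see if packets go in both directions" advice), worked through as an added example that is not part of the thread. It takes two captures, one on the VPN side of the firewall and one on the LAN side, both assumed to be in tcpdump's default text output, pairs ICMP echo requests and replies by (id, seq), and reports the first hop at which each ping disappears. The captures are constructed: 10.3.24.50 is the Sophos Connect client address from the thread, 192.168.0.10 is an assumed LAN host, and the interface names in the comment are assumptions.

```python
import re
from collections import defaultdict

# tcpdump's default text line for an ICMP echo, e.g. from a console capture
# like  tcpdump -ni <vpn-or-lan-interface> 'icmp and host 192.168.0.10'
ICMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed captures (not from the thread). VPN side: two echo requests
# arrive from the client, but only the second one ever gets a reply back.
VPN_CAPTURE = """\
10:15:01.000100 IP 10.3.24.50 > 192.168.0.10: ICMP echo request, id 1, seq 1, length 40
10:15:02.000200 IP 10.3.24.50 > 192.168.0.10: ICMP echo request, id 1, seq 2, length 40
10:15:02.000900 IP 192.168.0.10 > 10.3.24.50: ICMP echo reply, id 1, seq 2, length 40
"""
# LAN side: only the second request was forwarded out of the firewall.
LAN_CAPTURE = """\
10:15:02.000300 IP 10.3.24.50 > 192.168.0.10: ICMP echo request, id 1, seq 2, length 40
10:15:02.000800 IP 192.168.0.10 > 10.3.24.50: ICMP echo reply, id 1, seq 2, length 40
"""

# Hops in path order; the first one missing names the segment where the ping died.
PATH = (
    ("req@vpn", "request never reached the firewall: client-side routing (check route print)"),
    ("req@lan", "request dropped inside the firewall: VPN-to-LAN rule, NAT or route"),
    ("rep@lan", "LAN host did not answer: host firewall or no return route to the VPN subnet"),
    ("rep@vpn", "reply dropped on the way back: LAN-to-VPN rule or NAT"),
)


def parse_icmp(capture_text):
    """Yield (kind, src, dst, (id, seq)) for every ICMP echo line in a capture."""
    for line in capture_text.splitlines():
        m = ICMP_RE.match(line)
        if m:
            yield m["kind"], m["src"], m["dst"], (int(m["id"]), int(m["seq"]))


def diagnose(vpn_capture, lan_capture, client_ip, lan_host):
    """Map each (id, seq) of a client_ip -> lan_host ping to where it died."""
    seen = defaultdict(set)
    for side, text in (("vpn", vpn_capture), ("lan", lan_capture)):
        for kind, src, dst, key in parse_icmp(text):
            if kind == "request" and (src, dst) == (client_ip, lan_host):
                seen[key].add("req@" + side)
            elif kind == "reply" and (src, dst) == (lan_host, client_ip):
                seen[key].add("rep@" + side)
    if not seen:
        # Nothing from the client at all: the tunnel is up but the PC is not
        # sending LAN traffic into it (the thread's eventual finding).
        return {None: PATH[0][1]}
    verdicts = {}
    for key in sorted(seen):
        verdicts[key] = next((msg for hop, msg in PATH if hop not in seen[key]),
                             "end-to-end OK")
    return verdicts


if __name__ == "__main__":
    for key, verdict in diagnose(VPN_CAPTURE, LAN_CAPTURE,
                                 "10.3.24.50", "192.168.0.10").items():
        print(key, verdict)
```

Run the two captures for the same few pings so the (id, seq) pairs line up. An empty result is itself the most telling case here: if the firewall never sees an echo request from the client address, no firewall rule will fix it and the client's routing table is the place to look.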
  • In reply to Aditya Patel:

    *** Update ***

    So after many months of back and forth with Sophos Support, they have worked out that when I use Sophos Connect my default route is not being updated at the PC level.

    So 0.0.0.0 is set to go via my local connection - not 0.0.0.0 - XG IP address.

    So no traffic flows to the XG via the VPN.


    They are investigating how / why this is happening. Even with SC 1.3 it's the same issue, and on all PCs that it's installed on, not just mine.

  • In reply to M8ey:

    Hello M8ey,


    It is strange that you are running into this problem. I am sure the problem is some configuration that is causing this issue and we just need to figure it out. Based on the route print it is looking good after the tunnel is established. Are you doing a ping by IP address, ping by hostname or ping by FQDN?


    The easiest thing to do after the tunnel is established is to click on the Networks icon on the Monitor connection page of Sophos Connect. You will see the counters for packets transmitted/received. Please let me know what you find and I will try to help you get it working, or at least find out why it is not working in your setup.

    Ramesh

  • In reply to M8ey:

    M8ey,


    Have you had any luck resolving this? I'm facing the same exact issue on a Mac. The SC configuration is set for tunnel all and the 0.0.0.0 route is not updating on the Mac after they are connected.


    I may have the same issue on a PC, I just haven't been able to get connected to the user when they are home to validate. All running the latest SC v1.3.

    Thanks,

    John