I am having all kinds of trouble fixing Sophos Connect - using 17.5 MR4.1
Basically SC connects to the XG fine but cannot pass any traffic - that is, I can get to the web interface of the XG, but cannot ping IPs on my network.
Lots of reading and I have a VPN - LAN FW Rule and also a LAN - VPN FW Rule
My SSL VPN has a totally different subnet and my L2TP VPN has an IP range outside what Sophos Connect has.
If I connect via L2TP all works OK
If I connect via SC I get nothing - both on the same Subnet (different ranges)
I am stumped at what I am missing - it used to work until I changed the default WAN port and updated SC.
What am I missing?
Can you please specify the DHCP ranges for the three different VPNs you are using? This seems like a configuration error. The other method is to use tcpdump from the console and filter for the internal IP you are trying to get to. See if the packets are received and sent in both directions.
In reply to rmk_2018:
I did check that as I saw it had been mentioned before.
SSL VPN is 10.81.234.0 Subnet
SC and L2TP both share a 10.3.24.0 subnet but with different ranges specified:
In reply to M8ey:
You cannot share the 10.3.24 subnet between the two. Please change that and it will work.
Changed it and no change.
Connects fine but no traffic.
You now need to use tcpdump to see where the packets are getting dropped.
Do you have a simple network - which I would define as a network where the default route (eventually) goes via your Sophos firewall? If not, you may find that your internal router doesn't know where traffic to your VPN subnet should be routed. In that case you'll need to configure your internal router to send the VPN subnet to the Sophos internal interface (the "next hop"). You or someone else might have done this years ago for L2TP.
In reply to DavidRa:
Good points, however my XG is the gateway and no routers are used.
I would expect not to connect if it was that as well, whereas I connect and can browse the XG on the LAN interface, but that's all :-(
Are you able to check if the routing table on your machine has been updated after being connected? On Windows, you could run the command "route print" in cmd and check if the gateway has a higher priority.
In reply to Aditya Patel:
Aditya Patel: "cmd. > route print and check if the gateway"
172.20.10.8 is my IP before connecting to SC.
10.3.24.50 is my IP from the VPN within the XG.
Is the screenshot taken after connected to SC? It does seem that your local gateway has the higher priority and the network for gateway 10.3.24.50 does not have 'any' route added.
Sure is - active SC connection, and then I ran the check.
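To make the "route print" check above repeatable, here is an added example (not from any poster in this thread) that parses the IPv4 section of Windows "route print" output and applies longest-prefix-then-lowest-metric selection to tell whether traffic to a given LAN host would leave through the VPN adapter. The route table below is constructed; 172.20.10.8 and 10.3.24.50 come from the thread, while the default gateway 172.20.10.1, the LAN host 192.168.1.10 and all metrics are assumed.

```python
"""Check Windows 'route print' output for a usable route over the VPN adapter."""
import ipaddress
import re

# Constructed sample of the "IPv4 Route Table" block printed by `route print`.
# Only the two VPN-adapter routes (10.3.24.0/24, 10.3.24.50/32) exist here,
# so any other destination falls back to the 0.0.0.0 default via 172.20.10.1.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.20.10.1     172.20.10.8     35
        10.3.24.0    255.255.255.0         On-link       10.3.24.50    281
       10.3.24.50  255.255.255.255         On-link       10.3.24.50    281
        127.0.0.0        255.0.0.0         On-link       127.0.0.1    331
      172.20.10.0    255.255.255.0         On-link      172.20.10.8    291
===========================================================================
"""

# dest, netmask, gateway (an IP or "On-link"), interface IP, metric
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_routes(text):
    """Return [(network, gateway, interface_ip, metric)] from the Active Routes table."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # headers, separators and the "Persistent Routes" banner
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes


def best_route(routes, target):
    """Longest prefix wins; ties broken by lowest metric (Windows selection order)."""
    addr = ipaddress.ip_address(target)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r[0].prefixlen, r[3]))


def leaves_via_vpn(text, target, vpn_interface_ip):
    """True if packets to target would be sent out of the VPN adapter."""
    r = best_route(parse_routes(text), target)
    return r is not None and r[2] == vpn_interface_ip
```

With the sample table, a LAN host such as 192.168.1.10 matches only the default route and leaves via the local gateway, which is exactly the "no route added for gateway 10.3.24.50" situation described above.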
The best thing to do is a packet capture on the firewall. From the Monitor & Analyze -> Diagnostics page, set up a packet capture. You can configure the host <IP> and start the capture. Then ping that host and see what you get. You should be able to see if the packet is dropped at the firewall or sent out the correct interface, and if it is getting a reply.
Please let us know.