I am having all kinds of trouble fixing Sophos Connect - using 17.5 MR4.1
Basically SC connects to the XG fine but cannot pass any traffic - that is, I can get to the web interface of the XG, but cannot ping IPs on my network.
Lots of reading, and I have a VPN - LAN FW rule and also a LAN - VPN FW rule.
My SSL VPN has a totally different subnet and my L2TP VPN has an IP range outside what Sophos Connect has.
If I connect via L2TP all works OK
If I connect via SC I get nothing - both on the same Subnet (different ranges)
I am stumped at what I am missing - it used to work until I changed the default WAN port and updated SC.
What am I missing?
Can you please specify the DHCP ranges for the three different VPNs you are using? This seems like a configuration error. The other method is to use tcpdump from the console and filter for the internal IP you are trying to get to. See if the packets are received and sent in both directions.
In reply to rmk_2018:
I did check that as I saw it had been mentioned before.
SSL VPN is 10.81.234.0 Subnet
SC and L2TP both share a 10.3.24.0 subnet but with different ranges specified:
In reply to M8ey:
You cannot share the 10.3.24 subnet between the two. Please change that and it will work.
Changed it and no change.
Connects fine but no traffic.
You now need to use tcpdump to see where the packets are getting dropped.
Do you have a simple network - which I would define as a network where the default route (eventually) goes via your Sophos firewall? If not, you may find that your internal router doesn't know where traffic to your VPN subnet should be routed. In that case you'll need to configure your internal router to send the VPN subnet to the Sophos internal interface (the "next hop"). You or someone else might have done this years ago for L2TP.
In reply to DavidRa:
Good points, however my XG is the gateway and no routers are used.
I would expect not to connect if it was that as well, whereas I connect and can browse the XG on the LAN interface but that's all :-(
Are you able to check if the routing table on your machine has been updated after being connected? On Windows, you could run the command `route print` in cmd and check if the gateway has a higher priority.
In reply to Aditya Patel:
Quoting Aditya Patel: "run the command `route print` in cmd and check if the gateway ..."
The 172.20.10.8 is my IP before connecting to the SC
10.3.24.50 is my IP from the VPN within the XG
Is the screenshot taken after connected to SC? It does seem that your local gateway has the higher priority and the network for gateway 10.3.24.50 does not have 'any' route added.
Sure is - Active SC Connection and then ran the check.
The best thing to do is a packet capture on the firewall. From the Monitor & Analyze -> Diagnostics page, set up a packet capture. You can configure the host <IP> and start the capture. Then ping that host and see what you get. You should be able to see if the packet is dropped at the firewall or sent out the correct interface, and if it is getting a reply.
Please let us know
*** Update ***
So after many months of back and forth with Sophos Support they have worked out when I use Sophos Connect my default route is not being updated on the PC level.
So 0.0.0.0 is set to go via my local connection - not 0.0.0.0 - XG IP Address
So no traffic flows to the XG via VPN
They are investigating how / why this is happening. Even SC 1.3 has the same issue, and on all PCs that it's installed on, not just mine.
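The check Aditya Patel suggests above (`route print`) and the diagnosis in the update (the 0.0.0.0 default route stays on the local connection instead of moving to the VPN adapter) can be made mechanical. The following is an added example, not code from the thread or from Sophos: it parses the IPv4 "Active Routes" table that Windows `route print` prints and reports which of the three failure states the machine is in. The interface IPs 172.20.10.8 (pre-VPN) and 10.3.24.50 (VPN) come from the thread; the gateway IPs 172.20.10.1 and 10.3.24.1, the metrics, and the three route tables themselves are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Route:
    dest: str
    mask: str
    gateway: str      # an IPv4 address or the literal "On-link"
    interface: str    # IPv4 address of the adapter the route leaves on
    metric: int


# One data row of the IPv4 "Active Routes" table from `route print`:
# destination, netmask, gateway, interface, metric. Header lines, the
# "Persistent Routes" section and banner lines do not match this shape.
ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_route_print(text):
    """Return the IPv4 routes found in `route print` output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            d, mask, gw, iface, metric = m.groups()
            routes.append(Route(d, mask, gw, iface, int(metric)))
    return routes


def default_routes(routes):
    """All 0.0.0.0/0 entries; a full-tunnel VPN must add one of these."""
    return [r for r in routes if r.dest == "0.0.0.0" and r.mask == "0.0.0.0"]


def winning_default_route(routes):
    """Windows forwards Internet-bound traffic via the lowest-metric default route."""
    cands = default_routes(routes)
    return min(cands, key=lambda r: r.metric) if cands else None


def diagnose(text, vpn_ip):
    """Classify the routing table of a 'tunnel all' client.

    "ok"                               traffic leaves via the VPN adapter
    "no-vpn-default-route"             the client never installed 0.0.0.0/0 on
                                       the VPN adapter (the symptom in the thread)
    "vpn-default-route-loses-on-metric" it exists, but the LAN route wins
    "no-default-route"                 no default route at all
    """
    routes = parse_route_print(text)
    defaults = default_routes(routes)
    if not defaults:
        return "no-default-route"
    if not any(r.interface == vpn_ip for r in defaults):
        return "no-vpn-default-route"
    if winning_default_route(routes).interface != vpn_ip:
        return "vpn-default-route-loses-on-metric"
    return "ok"


# Constructed sample: what the thread describes. The VPN adapter
# (10.3.24.50) got its subnet routes, but 0.0.0.0/0 still points at the LAN.
BROKEN_ROUTE_PRINT = """
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.20.10.1     172.20.10.8     35
        10.3.24.0    255.255.255.0          On-link      10.3.24.50    281
       10.3.24.50  255.255.255.255          On-link      10.3.24.50    281
      172.20.10.0  255.255.255.240          On-link     172.20.10.8    291
      172.20.10.8  255.255.255.255          On-link     172.20.10.8    291
===========================================================================
Persistent Routes:
  None
"""

# Constructed sample: a working full tunnel; the VPN default route has the
# lower metric, so it wins over the LAN default route.
WORKING_ROUTE_PRINT = BROKEN_ROUTE_PRINT.replace(
    "Active Routes:\n",
    "Active Routes:\n"
    "          0.0.0.0          0.0.0.0        10.3.24.1      10.3.24.50      1\n",
)

# Constructed sample: the VPN default route was installed but with a worse
# metric, so traffic still leaves via the LAN.
LOSING_ROUTE_PRINT = BROKEN_ROUTE_PRINT.replace(
    "Active Routes:\n",
    "Active Routes:\n"
    "          0.0.0.0          0.0.0.0        10.3.24.1      10.3.24.50    300\n",
)


if __name__ == "__main__":
    for name, table in (("broken", BROKEN_ROUTE_PRINT),
                        ("working", WORKING_ROUTE_PRINT),
                        ("losing", LOSING_ROUTE_PRINT)):
        print(name, "->", diagnose(table, "10.3.24.50"))
```

To use it on a real machine, pipe `route print` into a file and pass its contents to `diagnose()` together with the VPN adapter's IP. On macOS the equivalent table comes from `netstat -rn`, where the default route is listed as `default` rather than `0.0.0.0`, so the regex would need that destination added before the same check applies to the Mac case mentioned later in the thread.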
It is strange you are running into this problem. I am sure the problem is some configuration that is causing this issue and we just need to figure it out. Based on the route print it is looking good after the tunnel is established. Are you doing a Ping by IP address or Ping by Hostname or Ping by FQDN?
The easiest thing to do after the tunnel is established is to click on the Networks icon on the Monitor connection page of Sophos Connect. You will see the counters for packets transmitted/received. Please let me know what you find and I will try to help you get it working, or at least find out why it is not working in your setup.
Have you had any luck resolving this? I'm facing the same exact issue on a Mac. SC configuration is set for tunnel all and the 0.0.0.0 route is not updating on the Mac after they are connected.
I may have the same issue on a PC, just haven't been able to get connected to the user when they are home to validate. All running latest SC v1.3.