Weird behavior that I expect is not a VPN problem, but need to ask

First I don't believe this is a VPN problem but making sure I cover all bases.

 

Recently our VPN users have started to see a problem when they VPN in to our network.  They are accessing files on a Linux server via an editor on their laptop that is VPN'd in.  Some use Notepad++ and others use NoteTab Light to access the files.  When they make changes and save the file, the file on the Linux server either gets blanked out or is so corrupted that you can't open it any more.

 

So for testing I first tried modifying a test file on my desktop on the inside network (no VPN).  Works like it should: saving does not corrupt the file and everything is good.  I then VPN in from outside on a laptop using the same editor and file, and the file gets corrupted.  I tried MS Notepad, Notepad++ and NoteTab Light - all cause the file on the Linux side to go bad.

 

My guess is the Windows and/or Linux side is causing the problem.  Has anyone else seen something like this?  I don't see how the VPN would be causing it, but I'm no expert.

 

I can't pinpoint the time frame, but it looks like this started to be a problem within the last two months.

 

John

  • Hi  

    Thank you for providing in-depth details of the issue.

    Are you facing this issue with all the VPN users?

    Which VPN are you using to connect and edit the file on the Linux server?

  • In reply to Keyur:

    Most of the users that VPN do not need to edit files on the Linux server (our ERP).  But a few of the ones that do have contacted me on this.  So a small portion of all VPN users are affected, but it does seem all of the ones that edit files are having this problem. 

     

    We are using the Sophos VPN from the Sophos firewall.  I'm not the main firewall admin, but am the main admin for the ERP and all Linux servers.  That's why I got this question to resolve. :-)

    I've taken a laptop and connected to the inside with a local copy of the editor and tried modifying the file; it works. Then I connect the laptop via VPN and bad things happen to the file.

     

    Again, I don't think it is the VPN, but on the surface that is the only difference.

     

    john

  • In reply to JohnAdamski:

    Hi  

    I understand your concern, but if you could collect the details from the firewall admin regarding the VPN connection type and the firewall rules created to allow VPN traffic, we can get a better idea of how to narrow down the issue. We do not have a history of such issues reported by customers in the field. This information will help us to assist you better.

  • In reply to Keyur:

    The network admin is busy right now, so you're stuck with me.

     

    We are using SSL VPN on an XG firewall, ver. XG450 (SFOS 17.5.9 MR-9), in active-passive (we have 2 devices).

     

    One firewall rule that allows vpn traffic in, allows any services, everything else on the setup looks default.

  • In reply to JohnAdamski:

    Hi  

    We will need to review the firewall rules to see if there is any protection put in place on that rule.  It is possible that the AV scanner or IPS/ATP could be causing trouble with the file.  However without knowing the rule configuration, it will be a best-guess answer.  

    You can try using another VPN, either the Sophos Connect Client or the L2TP setup.

    Thanks.

  • In reply to KingChris:

    The rule looks like this - I changed things like the networks to show 10.xxx rather than our true values for security reasons.  Other than things like that, this is the rule configuration. To me it looks like mostly a default setup for a rule.

     

    Rule name: vpn-xxx
    Description:
    Rule group: None

    Source Zones: VPN TYPE=VPN DeviceAccess=Ping/Ping6, HTTPS, Wireless Protection, User Portal, SNMP
    Source networks and devices: Any
    During scheduled time: All the time

    Destination zones:
    Lan Members=Port1, Port10, Port9, Port_Chan1, Port_Chan1.15 Type=LAN DeviceAccess=Ping/Ping6, HTTPS, SSH, DNS, Captive Portal, Radius SSO, Wireless Protection, SSL VPN, Web Proxy, User Portal, Client Authentication, SMTP Relay, SNMP, Chromebook SSO
    Academic Members=Port2.79 Type=DMZ DeviceAccess=Ping/Ping6, DNS, SSL VPN, Web Proxy, User Portal, SMTP Relay, SNMP

    Destination networks: 10.xxx/16, 10.yyy/16, 10.zzz/16
    Services: Any

    Match known users - unchecked

    Scan HTTP - unchecked
    Decrypt & scan HTTPS - unchecked
    Scan FTP for malware - unchecked

    Intrusion prevention: generalpolicy
    Traffic shaping policy: None
    Web Policy: None
    Apply web-category-based traffic shaping policy - unchecked
    Application control: None
    Apply application-based traffic shaping policy - unchecked

    Minimum source HB permitted: No restriction
    Minimum destination HB permitted: No restriction

    Rewrite source address - unchecked
    primary gateway: None
    DSCP marking: Select DSCP marking

  • In reply to JohnAdamski:

    Hi  

    Thanks for that information.

    You do have IPS configured on the rule.  You could try without IPS to see if that helps at all.

     

    You can review this KB article that may help you rule out the firewall:  https://community.sophos.com/kb/en-us/127189

    Thanks!

  • In reply to KingChris:

    Our network admin says we need IPS, but is willing to temporarily turn it off for testing.  Will do that in the next day or so.  He was not hopeful that would be the cause.

  • In reply to JohnAdamski:

    Late Friday the network admin turned off IPS and I tested.  I was able to modify the file and save it without corrupting the file.  He turned IPS back on and said he would work with me later to figure out what is causing the problem when IPS is on.

     

    It will be a week or so, as he is on vacation now.

     

    john

  • In reply to JohnAdamski:

    Hi  

    Glad you were able to narrow it down.

    You may have to create a custom IPS policy using signatures that are pertinent to your environment.  So if you are not running any Linux servers, do not choose Linux IPS patterns to use.

    Please do keep us updated.

    Thanks.

  • In reply to KingChris:

    The network admin had a few minutes to do some more testing this morning and he thinks the text editors are trying to do something over port 445 when saving the file.  He ran out of time and did not get further. Said that port 445 sounds like it should be blocked.

     

    So that's the latest.

     

    john

  • In reply to JohnAdamski:

    Hi  

    Port 445 is the CIFS port, aka SMB/file sharing.

    It is possible that IPS is blocking it due to an older SMB version running on your network.  If you remove all IPS policies that state "SMB", then it should work.

    Thanks!

  • In reply to KingChris:

    Yes, our ERP server still needs SMB1; we have been waiting for the provider to figure out how to run on SUSE 15. They missed two proposed release dates for the update.

     

    I will pass this on to my network guy.

     

    john

  • In reply to JohnAdamski:

    Network admin made IPS rules for VPN to allow SMB1; we tested again and it is still failing.

     

    Probably time to open a trouble ticket with Sophos.

     

    john

  • In reply to JohnAdamski:

    Hi  

    Thanks for the response.  Then it must be something else inside the IPS rules you have.

    Please DM the case number you get so that we can track it.

    Thanks!
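
A repeatable version of the save test used in this thread to compare IPS on and IPS off, as an added example that is not part of the original posts: it writes deterministic probe files to a directory on the share and classifies each one as ok, blanked, truncated, corrupt or missing. The file names, the probe sizes and the directory passed on the command line are assumptions.

```python
import hashlib
import os
import sys

# Constructed probe sizes (assumption): from one byte up to about 1 MB.
SIZES = [1, 512, 4096, 65536, 1_000_000]

def probe_name(size):
    return f"ips_probe_{size}.txt"  # hypothetical file name

def payload(size):
    """Deterministic text for a given size, so any host can recompute it."""
    block = hashlib.sha256(str(size).encode()).hexdigest().encode() + b"\n"
    return (block * (size // len(block) + 1))[:size]

def write_probes(directory):
    """Write one probe file per size into the directory under test."""
    for size in SIZES:
        with open(os.path.join(directory, probe_name(size)), "wb") as fh:
            fh.write(payload(size))
            fh.flush()
            os.fsync(fh.fileno())  # push the data out before closing

def classify(path, size):
    """Compare what is on disk with what should have been written."""
    if not os.path.exists(path):
        return "missing"
    with open(path, "rb") as fh:
        got = fh.read()
    expected = payload(size)
    if got == expected:
        return "ok"
    if not got:
        return "blanked"
    if expected.startswith(got):
        return "truncated"
    return "corrupt"

def verify_probes(directory):
    return {s: classify(os.path.join(directory, probe_name(s)), s) for s in SIZES}

if __name__ == "__main__":
    # usage: probe.py write|verify DIRECTORY
    mode, directory = sys.argv[1], sys.argv[2]
    if mode == "write":
        write_probes(directory)
    for size, state in verify_probes(directory).items():
        print(f"{size:>8} bytes: {state}")
```

Run `write` from the VPN-connected laptop against the mapped share, then `verify` on the Linux server against the same directory, so the result reflects what actually reached the disk. Repeating the pair with IPS on and off records which sizes fail rather than relying on one hand-edited file.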