

Sophos Connect blocks SNMP

After establishing a connection to XG Firewall version 17.5.1 MR1 through Sophos Connect, communication from the server installed behind the router to port udp/161 on the remote computer is impossible. Changing the VPN client to another one, for example the Cyberoam VPN SSL or SecurePoint SSL VPN, causes the immediate return of communication via UDP. For all three tests the remote computer received an IP from the same subnet, and snmpwalk from the same server was used. Could this be a Sophos Connect error?



This thread was automatically locked due to age.
  • Hello Michal,

    Without additional information it is hard to pinpoint the exact cause of the problem you are having with Sophos Connect Client. What is the policy configuration? Is it a tunnel-all policy or a split-tunnel policy? If it is a split-tunnel policy, check whether the destination network includes the network where the server is located. There is nothing in Sophos Connect that will specifically block communication via UDP/161.

    Please let me know.

    Ramesh

  • Thank you for your response. This is a tunnel policy with full access to all private addresses behind the router.

    {
        "name": "IT",
        "managed": false,
        "version": 1,
        "gateway": "a.b.c.d",
        "vip": "0.0.0.0",
        "auto_connect": {
            "name": "10.77.77.254",
            "required": false,
            "enabled": true
        },
        "proposals": "aes256-sha2_256-modp1024",
        "dpd_delay": 60,
        "rekey_time": 15300,
        "start_action": "none",
        "local_auth": {
            "psk": {
                "id": "0.0.0.0"
            },
            "xauth": {
                "can_save": true
            },
            "otp": false
        },
        "remote_auth": {
            "psk": {
                "id": "%any",
                "secret": "efgh"
            },
            "otp": false
        },
        "child": {
            "rekey_time": 3060,
            "remote_ts": [
                "10.0.0.0/8",
                "172.16.0.0/12",
                "192.168.0.0/17",
                "52.5.76.173/32"
            ]
        }
    }

     

    However, it looks like the problem lies somewhere else. After establishing the VPN tunnel through Sophos Connect, I unexpectedly get this gateway: 169.254.128.128.


    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0    192.168.178.1  192.168.178.222     25
             10.0.0.0        255.0.0.0  169.254.128.128     10.0.101.200     45
         10.0.101.200  255.255.255.255         On-link      10.0.101.200    291
          52.5.76.173  255.255.255.255  169.254.128.128     10.0.101.200     45
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
           172.16.0.0      255.240.0.0  169.254.128.128     10.0.101.200     45
          192.168.0.0    255.255.128.0  169.254.128.128     10.0.101.200     45
        192.168.137.0    255.255.255.0         On-link     192.168.137.1    311
        192.168.137.1  255.255.255.255         On-link     192.168.137.1    311
      192.168.137.255  255.255.255.255         On-link     192.168.137.1    311
        192.168.178.0    255.255.255.0         On-link   192.168.178.222    281
      192.168.178.222  255.255.255.255         On-link   192.168.178.222    281
      192.168.178.255  255.255.255.255         On-link   192.168.178.222    281
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
            224.0.0.0        240.0.0.0         On-link   192.168.178.222    281
            224.0.0.0        240.0.0.0         On-link     192.168.137.1    311
            224.0.0.0        240.0.0.0         On-link      10.0.101.200    291
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      255.255.255.255  255.255.255.255         On-link   192.168.178.222    281
      255.255.255.255  255.255.255.255         On-link     192.168.137.1    311
      255.255.255.255  255.255.255.255         On-link      10.0.101.200    291
    ===========================================================================

     

    Meanwhile, all interfaces on the router have either a fixed IP address or are disabled. I do not have any virtual interfaces or bridges configured. So where did the VPN server pick up such an address from? From which router interface?
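An added example, not part of the original thread and not Sophos code: a small Python script that applies the check this post and the policy above are about. It parses the `route print` output with the rule Windows uses (longest prefix, then lowest metric), confirms that every network in the policy's `child.remote_ts` is routed out of the VPN virtual IP 10.0.101.200, and flags any next hop inside 169.254.0.0/16 (RFC 3927 link-local). The SNMP server address 10.0.0.10 is an assumption; the thread never gives it. One caveat: on a point-to-point virtual adapter a placeholder link-local next hop is sometimes normal, because the adapter driver itself answers for it, so treat the flag as a lead for the packet capture suggested elsewhere in the thread rather than a verdict.

```python
import ipaddress
import re

# Relevant rows of the "route print" output posted above (loopback, multicast
# and the second LAN adapter omitted for brevity).
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.178.1  192.168.178.222     25
         10.0.0.0        255.0.0.0  169.254.128.128     10.0.101.200     45
     10.0.101.200  255.255.255.255         On-link      10.0.101.200    291
      52.5.76.173  255.255.255.255  169.254.128.128     10.0.101.200     45
       172.16.0.0      255.240.0.0  169.254.128.128     10.0.101.200     45
      192.168.0.0    255.255.128.0  169.254.128.128     10.0.101.200     45
    192.168.178.0    255.255.255.0         On-link   192.168.178.222    281
"""

# child.remote_ts from the Sophos Connect policy posted above.
REMOTE_TS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/17", "52.5.76.173/32"]

# destination  netmask  gateway  interface  metric
ROUTE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Parse Windows 'route print' rows into (network, next_hop, interface, metric).

    next_hop is None for On-link routes. Header and non-IPv4 rows are skipped.
    """
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dest, mask, gw, iface, metric = m.groups()
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            iface_ip = ipaddress.ip_address(iface)
            next_hop = None if gw == "On-link" else ipaddress.ip_address(gw)
        except ValueError:
            continue
        routes.append((net, next_hop, iface_ip, int(metric)))
    return routes


def lookup(routes, target):
    """Route Windows would pick for target: longest prefix, then lowest metric."""
    target = ipaddress.ip_address(target)
    matches = [r for r in routes if target in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))


def link_local_next_hops(routes):
    """Routes whose next hop lies in 169.254.0.0/16 (RFC 3927 link-local)."""
    return [r for r in routes if r[1] is not None and r[1].is_link_local]


def policy_coverage(routes, remote_ts, vip):
    """For each policy traffic selector: is it routed out of the VPN virtual IP?"""
    vip = ipaddress.ip_address(vip)
    result = {}
    for ts in remote_ts:
        net = ipaddress.ip_network(ts)
        r = lookup(routes, str(net.network_address))
        result[ts] = r is not None and r[2] == vip and r[0].supernet_of(net)
    return result


def diagnose(text, remote_ts, vip, snmp_server):
    """Summarise how traffic to snmp_server would leave this client."""
    routes = parse_routes(text)
    r = lookup(routes, snmp_server)
    return {
        "route": str(r[0]) if r else None,
        "next_hop": "On-link" if r is None or r[1] is None else str(r[1]),
        "next_hop_is_link_local": bool(r and r[1] and r[1].is_link_local),
        "remote_ts_via_vip": policy_coverage(routes, remote_ts, vip),
        "link_local_next_hops": sorted({str(x[1]) for x in link_local_next_hops(routes)}),
    }


if __name__ == "__main__":
    # 10.0.0.10 is an assumed address for the SNMP server behind the firewall;
    # the thread does not give the real one.
    for key, value in diagnose(ROUTE_PRINT, REMOTE_TS, "10.0.101.200", "10.0.0.10").items():
        print(f"{key}: {value}")
```

Run against the posted table, the script reports that 10.0.0.10 is matched by 10.0.0.0/8 with next hop 169.254.128.128, that all four `remote_ts` networks do leave via 10.0.101.200 (so the policy itself covers the server's network), and that the only link-local next hop in use is 169.254.128.128. Paste a fresh `route print` into `ROUTE_PRINT` to repeat the check after switching clients, as the original poster did with the SSL clients.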

     

     

  • Hello Michal,

    That IP address is the WAN IP address of the gateway you are connecting to. You will find the defined gateway in the "gateway": attribute in the policy. Please let me know if you have any questions on this.

    Ramesh

  • Hello Michal,

    It is possible you have a very restrictive firewall rule that could be blocking traffic to UDP/161. Please check the logs on the firewall and/or capture packets on the firewall destined for the SNMP server. That will help to narrow down the problem you are having.

    Ramesh

  • Thank you again. We have two WAN gateways, the main one and the reserve one. Both have a fixed IP address.

    Before asking questions on the group, I checked the firewall's settings and logs several times, and all the SNMP traffic is passed both ways. The problem is the strange gateway that appeared on the client. In the case of a normal SSL connection, the gateway address is the VPN server address on the router, which is why the communication works. But in the case of Sophos Connect the gateway is an address going nowhere, and the packets no longer return to the router.
    I would like to determine where this address comes from. Is it possible to look through the configuration files of the Sophos Connect server on the router via SSH?

  • You wrote: "You will find the defined gateway from this attribute "gateway": in the policy"

    The gateway address in the policy is exactly the same as the address of our main WAN gateway. In the configuration I have pasted, I replaced it with a.b.c.d.

  • Michal,

    The address you have specified, 169.254.128.128, is not a routable address. So the first question is: when you enable the connection in Sophos Connect, is the connection getting established? Based on the route table you have attached to the post, it does look like it is established. Can you then do a ping test and confirm you are able to get bidirectional traffic going through the tunnel? But then the IP as seen in the route table is non-routable. So something is missing here which I cannot figure out without additional details. Let me know the answers to the above and then we can go to the next step.

    Ramesh

  • Hello Michal,

    There is one other thing that I think the problem is due to. Probably in your case you are not getting a Virtual IP, and as a result a non-routable IP address is getting assigned to the remote networks. That is the problem. If you open the Open VPN logs, you can search the logs for "Virtual" and see if there are errors there.

    Ramesh

