
Automatic deactivation of VPN connection

Hi,

 

Sophos Connect automatically deactivates the VPN connection when it detects an "unstable" connection to the Internet. Unfortunately, this means that even if the automatic connection setup option is enabled, manual intervention is required. How can I completely disable this useless functionality?



This thread was automatically locked due to age.
  • Hello Michal,

     

    Please check for the following. In the XG WebUI, go to Sophos Connect client Policy page and under Advanced Settings make sure Disconnect when tunnel is idle is not enabled.

     

    Secondly I do not understand this statement "Unfortunately, this means that even if the automatic connection setup option is enabled, manual intervention is required". What manual intervention is required?

    Ramesh

  • Hello Ramesh,

    On the client computer, Sophos Connect has been configured with the autoconnect option enabled. Unfortunately, it has already happened twice that the VPN connection has been deactivated by itself. The Sophos Connect icon was crossed out with a red cross, and notifications of Windows 10 showed "Unstable Internet connection detected, connection has been disabled". Return to normal operation was possible only after manual intervention, that is after clicking the Connect button.
    Because remote access to the client's computer is possible only through the VPN tunnel, and this one does not work, as you can guess it is very annoying ...

    In the Sophos Connect server configuration, the option you are asking for is turned off.

     

     

    I also attach the preview of the Sophos Connect client log.

     

    Regards,

    Michal

  • Hello Michal,

     

    Can you check the system uptime on the gateway? Is it up for a longer time than when this condition occurred? From the logs it seems like the gateway stopped responding and hence the connection was disabled.

     

    Ramesh

  • Hello,

     

    The gateway uptime was 4 days, so this is not the cause. I sent connection logs to priv.

     

    Regards,

    Michal

  • Sophos Connect can permanently turn off in different situations. All it takes is for the Internet to be disconnected for a few minutes. How can I make it never go into the disabled status?

     

  • Hello Michal,

     

    Does this happen on random clients and is it reported by multiple users? Or is it happening from one particular machine only? It is possible there is some other process that could cause the client to send out ESP traffic but the return traffic is blocked. When there is one-way traffic, the client sends out DPD (Dead Peer Detection) packets. Since it is not getting a response to them, it will time out and result in the situation you are seeing. How long does it take before the situation happens? You may have to run a packet capture with a filter so when the situation happens we have the data to look into and see the problem first and then see what could be causing that.

     

    Since the connection is configured with Auto-connect enabled (using Sophos Connect Admin), when the internet is disconnected the client will detect that condition and go to the outage page. As soon as the internet is restored, the client will automatically reconnect.

     

    Thank you,

    Ramesh
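
An added example (not part of the original thread and not Sophos code): one way to check a capture for the one-way traffic condition described in the reply above, where the client keeps sending ESP/IKE packets but nothing returns from the gateway. The capture summary format, the addresses (documentation ranges) and the 60-second threshold are assumptions made for illustration.

```python
import csv
import io

CLIENT = "198.51.100.10"   # assumed client address (documentation range)
GATEWAY = "203.0.113.1"    # assumed gateway address (documentation range)

# Constructed sample: simplified capture summary, one packet per line
# (epoch seconds, source, destination, protocol). Not real thread data.
SAMPLE = """\
time,src,dst,proto
100,198.51.100.10,203.0.113.1,ESP
101,203.0.113.1,198.51.100.10,ESP
130,198.51.100.10,203.0.113.1,ESP
160,198.51.100.10,203.0.113.1,IKE
190,198.51.100.10,203.0.113.1,IKE
220,198.51.100.10,203.0.113.1,IKE
300,203.0.113.1,198.51.100.10,IKE
301,198.51.100.10,203.0.113.1,ESP
"""


def one_way_windows(capture_csv, client, gateway, max_silence=60.0):
    """Return (start, end, unanswered_count) for every span in which the
    client kept sending to the gateway but received nothing back for more
    than max_silence seconds."""
    windows, run = [], []   # run holds times of unanswered outbound packets

    def close(end):
        # A reply (or the end of the capture) ends the current run.
        if run and end - run[0] > max_silence:
            windows.append((run[0], end, len(run)))
        run.clear()

    last = None
    for row in csv.DictReader(io.StringIO(capture_csv)):
        t = float(row["time"])
        if (row["src"], row["dst"]) == (client, gateway):
            run.append(t)
        elif (row["src"], row["dst"]) == (gateway, client):
            close(t)
        last = t
    if last is not None:
        close(last)         # capture ended while still unanswered
    return windows


if __name__ == "__main__":
    for start, end, count in one_way_windows(SAMPLE, CLIENT, GATEWAY):
        print(f"one-way traffic {start:.0f}-{end:.0f}s, {count} unanswered packets")
```

Comparing the reported windows with the time the client showed the "disabled" state indicates whether return traffic had stopped before the client gave up.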

  • Hello Ramesh,

    Today, the Sophos Connect service has been turned off twice:
    - the first time during a 20-minute break in Internet access caused by work on the operator's network devices
    - the second time I restarted only the router with which I set up a VPN connection. However, the Internet worked properly.
    Unfortunately, in both cases I had to manually restore the connection.
    Sophos Connect is installed on two computers and both turned off at the same time.

    The scx file configuration has the following entry:
    "Auto_connect": {
        "Name": "10.77.77.254",
        "Required": false,
        "Enabled": true
    }
    Maybe I should change "required" to true? I will also try to set a different IP address for autoconnect checking.

  • Hello Michal,

     

    When you had the 20-minute break in internet access you should get this outage page. If you just leave it that way, then when the internet access is restored Sophos Connect will automatically connect.

     

    This setting is correct. No changes required here.

    The scx file configuration has the following entry:
    "Auto_connect": {
        "Name": "10.77.77.254",
        "Required": false,
        "Enabled": true
    }

     

    Second time when you restarted the router, then Sophos Connect will send DPD packets and after timeout it will try one more time and then give up. In this case you have to manually enable the connection.

    Best,

    Ramesh

  • And here is my problem. The Internet has come back, but the VPN connection has not been established, the app has been in the "disabled" state all the time. It was the same after restarting the router with XG Firewall. In both cases I waited about 10 minutes.

    According to my observations, after switching into the "disabled" state, it is not able to reconnect. This can only be done manually. Hence my question - is there any setting that is able to disable this application behavior? Thank you.

  • Hello Michal,

     

    Can you reproduce the two problems and then send me the Technical Support Report from the client in a PM? Also let me know the times at which you tried the two issues. Also make sure you are running Sophos Connect 1.2.5.0202 on Windows, or if you are using Mac then you should have 1.2.193.0201.

     

    Best Regards
    Ramesh

  • We are also having this exact issue.  Case #8793563 has been logged.

     

    Our field devices have cellular (LTE). Our staff has reported that in long periods of transitioning between cellular to wifi/wired (inside our facility) or long periods of disconnects, this event occurs frequently and will not reconnect unless the end-user interacts and manually connects again.

  • Hello Wkeit,

     

    Can you please PM me the TSR from the Client that is having the problems you have mentioned? You can get the TSR from the About page of Sophos Connect Client.

     

    Ramesh

  • Hello,

     

    I checked the logs and I think the connection is not configured properly. Here is the log I see.

     

    Auto-connect not enabled on for any connections

     

    How are you setting up the connection? Are you importing a tgb file or a scx file? Auto-connect can ONLY be enabled if you are using Sophos Connect Admin to enable it. So please check and then let me know.

     

    Best Regards,

    Ramesh

  • You know what, mine is configured to not automatically connect. Apologies, I had made a modification a few days ago.  Attached now is the correct configuration for other staff that is supposed to auto-connect.

     

    Regarding the configuration process - I import the tgb into Sophos Connect Admin, made modifications, saved it and then imported the scx file.

    2043.scvpntsr.zip

  • Hello WKEIT,

    Sophos Connect 1.3 is released and it is now available via your firewall via pattern update. You can go to System->Backup & Firmware->Pattern Updates and click Pattern update now to download it in case it is not there already.

    Please do let us know how this new version works for you after a week of usage. Looking for feedback from customers for this new release.

    Thank you,

    Ramesh