

weird behavior that I expect not a VPN problem but need to ask

First, I don't believe this is a VPN problem, but I'm making sure I cover all bases.

Recently our VPN users have started to see a problem when they VPN in to our network. They are accessing files on a Linux server via an editor on their laptop that is VPN'd in. Some use Notepad++ and others use NoteTab Light to access the files. When they make changes and save the file, the file on the Linux server either gets blanked out or is corrupted so that you can't open it any more.

So for testing I first tried modifying a test file on my desktop on the inside network (no VPN). It works like it should: saving does not corrupt the file and everything is good. I then VPN'd in from outside on a laptop using the same editor and file, and the file gets corrupted. I tried MS Notepad, Notepad++ and NoteTab Light; all cause the file on the Linux side to go bad.

My guess is the Windows and/or Linux side is causing the problem. Has anyone else seen something like this? I don't see how the VPN would be causing it, but I'm no expert.

I can't pinpoint the time frame, but it looks like this started to be a problem within the last two months.

John



  • Hi  

    Thank you for providing in-depth details of the issue.

    Are you facing this issue with all the VPN users?

    Which VPN are you using to connect and edit the file on the Linux server?

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Most of the users that VPN do not need to edit files on the Linux server (our ERP).  But a few of the ones that do have contacted me on this.  So a small portion of all VPN users are affected, but it does seem all of the ones that edit files are having this problem. 

     

    We are using the Sophos VPN from the Sophos firewall. I'm not the main firewall admin, but I am the main admin for the ERP and all Linux servers. That's why I got this question to resolve. :-)

    I've taken a laptop and connected to the inside with a local copy of the editor and tried modifying the file; it works. Then I connect the laptop via VPN and bad things happen to the file.

    Again, I don't think it is the VPN, but on the surface that is the only difference.

     

    john

  • Hi  

    I understand your concern, but if you could collect the details from the firewall admin regarding the VPN connection type and the firewall rules created to allow VPN traffic, we can get a better idea of how to narrow down the issue. We do not have a history of such an issue being reported by customers in the field. This information will help us to assist you better.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • The network admin is busy right now, so you're stuck with me.

    We are using SSL VPN on an XG firewall, ver. XG450 (SFOS 17.5.9 MR-9), in active-passive (we have 2 devices).

    There is one firewall rule that allows VPN traffic in; it allows any services, and everything else on the setup looks default.

  • Hi  

    We will need to review the firewall rules to see if there is any protection put in place on that rule.  It is possible that the AV scanner or IPS/ATP could be causing trouble with the file.  However without knowing the rule configuration, it will be a best-guess answer.  

    You can try using another VPN, either the Sophos Connect Client or the L2TP setup.

    Thanks.

    KingChris
    Community Support | Sophos Support


  • The rule looks like this. I changed things like the networks to show 10.xxx rather than our true values for security reasons; other than things like that, this is the rule configuration. To me it looks like mostly a default setup for a rule.

     

    Rule name: vpn-xxx
    Description:
    Rule group: None

    Source Zones: VPN TYPE=VPN DeviceAccess=Ping/Ping6, HTTPS, Wireless Protection, User Portal, SNMP
    Source networks and devices: Any
    During scheduled time: All the time

    Destination zones:
    Lan Members=Port1, Port10, Port9, Port_Chan1, Port_Chan1.15 Type=LAN DeviceAccess=Ping/Ping6, HTTPS, SSH, DNS, Captive Portal, Radius SSO, Wireless Protection, SSL VPN, Web Proxy, User Portal, Client Authentication, SMTP Relay, SNMP, Chromebook SSO
    Academic Members=Port2.79 Type=DMZ DeviceAccess=Ping/Ping6, DNS, SSL VPN, Web Proxy, User Portal, SMTP Relay, SNMP

    Destination networks: 10.xxx/16, 10.yyy/16, 10.zzz/16
    Services: Any

    Match known users - unchecked

    Scan HTTP - unchecked
    Decrypt & scan HTTPS - unchecked
    Scan FTP for malware - unchecked

    Intrusion prevention: generalpolicy
    Traffic shaping policy: None
    Web Policy: None
    Apply web-category-based traffic shaping policy - unchecked
    Application control: None
    Apply application-based traffic shaping policy - unchecked

    Minimum source HB permitted: No restriction
    Minimum destination HB permitted: No restriction

    Rewrite source address - unchecked
    primary gateway: None
    DSCP marking: Select DSCP marking

  • Hi  

    Thanks for that information.

    You do have IPS configured on the rule.  You could try without IPS to see if that helps at all.

     

    You can review this KB article that may help you rule out the firewall:  https://community.sophos.com/kb/en-us/127189

    Thanks!

    KingChris
    Community Support | Sophos Support


  • Our network admin says we need IPS, but is willing to temporarily turn it off for testing. Will do that in the next day or so. He was not hopeful that would be the cause.

  • Late Friday the network admin turned off IPS and I tested. I was able to modify the file and save it without corrupting the file. He turned IPS back on and said he would work with me later to figure out what is causing the problem when IPS is on.

    It will be a week or so, as he is on vacation now.

     

    john

  • Hi  

    Glad you were able to narrow it down.

    You may have to create a custom IPS policy using signatures that are pertinent to your environment. So if you are not running any Linux servers, do not choose Linux IPS patterns to use.

    Please do keep us updated.

    Thanks.

    KingChris
    Community Support | Sophos Support


  • The network admin had a few minutes to do some more testing this morning and he thinks the text editors are trying to do something over port 445 when saving the file. He ran out of time and did not get further. He said that port 445 sounds like it should be blocked.

     

    So that's the latest.

     

    john

  • Hi  

    Port 445 is the CIFS port, aka SMB/file sharing.

    It is possible that IPS is blocking it due to running of older SMB version on your network.  If you remove all IPS policies that state "SMB", then it should work.

    Thanks!

    KingChris
    Community Support | Sophos Support
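
Added example (not part of the original thread and not Sophos code): before tuning IPS signatures that mention SMB, it helps to confirm which SMB family the traffic on port 445 actually uses. This Python sketch classifies a single TCP payload as SMB1 or SMB2/3 and lists the dialects an SMB1 negotiate request offers; the sample messages are constructed here, not captured from any real network.

```python
import struct

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB1_HEADER_LEN = 32      # fixed SMB1 header size
SMB1_NEGOTIATE = 0x72     # SMB_COM_NEGOTIATE
SMB1_FLAG_REPLY = 0x80    # set in the Flags byte on server responses


def strip_session_header(payload):
    """Remove the 4-byte framing (0x00 + 24-bit length) used for SMB over TCP 445."""
    if len(payload) < 4 or payload[0] != 0x00:
        raise ValueError("not an SMB session message")
    length = int.from_bytes(payload[1:4], "big")
    if len(payload) - 4 < length:
        raise ValueError("truncated SMB message")
    return payload[4:4 + length]


def smb1_offered_dialects(msg):
    """Dialect strings listed in an SMB1 NEGOTIATE request."""
    pos = SMB1_HEADER_LEN + 1 + 2 * msg[SMB1_HEADER_LEN]   # skip WordCount + words
    (byte_count,) = struct.unpack_from("<H", msg, pos)
    data = msg[pos + 2:pos + 2 + byte_count]
    # Each entry is a 0x02 buffer-format byte followed by a NUL-terminated string.
    return [d[1:].decode("ascii") for d in data.split(b"\x00") if d[:1] == b"\x02"]


def classify(payload):
    """Report the SMB family of one message and, for SMB1 negotiate requests, the dialects."""
    msg = strip_session_header(payload)
    if msg[:4] == SMB2_MAGIC:
        return {"family": "SMB2/3", "dialects": []}
    if msg[:4] != SMB1_MAGIC or len(msg) < SMB1_HEADER_LEN + 3:
        raise ValueError("not an SMB message")
    is_request = not msg[9] & SMB1_FLAG_REPLY
    dialects = smb1_offered_dialects(msg) if msg[4] == SMB1_NEGOTIATE and is_request else []
    return {"family": "SMB1", "dialects": dialects}


def build_smb1_negotiate(dialects):
    """Constructed sample input: a minimal SMB1 NEGOTIATE request with a zeroed header."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    msg = SMB1_MAGIC + bytes([SMB1_NEGOTIATE]) + bytes(27) + b"\x00"
    msg += struct.pack("<H", len(data)) + data
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


if __name__ == "__main__":
    print(classify(build_smb1_negotiate(["NT LM 0.12"])))
```

A client that offers only `NT LM 0.12` is limited to SMB1, while one that also lists an `SMB 2.` dialect can move to SMB2 if the server supports it.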


  • Yes, our ERP server still needs SMB1. We've been waiting for the provider to figure out how to run on SUSE 15. They missed two proposed release dates for the update.

     

    I will pass this on to my network guy.

     

    john

  • The network admin made IPS rules for the VPN to allow SMB1. We tested again and it is still failing.

    Probably time to open a trouble ticket with Sophos.

     

    john