
SSLVPN random DNS issue

I have an issue with SSLVPN where accessing DNS resources sometimes doesn't work, but usually it does.

Let me explain:

You connect to SSLVPN, routes are set, you can ping the IP of our internal fileserver 10.0.3.20.

You can nslookup the DNS name, e.g. "fileserver.thinksurance.local" and it will show 10.0.3.20.

But when you "ping fileserver.thinksurance.local", there is no way of establishing a connection.

Either ping, trying to access the fileshares, RDP or whatever doesn't work with the DNS, only using the IP works in that scenario.

It is happening on our Sophos XG since forever, I tried multiple firmware versions (from 18.0.5 MR-2 up until MR-5-Build586).

It's affecting Windows 10 clients using either Sophos SSL VPN client and Sophos Connect, but also MacBooks with Tunnelblick.

Fixing the issue sometimes requires a reconnect, but usually an entire reboot of the client.

ipconfig /flushdns, reconnecting their WiFi etc. has no effect.

There are also no GPOs or anything special on those clients, and of course no GPOs on the MacBooks.

I tried SSLVPN with TCP and UDP, and tried having the XG as DNS (with the IP of the FW added in the "Permitted network resources", of course).

Our DNS servers are our domain controllers running Windows Server 2019 (10.0.3.10, 10.0.3.11).

Current settings:

Compression is disabled (had issues with MacOS with that)

Internally, where our XG is also the gateway between clients and our servers, we have no issues at all.

There is also no firewall rule denying any traffic, it is VPN to LAN and ANY port, no IPS, AV, Application Control or anything running on that rule, only logging is activated.

The rule has as source network "SSL VPN - 10.0.33.0/24" and destination "VLAN 3 - VMs / Applications - 10.0.3.0/24"

"Match known users" is active and the correct group is added.

Sophos Support told me to use "use as default gateway" and closed my ticket. But I don't want everybody's video calls going through our firewall, which is extremely unnecessary, and we also don't have the bandwidth for that.

Honestly I also don't see why... it usually works for the majority.

Here is the remote access group:

Disconnect idle clients is active and default 15 minutes.

The firewall itself uses DNS 1 - 10.0.3.10 and DNS 2 - 10.0.3.11. I also set up a DNS request route for thinksurance.local to 10.0.3.10 and 10.0.3.11.

Nothing helped so far, but the XG is also not used for DNS, so there was no hope.

Our clients are Lenovo Notebooks (T460, T480, T490 and T14) all with the latest Windows Updates and WiFi drivers etc. installed.

Also MacBooks (MacBook Pro 2020 with Intel) and recently I had that issue with my MacBook Air with M1.

Please, if you have any idea what else I could check, let me know.

I had the exact same setup at another company and never any issues, but we were running XG version 17.X.

But I also don't think that this is an issue from version 18. This firewall has been upgraded from 17.X to version 18 when it was released, though.

Regards,

Pascal
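The symptom described in the post (nslookup resolves the name, ping by name does not) separates two resolution paths: nslookup sends its own query straight to the DNS server, while ping, SMB and RDP go through the operating system's resolver with its cache and per-interface server selection. The script below is an added diagnostic example, not from the post or from Sophos, that queries the server directly over UDP and compares the result with the OS resolver on the same client; the host name and DNS server addresses are constructed sample values taken from the post.

```python
import random, socket, struct
HOSTNAME = "fileserver.thinksurance.local"   # constructed: values from the post, adjust as needed
DNS_SERVERS = ["10.0.3.10", "10.0.3.11"]

def build_query(name, txid):  # minimal A/IN query with RD set, as nslookup sends it
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(buf, off):  # step over a possibly compressed name (RFC 1035 section 4.1.4)
    while buf[off] and buf[off] & 0xC0 != 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] else 1)  # a pointer is 2 bytes, the root label is 1

def parse_a_records(resp, txid):  # A addresses in a response; [] on wrong txid or error RCODE
    rid, flags, _qd, ancount = struct.unpack(">HHHH", resp[:8])
    if rid != txid or flags & 0x000F:
        return []
    off, addrs = _skip_name(resp, 12) + 4, []  # skip the echoed question (name, QTYPE, QCLASS)
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs

def query_direct(name, server, timeout=3.0):  # UDP/53 straight to the server, no OS resolver
    txid = random.randrange(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        return parse_a_records(s.recvfrom(512)[0], txid)

def query_system(name):  # OS resolver: the path ping, SMB and RDP actually take
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def diagnose(direct, system):
    if not direct:   # nothing straight from the server: tunnel or server problem
        return "dns-server"
    if not system:   # server answers, but the OS path used by ping/SMB/RDP fails
        return "os-resolver"
    return "ok" if set(direct) == set(system) else "stale-cache"

if __name__ == "__main__":  # run on a connected VPN client
    for srv in DNS_SERVERS:
        print(srv, diagnose(query_direct(HOSTNAME, srv), query_system(HOSTNAME)))
```

Running it while the fault is present tells you whether the answer still arrives from the domain controller through the tunnel (pointing at the client's resolver or VPN DNS configuration) or never arrives at all (pointing at the tunnel or the server).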
