Sophos SSL VPN Dishing Out Same IP to Multiple Users

So we are having an issue whereby:

  1. Every time a client disconnects and reconnects over the SSL VPN using Sophos Connect they are getting a new IP address (not sure if this is expected behavior)?
  2. Sophos is giving the same IP to multiple users / workstations, often in the same day, leading to multiple DNS entries for the same IP for different laptops, creating all sorts of issues.

Any advice on expected behavior and how to resolve short of setting a really short aging and scavenging cycle in DNS which is less than ideal?



This thread was automatically locked due to age.
  • Hello there,

    Thank you for contacting the Sophos Community.

    This is expected behavior, as the DHCP is handled by a different service than the real DHCP. You can, however, set a static IP for the Sophos Connect Client users under Configure >> Authentication >> Users >> XXXXX >> SSL VPN Policy >> IPsec Remote Access, and set one IP from the range of IPs you use for Sophos Connect.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Tried this, and for SSL on the Sophos Connect client this doesn't work. I assume, given that it says IPsec remote access IP, it applies only to IPsec remote tunnels rather than SSL, and there is no ability to set a static for this at a per-user level currently?

  • Hello there,

    My bad, I skipped the part about the Sophos Connect. Yes, currently there’s no way to set a static IP at a per-user level for SSL VPN.

    I am not sure though if this KB would work for you as a workaround.

    Regards,


     
    Emmanuel (EmmoSophos)
  • I'm afraid that workaround is not really scalable to more than one user.

    Bit odd, given how crucial client VPN access is, quite how lacking the XG is in terms of configurability, and the disjoint of features shared and not shared between IPsec and SSL is very disappointing, having moved from WatchGuard to this.

  • Confirmed with Support that the default behaviour for the SSL VPN [assume the same for IPSEC] is that as soon as a user drops / disconnects that IP is then made available to the next client that connects. There is no lease time set for IP addresses dished out via the SSL VPN and no means of setting a lease time on the backend. We have had to set a short DNS scavenging time to avoid issues.

    To me this is an issue that needs resolving. Even our old and pretty rubbish WatchGuard let us set a lease time for IP addresses dished out via IPsec and SSL, and I can't believe that others are not seeing a similar issue.
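
The address reuse described in this thread leaves several hostnames registered against one VPN pool address. The following is an added example, not part of any post above and not Sophos code: it scans an export of dynamic A records and reports, per reused address, the most recent registrant and the names that are stale. The CSV column names, the sample rows and the `10.99.0.0/24` pool are constructed assumptions, and it assumes each client registers its name when it connects.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample: an export of dynamic A records (hostname, IP, last
# registration time). The column names and the pool below are assumptions.
SAMPLE_EXPORT = """hostname,ip,timestamp
laptop-01,10.99.0.6,2021-03-02T08:05:00
laptop-02,10.99.0.6,2021-03-02T11:40:00
laptop-03,10.99.0.7,2021-03-02T09:15:00
laptop-04,10.99.0.6,2021-03-02T14:20:00
fileserver,192.168.10.5,2021-01-10T07:00:00
"""
VPN_POOL = ip_network("10.99.0.0/24")  # hypothetical SSL VPN address pool


def find_stale_records(export_text, pool=VPN_POOL):
    """Return {ip: (current_host, [stale_hosts])} for reused pool addresses.

    With no lease time, only the newest registration for an address can
    still be valid; older names on the same IP are stale.
    """
    by_ip = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        if ip_address(row["ip"]) not in pool:
            continue  # ignore records outside the VPN pool
        seen = datetime.fromisoformat(row["timestamp"])
        by_ip[row["ip"]].append((seen, row["hostname"]))

    report = {}
    for ip, entries in by_ip.items():
        if len({host for _, host in entries}) < 2:
            continue  # one name per address: nothing to clean up
        entries.sort()  # oldest first, newest last
        current = entries[-1][1]
        stale = [host for _, host in entries[:-1] if host != current]
        report[ip] = (current, stale)
    return report


if __name__ == "__main__":
    for ip, (current, stale) in find_stale_records(SAMPLE_EXPORT).items():
        print(f"{ip}: current={current} stale={', '.join(stale)}")
```
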

  • Hello there,

    Thank you for the feedback. As mentioned, this is expected at the moment when using SSL VPN; you can, however, use Sophos Connect (IPsec) to achieve the static IPs.

    The SSL VPN static IPs are targeted for v19.

    Regards,


     
    Emmanuel (EmmoSophos)