This discussion has been locked.

Old IPsec VPN automatically populates in Sophos Connect client after switching to SSL VPN

So I have kind of a weird one. We were using IPsec for endpoint user VPN access and we recently switched to SSL VPN. We are using the Sophos Connect 2.1 client and created a brand new .pro file for the SSL VPN connection. We turned off IPsec remote access on the FW. Whether you delete the old config file in the Sophos Connect client or are a new user being set up... once you connect to the SSL VPN, it somehow populates the Sophos Connect client with the old IPsec VPN configuration as well. I feel like this has something to do with how the Sophos Connect client uses the end user portal on the back end. I am not sure how to get it to stop automatically pulling down a config that is turned off.

Upon reboot of the PC, the Sophos Connect client has the IPsec connection (currently disabled on the FW) in the first position and the SSL VPN connection in the second position, so users automatically connect to the incorrect connection.

It is causing a support headache and I am really confused at how these devices are "pulling down" a config, as it is not my understanding of how this Sophos Connect client works...

Any assistance or insight on how to stop this would be really appreciated!



  • FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    Did you remove the user from the IPsec remote access profile before using the new .pro file?

    The Sophos Connect provisioning file (.pro) allows you to provision IPsec and SSL VPN connections by connecting to the user portal. If the user belongs to both IPsec and SSL VPN, Connect Client will automatically import the IPsec remote access (.scx) and SSL VPN remote access (.ovpn) configuration files into the Sophos Connect client on users' endpoints.

    Thanks,

  • The Open Group had the IPsec Profile assigned and that may have been causing the issue. I disabled it and am having some users test. Thanks for the help, I will follow up soon with results.

  • We tested by making sure all profiles are removed from all users and groups and we are still getting this connection pushed upon disconnecting the SSL VPN. The issue is that this disabled connection becomes the first one in the list and users cannot differentiate between the SSL VPN connection and the IPsec connection, which is again... disabled everywhere I can see.

  • Just wanted to bump this thread because the issue is not resolved with your suggestions. Thanks!

  • FormerMember in reply to Brian Straka

    Hi,

    Could you please try to restart the SSL VPN service for testing? Let me know if restarting the SSL VPN service with the following command helps resolve this issue:

    Connecting to the Advanced Shell

    1. To connect using SSH, you may use any SSH client to connect to port 22 of the SFOS device.
    2. Select option 5 Device Management.
    3. Select option 3 Advanced Shell.

    service sslvpn:restart -ds nosync

    If restarting the sslvpn service doesn't resolve your issue, open a support case at support.sophos.com for in-depth troubleshooting and send me the case number via personal message to help with the case follow-up.

    Thanks,

  • You need to "Reset" the config of IPsec to disable the IPsec auto provisioning.

    "Reset" should do the job.
    e.g.
    a. Configure SSL (user X) / IPsec (user Y).
    b. Use the .pro file for user "X". You will get both configs, SSL and IPsec.
    c. Use the "Reset" button under VPN -> IPsec (remote access). Now use the .pro file again and see whether you get both configs or only the single SSL one.
