Cannot access intranet websites over VPN.

Question

We are using OpenVPn on our Sophos firewall. Yesterday I upgraded from SFOS 18.0.5 MR-5-Build586 to SFOS 19.0.0 GA-Build317. 
 We have a number of intranet websites running in docker containers on a single server. After the upgrade they are fully accessible through the intranet, the server and docker containers are all up and running fine. 
 Before the upgrade, the intranet websites could all be accessed over OpenVPN. After the upgrade they cannot. 
 The logs report that the relevant firewall rule is working fine and allowing access. They show 1 packet incoming and 1 packet outgoing on the connections. 
 Using wget to test the website, I get the error "Connection refused." 
 TCP dump on the docker server shows no packets at all. 
 PCAP on the firewall shows a SYN packet incoming and an RST packet outgoing. 
 The problem happens with both port 80 and port 443 connections. 
 All other OpenVPN traffic is fine (ping, SSH, VNC). 
 
 Does anyone have any clues?

RickardNordahl · Accepted Answer

Can you try one more thing, the rule that handles the internal resources, can you create a rule above for only the Intranet server and set it to use proxy instead of DPI an see if that works, come to think of it that is another workaround we did on another firewall, it worth a shoot. 
 //Rickard

Dynautics IT Admin · Answer

Rickard, I love you, please have my babies. 
 The firewall rule for inbound VPN already had the "Use web proxy instead of DPI engine" option checked. I unchecked it and now it works perfectly! 
 
 Thankyou, so much.

Alok · Answer

can you check your firewall rule for allowed host? there is a change in the SSLVPN lease IP range during migration and if firewall rule is not tuned accordingly you may see resource access issue for certain users. 
 https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/132121/ssl-vpn-ipv4-lease-range-changes-in-sfos-v19

Cannot access intranet websites over VPN.

Top Replies