Hi to all of you.
I have two Sophos XGS 136 in HA (active / passive); the firmware version is SFOS 18.5.3 MR-3-Build408.
IT infrastructure consists of:
All servers (Host and VMs) and clients are on the same subnet.
I have configured user authentication via Active Directory on the Sophos XG; users access via SSL VPN using their AD credentials and they are able to reach all the devices on the network (PC clients, NAS, network printers, access points, or the Hyper-V Host server), but not the Domain Controller VMs!
On the firewall, Active Directory Server authentication was originally set with "Plaintext" connection security, but at the moment it is set with SSL/TLS connection security (and the Test connection works).
There's no way to reach the DCs: ping, RDP session, share browsing on the file server, etc. always fail, but if I run the same tests against the Host Server, they work perfectly.
The DCs are also not reachable if I try to connect using an SSL VPN local user of the Sophos XG.
If Host Server and VMs are on the same subnet (10.0.0.0/24), can the problem be a bad traffic rules configuration?
PS: To exclude that it is a Hyper-V problem, I installed a Windows 10 VM on the Hyper-V Host server and it is perfectly reachable from the SSL VPN user.
PPS: Having a Qnap NAS at my disposal, I enabled the OpenVPN server on it; in this case SSL VPN (Qnap) users can perfectly reach the DC servers.
Can you help me to solve this big problem? Thanks for your support!
A quick peek at your "dumpvpncli" pcap shows what I assume would be your DCs at 10.0.0.201 and 10.0.0.202 repeatedly doing an ARP request for 10.81.234.6. This leads me to believe that the traffic from…
Broadcast domain (same subnet) traffic is likely to be reachable directly. That means the firewall is not involved.
The client from 10.0.0.10 will send the traffic directly to 10.0.0.1. The firewall will never see this traffic. If the SSL VPN is not working as well, it is likely a network problem within your Hyper-V / Server.
The problem is only from SSL VPN. SSL VPN clients are not on the subnet 10.0.0.0/24, they are on 10.81.234.0/24.
No problems trying to access the DCs from a PC client inside the network or accessing from outside using the Qnap NAS SSL VPN instead of the Sophos SSL VPN.
Can no one help me?
Hello,
You should do a tcpdump on the traffic arriving from the SSL VPN client, first to confirm the traffic directed to the DCs is actually making it to the tunnel. Then do another tcpdump on the interface where the traffic is meant to exit (the interface where the DC connects to) to see if the XG is sending the traffic out. If you see this is correct and don't see a reply back from the DC, most likely your hypervisor or VM is doing something with the traffic; most likely it might be the local firewall of the DCs blocking traffic not coming from the same subnet.
Regards,
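To make the captures suggested above easier to read, here is an added example (not part of this thread and not a Sophos tool) that parses a classic pcap file with only the Python standard library and reports the two symptoms discussed in the thread: ARP requests from LAN hosts for addresses outside the LAN subnet (what the earlier reply noticed from the DCs for 10.81.234.6), and TCP SYNs from the SSL VPN range that never receive a SYN-ACK. The LAN and VPN ranges are the ones posted in the thread; the embedded pcap bytes are constructed for the example, and the MAC addresses are placeholders.

```python
"""Added example: stdlib-only pcap triage for "host on LAN ARPs for a
VPN address" and "VPN SYN with no SYN-ACK".  Assumes a classic pcap
(not pcapng) with Ethernet link type; all sample data is constructed."""
import ipaddress
import struct

LAN = ipaddress.ip_network("10.0.0.0/24")     # from the thread
VPN = ipaddress.ip_network("10.81.234.0/24")  # SSL VPN client range


def read_pcap(data: bytes):
    """Yield raw Ethernet frames from classic pcap bytes (either byte order)."""
    magic, = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    pos = 24                                   # skip the global header
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len


def analyze(data: bytes) -> dict:
    """Return stray ARP requests and unanswered VPN-origin TCP SYNs."""
    stray_arp = set()   # (sender_ip, target_ip) with target outside LAN
    syns = {}           # (src, dst, sport, dport) -> saw a SYN-ACK?
    for frame in read_pcap(data):
        ethertype, = struct.unpack("!H", frame[12:14])
        if ethertype == 0x0806:                # ARP
            oper, = struct.unpack("!H", frame[20:22])
            spa = ipaddress.IPv4Address(frame[28:32])
            tpa = ipaddress.IPv4Address(frame[38:42])
            # A LAN host asking "who has <VPN address>" means it believes
            # that address is on-link, so its replies never go to the gateway.
            if oper == 1 and spa in LAN and tpa not in LAN:
                stray_arp.add((str(spa), str(tpa)))
        elif ethertype == 0x0800:              # IPv4
            ihl = (frame[14] & 0x0F) * 4
            if frame[23] != 6:                 # only TCP is interesting here
                continue
            src = ipaddress.IPv4Address(frame[26:30])
            dst = ipaddress.IPv4Address(frame[30:34])
            tcp = frame[14 + ihl:]
            sport, dport = struct.unpack("!HH", tcp[:4])
            flags = tcp[13]
            syn, ack = flags & 0x02, flags & 0x10
            if syn and not ack and src in VPN:
                syns.setdefault((str(src), str(dst), sport, dport), False)
            elif syn and ack:
                key = (str(dst), str(src), dport, sport)   # reverse direction
                if key in syns:
                    syns[key] = True
    return {
        "stray_arp": sorted(stray_arp),
        "unanswered_syns": sorted(k for k, v in syns.items() if not v),
    }


# ---- constructed sample capture (placeholder MACs, thread's IP ranges) ----
FW_MAC, HOST_MAC, DC_MAC = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x10", b"\x02\x00\x00\x00\x00\xC9"


def _eth(dst, src, etype, payload):
    return dst + src + struct.pack("!H", etype) + payload


def _arp_request(sender_mac, sender_ip, target_ip):
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sender_mac
           + ipaddress.IPv4Address(sender_ip).packed + b"\x00" * 6
           + ipaddress.IPv4Address(target_ip).packed)
    return _eth(b"\xff" * 6, sender_mac, 0x0806, arp)


def _tcp(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return _eth(dst_mac, src_mac, 0x0800, ip + tcp)


def _pcap(frames):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


SAMPLE_PCAP = _pcap([
    _tcp(FW_MAC, HOST_MAC, "10.81.234.6", "10.0.0.10", 50000, 3389, 0x02),   # RDP SYN to host
    _tcp(HOST_MAC, FW_MAC, "10.0.0.10", "10.81.234.6", 3389, 50000, 0x12),   # host answers
    _tcp(FW_MAC, DC_MAC, "10.81.234.6", "10.0.0.201", 50001, 3389, 0x02),    # RDP SYN to DC
    _arp_request(DC_MAC, "10.0.0.201", "10.81.234.6"),                       # DC ARPs for VPN IP
    _arp_request(DC_MAC, "10.0.0.201", "10.0.0.254"),                        # normal gateway ARP
])

if __name__ == "__main__":
    print(analyze(SAMPLE_PCAP))
```

Run it against a real capture with `analyze(open("dump.pcap", "rb").read())`; an entry in `stray_arp` paired with an unanswered SYN to the same host points at the host's own routing (or a local firewall dropping off-subnet sources, as the reply above suggests) rather than at the firewall rules.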
Thanks for your support! Today I will try to use tcpdump (I have never used it before).
However, I want to inform you that I have already tried:
1. turn off the DCs' firewall and antivirus -> nothing has changed
2. install a Windows 10 test VM on the same Hyper-V host -> all services work (ping, RDP, share browsing)
3. set up the OpenVPN server on the Qnap NAS -> DC servers are perfectly reachable from SSL VPN on the Qnap
emmosophos said:Hello, You should do a tcpdump on the traffic arriving from the SSL VPN client, first to confirm the traffic directed to the DCs is actually making it to the tunnel, then do another TCPdump on the Interface where the traffic is meant to exit (Interface where the DC connects to) see if the XG is sending the traffic out, if you see this is correct and don't see a reply back from the DC most likely your Hypervisor or VM is doing something with the traffic, most likely might be the Local Firewall of the DCs blocking traffic not coming from the same subnet. Regards,
I connected using SSL VPN, I launched tcpdump on the firewall, and I tried to connect to the DC server via RDP
This is the TCPDUMP to the Firewall Lan IP --> www.dropbox.com/.../dump_lanfire.pcap
This is the TCPDUMP to the client connected via SSL VPN --> www.dropbox.com/.../dumpvpncli.pcap
This is the TCPDUMP to the DC Server --> https://www.dropbox.com/s/3ip4zg9j8dvcqh9/dump_dcsrv.pcap?dl=0
I'm not able to read them :-( Could you please analyze them for me?
I also noticed that using the command pscp.exe -scp admin@10.0.0.254:/tmp/data/dumpvpncli.pcap c:/pscp I got: FATAL ERROR Network error: Connection timed out
The strange thing is that I was perfectly able to ping the firewall LAN IP (10.0.0.254) or open its administration page.
In order to download the pcap files, I had to connect with the VPN of the Qnap NAS!.
Please add the files to a ZIP file and upload it directly into the thread; I can't open external links.
Insert >> Image/Video/File >> Upload >> A new window will open >> Search your file >> Open >> OK
Hi Emmanuel. So sorry for this delay, but I had some personal problems. I uploaded the ZIP file. Thank you very much!
0243.tcpdump.zip
Do both DCs use the firewall's internal network interface as their default gateway?
Can you ping the DCs from the SSL VPN?
Mit freundlichem Gruß, best regards from Germany,
Philipp Rusch
New Vision GmbH, Germany
Sophos Silver-Partner
If a post solves your question please use the 'Verify Answer' button.
Yes, both DCs are using the Sophos firewall's LAN interface as default gateway; no, I can't ping them. I also tried to start a LAN scan with Advanced IP Scanner from my client connected on SSL VPN: all LAN nodes are present except for the 2 DCs.
If I start the same LAN scan from an internal PC (directly connected to the LAN), both DC servers are found.