
Assigning static ip to SSL VPN users results in Authentication failed when switching networks

Just upgraded from 19.5.0 GA-Build197 to 19.5.1 MR-1-Build278 in hopes that this would be resolved.

The issue is that mobile phones are unable to reconnect the SSL VPN when they roam between different networks, e.g. from a local Wi-Fi to a mobile ISP and vice versa.
This only happens if the user is assigned a static IP.
If I force-disconnect the connection in Current activities -> Remote users, the user is able to connect again immediately.

If I remove the statically assigned IP from the user, the user can roam OK between different networks, and Current activities -> Remote users now shows the user with more than one connection (with different source IPs).

My IPs/networks are:
192.168.88.0/24 - LAN
192.168.99.0/24 - SSL VPN
192.168.99.128/25 - SSL VPN Static ip range
192.168.99.130 - User assigned ip

The error and log on the phone: [screenshot: Mobile error and log]

SSLVPN global policy: [screenshot: SSLVPN Global policy]

SSLVPN policy: [screenshot: SSL VPN policy]

A user: [screenshot: User]

After the upgrade to the latest version there are now logs of these failures:


Is there any way to fix this, or is this a bug?



  • This seems to be related to this Bug: 

    NC-101947 SSLVPN:Static IP, with UDP, 2nd attempt of tunnel establishment auth_fails as ip address is not released when previous tunnel is disconnected

    A workaround could be to move to TCP instead of UDP. This would mean rolling out SSLVPN again.

  • Thank you for that find. I checked the Sophos Known Issues list before posting and I did not see that bug, and I still don't see it after selecting "Sophos Firewall". Where did you find the NC-101947?

    Unfortunately TCP has the same issue. The log also reports the same "User [username] failed to login to SSLVPN through Local authentication mechanism because of ip lease failed"

    I will remove the static IPs for now and wait for a fix.

  • Hi Lars,

    It's missing in the KIL and will get updated soon. If you are facing issues with TCP as well, I would suggest opening a support investigation ticket.

    Let us know the case ID and will track it from my end.

    -Alok

  • We replicated the same scenario and saw similar behavior in-house when switching from a Wi-Fi to a mobile data network, as the earlier connection does not get torn down gracefully on an abrupt network switch.

    You can set a 60 sec timeout at the Global level to overcome this problem quickly, as after this inactivity the session will be cleared and the new connection will get through.
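The failure mode and the two mitigations discussed in this thread (manual force-disconnect, and the global inactivity timeout) can be modelled in a few lines. The following is a constructed toy model added here, not Sophos code: the `SslVpnLeasePool`, `Session` and method names are assumptions, and it reproduces the thread's own log message when a static lease is still held by a stale session.

```python
"""Toy model of SSL VPN client-IP leasing (constructed example, not Sophos code).

A static-IP user may hold exactly one lease. When the phone switches networks
the old session is not torn down, so the new attempt is refused with the
"ip lease failed" reason quoted in the thread, until the old session is
force-disconnected or expires via the inactivity timeout.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def lease_failed_msg(user: str) -> str:
    # Wording taken from the log line quoted in the thread.
    return (f"User {user} failed to login to SSLVPN through Local "
            f"authentication mechanism because of ip lease failed")


@dataclass
class Session:
    user: str
    source_ip: str      # public IP the client connects from (Wi-Fi vs. mobile ISP)
    tunnel_ip: str      # leased SSL VPN address
    last_seen: float    # seconds; used for the inactivity timeout


@dataclass
class SslVpnLeasePool:
    dynamic_pool: List[str]                       # e.g. part of 192.168.99.0/24
    static_ips: Dict[str, str]                    # user -> fixed address
    inactivity_timeout: Optional[float] = None    # None: stale sessions never expire
    sessions: Dict[Tuple[str, str], Session] = field(default_factory=dict)

    def _leased(self) -> set:
        return {s.tunnel_ip for s in self.sessions.values()}

    def expire_idle(self, now: float) -> None:
        """Tear down sessions idle longer than the global inactivity timeout."""
        if self.inactivity_timeout is None:
            return
        for key, s in list(self.sessions.items()):
            if now - s.last_seen > self.inactivity_timeout:
                del self.sessions[key]

    def force_disconnect(self, user: str, source_ip: str) -> None:
        """Admin action: Current activities -> Remote users -> disconnect."""
        self.sessions.pop((user, source_ip), None)

    def connect(self, user: str, source_ip: str, now: float) -> str:
        """Return the leased tunnel IP, or the auth-failure log message."""
        self.expire_idle(now)
        static = self.static_ips.get(user)
        if static is not None:
            if static in self._leased():        # old session still owns the address
                return lease_failed_msg(user)
            tunnel_ip = static
        else:                                   # dynamic users simply get a second lease
            free = [ip for ip in self.dynamic_pool if ip not in self._leased()]
            if not free:
                return lease_failed_msg(user)
            tunnel_ip = free[0]
        self.sessions[(user, source_ip)] = Session(user, source_ip, tunnel_ip, now)
        return tunnel_ip
```

Running the model with the thread's addressing (a static user on 192.168.99.130) shows the second connection from a new source IP failing with no timeout, succeeding after a force-disconnect, and succeeding on its own once the 60 s inactivity timeout has elapsed.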