
Sophos Firewall: v19.5 MR2: Feedback and experiences

Release Post: Sophos Firewall OS v19.5 MR2 is Now Available

The old V19.5 MR1 Post: Sophos Firewall: v19.5 MR1: Feedback and experiences

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue.



  • We were waiting for the SSL VPN routing problem with a static IP assigned to the client to be solved with MR2. Unfortunately it still is not solved. It got worse instead. After assigning a static SSL VPN IP to one client, it cannot access the LAN network anymore. The connection is established, but no traffic to the LAN is possible. If we remove the static SSL VPN IP from the user, everything works fine. But we need a static IP so we can access the device from the LAN by FQDN. With MR1 we had the problem that the device could access the LAN with a static IP assigned, but traffic from the LAN to the connected device was not possible because of a routing problem in the XGS. Does anybody have the same problem, and is there a solution? The issue ID for this is NC-114163.

  • Hi Enrico - We tried to reproduce this issue in our lab, both on VM and XGS. We see that the traffic is passing from the client static IP to the LAN and vice versa. We don't see any problem.

    We would like to take a look at your setup. I will DM you to check if we can get the Access ID.

  • Hi - We had a discussion on this issue internally. Can you please disable this "any" "any" rule (3rd rule in the list) from the SDWAN routes? It should solve your problem.

  • After disabling the SD-WAN route, the static IP SSL VPN works well. Traffic is routed correctly from the VPN connected device to the LAN and from the LAN to the VPN connected device with the static IP. It's still strange why this is no problem with dynamic IPs on SSL VPN connected devices.

  • Hi  

    When SSLVPN is configured with a static IP address, the SSLVPN service sets an nfmark on the SSLVPN tun interfaces.

    ip link set tun0 nfmark 0x300

    ip link set tun1 nfmark 0x301

    Note: Based on the number of OpenVPN instances, the SSLVPN service will have an equal number of tun interfaces.

    So if SSLVPN static IP connections have a matching SDWAN route, then the 0x300 mark is overridden by the SDWAN route, which causes SSLVPN connections to send traffic on the SDWAN gateway instead of the tun interface.

    Whereas for SSLVPN dynamic IP, when we assign the dynamic IP to the user, we provision the route on the client, which is in the same network as the tun interface. Hence there's no issue w.r.t. the traffic.
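The shadowing effect described in the reply above, shown on a generic Linux policy-routing host rather than SFOS (whose internal rule layout is not on this page). This is an added example, not Sophos code: it reads `ip rule show` text and flags any fwmark rule that is evaluated after a catch-all "from all" rule, which is the plain-Linux analogue of an any/any SD-WAN route overriding the 0x300 mark. The rule listing and the mark/table numbers are constructed sample data.

```shell
#!/bin/sh
# Constructed "ip rule show" output (hypothetical priorities and tables):
# rule 100 is a catch-all that is consulted before the fwmark 0x300 rule.
SAMPLE_RULES='0:      from all lookup local
100:    from all lookup 201
32765:  from all fwmark 0x300 lookup 300
32766:  from all lookup main
32767:  from all lookup default'

# shadowed_fwmark_rules: reads "ip rule show" text on stdin and prints
# "<mark> shadowed_by <prio>" for every fwmark rule that sits behind a
# catch-all rule (from all, no other selector, any table except local).
shadowed_fwmark_rules() {
  awk '
    {
      prio = $1; sub(/:$/, "", prio)
      # catch-all: "from all lookup <table>", where table is not local
      # (the local table only covers addresses of the host itself)
      if ($2 == "from" && $3 == "all" && $4 == "lookup" && $5 != "local") {
        catchall[++n] = prio
      }
      if ($0 ~ /fwmark/) {
        for (i = 1; i <= NF; i++) if ($i == "fwmark") mark = $(i + 1)
        # only rules seen so far (lower priority number) can shadow this one
        for (i = 1; i <= n; i++) print mark, "shadowed_by", catchall[i]
      }
    }'
}

# Number of shadowed fwmark rules in the constructed sample.
count_shadowed_in_sample() {
  printf '%s\n' "$SAMPLE_RULES" | shadowed_fwmark_rules | wc -l | tr -d ' '
}

# On a live host the same check is: ip rule show | shadowed_fwmark_rules
printf '%s\n' "$SAMPLE_RULES" | shadowed_fwmark_rules
```

Once the catch-all rule 100 is removed from the sample, the function prints nothing, mirroring the fix applied in this thread.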
