
Sophos Firewall: v19.5 MR2: Feedback and experiences

Release Post: Sophos Firewall OS v19.5 MR2 is Now Available

The old v19.5 MR1 Post: Sophos Firewall: v19.5 MR1: Feedback and experiences

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue. 



This thread was automatically locked due to age.
  • Hey Jason, 

     Glad to know that the problem is resolved on your end. Agree it's annoying when things start working w/o changes / root causing. Feel free to reach out in case you run into the issue again. Also, you now have the debugging tips, which I hope will be handy for any problems in future.

    Thanks,

    Avinash

  • Problem has been solved. In my case the root cause was the SD-WAN Route and its Traffic Selector where source network 172.16.255.0/24 and destination network object 'Any' were used in policy for traffic to the Internet.

    After replacing the source network with the system object '##ALL_SSLVPN_RW' and replacing the destination network 'Any' with 'Internet IPv4 group', it started to work properly. Finally, only the traffic to the Internet is routed to the gateway, and return traffic is reaching the static IP VPN client via the tun1 interface.



    [edited by: MarekDalke at 8:49 PM (GMT -7) on 23 May 2023]
  • Just to follow this up. We updated to 19.5.2 and still had the same problems. We then engaged Sophos Support to join us on a support session the next morning and everything worked perfectly. It turned out that 19.5.2 did actually fix the issues with 19.5.1, but the morning we tested the upgrade, the ISP had a major outage which fairly closely mimicked the issue we were having with 19.5.1 so it appeared that the issue was still occurring.

  • You shouldn't have to postpone updates. You can keep the WAN access to the user portal with an ACL rule like this:

    Or even better, if you know that VPN access only comes from specific countries, lock down the Source Network to only those countries.

  • I'm curious if that won't be overwritten.

  • No, ACL rules won't be overwritten, even if User Portal is not actively being used on WAN. 

    However as others have said, keeping User Portal or Admin open on WAN when not required/in use is a security risk, and not recommended.

  • Good to hear. It is necessary for VPN provisioning. In some environments, the user portal is also used for clientless access connections, so turning it off is out of the question.

  • Also an SD-WAN issue here:

    With MR1, all works; we are routing all traffic between two Sophos Firewalls over a RED tunnel with this policy:

    With MR-2 all traffic is being blocked, thus not using the route.

    We have reverted back the firmware this morning, but will try later with other options.

    Any suggestions? :-)

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

  • Hello Martin,

    Do you have "drop packet capture" logs of traffic being blocked?

    Regards,

    Sanket Shah

    Director, Software Development, Sophos Firewall

  • Hi, because the fw got restarted.

    As with UTM, is there not any way of getting the traffic log files out, e.g. for the last day?

    Local logging is enabled, but I cannot find any data in the /log dir.

    We do not have a syslog server implemented here.

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician