

SSL VPN Connect Client 2.2.90, internal DNS name resolution broken, need to reinstall client

Hi,

our Windows 10 users use Connect Client 2.2.90 with the infamous .pro file to connect to an XG 19.5.2 firewall with SSL VPN TCP and access internal resources. The SSL VPN clients use the XG firewall as DNS resolver. The XG uses a DNS forward rule for our internal domain to the internal DNS servers.

Unfortunately it is a quite common issue, that the SSL VPN users bother our 1st Level with connectivity issues to some, not all, internal resources.

The workaround is usually to reinstall Connect Client and all is fine then.

Just a few minutes ago, 1st level spent half an hour diagnosing a client issue that could not connect to a single internal server while others were working. User was authenticated, had heartbeat etc. VPN profiles and group membership were all fine. The client could neither ping nor access the single server by other means. It then looks like a DNS issue: the ping response is "could not find host" while other hosts of our internal domain are working, also with FQDN, not only IP.

If you ping the IP, it is also working.

My suggestion was again to reinstall the CC client because no other issue was obvious.

Afterwards it worked fine.

I suspect the Windows adapter order is at some point messed up and some name resolution is happening on the wrong interface.

Is this a known issue (probably not) and is there a better workaround or fix for the problem?



This thread was automatically locked due to age.
  • we have the same problem but even reinstalling doesn't change this behavior on one client. Tested an older version which we were used to (really old version 2.0) and this one didn't work either. Case is opened 06942862.

  • Hi K-M,

    Thank you for sharing your case ID, will put a note on and further monitor this.

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • thanks for the fast reply. There is another case which maybe corresponds to it. The changing of the DNS servers seems to be broken, too. If there are already DNS servers in the connection they will not be replaced but cumulated with newer ones: 06942846

  • Hi   For this other case ID - 06942846 I checked your shared information and that is related to "Connect client appends DNS addresses instead of replacing them". This is known to the Sophos Dev team and is going to be fixed with Sophos Connect 2.3 with ID NCL-1383.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Very bad information, when will this release be?

    Because we now have many clients where we have to change the DNS server by hand now. That is nearly impossible...

    Maybe you have a beta for us?

    And you should tell the supporter because he has no clue about it... Don't know why nobody seems to check the internal database for this.

  • Hi   I have already added an internal note on the shared case (06942846 ), regarding the release date info we will check with our team and update you on the case. 

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Hi   As per the shared information for case ID 06942862, this is only being observed on one client. For that machine, would it be possible to share the output below from PowerShell (with Run as administrator) while the issue is occurring, to validate the status and priority of all other interfaces on the same machine:

    >Get-NetIPInterface

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • ifIndex InterfaceAlias                  AddressFamily NlMtu(Bytes) InterfaceMetric Dhcp     ConnectionState PolicyStore
    ------- --------------                  ------------- ------------ --------------- ----     --------------- -----------
    1       Loopback Pseudo-Interface 1     IPv6            4294967295              75 Disabled Connected       ActiveStore
    20      Ethernet 2                      IPv4                  1400               2 Enabled  Connected       ActiveStore
    4       LAN-Verbindung* 2               IPv4                  1500              25 Disabled Disconnected    ActiveStore
    9       Bluetooth-Netzwerkverbindung    IPv4                  1500              65 Enabled  Disconnected    ActiveStore
    19      LAN-Verbindung* 1               IPv4                  1500              25 Enabled  Disconnected    ActiveStore
    7       Ethernet                        IPv4                  1500               1 Enabled  Connected       ActiveStore
    16      WLAN                            IPv4                  1500              25 Enabled  Disconnected    ActiveStore
    1       Loopback Pseudo-Interface 1     IPv4            4294967295              75 Disabled Connected       ActiveStore

    7 is the local LAN interface to the router/gateway, 20 is the VPN connection

  • Hi   Thanks for sharing this output. Would it be possible to share similar output and information from another system (with a similar OS type) where it works fine, so I can compare both on my side? (Sorry, I missed requesting this from you in my earlier comment.)

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Not necessary. Compared it already. Somehow on the local LAN interface there was the automatic metric disabled and set to 1. So it was always first. Enabled automatic metric now and it is working. Thanks for pointing it out, will put in the case and close it.

    We have to take a look at this device class. Maybe this setting is set while installing the device driver as it is kind of new in our environment.
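
The check that resolved this thread, written as an added PowerShell example (not posted by any participant and not Sophos code): it flags connected IPv4 adapters that outrank the VPN adapter because automatic metric is disabled on them. The function name `Find-MetricConflict` is hypothetical, and the `AutomaticMetric` values in the sample are assumptions, since the posted output does not show that column.

```powershell
# Added example. Flags connected IPv4 interfaces whose static (non-automatic)
# metric is lower than or equal to the VPN adapter's metric, so Windows prefers them.
function Find-MetricConflict {
    param(
        [Parameter(Mandatory)] [object[]] $Interfaces,  # rows shaped like Get-NetIPInterface output
        [Parameter(Mandatory)] [string]   $VpnAlias     # alias of the VPN adapter (assumed known to the admin)
    )
    # Only connected, non-loopback IPv4 interfaces take part in the comparison.
    $connected = $Interfaces | Where-Object {
        "$($_.AddressFamily)" -eq 'IPv4' -and
        "$($_.ConnectionState)" -eq 'Connected' -and
        $_.InterfaceAlias -notlike 'Loopback*'
    }
    $vpn = $connected | Where-Object InterfaceAlias -eq $VpnAlias
    if (-not $vpn) { throw "VPN adapter '$VpnAlias' is not connected" }

    $connected | Where-Object {
        $_.ifIndex -ne $vpn.ifIndex -and
        $_.InterfaceMetric -le $vpn.InterfaceMetric -and
        "$($_.AutomaticMetric)" -eq 'Disabled'
    }
}

# Constructed sample: the two connected rows from the table posted above.
# AutomaticMetric is not part of that output; 'Disabled' for "Ethernet" follows
# the final post, the value for "Ethernet 2" is an assumption.
$sample = @(
    [pscustomobject]@{ ifIndex = 20; InterfaceAlias = 'Ethernet 2'; AddressFamily = 'IPv4'
                       InterfaceMetric = 2; ConnectionState = 'Connected'; AutomaticMetric = 'Disabled' }
    [pscustomobject]@{ ifIndex = 7;  InterfaceAlias = 'Ethernet';   AddressFamily = 'IPv4'
                       InterfaceMetric = 1; ConnectionState = 'Connected'; AutomaticMetric = 'Disabled' }
)
Find-MetricConflict -Interfaces $sample -VpnAlias 'Ethernet 2' |
    Format-Table ifIndex, InterfaceAlias, InterfaceMetric, AutomaticMetric

# On an affected machine (elevated PowerShell), run it against the live state
# and list the DNS servers configured on each flagged adapter:
#   $hits = Find-MetricConflict -Interfaces (Get-NetIPInterface) -VpnAlias 'Ethernet 2'
#   $hits | ForEach-Object { Get-DnsClientServerAddress -InterfaceIndex $_.ifIndex -AddressFamily IPv4 }
# Fix described in the final post: re-enable automatic metric on the flagged adapter.
#   $hits | ForEach-Object { Set-NetIPInterface -InterfaceIndex $_.ifIndex -AutomaticMetric Enabled }
```

On the sample rows, the only adapter flagged is ifIndex 7 ("Ethernet"), the local LAN interface with metric 1.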