SSL VPN Connect Client 2.2.90, internal DNS name resolution broken, need to reinstall client


Our Windows 10 users use Connect Client 2.2.90 with the infamous .pro file to connect to an XG 19.5.2 firewall with SSL VPN TCP and access internal resources. The SSL VPN clients use the XG firewall as DNS resolver. The XG uses a DNS forward rule for our internal domain to the internal DNS servers.

Unfortunately, it is quite a common issue that the SSL VPN users bother our 1st level with connectivity issues to some, not all, internal resources.

The workaround is usually to reinstall Connect Client and all is fine then.

Just a few minutes ago, 1st level spent half an hour diagnosing a client that could not connect to a single internal server while others were working. The user was authenticated, had heartbeat etc. VPN profiles and group membership were all fine. The client could neither ping nor access the single server by other means. It then looks like a DNS issue: the ping response is "could not find host", while other hosts of our internal domain are working, also with FQDN, not only IP.

If you ping the IP, it is also working.

My suggestion was again to reinstall the CC client because no other issue was obvious.

Afterwards it worked fine.

I suspect the Windows adapter order is at some point messed up and some name resolution is happening on the wrong interface.

Is this a known issue (probably not) and is there a better workaround or fix for the problem?

  • ifIndex InterfaceAlias                  AddressFamily NlMtu(Bytes) InterfaceMetric Dhcp     ConnectionState PolicyStore
    ------- --------------                  ------------- ------------ --------------- ----     --------------- -----------
    1       Loopback Pseudo-Interface 1     IPv6            4294967295              75 Disabled Connected       ActiveStore
    20      Ethernet 2                      IPv4                  1400               2 Enabled  Connected       ActiveStore
    4       LAN-Verbindung* 2               IPv4                  1500              25 Disabled Disconnected    ActiveStore
    9       Bluetooth-Netzwerkverbindung    IPv4                  1500              65 Enabled  Disconnected    ActiveStore
    19      LAN-Verbindung* 1               IPv4                  1500              25 Enabled  Disconnected    ActiveStore
    7       Ethernet                        IPv4                  1500               1 Enabled  Connected       ActiveStore
    16      WLAN                            IPv4                  1500              25 Enabled  Disconnected    ActiveStore
    1       Loopback Pseudo-Interface 1     IPv4            4294967295              75 Disabled Connected       ActiveStore

    7 is the local LAN interface to the router/gateway, 20 is the VPN connection

  • Hi, thanks for sharing this output. Would it be possible to share similar output and information from another system (with a similar OS type) where it works fine, so that I can compare both on my side? (Sorry, I missed requesting this from you in my earlier comment.)


    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Not necessary. Compared it already. Somehow the automatic metric was disabled on the local LAN interface and the metric set to 1. So it was always first. Enabled automatic metric now and it is working. Thanks for pointing it out, will put it in the case and close it.

    We have to take a look at this device class. Maybe this setting is set while installing the device driver as it is kind of new in our environment. 

  • Hi, thanks for the resolution update for community users' reference. I am glad you managed to figure it out with the above command hint and output.


    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Hey, thanks for the update, that was the suggested answer earlier on this thread!

    Thanks & Regards,

    Vivek Jagad | Team Lead, Global Support & Services 


  • Yep, but it was a helpful hint to get a fast overview via PowerShell. Also read the KB article from Microsoft, so it is now much clearer how this system acts. Didn't get that entirely before.
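
Added example, not posted by anyone in the thread: a PowerShell check for the condition found above, where a connected non-VPN interface has a lower (preferred) metric than the SSL VPN adapter, so name resolution can go to that interface's DNS servers first. The function name `Get-VpnMetricConflict` is hypothetical, and the default alias `Ethernet 2` is taken from the output in the thread; adjust it per machine.

```powershell
# Added example (not from the thread). Lists connected interfaces whose metric
# beats the VPN adapter's, and whether that metric was set manually.
function Get-VpnMetricConflict {
    param(
        # Assumption: alias of the SSL VPN adapter; 'Ethernet 2' is the one in the thread's output.
        [string]$VpnAlias = 'Ethernet 2',
        [ValidateSet('IPv4', 'IPv6')]
        [string]$AddressFamily = 'IPv4'
    )

    # Only connected, non-loopback interfaces take part in resolver ordering.
    $connected = Get-NetIPInterface -AddressFamily $AddressFamily |
        Where-Object { $_.ConnectionState -eq 'Connected' -and
                       $_.InterfaceAlias -notlike 'Loopback*' }

    $vpn = $connected | Where-Object { $_.InterfaceAlias -eq $VpnAlias }
    if (-not $vpn) {
        throw "VPN adapter '$VpnAlias' not found or not connected."
    }

    $connected |
        Where-Object { $_.ifIndex -ne $vpn.ifIndex -and
                       $_.InterfaceMetric -le $vpn.InterfaceMetric } |
        ForEach-Object {
            # DNS servers that would be asked before (or alongside) the VPN's resolver.
            $dns = (Get-DnsClientServerAddress -InterfaceIndex $_.ifIndex `
                        -AddressFamily $AddressFamily).ServerAddresses
            [pscustomobject]@{
                ifIndex         = $_.ifIndex
                InterfaceAlias  = $_.InterfaceAlias
                InterfaceMetric = $_.InterfaceMetric
                VpnMetric       = $vpn.InterfaceMetric
                AutomaticMetric = $_.AutomaticMetric   # 'Disabled' means a manual metric is pinned
                DnsServers      = $dns -join ', '
            }
        }
}

# Report only; an empty result means the VPN adapter already has the lowest metric.
Get-VpnMetricConflict | Format-Table -AutoSize

# Remediation used in the thread (re-enable automatic metric); needs an elevated session.
# The index 7 is the local LAN interface from the thread's output.
# Set-NetIPInterface -InterfaceIndex 7 -AddressFamily IPv4 -AutomaticMetric Enabled
```

Running the report across affected clients before reinstalling shows whether a pinned metric, rather than the client itself, is the cause.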