Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

hen the VPN is connected with firewall just the local application/network should be accessible.

SSL VPN is used as full tunnel and the requirement is when the VPN is connected with firewall just the local application/network should be accessible.

  • Checked the configuration and it was proper
  • NO VPN to WAN rule was present hence the WAN traffic was being dropped as expected.
  • All websites and pings were dropping on the firewall as expected.
  • The issue we are facing is that on telegram application we are still able to send and receive messages.
  • Any download or upload is not working, just messages are working.

 

  • Telegram itself is not pinging or telnetting.
  • Nslookup also not working.
  • Checked routes on the machine itself.
  • Tracert also ended on the VPN interface itself.
  • Created a VPN to ANY drop rule on the firewall and chedked again.
  • Still we were able to send and receive messages.

 

  • Found an IP-address (149.154.167.197) which is used for telegram messenger and I was able to telnet it.
  • The same IP is not pingable.
  • Took capture while pinging the IP and it was dropping as expected.
  • While telnetting it was taking the same rule but it was showing that the tun7 itself was replying.
  • In TCPdump also observed the same.
  • Took Conntrack entries and there was no out interface and rule also it was taking proper.
  • Took capture on port 443 itself to see if the packets were being NATted anywhere and there too in capture it was showing directly tun7 replying.
  • Checked routes on the firewall itself.
  • From firewall itself the IP was showing route behind WAN.


This thread was automatically locked due to age.
Parents
  • Hi  Thank you for reaching out to the Sophos community team. As of now I suspect or assume Firewall side rule settings are proper only and no allow rule there then another possible reason could be the Telegram connection/session was already active before the SSL VPN was connected, due to that the application traffic will continue using that previous route instead of the default route over the tunnel adapter.

    Maybe you can wait for a few min. 10-15 minutes to see if that route cache expires OR You may run arp -d (In end machine) from the command prompt after the SSL VPN tunnel is established. Then see if the Telegram application sends and receives messages fails.

    Please note the SSL VPN will not tear down the existing session of the end machine.

    You may narrow down the issue/situation further as per below to validate on this:

    1)Please ensure all sessions of the Telegram application are closed on the machine. From the same machine connect SSL VPN and post this procedure start the Telegram application.

    ->In this test case, Please confirm Telegram application sends and receives messages working or not.

    2)Please ensure SSL VPN is in a disconnected state in the machine and Open the telegram application and wait till it's getting connected to the server. Now, connect the SSL VPN, and confirm the application can send and receive messages.

    If Point 1) test case is preventing the Telegram Application connection ( send and receive messages) all the time then it is expected as you have not allowed VPN to WAN traffic over Firewall.

    If Point 2) test case matches your scenario then as mentioned above SSL VPN will not tear down the existing session and due to that it is expected active connection will work as it is from the system default adapter (LAN/WiFi).

    For packet-related details, You may install Wirehshark on to end machine and open two Wireshark sessions in the machine 1) one session for capturing traffic on the default interface (LAN/WiFi) and 2) the second session for capturing traffic over the SSL VPN adapter.

    You may validate traffic for Telegram passing through which adapter during the above test cases.

    Note: You may also check "Local Address" details under the Windows Resource Monitor > Network > TCP Connection during the above test to see from which local address the app is connected to the server.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

Reply
  • Hi  Thank you for reaching out to the Sophos community team. As of now I suspect or assume Firewall side rule settings are proper only and no allow rule there then another possible reason could be the Telegram connection/session was already active before the SSL VPN was connected, due to that the application traffic will continue using that previous route instead of the default route over the tunnel adapter.

    Maybe you can wait for a few min. 10-15 minutes to see if that route cache expires OR You may run arp -d (In end machine) from the command prompt after the SSL VPN tunnel is established. Then see if the Telegram application sends and receives messages fails.

    Please note the SSL VPN will not tear down the existing session of the end machine.

    You may narrow down the issue/situation further as per below to validate on this:

    1)Please ensure all sessions of the Telegram application are closed on the machine. From the same machine connect SSL VPN and post this procedure start the Telegram application.

    ->In this test case, Please confirm Telegram application sends and receives messages working or not.

    2)Please ensure SSL VPN is in a disconnected state in the machine and Open the telegram application and wait till it's getting connected to the server. Now, connect the SSL VPN, and confirm the application can send and receive messages.

    If Point 1) test case is preventing the Telegram Application connection ( send and receive messages) all the time then it is expected as you have not allowed VPN to WAN traffic over Firewall.

    If Point 2) test case matches your scenario then as mentioned above SSL VPN will not tear down the existing session and due to that it is expected active connection will work as it is from the system default adapter (LAN/WiFi).

    For packet-related details, You may install Wirehshark on to end machine and open two Wireshark sessions in the machine 1) one session for capturing traffic on the default interface (LAN/WiFi) and 2) the second session for capturing traffic over the SSL VPN adapter.

    You may validate traffic for Telegram passing through which adapter during the above test cases.

    Note: You may also check "Local Address" details under the Windows Resource Monitor > Network > TCP Connection during the above test to see from which local address the app is connected to the server.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

Children
No Data