

Sophos XGS: random disconnects for SSL VPN clients

Hi,

For some reason every SSL VPN client is quite randomly disconnected from the SSL VPN server (Sophos XGS87w): sometimes after only a few minutes, mostly between 15 and 20 minutes. Running a ping from the client side to a machine in the server network does not help to keep the connection alive. The VPN connection works fine as long as it is connected, though. The client is assigned the correct static IP address.

Here are some additional details:

- firmware: SFOS 20.0.0 GA-Build222

- the Sophos XGS is located behind a DSL router, the interface port 1 (of the Sophos FW) is the LAN port, port 2 is connected to the DSL router. The DSL router is the gateway to the internet.

- SSL VPN global settings: protocol: TCP, override hostname is set to a domain name, port: 8443, use static IP addresses is active (every client has a correct "SSL VPN IP address" set), disconnect dead peer after 120 seconds, disconnect idle peer after 360 minutes, key lifetime: 36000 seconds, compress SSL VPN traffic is ON.

- SSL VPN settings: use as default gateway is OFF, permitted network resources is set to the internal LAN on the firewall side, disconnect idle clients is OFF.

This log shows the same user being disconnected quite often in a short time.

None of my time settings corresponds to the times when the client is disconnected. The client itself is not disconnecting manually, of course.

Any idea where this is coming from?



  • Hi,

    I am experiencing the same problem on multiple firewalls (Virtual Machine and XGS) updated to the latest SFOS 20.0.0 GA Build 222.

    In my case the SSL VPN server is configured for using port 8443 UDP with compression (AES128-CBC SHA256 with 2048bit key size) and users authenticate against Active Directory.

    Same messages in sslvpn.log:

    [8791] userxxxx/<CLIENT-PUBLIC-IP>:53860 [diegob] Inactivity timeout (--ping-restart), restarting
    [8791] userxxxx/<CLIENT-PUBLIC-IP>:53860 SIGUSR1[soft,ping-restart] received, client-instance restarting
    GARNER: log disconnect event: username=userxxxx
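As an added example (not code from the thread or from Sophos), the following Python parses sslvpn.log lines of the shape quoted above and flags users whose sessions keep being torn down by OpenVPN's `--ping-restart` inactivity timer. The timestamp prefix, the user names and the client addresses in the sample lines are constructed, since the excerpt above shows none; the parser, the thresholds and the `median_uptime_seconds` helper are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample, modelled on the sslvpn.log excerpt in the post.
# The "YYYY-MM-DD HH:MM:SS" prefix is an assumption of this example.
SAMPLE_LOG = """\
2024-01-10 09:00:00 [8791] userxxxx/198.51.100.10:53860 [diegob] Inactivity timeout (--ping-restart), restarting
2024-01-10 09:00:00 [8791] userxxxx/198.51.100.10:53860 SIGUSR1[soft,ping-restart] received, client-instance restarting
2024-01-10 09:00:00 GARNER: log disconnect event: username=userxxxx
2024-01-10 09:17:30 [8791] userxxxx/198.51.100.10:53861 [diegob] Inactivity timeout (--ping-restart), restarting
2024-01-10 09:17:30 GARNER: log disconnect event: username=userxxxx
2024-01-10 09:35:02 [8791] userxxxx/198.51.100.10:53862 [diegob] Inactivity timeout (--ping-restart), restarting
2024-01-10 09:35:02 GARNER: log disconnect event: username=userxxxx
2024-01-10 10:10:00 [8802] usersteady/203.0.113.5:41000 Connection reset, restarting [0]
2024-01-10 10:10:00 GARNER: log disconnect event: username=usersteady
"""

# Two line shapes: a per-client-instance message ("[pid] user/ip:port msg")
# and the GARNER accounting line that records the disconnect for the user.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\[(?P<pid>\d+)\] (?P<user>[^/\s]+)/(?P<client>\S+) (?P<msg>.*)"
    r"|GARNER: log disconnect event: username=(?P<guser>\S+))$"
)


def parse_line(line):
    """Return a dict (ts, user, client, event) or None for lines we do not model."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    if m.group("guser"):
        return {"ts": ts, "user": m.group("guser"), "client": None, "event": "disconnect"}
    msg = m.group("msg")
    # Check the inactivity message first: the SIGUSR1 line also contains
    # "ping-restart" and must not be counted as a second restart.
    if "Inactivity timeout (--ping-restart)" in msg:
        event = "ping-restart"
    elif "SIGUSR1" in msg:
        event = "signal"
    else:
        event = "other"
    return {"ts": ts, "user": m.group("user"), "client": m.group("client"), "event": event}


def ping_restarts_by_user(log_text):
    """Timestamps of every --ping-restart teardown, grouped by VPN user."""
    out = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["event"] == "ping-restart":
            out[rec["user"]].append(rec["ts"])
    return dict(out)


def flapping_users(log_text, window=timedelta(hours=1), threshold=3):
    """Users with at least `threshold` ping-restart events inside one sliding window."""
    flagged = {}
    for user, stamps in ping_restarts_by_user(log_text).items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged[user] = j - i
                break
    return flagged


def median_uptime_seconds(log_text, user):
    """Median gap between successive ping-restart teardowns for one user, or None."""
    stamps = sorted(ping_restarts_by_user(log_text).get(user, []))
    if len(stamps) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return median(gaps)


if __name__ == "__main__":
    for user, n in flapping_users(SAMPLE_LOG).items():
        print(f"{user}: {n} ping-restart teardowns within one hour, "
              f"median session {median_uptime_seconds(SAMPLE_LOG, user):.0f} s")
```

The "Inactivity timeout (--ping-restart)" message means the server instance stopped receiving keepalives from that client for the configured dead-peer interval (120 seconds in the original post's settings), so the interesting number is the gap between successive teardowns: a user torn down every 15 to 20 minutes has sessions that run normally and then stop exchanging keepalives, which is a different symptom from the idle timer (360 minutes) or the key lifetime (36000 seconds) expiring.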

  • Hi Andrea Giacomin,

    Please post a screenshot of the SSL VPN Global settings.

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Bharat!

    This is the SSL VPN Global Setting:

    I just disabled the "Disconnect idle clients" option in the SSL VPN Profile. I'd like to check if this is a viable workaround for now.

  • Can we troubleshoot by updating "Assign IPv4 addresses" with the network address 10.251.1.0 instead of an IP address, and do you get any error message when you click Apply?

    Try with a 12-hour key lifetime (43200 seconds) under Cryptographic settings?

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • I tried several combinations but I did not solve the problem.

    There's something I don't understand. I changed the IPv4 subnet in the SSL global setting to 10.81.234.0/24, and SFOS added two /25 tun interfaces:

    43: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast group 0x05 nfmark 0 nfmark6 0 nettype 0 state UNKNOWN group default qlen 1000
        link/none
        inet 10.81.234.1/25 brd 10.81.234.127 scope global tun0
           valid_lft forever preferred_lft forever
        inet6 2001:db8::/65 scope global
           valid_lft forever preferred_lft forever
        inet6 fe80::96d4:17d2:177b:8f07/64 scope link stable-privacy
           valid_lft forever preferred_lft forever
    44: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast group 0x05 nfmark 0 nfmark6 0 nettype 0 state UNKNOWN group default qlen 1000
        link/none
        inet 10.81.234.129/25 brd 10.81.234.255 scope global tun1
           valid_lft forever preferred_lft forever
        inet6 2001:db8:0:0:8000::/65 scope global
           valid_lft forever preferred_lft forever
        inet6 fe80::52c8:815d:a25a:4374/64 scope link stable-privacy
           valid_lft forever preferred_lft forever

    And creates two sockets for port 8443:

    netstat -nlp |grep -i ssl
    tcp6       0      0 :::8443                 :::*                    LISTEN      15334/sslvpn
    tcp6       0      0 :::8443                 :::*                    LISTEN      15337/sslvpn
    unix  2      [ ACC ]     STREAM     LISTENING     109915   15337/sslvpn         /tmp/openvpn_mgmt1
    unix  2      [ ACC ]     STREAM     LISTENING     108663   15334/sslvpn         /tmp/openvpn_mgmt0
    

    There is only one SSL VPN profile configured.
