

Packets dropped due to no heartbeat

We have remote users who connect to a Sophos SSLVPN. We then create the following firewall rule between them and the servers to ensure that they have Sophos AV installed and that there are no issues on either side. Unfortunately, when we do this, no-one can connect even though both sides are green with all ticks. A packet capture shows that the source is missing a heartbeat. Thus, turning off the tickbox highlighted in red solves the issue.


We put in a rule directly above this one to allow source: ANY destination: ANY services: 8347 and 53 but that doesn't seem to have made any difference.

Note: the SSLVPN is a split tunnel but it sets the primary and secondary DNS to our servers - hence the inclusion of port 53 above in the first rule.

Any ideas here?



  • You also need to allow the heartbeat traffic over the VPN. 

    In your profile(s) also add: 52.5.76.173/255.255.255.255 to travel over the VPN. This is the heartbeat IP address. And of course your VPN clients should also be able to reach that IP over the WAN, so if necessary also create/adjust a firewall rule for that.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
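An added example, not part of the thread, for checking the point the reply makes: on a split-tunnel client, the heartbeat address is only sent through the VPN if a pushed route covers it. The script does a longest-prefix match over a constructed `ip route`-style table (Linux client and interface name `tun0` are assumptions) and shows the result before and after the /32 from the reply is added.

```python
import ipaddress

# Constructed sample of a split-tunnel client's routing table (not from the thread).
# The VPN pushed only the internal server subnet over tun0; the heartbeat IP
# quoted in the reply (52.5.76.173) is not covered, so it would leave via wlan0.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev wlan0
10.10.0.0/16 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0
192.168.1.0/24 dev wlan0
"""

HEARTBEAT_IP = "52.5.76.173"  # Security Heartbeat address named in the reply


def parse_routes(text):
    """Parse 'ip route'-style lines into (network, interface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        iface = parts[parts.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix, strict=False), iface))
    return routes


def egress_interface(routes, ip):
    """Longest-prefix match: the interface that would carry traffic to ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def heartbeat_over_vpn(route_text, vpn_iface="tun0", ip=HEARTBEAT_IP):
    """True if the heartbeat IP would be sent through the VPN tunnel interface."""
    return egress_interface(parse_routes(route_text), ip) == vpn_iface


def with_heartbeat_route(route_text, vpn_gateway="10.8.0.1", vpn_iface="tun0"):
    """Routing table once the /32 from the reply is pushed over the tunnel."""
    return route_text + f"{HEARTBEAT_IP}/32 via {vpn_gateway} dev {vpn_iface}\n"


if __name__ == "__main__":
    print("heartbeat over VPN (before):", heartbeat_over_vpn(SAMPLE_ROUTES))
    print("heartbeat over VPN (after): ", heartbeat_over_vpn(with_heartbeat_route(SAMPLE_ROUTES)))
```

On a real client, replace `SAMPLE_ROUTES` with the output of `ip route` to confirm the heartbeat address is actually routed through the tunnel before troubleshooting the firewall rule further.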
