Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Replies 9 replies
  • Answers 1 answer
  • Subscribers 41 subscribers
  • Views 3791 views
  • Users 0 members are here
Options
Suggested

Unidentified Network - Kerberus Auth Problem only with SSL and without NETBIOS

Steve Reschke

Hello

we are disbled NETBIOS / WINS for our Domain Network on client side. Since we did this we have problems to authentificate on our domaincontroller through VPN SSL. With VPN IPSsec all is fine. Also in LAN all is fine. Both, SSL and IPSec using the same firewall rules. With NETBIOS enable authentification with SSL works fine. Domaincontroller gets Kerberos ticket also with SSL. We tried with several machines with same result.

Sophos TAP adapter has lowest interface metrik from all adapters (2) .

Any ideas why this happens?

Please see also attached pictures.

Thanks a lot for helping

IPSec:

SSL:





This thread was automatically locked due to age.
[entsperrt von: LuCar Toni um 9:00 AM (GMT -7) am 25 Sep 2024]
Parents Reply Children
  • 0 in reply to Steve Reschke

    We are now spending some time to recreate this issue, but no success from our end. 

    One thing, which i found a little bit odd in this setup is: You are using the same networks in your office and at home.

    Most of the times, this is something, an Admin wants to avoid. 
    Using the classic "192.168.0.0/24, 192.168.1.0/24" could be tricky, as it confused VPN Clients. (One of the reasons AVM moved to 192.168.178.0/24). 

    Any reason, you choose to do this? Could you, to double check, change the network of either one and see, if it still happening? 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Sorry, the system auto blocks Threads after some months of inactivity - Sophos Mods can still reply to those. Did not notice, it was blocked. 
    Unblocked it. 

    One more thought here: 
    Looking into this, do we have a tcpdump from the client with SSL based on DNS? From both interfaces (TAP and ethernet) at the same time? 
    Do you see any kind of DNS requests for your domain, on the ethernet, and not the TAP Adapter? 

    __________________________________________________________________________________________________________________

  • 0 in reply to Steve Reschke

    Newest Information fron Sophos Global Support. Further informations coming.

    We successfully replicated the issue in our lab environment. Here are the details:

    1. Client Machine in Same Network as Private Resources:
      • Network Configuration:
        • Office and home networks belong to the same range.
      • With SSL VPN and NetBIOS Enabled:
        • The Sophos TAP adapter is recognized as part of the Domain Network.
      • With SSL VPN and NetBIOS Disabled:
        • The Sophos TAP adapter is labeled as “Unidentified Network.”
    2. Client Machine in Different Network from Private Resources:
      • Network Configuration:
        • Office and home networks belong to different ranges.
      • With SSL VPN and NetBIOS Enabled:
        • The Sophos TAP adapter is recognized as part of the Domain Network.
      • With SSL VPN and NetBIOS Disabled:
        • The Sophos TAP adapter is labeled as “Unidentified Network.”

    Conclusion: This appears to be an issue related to the OpenVPN TAP adapter utilized by Sophos Connect.




Unfiltered HTML