Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Replies 8 replies
  • Answers 1 answer
  • Subscribers 40 subscribers
  • Views 2298 views
  • Users 0 members are here
Options
Suggested

Unidentified Network - Kerberus Auth Problem only with SSL and without NETBIOS

Steve Reschke

Hello

we are disbled NETBIOS / WINS for our Domain Network on client side. Since we did this we have problems to authentificate on our domaincontroller through VPN SSL. With VPN IPSsec all is fine. Also in LAN all is fine. Both, SSL and IPSec using the same firewall rules. With NETBIOS enable authentification with SSL works fine. Domaincontroller gets Kerberos ticket also with SSL. We tried with several machines with same result.

Sophos TAP adapter has lowest interface metrik from all adapters (2) .

Any ideas why this happens?

Please see also attached pictures.

Thanks a lot for helping

IPSec:

SSL:





This thread was automatically locked due to age.
[entsperrt von: LuCar Toni um 9:00 AM (GMT -7) am 25 Sep 2024]
Parents
  • 0

    After research my problem related with OpenVPN I added a route on my test machine.

    • route -p add 0.0.0.0 mask 0.0.0.0 192.168.0.1 metric 50 if 25

    More than 10 test connections I have a domain authenticatied connection every time. Is there any possibility to depict this in our firewall? To touch every VPN Client in out network is not a good option.

    Link of (maybe) solution

  • 0 in reply to Steve Reschke

    We are now spending some time to recreate this issue, but no success from our end. 

    One thing, which i found a little bit odd in this setup is: You are using the same networks in your office and at home.

    Most of the times, this is something, an Admin wants to avoid. 
    Using the classic "192.168.0.0/24, 192.168.1.0/24" could be tricky, as it confused VPN Clients. (One of the reasons AVM moved to 192.168.178.0/24). 

    Any reason, you choose to do this? Could you, to double check, change the network of either one and see, if it still happening? 

    __________________________________________________________________________________________________________________

Reply
  • 0 in reply to Steve Reschke

    We are now spending some time to recreate this issue, but no success from our end. 

    One thing, which i found a little bit odd in this setup is: You are using the same networks in your office and at home.

    Most of the times, this is something, an Admin wants to avoid. 
    Using the classic "192.168.0.0/24, 192.168.1.0/24" could be tricky, as it confused VPN Clients. (One of the reasons AVM moved to 192.168.178.0/24). 

    Any reason, you choose to do this? Could you, to double check, change the network of either one and see, if it still happening? 

    __________________________________________________________________________________________________________________

Children
  • 0 in reply to LuCar Toni

    Sorry, the system auto blocks Threads after some months of inactivity - Sophos Mods can still reply to those. Did not notice, it was blocked. 
    Unblocked it. 

    One more thought here: 
    Looking into this, do we have a tcpdump from the client with SSL based on DNS? From both interfaces (TAP and ethernet) at the same time? 
    Do you see any kind of DNS requests for your domain, on the ethernet, and not the TAP Adapter? 

    __________________________________________________________________________________________________________________

Unfiltered HTML