Sophos Connect 2.3 with disabled IPv6 component

- upgraded our Windows Connect Clients from 2.2.9 to 2.3
- when now connecting with SSL VPN:

The client is connected (all is working) but the state in Sophos Connect will not switch to connected and stays in "is connecting"... -> not possible to disconnect anymore.

Client Log:

(...)
2024-05-17 09:32:30 add_route_ipv6(::/1 -> 2001:db8:: metric -1) IF 4
2024-05-17 09:32:30 ERROR: route addition failed using service: Element nicht gefunden. [status=1168 if_index=4]
2024-05-17 09:32:30 add_route_ipv6(8000::/1 -> 2001:db8:: metric -1) IF 4
2024-05-17 09:32:30 ERROR: route addition failed using service: Element nicht gefunden. [status=1168 if_index=4]
2024-05-17 09:32:30 add_route_ipv6(::/3 -> 2001:db8:: metric -1) IF 4
2024-05-17 09:32:30 ERROR: route addition failed using service: Element nicht gefunden. [status=1168 if_index=4]
2024-05-17 09:32:30 add_route_ipv6(2000::/4 -> 2001:db8:: metric -1) IF 4
2024-05-17 09:32:30 ERROR: route addition failed using service: Element nicht gefunden. [status=1168 if_index=4]
2024-05-17 09:32:30 add_route_ipv6(3000::/4 -> 2001:db8:: metric -1) IF 4
2024-05-17 09:32:30 ERROR: route addition failed using service: Element nicht gefunden. [status=1168 if_index=4]
2024-05-17 09:32:30 add_route_ipv6(fc00::/7 -> 2001:db8:: metric -1) IF 4
2024-05-17 09:32:30 ERROR: route addition failed using service: Element nicht gefunden. [status=1168 if_index=4]
2024-05-17 09:32:30 Initialization Sequence Completed
2024-05-17 09:32:30 MANAGEMENT: >STATE:1715931150,CONNECTED,ROUTE_ERROR,192.168.50.6,[SSL VPN Gateway IP],443,,,2001:db8::5

- we have the problem on ANY of our clients



  • I could reproduce the issue and found the reason. On the computer the IPv6 component was disabled via the following registry key:

    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisabledComponents -> 255 (Hex FF)

    Seems the 2.3 client is not (anymore) compatible with disabled IPv6 component on Windows.

  • So I have IPv6 disabled with the checkbox in Windows itself:

    I assume you used the registry for management reasons?

    https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows

    This issue comes up, as you disabled IPv6 also for the TAP Interface.

    So could you try the: "Disable IPv6 on all nontunnel interfaces" option instead? This should leave IPv6 enabled on the tap interface and get you the same outcome.


  • The checkbox does not do the same (IPv6 is still enabled). To "really" disable the v6 stack in Windows you have to use the registry.
    Also the checkbox has no impact on connect (but only tested the non-vpn interfaces) -> still working in 2.3, so no problem.

    From my side it is no problem anymore. We disabled v6 because of some DNS issues with dual-stack in the past, we enabled the v6 stack again (no need to disable it anymore) and it is also working with 2.3 now.

    Maybe some other customers also use the registry to completely disable the v6 stack in Windows. But it's up to Sophos to fix this.

  • yep, exactly. Microsoft also tells you to use the registry key...

    thanks for clarifying, we are using the key, too. So we could get problems. Is there an ID for it and can you subscribe us to it?

  • If you have completely disabled the v6 stack, you WILL get the problem we had. The DEV-team is working on it -> ID is 07358965

    As mentioned you can also try to set the registry key to (not tested with 2.3):

    Disable IPv6 on all nontunnel interfaces:
    Decimal 16
    Hexadecimal 0x10
    Binary xxx1 xxxx
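
A triage script for the symptom described in this thread, added here as an example (it is not part of any post and not Sophos code): it pairs each `add_route_ipv6` call with the failure that follows it and checks for the `CONNECTED,ROUTE_ERROR` management state. The sample log is shortened from the one quoted in the first post; the function and pattern names are made up for illustration.

```python
import re

# Constructed sample, shortened from the client log quoted in the first post.
SAMPLE_LOG = """\
2024-05-17 09:32:30 add_route_ipv6(::/1 -> 2001:db8:: metric -1) IF 4
2024-05-17 09:32:30 ERROR: route addition failed using service: Element nicht gefunden. [status=1168 if_index=4]
2024-05-17 09:32:30 add_route_ipv6(fc00::/7 -> 2001:db8:: metric -1) IF 4
2024-05-17 09:32:30 ERROR: route addition failed using service: Element nicht gefunden. [status=1168 if_index=4]
2024-05-17 09:32:30 Initialization Sequence Completed
2024-05-17 09:32:30 MANAGEMENT: >STATE:1715931150,CONNECTED,ROUTE_ERROR,192.168.50.6,[SSL VPN Gateway IP],443,,,2001:db8::5
"""

ROUTE6 = re.compile(r"add_route_ipv6\((\S+) -> ")
# Match on the numeric status, not the message: the text is localized
# ("Element nicht gefunden" here), the status code is not.
FAIL = re.compile(r"ERROR: route addition failed.*\[status=(\d+) if_index=(\d+)\]")
STATE = re.compile(r"MANAGEMENT: >STATE:\d+,([A-Z_]+),([A-Z_]*),")

ELEMENT_NOT_FOUND = 1168  # Windows ERROR_NOT_FOUND, the status seen in the log


def triage(log_text):
    """Summarize failed IPv6 route additions and the last management state."""
    failed, pending, state = [], None, None
    for line in log_text.splitlines():
        if m := ROUTE6.search(line):
            pending = m.group(1)              # prefix the client tried to add
        elif (m := FAIL.search(line)) and pending:
            failed.append((pending, int(m.group(1)), int(m.group(2))))
            pending = None
        elif m := STATE.search(line):
            state = (m.group(1), m.group(2))  # e.g. ("CONNECTED", "ROUTE_ERROR")
    return {
        "failed_v6_routes": failed,
        "state": state,
        # Tunnel is up but routes failed: the condition reported in this thread.
        "matches_thread_symptom": state == ("CONNECTED", "ROUTE_ERROR")
        and any(status == ELEMENT_NOT_FOUND for _, status, _ in failed),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
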