
SSL VPN (TCP) Static IP Address issues

Hello,

I am experiencing the issues listed in NC-120119 when I am using TCP mode for my SSL VPNs.

I have a select number of users who I require to have a static IP address; however, when they are connected, if they change network type and the client tries to reconnect, I get the auth error described in NC-120119.

All the symptoms I have are consistent with NC-120119, except I am not using UDP, I am definitely on TCP.

Is this a further known issue?

Thanks.

SFOS 20.0.0 GA-Build222



Edited TAGs
[edited by: Erick Jan at 11:55 PM (GMT -7) on 5 Jun 2024]
  • Hi,

    Thank you for reaching out to Sophos Community.

    I haven't found any recent cases under your registered community email. Can you share the case ID? If there is none, I recommend contacting Support and creating one so this can be checked further. Also, kindly share the case ID.

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hi, the NC-120119 issue is seen only if the SSL VPN remote access tunnel mode is UDP; it is not applicable to the TCP tunnel mode.

    There was another issue, NC-124684, where the static address is sporadically not released (when login fails for an SSL VPN user), which is fixed in 20.0 MR1.

    If you observe the issue on 20.0 MR1, can you DM me the access ID of the XG/XGS so I can check the logs further?

  • Hi Vamshi, 

    In this case the device connects successfully on one connection type (Wi-Fi), but when switching to cellular the session remains connected in the firewall and results in an "Auth failed" error.

    The device was then disconnected from the VPN and a forced disconnection was done from the current activities list (as the device was still present, despite being disconnected). Only then, when a new session was established, was the connection successful. These symptoms are very similar to NC-120119 even though we are using TCP-only in our setup.

    Will observe to see if 20.0 MR1 will be an improvement. It still hasn't shown up as an update in our firewall for the moment.

    Edit: Support case number is 07386682  

    Edit 2: Mixed up my issue description, fixed that now

  • Hi Edward,

    Thank you for sharing the case ID. We've left a note and will monitor the case further. 

    Also, as requested by Vamshi D, kindly share your access ID with him.

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hi, this is a known limitation: on a network switch (even with TCP) there is no mechanism that conveys this to SFOS, so the connection remains Up on SFOS, and an immediate client reconnect results in AUTH_FAIL because the static IP assigned to the RA client is still in use in SFOS' context. This happens until 'disconnect dead peer' kicks in (on SFOS this can be set to 60 seconds minimum); after this timer, the connection is removed by SFOS and the RA client can reconnect successfully. Please set the config on SFOS: Remote access VPN > SSL VPN > SSL VPN global settings > Disconnect dead peer after: set this timer to an acceptable value.
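The behaviour described in this last reply (a TCP client that silently loses its link never tells the firewall it is gone, so its static IP stays reserved and an immediate reconnect is refused until the dead-peer timer expires) can be made concrete with a small state model. The following is an added illustration written for this thread, not SFOS code and not a Sophos product behaviour beyond what the replies above state; the class names, the user/IP values and the timeline are constructed for the example. It models the 60-second minimum mentioned above, the AUTH_FAIL on an immediate retry, the successful retry after the timer, and the manual "disconnect from current activities" workaround from the earlier reply.

```python
"""Toy model of why an immediate SSL VPN reconnect after a network switch
fails for a static-IP user, and why the 'Disconnect dead peer after' timer
is what eventually releases the address.  Added illustration, not SFOS code."""

from dataclasses import dataclass, field

AUTH_FAIL = "AUTH_FAIL"
CONNECTED = "CONNECTED"
DEAD_PEER_MIN_SECONDS = 60  # the thread states 60 s is the minimum on SFOS


@dataclass
class Session:
    user: str
    static_ip: str
    last_seen: float  # last time the server saw traffic from this client


@dataclass
class SslVpnServerModel:
    """Hypothetical server-side state: at most one live session per static IP."""
    dead_peer_after: int = DEAD_PEER_MIN_SECONDS
    static_ips: dict = field(default_factory=dict)  # user -> assigned static IP
    sessions: dict = field(default_factory=dict)    # static IP -> live Session

    def __post_init__(self):
        # Model the configured minimum: values below 60 s are clamped up.
        self.dead_peer_after = max(int(self.dead_peer_after), DEAD_PEER_MIN_SECONDS)

    def expire_dead_peers(self, now: float) -> list:
        """Drop sessions that have been silent for the dead-peer interval."""
        dead = [ip for ip, s in self.sessions.items()
                if now - s.last_seen >= self.dead_peer_after]
        for ip in dead:
            del self.sessions[ip]
        return dead

    def connect(self, user: str, now: float) -> str:
        """Authenticate a client.  A client whose link vanished sends no
        disconnect, so its old session still holds the static IP until the
        timer fires; a new login that needs that IP is refused with AUTH_FAIL."""
        self.expire_dead_peers(now)
        ip = self.static_ips[user]
        if ip in self.sessions:
            return AUTH_FAIL
        self.sessions[ip] = Session(user, ip, now)
        return CONNECTED

    def keepalive(self, user: str, now: float) -> None:
        """Client traffic refreshes the session's last_seen timestamp."""
        ip = self.static_ips[user]
        if ip in self.sessions:
            self.sessions[ip].last_seen = now

    def force_disconnect(self, user: str) -> bool:
        """Admin-side removal of the stale session (the manual workaround in
        the thread: disconnecting the user from the current activities list)."""
        ip = self.static_ips[user]
        return self.sessions.pop(ip, None) is not None


def simulate_network_switch(dead_peer_after: int = DEAD_PEER_MIN_SECONDS) -> dict:
    """Timeline: connect on Wi-Fi at t=0, last traffic at t=30 (then the
    client moves to cellular), retry at t=35, retry again once the timer
    has elapsed since the last traffic.  Values are constructed."""
    server = SslVpnServerModel(dead_peer_after=dead_peer_after,
                               static_ips={"alice": "10.81.234.10"})
    result = {"initial": server.connect("alice", now=0)}
    server.keepalive("alice", now=30)
    result["immediate_retry"] = server.connect("alice", now=35)
    result["retry_after_timer"] = server.connect("alice", now=30 + server.dead_peer_after)
    result["effective_timer"] = server.dead_peer_after
    return result


def simulate_force_disconnect() -> dict:
    """Same stale-session state, cleared by the admin instead of the timer."""
    server = SslVpnServerModel(static_ips={"bob": "10.81.234.11"})  # constructed
    server.connect("bob", now=0)
    result = {"immediate_retry": server.connect("bob", now=5)}
    result["admin_cleared"] = server.force_disconnect("bob")
    result["retry_after_clear"] = server.connect("bob", now=6)
    return result


if __name__ == "__main__":
    print(simulate_network_switch(dead_peer_after=60))
    print(simulate_network_switch(dead_peer_after=10))  # clamped to the 60 s minimum
    print(simulate_force_disconnect())
```

The model makes the trade-off in the reply visible: the dead-peer timer is the only thing that frees a static IP after a silent link loss, so a shorter value shortens the window in which roaming users see AUTH_FAIL, while the 60-second floor means some window always remains unless an admin clears the session by hand.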