

Can't contact local DNS from SSL VPN (with 2 WAN)

Hello,

I'm not an expert (for the moment) on Sophos.

For a customer that has an XG Firewall, he asked me to configure an SSL VPN connection.
As I had already done this some years ago on a previous Sophos router, it should be possible ;-)

But the LAN/WAN was not the same.

Here, I have 1 LAN port and a VLAN interface (for Guests WIFI) on Port1

And 2 WAN connections on Port3 (4G mobile router) and Port4 (a very old and slow ADSL router).

We have working:
- WIFI guests are routed to the internet through the slow ADSL
- LAN is routed to the internet through the 4G mobile link
It's done by a SD-WAN profile with the 2 WAN interfaces selected (and standard SLA for best ping response time).
But there are also 2 SD-WAN routes:
- 1 from LAN to WAN with 4G as primary gateway and ADSL as secondary gateway
- 1 from WIFI to WAN with only ADSL as primary gateway

When connected to a LAN server, we have checked and it's the 4G mobile that is used.

Also working is the newly created SSL VPN connection. For remote access, we connect only through the 4G mobile link (25-30Mbps).
We have access to LAN and also to internet (it's not a split tunnel)

But when, during a SSL VPN session, we tried to access the internet, we have seen that it's not the 4G link that's used, but the very slow (less than 1Mbps) ADSL link.

I suppose it's because the SD-WAN profile selected the ADSL as the "best" connection.

So we have added a new SD-WAN route (from VPN to WAN) to specify the 4G modem as primary gateway and ADSL as secondary gateway.

But, now, from a SSL VPN session, we don't have access anymore to the local DNS server hosted on a Windows server.
Neither ping nor nslookup are working.

Does someone have an idea?



This thread was automatically locked due to age.
  • Hello,

    Thank you for contacting Sophos Community!

    Could you make sure that the route precedence is set to Static, VPN, SDWAN? You can validate it from Configure -> Routing -> SD-WAN Routes.

    If it is not set as above, kindly log in to the CLI and change the route precedence with the command below:

    console>system route_precedence set static vpn sdwan_policyroute

    Mayur Makvana
    Technical Account Manager | Global Customer Experience

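Added example, not part of this thread and not Sophos code: a small Python model of the route-precedence lookup the answer above refers to, showing why an SD-WAN route from the VPN zone can swallow traffic meant for the LAN DNS server when the SD-WAN table is consulted first. Everything in it is assumed: the addresses are placeholders, the newly added VPN-to-WAN SD-WAN route is modelled with destination Any, the lookup is simplified to "first table in precedence order that holds a matching route wins", and the LAN-to-WAN SD-WAN route is left out.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Sequence

# Constructed sample addressing (placeholders, not taken from the thread).
LAN_NET = ip_network("192.168.10.0/24")      # zone "LAN", on Port1
VPN_POOL = ip_network("10.81.234.0/24")      # SSL VPN client pool, zone "VPN"
DNS_SERVER = ip_address("192.168.10.5")      # Windows DNS server on the LAN
VPN_CLIENT = ip_address("10.81.234.10")      # one connected SSL VPN client
INTERNET_HOST = ip_address("203.0.113.10")   # documentation-range public host
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Route:
    table: str            # "static", "vpn" or "sdwan"
    src_zone: str         # ingress zone the route applies to; "any" = wildcard
    dst: IPv4Network      # destination network; 0.0.0.0/0 = Any
    gateway: str          # next hop used when the route matches

    def matches(self, src_zone: str, dst_ip: IPv4Address) -> bool:
        return self.src_zone in ("any", src_zone) and dst_ip in self.dst


# Assumed route set: the connected LAN route and the SSL VPN pool route that
# the firewall derives itself, plus the VPN-to-WAN SD-WAN route the original
# poster added.  Destination Any on that SD-WAN route is an assumption.
ROUTES: List[Route] = [
    Route("static", "any", LAN_NET, "Port1 (LAN, directly connected)"),
    Route("vpn", "any", VPN_POOL, "tun0 (SSL VPN tunnel)"),
    Route("sdwan", "VPN", ANY, "Port3 (4G gateway)"),
]


def lookup(precedence: Sequence[str], src_zone: str, dst_ip: IPv4Address,
           routes: Sequence[Route] = ROUTES) -> str:
    """Consult the route tables in the given precedence order; the first
    table containing a matching route decides the next hop (simplified
    model of the static / VPN / SD-WAN ordering)."""
    for table in precedence:
        for r in routes:
            if r.table == table and r.matches(src_zone, dst_ip):
                return r.gateway
    return "no route"


BEFORE = ("sdwan", "vpn", "static")   # precedence the poster found configured
AFTER = ("static", "vpn", "sdwan")    # precedence support asked for


def dns_query_path(precedence: Sequence[str]) -> str:
    """Next hop for a VPN client packet addressed to the LAN DNS server."""
    return lookup(precedence, "VPN", DNS_SERVER)


def dns_reply_path(precedence: Sequence[str]) -> str:
    """Next hop for the DNS server's reply back to the VPN client."""
    return lookup(precedence, "LAN", VPN_CLIENT)


def internet_path(precedence: Sequence[str]) -> str:
    """Next hop for a VPN client packet bound for the internet."""
    return lookup(precedence, "VPN", INTERNET_HOST)


if __name__ == "__main__":
    for name, prec in (("before", BEFORE), ("after", AFTER)):
        print(f"{name} {prec}:")
        print(f"  VPN client -> LAN DNS : {dns_query_path(prec)}")
        print(f"  LAN DNS -> VPN client : {dns_reply_path(prec)}")
        print(f"  VPN client -> internet: {internet_path(prec)}")
```

With SD-WAN first, the query to the DNS server matches the VPN-to-WAN route's destination Any and leaves via the 4G gateway instead of Port1, which is the symptom in the question; with static and VPN routes ahead of SD-WAN, the connected LAN route wins for the DNS server while internet-bound traffic from the VPN still follows the SD-WAN route to 4G.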

  • Checked just now:
    Current precedence for routing: SD-WAN route, VPN route, Static route.

    So we have to define "VPN route" first and "SD-WAN route" in 2nd position.

    But a new challenge is in front of us: accessing the CLI needs the "admin" password, which was set a few years ago by the previous IT Manager, who didn't leave a lot of things to our customer !!!
    So sad, that Sophos can't allow SSH connection for all Administrator users !

