Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

SSL VPN Route Issues to VPN Clients: Firmware 20.0.2 MR2 and Version 21

This problem is occurring on Sophos firmware 20.0.2 MR-2-Build378 as well as SFOS 21.0.0 GA-Build169. The problem also occurs on an XG running firmware 20.0.2 MR-2.

Route precedence has been set the following ways: static, VPN, SD-WAN | VPN, static, SD-WAN. It does not change the behavior.

When assigning static IPs to an SSL VPN connection for a remote user, the user is able to connect and access all network resources. We are unable to reach any user in the statically assigned area. Upon running traceroute from a local network resource to the VPN client when it connects via a dynamically assigned IP address, the first hop is the firewall, followed by the second hop being the VPN client. When the client is in the static assigned address pool provided by the global VPN settings, the first hop is the firewall, followed by the second hop being the ISP gateway, and then of course timeouts after that, as it is not providing the correct route.

When in the static area:

When in the dynamic portion of the pool:

As you can see the VPN service is not routing this correctly. Does anyone have a solution?

[edited by: Cameron Savage1 at 9:30 PM (GMT -8) on 22 Dec 2024]
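The symptom described in the post is easy to recognise by hand in two traceroutes, but when you are testing several pool addresses across firmware builds it helps to have the check scripted. The following is an added example, not code from the original post or from Sophos: it parses traceroute output (Linux `traceroute` or Windows `tracert` format), finds the first two hops, and reports whether hop 2 is the client's pool address (healthy) or some address outside the pool, which means the firewall had no route for that pool address and fell back to its default gateway. The firewall LAN address (192.168.1.1), the pool (10.81.234.0/24, the SFOS default), and both traceroute transcripts are constructed assumptions for the example.

```python
"""Classify a LAN -> SSL VPN client traceroute as routed or leaked to the WAN."""
import ipaddress
import re

# Assumed lab values, not taken from the original post: the firewall's LAN
# address and the SFOS default SSL VPN pool. Adjust for your own environment.
FIREWALL_LAN_IP = "192.168.1.1"
VPN_POOL = ipaddress.ip_network("10.81.234.0/24")

_HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")          # "<hop>  <rest of line>"
_IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")    # first dotted quad on the line


def parse_hops(output: str) -> dict:
    """Map hop number -> responding IPv4 address, or None for '* * *' / timeouts.

    Works for Linux traceroute and Windows tracert output. Header and trailer
    lines ("traceroute to ...", "Tracing route to ...", "Trace complete.") do
    not start with a hop number and are skipped.
    """
    hops = {}
    for line in output.splitlines():
        m = _HOP_LINE.match(line)
        if not m:
            continue
        hop_no, rest = int(m.group(1)), m.group(2)
        ip = _IPV4.search(rest)
        hops[hop_no] = ip.group(0) if ip else None
    return hops


def classify_trace(output: str, firewall_ip: str = FIREWALL_LAN_IP,
                   vpn_pool: ipaddress.IPv4Network = VPN_POOL) -> dict:
    """Return the first two hops and a verdict for a trace aimed at a VPN client.

    routed_to_vpn_client:      hop 1 is the firewall, hop 2 is inside the pool.
    leaked_to_default_gateway: hop 1 is the firewall, hop 2 is outside the pool
                               (the firewall used its default route instead of
                               the SSL VPN route for that pool address).
    """
    hops = parse_hops(output)
    hop1, hop2 = hops.get(1), hops.get(2)
    if hop1 != firewall_ip:
        verdict = "unexpected_first_hop"
    elif hop2 is None:
        verdict = "no_reply_after_firewall"
    elif ipaddress.ip_address(hop2) in vpn_pool:
        verdict = "routed_to_vpn_client"
    else:
        verdict = "leaked_to_default_gateway"
    return {"hop1": hop1, "hop2": hop2, "verdict": verdict}


# Constructed Linux traceroute to a client on a statically assigned pool
# address: hop 2 is an ISP gateway (documentation range), not the client.
TRACE_STATIC_LEAKED = """\
traceroute to 10.81.234.5 (10.81.234.5), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.412 ms  0.380 ms  0.365 ms
 2  203.0.113.1 (203.0.113.1)  8.112 ms  8.090 ms  8.070 ms
 3  * * *
 4  * * *
"""

# Constructed Windows tracert to a client on a dynamically assigned pool address.
TRACE_DYNAMIC_OK = """\
Tracing route to 10.81.234.130 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    35 ms    34 ms    36 ms  10.81.234.130

Trace complete.
"""


def diagnose(traces: dict) -> dict:
    """Run classify_trace over a {label: traceroute_output} mapping."""
    return {label: classify_trace(text)["verdict"] for label, text in traces.items()}


if __name__ == "__main__":
    results = diagnose({"static pool client": TRACE_STATIC_LEAKED,
                        "dynamic pool client": TRACE_DYNAMIC_OK})
    for label, verdict in results.items():
        print(f"{label:20s} -> {verdict}")
```

To use it against a live environment, capture `traceroute <pool-address>` from a LAN host for a client in the static range and one in the dynamic range and feed both strings to `classify_trace`; a `leaked_to_default_gateway` verdict for only the static range reproduces the behaviour described above and is the thing to attach to a support case.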
  • I wouldn't even need to try to resolve this at this time if the XGS 2300 assigned IPs the same way that the XG 230 does from the VPN pool: on the XG it starts at .2 and goes .3, etc.; on the XGS it assigns .2, then maybe .130, then maybe .60, then maybe .4, etc. This is an issue because currently one of my IPsec tunnels to an outside resource only allows for a /27, so the first 29 IPs of a class C. (Class C being the smallest you can set the IP pool size to since firmware 19.x.)
