
SSL VPN Route Issues to VPN Clients Firmware 20.0.2 MR2, and Version 21

This problem is occurring on Sophos Firmware 20.0.2 MR-2-Build378 as well as SFOS 21.0.0 GA-Build169. The problem also occurs on an XG with a firmware of 20.0.2 MR-2.

Route Precedence has been set the following ways: static vpn sdwan | vpn static sdwan. It does not change the behavior.

When assigning static IPs to an SSL VPN connection for a remote user, the user is able to connect and access all network resources. We are unable to access any user in the static assigned area. Upon running traceroute from a local network resource to the VPN client when it connects via a dynamically assigned IP address, the first hop is the firewall followed by the second hop being the VPN client. When the client is in the static assigned address pool provided by the Global VPN settings, the first hop is the firewall followed by the second hop being the ISP gateway; and then of course timeouts after that as it is not providing the correct route.

When in Static area:

When in Dynamic Portion of Pool:

As you can see the VPN service is not routing this correctly. Does anyone have a solution?

Update: As someone asked about a packet capture; the packet capture shows that when routing to a non-static IP from the SSL Global settings it goes out tun0, when routing to one that is assigned a static IP from the address range specified and reserved in the Global SSL settings for static use it is trying to route out Port A.



[edited by: Erick Jan at 12:29 AM (GMT -8) on 24 Dec 2024]
  • The packet capture indicates that when the IP address is coming from the non-reserved allocation for the SSLVPN client, it uses tun0 or tun1 to route to the client as it should. When it is statically assigned from the pool that is reserved under global settings it tries to go out Port A. This is very easily replicable; I have done this on an XG, an XGS, and a Virtual Appliance with the firmware versions listed. The SSLVPN client does get assigned the IP address and can route to all internal resources and even go through an IPSEC tunnel to another resource; it is just not reachable from the network.
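As an added example (not from the post or from Sophos), a small route audit that reproduces the symptom the packet capture describes: given a routing table and the SSL VPN pool with its reserved static subrange, it does a longest-prefix lookup per pool address and lists those that would leave via a non-tun interface. The pool, static range and route entries are constructed sample values; the routing table deliberately models the observed behaviour (tun0 route covers only the dynamic portion, so static addresses fall through to the default route on Port A).

```python
import ipaddress

# Constructed sample values (assumptions, not from the forum post): an SSL VPN
# pool 10.81.234.0/24 whose top quarter is reserved for static client IPs.
SSLVPN_POOL = ipaddress.ip_network("10.81.234.0/24")
STATIC_RANGE = ipaddress.ip_network("10.81.234.192/26")  # reserved for static leases

# Hypothetical routing table modelling the symptom: the tun0 routes only cover
# the dynamic portion, so the reserved static addresses fall through to the
# default route via Port A (the ISP gateway seen as second hop in traceroute).
ROUTES = [
    ("0.0.0.0/0", "PortA"),          # default route toward the ISP gateway
    ("192.168.1.0/24", "PortB"),     # LAN
    ("10.81.234.0/25", "tun0"),      # dynamic half of the SSL VPN pool
    ("10.81.234.128/26", "tun0"),    # more dynamic addresses
]


def egress_interface(dst, routes):
    """Longest-prefix match: return the interface a packet to dst would leave on."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def audit_vpn_pool(pool, routes, vpn_iface_prefix="tun"):
    """Map every pool address whose route does not use a tun interface to that interface."""
    misrouted = {}
    for host in pool.hosts():
        iface = egress_interface(host, routes)
        if not (iface or "").startswith(vpn_iface_prefix):
            misrouted[str(host)] = iface
    return misrouted


if __name__ == "__main__":
    bad = audit_vpn_pool(SSLVPN_POOL, ROUTES)
    print(f"{len(bad)} pool addresses would leave via a non-tun interface")
    for ip, iface in list(bad.items())[:3]:
        kind = "static range" if ipaddress.ip_address(ip) in STATIC_RANGE else "dynamic"
        print(f"  {ip} -> {iface}  ({kind})")
```

On a real firewall the ROUTES list would be replaced by the device's actual routing table, and any entry the audit flags inside the reserved static range confirms the misroute before a client even connects.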
