
Client Authentication Agent

Hi

Sophos XG 105 with latest firmware.

We do remote support to customers via vpn.


I have my laptop connected to the LAN with the CAA connected. I can see the internet.

I then connect a vpn to a customer and open an RDP session to a machine.

About 10 seconds later the CAA disconnects the RDP session and disconnects me from the internet. The VPN connection is still connected but I can't get to it.


Is there a setting somewhere that will stop this behavior? We need the VPNs to work properly.

Thanks



  • Jon,

    CAA uses a technology called "ping pong", whereby the CAA continuously pings the XG IP (1.2.3.4 on port 9922). Once you get connected on the VPN, all traffic goes through the tunnel, including traffic to 1.2.3.4, and so you are not connected anymore.

    If you are using a split tunnel, where only certain traffic goes through the tunnel, then your traffic to 1.2.3.4 will still go to the XG LAN interface and you keep the CAA connected.

    Most of the time, VPNs are full tunnel (which makes sense, because all traffic goes through the tunnel and this is more secure).

    Regards


  • Hi Luk

    So in other words the sophos firewall is totally useless to me.

    Requirements:

    Monitor users

    use vpn connections


    According to you the two will not work together. That is a major problem.


    What is the solution? Have Sophos not thought of this scenario??

    "Getting more and more frustrated with the Sophos XG firewall"

  • John,

    This is not a bug or an issue. Disabling "use default gateway" on the SSL Remote Access is the key to keeping the CAA running and contacting your XG.

    This is a routing issue and not a product issue.

    Regards

  • Luk

    Not using Sophos SSL VPN. I said at the start the pc is on the lan.

    VPN connections are to other companies from the PC on the LAN.

    "Getting more and more frustrated with the Sophos XG firewall"

  • Jon,

    If the other end is an XG you can ask them to disable "use gateway". If the other end is not an XG you need to ask for a split VPN. This is not an issue with your XG. It is a routing issue, because all traffic is sent through the tunnel (even the famous 1.2.3.4).

    You can try to add a static route on your PC saying: traffic that goes to 1.2.3.4, please send to my XG internal IP.

    Regards
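The host-route workaround Luk describes, written up as an added PowerShell example (not the poster's own script and not Sophos code). It assumes the XG LAN IP 1.2.3.4 and port 9922 quoted in the thread, that the XG is the LAN's default gateway, and that it is run elevated before the customer VPN is connected; because it reads the current default route each time and writes only to the active store, it adapts to whichever network the laptop is on and leaves nothing persistent behind.

```powershell
# Added example, not from the thread: pin a /32 route for the XG LAN IP to the local
# LAN before a third-party full-tunnel VPN comes up, so the CAA "ping pong" to port
# 9922 keeps leaving via the XG instead of disappearing into the tunnel.
# Assumptions: XG LAN IP 1.2.3.4 and port 9922 as quoted in the thread; the XG is the
# LAN default gateway; run from an elevated PowerShell BEFORE connecting the VPN.
param(
    [string]$XgIp    = '1.2.3.4',   # XG LAN IP the CAA polls (value used in the thread)
    [int]   $CaaPort = 9922         # CAA ping-pong port named in the thread
)

# Learn the current LAN default route while the VPN is still down. This is re-evaluated
# on every run, so the route follows whichever LAN the laptop is plugged into.
$lan = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
       Sort-Object RouteMetric, InterfaceMetric | Select-Object -First 1
if (-not $lan) { throw 'No IPv4 default route found; connect to the LAN first.' }

$prefix = "$XgIp/32"
# Reuse an existing host route rather than creating a duplicate.
$existing = Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue
if (-not $existing) {
    # ActiveStore only: the route lives in the running table and is gone after a
    # reboot, so nothing stale is carried to the next customer site or hotel network.
    New-NetRoute -DestinationPrefix $prefix -InterfaceIndex $lan.InterfaceIndex `
                 -NextHop $lan.NextHop -RouteMetric 1 -PolicyStore ActiveStore | Out-Null
    Write-Host "Added $prefix via $($lan.NextHop) on interface $($lan.InterfaceIndex)"
}

# Verify the path the CAA will actually use: which route wins for the XG IP, and
# whether the ping-pong port answers. Re-run this after the VPN is up; a /32 beats the
# 0.0.0.0/1 + 128.0.0.0/1 pair that most full-tunnel clients install.
$route = Find-NetRoute -RemoteIPAddress $XgIp | Where-Object { $_.DestinationPrefix }
Write-Host "XG IP routed via prefix $($route.DestinationPrefix) on ifIndex $($route.InterfaceIndex)"
if (Test-NetConnection -ComputerName $XgIp -Port $CaaPort -InformationLevel Quiet) {
    Write-Host "CAA port $CaaPort on $XgIp is reachable"
} else {
    Write-Warning "CAA port $CaaPort on $XgIp NOT reachable; the VPN client may enforce its own routes"
}
```

Some VPN clients re-apply their own routing table after connecting and remove host routes like this one; if the check fails after the tunnel is up, the split-tunnel request Luk describes is the remaining option.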

  • Hi Luk

    Would Clientless work?

    Can't add the route on my laptop; I use lots of different places for internet.

    I understand what you are saying about routing, but surely I am not the first person to have this issue.

    "Getting more and more frustrated with the Sophos XG firewall"

  • Jon,

    The only way to get CAA working is to create a route on your computer.

    You can use Clientless, but take note that the Username must be created on the XG (you cannot use external Authentication integration like CAA) and Clientless binds Username to IP.

    Regards