
Sophos Firewall: SSL VPN "IPv4 lease range" changes OR global settings update gives error "You must enter a network IP address." in SFOS v19.

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This Recommended Read reviews recent changes made in SFOS v19 related to SSL VPN IPv4.

What is the change in SFOS v19 related to the SSL VPN IPv4 lease?

SFOS v19 increases the number of supported concurrent SSL VPN tunnels by 4-5x.

As a result, the configuration of the SSL VPN IPv4 lease range changes: SFOS v19 uses a single IP subnet value, whereas earlier versions used an IP range together with a subnet mask.

Migration converts the IP range and subnet configuration from older versions into a subnet value in v19.

SSL VPN global configuration:

After migration, the admin has to update the IP lease range once, from an IP address to a network address (subnet), to avoid errors such as "You must enter a network IP address." when updating the global settings.

Does the change impact me? What issue may I face? 

On upgrading to SFOS v19, some users may notice that SSL VPN connects but resources aren't accessible over SSL VPN. This happens when both of the following conditions hold:

  • You were using SSL VPN before v19, and
  • You allowed access for SSL VPN users in the firewall rule using an IP host object with the limited range (the same range as the old SSL VPN global settings).

Because v19 widens the limited IPv4 lease range to the full subnet, users who are leased addresses outside the old limited range are blocked by the firewall rules from accessing the resources.

How do we resolve this issue? 

Update the IP host object of limited range to include the new IP range (subnet). 

Alternatively, you can use the system host ##ALL_SSLVPN_RW, which is available for the SSL VPN IPv4 lease and always covers the current lease subnet.
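As an added example (not Sophos code), the following Python script mirrors the checks an admin otherwise does by hand after the v19 migration: whether a lease value is a valid network address (the condition behind the "You must enter a network IP address." error), which subnet a legacy range-plus-mask lease should become, and how many leased addresses a firewall host object that still holds the old limited range would block. The lease values 10.81.234.20/24 and 10.81.234.0/24 appear in the thread; the range end 10.81.234.60 and the rule bounds are constructed, and the range-to-subnet conversion is a constructed check rather than the firewall's own migration logic.

```python
import ipaddress
from typing import Tuple

# Error text SFOS v19 shows when the lease value is not a network address.
ERROR_MSG = "You must enter a network IP address."


def check_lease_subnet(value: str) -> Tuple[bool, str, str]:
    """Check a v19 SSL VPN IPv4 lease value written as CIDR.

    v19 stores the lease as a subnet, so the address part must be the network
    address (all host bits zero). Returns (ok, value_to_use, message).
    """
    try:
        net = ipaddress.ip_network(value, strict=True)   # raises if host bits are set
    except ValueError:
        net = ipaddress.ip_network(value, strict=False)  # same prefix, host bits cleared
        return False, net.with_prefixlen, f"{ERROR_MSG} Use {net.with_prefixlen}."
    return True, net.with_prefixlen, "ok"


def legacy_range_to_subnet(start: str, end: str, netmask: str) -> str:
    """Return the CIDR subnet a pre-v19 'IP range + subnet mask' lease should
    become: apply the old mask to the range start and clear the host bits.
    Constructed check, not the firewall's own migration code."""
    net = ipaddress.ip_network(f"{start}/{netmask}", strict=False)
    if ipaddress.ip_address(end) not in net:
        raise ValueError(f"range end {end} lies outside {net.with_prefixlen}")
    return net.with_prefixlen


def addresses_blocked_by_rule(lease_subnet: str, rule_start: str, rule_end: str) -> int:
    """Count leased addresses a firewall rule would drop if its source host
    object still holds the old limited range instead of the full v19 subnet.
    Network and broadcast addresses are skipped; they are never leased."""
    net = ipaddress.ip_network(lease_subnet, strict=True)
    lo, hi = ipaddress.ip_address(rule_start), ipaddress.ip_address(rule_end)
    return sum(1 for addr in net.hosts() if not lo <= addr <= hi)


if __name__ == "__main__":
    # Sample values: the migrated lease from the thread, plus a constructed
    # pre-v19 range 10.81.234.20-10.81.234.60 reused as the firewall host object.
    print(check_lease_subnet("10.81.234.20/24"))
    print(legacy_range_to_subnet("10.81.234.20", "10.81.234.60", "255.255.255.0"))
    print(addresses_blocked_by_rule("10.81.234.0/24", "10.81.234.20", "10.81.234.60"))
```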

More details on Configure IPsec remote access VPN with Sophos Connect client




Updated links to latest
[edited by: Raphael Alganes at 2:23 PM (GMT -8) on 19 Nov 2024]
  • I had this exact situation - where after the V19 upgrade, there were sporadic issues where Sophos Connect (using SSL VPN) would connect but not route traffic properly. The root cause was definitely due to the client endpoint range being converted IMPROPERLY from a range to a CIDR.

    Definitely ensure that post V19 upgrade you change the SSL VPN IP address pool from a range to a network... CONFIGURE > Remote access VPN, then click the SSL VPN tab, then click the "SSL VPN global settings" link in the upper left. In the "Assign IPv4 addresses" section, be sure the address space is showing in proper CIDR network notation. For me post upgrade, it showed 10.81.234.20/24. I had to change it to 10.81.234.0/24. After which, users needed to manually disconnect/reconnect, and then the problem was completely resolved. Also be sure any firewall rules you have reference the whole network and not a range - that was also a problem for me to correct.

    I think this is something that could have been handled during the upgrade automatically with a user prompt or something.

Children
  • Hi Tony,

    I had a similar issue, but mine was resolved by changing the SSLVPN range on the VPN rule.
    But I am curious about your statement about having to change the last octet from .20 to .0.
    Both addresses in a /24 subnet will result in a .1 through .254 address range with a network address of .0 and broadcast of .255.
    So I don't see how changing that resolved your issue. Did you also change the SSLVPN range on your VPN rule at the same time, and that was possibly the answer?

  • This suggestion worked for me. In our case, our Assign IPv4 addresses were something.something.something.5 /24 and when I changed it to something.something.something.0 /24 I was able to get past that incessant "You must enter a network IP address" error.

    Thank you!

    This really should be fixed so that the error message is more meaningful.