
Sophos Firewall: SSL VPN "IPv4 lease range" changes OR global settings update gives error "You must enter a network IP address." in SFOS v19.

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This Recommended Read reviews recent changes made in SFOS v19 related to SSL VPN IPv4.

What is the change in SFOS v19 related to the SSL VPN IPv4 lease? 

SFOS v19 increases the number of supported concurrent SSL VPN tunnels by 4-5x.

As a result, the configuration of the SSL VPN IPv4 lease range changes: SFOS v19 takes a single IP subnet value, whereas earlier versions took an IP range plus a subnet mask.

Migration converts the IP range and subnet configuration from older versions into a subnet value in v19.

SSLVPN Global config:

After migration, the admin must update the IP lease range once, from an IP address to a network (subnet) address, to avoid errors like "You must enter a network IP address." when saving the global settings.

Does the change impact me? What issue may I face? 

On upgrading to SFOS v19, some users may notice that SSL VPN connects but resources aren't accessible over SSL VPN under the following conditions:

  • You were using SSL VPN before v19, and
  • Your firewall rule allows SSL VPN users via an IP host object of limited range (matching the pre-v19 SSL VPN global settings).

Because v19 changes the limited IPv4 lease range to the larger subnet, users leased IP addresses outside the limited range are blocked by the firewall rules from accessing the resources.

How do we resolve this issue? 

Update the limited-range IP host object to include the new IP range (the whole subnet).

Alternatively, use the system host ##ALL_SSLVPN_RW, which is available for the SSL VPN IPv4 lease.
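As an added illustration (not code from the article or from Sophos), the following Python models the three points above: the migration of a pre-v19 range-plus-mask lease into a subnet, the network-address check behind the "You must enter a network IP address." error, and how a firewall rule that still references the old limited range leaves part of the new subnet unmatched. The 10.81.234.20/24 value is taken from the comments below; the .20 to .40 range is a constructed assumption.

```python
import ipaddress

# Error text shown by the SSL VPN global settings page (quoted from the article above).
NETWORK_IP_ERROR = "You must enter a network IP address."


def is_network_address(cidr: str) -> bool:
    """True only when the host bits are zero (10.81.234.0/24); 10.81.234.20/24 is rejected."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


def validate_lease_subnet(cidr: str) -> str:
    """Model of the v19 save check: return the value if it is a network address, else the error."""
    return cidr if is_network_address(cidr) else NETWORK_IP_ERROR


def normalise_lease_subnet(cidr: str) -> str:
    """The value the admin should enter instead, e.g. 10.81.234.20/24 -> 10.81.234.0/24."""
    return str(ipaddress.ip_network(cidr, strict=False))


def migrate_lease_range(start: str, end: str, netmask: str) -> str:
    """Model of the upgrade migration: pre-v19 'IP range + subnet mask' becomes the whole subnet."""
    net = ipaddress.ip_network(f"{start}/{netmask}", strict=False)
    if ipaddress.ip_address(end) not in net:
        raise ValueError(f"range end {end} lies outside {net}")
    return str(net)


def uncovered_lease_addresses(rule_start: str, rule_end: str, lease_subnet: str) -> int:
    """Usable addresses in the v19 lease subnet that a legacy limited-range IP host object in a
    firewall rule does not cover; a client leased one of these connects but matches no rule."""
    lo, hi = ipaddress.ip_address(rule_start), ipaddress.ip_address(rule_end)
    net = ipaddress.ip_network(lease_subnet, strict=True)
    return sum(1 for host in net.hosts() if not lo <= host <= hi)


if __name__ == "__main__":
    # Constructed walkthrough: the .20/24 value is from the comments; the .20-.40 range is made up.
    migrated = migrate_lease_range("10.81.234.20", "10.81.234.40", "255.255.255.0")
    print("migrated lease subnet:", migrated)
    print("saving 10.81.234.20/24 gives:", validate_lease_subnet("10.81.234.20/24"))
    print("enter instead:", normalise_lease_subnet("10.81.234.20/24"))
    print("addresses the old rule misses:",
          uncovered_lease_addresses("10.81.234.20", "10.81.234.40", migrated))
```

Running it shows that the old 21-address rule leaves 233 of the 254 usable addresses in the migrated /24 unmatched, which is exactly the "connected but no access" symptom the article describes.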

More details: Configure IPsec remote access VPN with Sophos Connect client


[edited by: Erick Jan at 10:04 AM (GMT -7) on 27 Sep 2023: revamped RR, added Overview and horizontal lines, updated links, corrected grammar]
  • I had this exact situation - where after the V19 upgrade, there were sporadic issues where Sophos Connect (using SSL VPN) would connect but not route traffic properly. The root cause was definitely due to the client endpoint range being converted IMPROPERLY from a range to a CIDR.

    Definitely ensure that post V19 upgrade you change the SSL VPN ip address pool from a range to a network... CONFIGURE > Remote access VPN, then click the SSL VPN tab, then click the "SSL VPN global settings" link in the upper left. In the "Assign IPv4 addresses" section, be sure the address space is showing in proper CIDR network notation. For me post upgrade, it showed 10.81.234.20/24. I had to change it to 10.81.234.0/24. After which, users needed to manually disconnect/reconnect, and then the problem was completely resolved. Also be sure any firewall rules you have reference the whole network and not a range - that was also a problem for me to correct.

    I think this is something that could have been handled during the upgrade automatically with a user prompt or something.

  • Hi Gurtej,

    We tried this internally and it's working fine. We tried it in a multi-instance setup, and the following is working, regardless of which instance the user lands on:

    a. DNS IP used was tun0 interface IP 

    b. DNS IP used was tun1 interface IP 

    c. DNS IP used was LAN interface IP 

    Please check "drop pkt", local ACL, and permitted network settings.

    In case it's still failing, please raise a support case.

    -Alok

  • Hi Tony,

    I had a similar issue, but mine was resolved by changing the SSLVPN range on the VPN rule.
    But I am curious about your statement about having to change the last octet from .20 to .0
    Both addresses in a /24 subnet will result in a .1 thru .254 address range with a network address of .0 and broadcast of .255
    So I don't see how changing that resolved your issue.  Did you also change the SSLVPN range on your VPN rule at the same time and that was possibly the answer?

  • But in my case the "System Host" shows Address Details as NA and it doesn't allow editing it either. So is there another way of editing these records?

  • Hi Mayuresh, system hosts are non-editable. But when you update the IP lease range on the SSLVPN global configuration page, it will be automatically updated to accommodate the same.

  • It didn't allow us to save any changes to the IP or the lease. Never mind, I got up with support and the agent enabled remote support and changed something in the background to resolve this.

  • When you update the IP lease range it will automatically update the system host value internally; there is no need to manually update system hosts.

  • Thanks for the update.

  • I agree and understand, however, I showcased this to support team too that if I try changing the value for "Assign IPv4 address" and then click save, it used to throw the error "You must enter a network IP address". Only once the support team made changes from the backend were we able to save the changes.

  • This suggestion worked for me. In our case, our Assign IPv4 addresses were something.something.something.5 /24 and when I changed it to something.something.something.0 /24 I was able to get past that incessant "You must enter a network IP address" error.

    Thank you!

    This really should be fixed so that the error message is more meaningful.