SFOS v19 improves the supported number of concurrent SSLVPN tunnels by 4-5x.
As a result, there is a change in the configuration of the SSLVPN IPv4 lease range. SFOS v19 uses an IP subnet value, whereas earlier versions used an IP range and subnet.
Migration will convert the IP range and subnet config from old versions to subnet value in v19.
SSLVPN Global config:
On upgrading to SFOS v19, some users may notice that SSL VPN connects but resources are not accessible over SSLVPN, under the following condition:
As v19 changes the limited IPv4 lease range to the larger subnet, users who get IP addresses outside the limited range will be restricted by the firewall rule from accessing the resources.
Update the IP host object of the limited range to also include the new IP range (subnet).
Alternatively, you can start using the system host ##ALL_SSLVPN_RW, which is available for the SSLVPN IPv4 lease.
More details on How to configure remote access SSL VPN with Sophos Connect client.
Yes, it's getting updated as we speak.
How can changing the DHCP scope from range to mask only improve SSL VPN performance?
Alok said: Migration will convert the IP range and subnet config from old versions to subnet value in v19.
You write that it will migrate based on range AND subnet.
What will happen to a v18 DHCP server with, let's say, 192.168.1.5-192.168.1.10, mask 255.255.255.224 (/27)?
It could be 192.168.1.0/28.
Why is this not mentioned in the release notes? https://docs.sophos.com/releasenotes/index.html?productGroupID=nsg&productID=xg&versionID=19.0
It's not mentioned that the range has been removed. It is only written that something has been added.
Prior to v19 we also used to take the subnet mask as input along with the IP lease range, and that mask will be used during migration. We are not going to convert the range into a subnet during migration.
Thank you for that extra screenshot. Do you think it would be helpful to add this to the release notes?
Why is it that /24 is the smallest network that this supports now? I actually need to ensure that my clients do not exceed the /27 on assignment, as they are accessing a network that restricts us to that /27.
Just to provide more context around why we brought these changes in: from v19, to improve scale and performance, we have made SSLVPN multi-instance, up to 8 instances depending on the number of CPUs. With these changes each instance will create a "tun" interface and will require an individual subnet to handle traffic distribution and routing internally. To avoid user input complexity we slice the subnet internally from the configured IP value.
In case you have 192.168.0.0/27 configured in v18.5 and it migrates to the 8-instance config in v19, it won't have many usable hosts, as below:
Hope this helps.
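To make the slicing arithmetic above concrete, here is an added example of my own (not Sophos code, not anything from the SFOS migration) that models it with Python's ipaddress module. It splits one configured lease subnet into equal per-instance sub-subnets, counts what is left for clients, and then shows why a firewall rule that still references the old v18-style range object drops clients that land in a slice outside that range while a rule on the whole subnet (the ##ALL_SSLVPN_RW approach) would admit them. Everything about how the slices are laid out and what each slice reserves (network, broadcast, one server-side tun address, as OpenVPN's topology subnet does) is my assumption, not something stated on the page; the v18 config 192.168.1.5-192.168.1.10 with mask /27 is a constructed input, and mapping it onto 192.168.1.0/27 is likewise assumed.

```python
"""Added example, not Sophos code: model how SFOS v19 slices one SSL VPN
IPv4 lease subnet across several server instances, and why a firewall rule
that still references the old, narrower lease range drops clients that land
in a slice outside that range.

Assumptions (not stated on the page): slices are equal-sized, one per
instance, taken in address order; each slice loses its network address,
its broadcast address and one server-side tun address, as in OpenVPN
'topology subnet'. The resulting counts are illustrative only.
"""
import ipaddress
from typing import List

# Per-slice addresses never leased to a client (assumption, see above):
# network, broadcast, and the instance's own tun address.
RESERVED_PER_SLICE = 3


def slice_pool(cidr: str, instances: int) -> List[ipaddress.IPv4Network]:
    """Split the configured lease subnet into one equal sub-subnet per instance."""
    pool = ipaddress.ip_network(cidr, strict=False)
    extra_bits = (instances - 1).bit_length()      # 8 instances -> 3 extra prefix bits
    if extra_bits == 0:
        return [pool]
    if pool.prefixlen + extra_bits > 30:           # a slice needs at least a /30 to lease anything
        raise ValueError(f"{pool} is too small to slice into {instances} usable subnets")
    return list(pool.subnets(prefixlen_diff=extra_bits))[:instances]


def client_addresses(slice_: ipaddress.IPv4Network) -> List[ipaddress.IPv4Address]:
    """Addresses one instance can lease: hosts() already drops network and
    broadcast, and the first host is the instance's own tun address."""
    return list(slice_.hosts())[1:]


def usable_clients(cidr: str, instances: int) -> int:
    """Client addresses left in the whole pool after per-slice reservations."""
    return sum(len(client_addresses(s)) for s in slice_pool(cidr, instances))


def in_old_range(ip, start, end) -> bool:
    """Membership test for a v18-style 'start - end' lease range, i.e. what a
    legacy IP host object built from that range still matches."""
    return ipaddress.ip_address(start) <= ipaddress.ip_address(ip) <= ipaddress.ip_address(end)


def clients_blocked_by_old_rule(cidr: str, instances: int, start: str, end: str) -> List[str]:
    """Leasable v19 addresses that a rule keyed on the old range object would drop.
    Every one of them is still inside the configured subnet, so a rule keyed on
    the whole subnet (the ##ALL_SSLVPN_RW approach) would admit them."""
    pool = ipaddress.ip_network(cidr, strict=False)
    blocked = []
    for s in slice_pool(cidr, instances):
        for addr in client_addresses(s):
            assert addr in pool                    # slicing never leaves the configured subnet
            if not in_old_range(addr, start, end):
                blocked.append(str(addr))
    return blocked


if __name__ == "__main__":
    for cidr in ("192.168.0.0/27", "192.168.0.0/24"):
        print(f"{cidr}: {usable_clients(cidr, 1)} clients as one pool, "
              f"{usable_clients(cidr, 8)} clients sliced across 8 instances")
    # Constructed v18 config: range 192.168.1.5-192.168.1.10 with mask /27
    # (assumed to migrate to the /27 containing the range start).
    print("dropped by a rule on the old range object:",
          clients_blocked_by_old_rule("192.168.1.0/27", 8, "192.168.1.5", "192.168.1.10"))
```

Under these assumptions a /27 that gave 29 client addresses as a single pool gives 8 slices of /30 with one client each, and six of those eight leasable addresses fall outside a 192.168.1.5-192.168.1.10 range object; a /24 still loses 3 addresses per slice but keeps 232 of 253. Whether the real SFOS layout reserves exactly these addresses is something to verify against your own lease table after the upgrade; the point of the model is that per-slice overhead, not the total, is what makes small subnets unusable, and that the firewall-rule symptom comes from the slices, not from the count.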
So in this scenario you'll lose up to 50% of the available IPs, and when you count them in the DHCP leases on XG, you'll find yourself with 16 IPs leased while you configured a range with 32 IPs.
Sounds like a nightmare to debug.
Where is that doc change you were mentioning above? I could not find it in the interactive release notes today.
We are talking about the "smallest" network. If you are concerned about the range, you can pump this value up to higher values with no problem. And DHCP does not work like that in SSLVPN. Essentially SSLVPN works with pools, as you can see here, not with DHCP lease ranges. See the documentation of OpenVPN.
After updating to version 19, VPN users are not able to resolve internal host names. Do we need to make any configuration changes?
I know the workaround is updating the DNS server under the global VPN settings to our on-site DNS server, but before upgrading to version 19 the DNS server for VPN users was the IP of the SSL VPN server, and it stopped resolving hostnames after the update.
Can you check in the CLI by running "ifconfig" whether the SSLVPN server IP is used on the tun interface or not? And which IP was used for the SSLVPN server in your setup?