
VPN, telephony and other services no longer working

Hello,

Following a reboot of our servers, we are no longer able to access several internal and external services (VPN, telephony, User Portal).

I am neither a network expert nor an advanced user of Sophos solutions, but I will gladly provide you with more information if needed.

We have been using Sophos UTM 9 for several years without any problems. However, all of a sudden, here is what I see and can already pass on as information:

  • The User Portal site is no longer accessible externally, but is accessible from the internal network
  • The VPN connection does not work externally anymore, but works from the internal network
  • We can receive calls, but we can't hear the caller and he can't hear us.
  • We have access to the Internet from the internal network, but we can no longer connect or configure certain applications (impossible to connect to the telephony application / impossible to configure certain services, for example, the configuration of an email service on certain workstations, whereas when connected to another network it works).
  • No modification of the firewall has been done in the last months. We are updating it, but the configuration has remained the same.

I have tried to restart Sophos UTM several times with no results. The first few minutes everything works normally, then the telephony does not work anymore and the User Portal is inaccessible again. In the past, we have used the infrastructure several times without any problems.

All these problems are very sudden. I am aware that it is difficult for you to help me with this information, but I will gladly provide you with additional information if needed.

I think the reasons could be many things but I can't find any particular error in the UTM logs to help me correct the situation. If you have an idea of a problem that could make us suddenly face these issues I would be very grateful.

At your disposal,
Thanks in advance

FYI > VPN Client log :

  • Are you sure this isn't some DNS issue?  Everything internally is accessible, but not external.  Have you tried to reach the User Portal via IP address, or your VPN connection via IP instead of DNS name?

    XG 19.5 GA 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | GB Ethernet x5

  • Thank you for your question. Yes, the User Portal is not accessible even by the IP directly.

  • What is your UTM version currently?


  • Might be a silly question, did you check to see if the User Portal was disabled?  Under Management section.  Is this a UTM hardware appliance, or software on your own device?


  • Yes, the User Portal is enabled and the UTM solution is installed on a server.

  • We have access to the Internet from the internal network, but we can no longer connect or configure certain applications (impossible to connect to the telephony application / impossible to configure certain services, for example, the configuration of an email service on certain workstations, whereas when connected to another network it works).

    Are these services all internally hosted, or externally? Are they accessed via WAF?

    Did you check your Firewall log to see if anything is being denied?


  • Hi

    A couple of possibilities:

    1. Has your license expired? Features stop working if you are not licensed.
    2. If you have the Sophos UTM installed as a VM, have you checked your Virtual Switch, etc.?

  • Services are all hosted externally and I guess it goes through the firewall.

    From web admin, I can find many log files, but the firewall log file seems to log the transient data (~2 GB). By denied access log file, do you mean the IPS log file?

    The IPS is logging some info logs with flood data, example below:

    2023:03:15-13:26:34 vpn ulogd[4948]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="10:5a:f7:4e:02:23" dstmac="00:0c:29:b1:1c:33" srcip="108.138.189.123" dstip="[DMZ PUBLIC IP]" proto="17" length="1480" tos="0x08" prec="0x20" ttl="247" srcport="443" dstport="54682"
    2023:03:15-13:26:34 vpn ulogd[4948]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="10:5a:f7:4e:02:23" dstmac="00:0c:29:b1:1c:33" srcip="108.138.189.123" dstip="[DMZ PUBLIC IP]" proto="17" length="1480" tos="0x08" prec="0x20" ttl="247" srcport="443" dstport="54682"
    2023:03:15-13:26:34 vpn ulogd[4948]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="10:5a:f7:4e:02:23" dstmac="00:0c:29:b1:1c:33" srcip="108.138.189.123" dstip="[DMZ PUBLIC IP]" proto="17" length="1480" tos="0x08" prec="0x20" ttl="247" srcport="443" dstport="54682"
    2023:03:15-13:26:34 vpn ulogd[4948]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="10:5a:f7:4e:02:23" dstmac="00:0c:29:b1:1c:33" srcip="108.138.189.123" dstip="[DMZ PUBLIC IP]" proto="17" length="1480" tos


    Thanks for your help
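
Added example (not part of any post in this thread): a small Python parser for the key="value" IPS log format quoted above, which counts flood entries per source IP, source port and protocol so that repeated lines collapse into one summary row. The sample lines are constructed from the ones in the post, and the function names `parse_line` and `summarize_floods` are hypothetical.

```python
import re
from collections import Counter

# "YYYY:MM:DD-HH:MM:SS host process[pid]: " precedes the key="value" pairs.
HEADER = re.compile(r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (\S+) (\w+)\[(\d+)\]: ')
PAIR = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it has no header."""
    line = line.strip()
    m = HEADER.match(line)
    if not m:
        return None
    # Only complete key="value" pairs match, so a cut-off trailing key is skipped.
    fields = dict(PAIR.findall(line[m.end():]))
    fields["timestamp"], fields["host"] = m.group(1), m.group(2)
    return fields

def summarize_floods(lines):
    """Count IPS flood entries per (name, srcip, srcport, proto)."""
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if not f or f.get("sub") != "ips" or "flood" not in f.get("name", "").lower():
            continue
        key = (f["name"], f.get("srcip", "?"), f.get("srcport", "?"), f.get("proto", "?"))
        counts[key] += 1
    return counts

# Constructed sample: shortened copies of the IPS lines in the post, one truncated
# line, one constructed packet-filter line (203.0.113.7 is a documentation address)
# and one line that is not a log entry.
_IPS = ('2023:03:15-13:26:34 vpn ulogd[4948]: id="2105" severity="info" sys="SecureNet" '
        'sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" '
        'srcip="108.138.189.123" dstip="[DMZ PUBLIC IP]" proto="17" length="1480"')
SAMPLE = [
    _IPS + ' srcport="443" dstport="54682"',
    _IPS + ' srcport="443" dstport="54682"',
    _IPS + ' tos',  # truncated, like the last line in the post
    '2023:03:15-13:26:35 vpn ulogd[4948]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" srcip="203.0.113.7" proto="17"',
    'not a log line',
]

if __name__ == "__main__":
    for key, n in summarize_floods(SAMPLE).most_common():
        print(n, *key)
```

Fields missing from a truncated line are reported as `?`, so cut-off entries stay visible in the summary instead of being merged with complete ones.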

  • Hello,

    Thanks for your question,


    Licence is active and Sophos UTM is installed as a VM. What do you mean by checking my virtual switch?