
SSL-VPN + using Hostname for SSLVPN Routes = clients disconnecting every few minutes.

Hi there

I am wanting to force certain traffic for FQDNs to go over the SSLVPN, and the rest of it can go out a client's 0.0.0.0/0 route to the internet.

The endpoint I want to route for is an AWS CLI IP address at eu-west-1.queue.amazonaws.com. This is the endpoint for the AWS CLI.

I am able to do so successfully by setting up a Hostname in the Local Networks section of the SSLVPN Profile.

However, the issue is, once that Hostname subnet is set up in the SSLVPN profile, every couple of minutes it disconnects VPN users. I assume this is because the Sophos is doing a DNS lookup and then trying to push out the new IP of the Hostname to the SSLVPN clients.

So technically I am able to route traffic over the SSLVPN using the eu-west-1.queue.amazonaws.com endpoint, but because I am using an FQDN and not an IP address, every few minutes it disconnects users.

If I remove the Hostname/FQDN from the Local Networks of the SSLVPN profile, users connect and remain connected as per normal.

Is there a way to stop this behaviour so that I am able to route traffic to eu-west-1.queue.amazonaws.com across the SSLVPN, and keep allowing the Sophos to resolve the FQDN as they do change often (and not kick clients off)?

Thanks

I haven't seen this before, so thanks for bringing it to everyone's attention. In this case, I don't see anything other than sending all traffic for 52.92.0.0/14 through the tunnel. Maybe you would want to just limit to the specific eu-west-1 AWS subnets:

52.92.40.0/21, 52.93.0.0/24, 52.93.112.34/32, 52.93.112.35/32, 52.93.16.0/24, 52.93.17.16/32, 52.93.17.17/32, 52.93.18.178/32, 52.93.18.179/32, 52.93.2.0/24, 52.93.21.14/32, 52.93.21.15/32, 52.94.196.0/24, 52.94.216.0/21, 52.94.24.0/23, 52.94.248.16/28, 52.94.26.0/23, 52.94.5.0/24, 52.95.104.0/22, 52.95.112.0/20, 52.95.244.0/24, 52.95.255.64/28, 52.95.60.0/24, 52.95.61.0/24

You can get the specific IP ranges for each AWS region from a download at https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html. The date of the above is April 24, so you might check for changes whenever you get a disconnection complaint.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005
MediaSoft, Inc. USA
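Bob's approach replaces the churning Hostname entry with a static list of region prefixes, which then has to be re-checked against the published ip-ranges.json whenever AWS changes it. The script below is an added example (not Bob's, not Sophos's and not an AWS tool) that does that bookkeeping offline: it filters a snapshot of the file down to one region, collapses adjacent or nested blocks into the shortest list to type into Local Networks, diffs two snapshots to show what was added or removed, and checks whether a given address (for instance one that eu-west-1.queue.amazonaws.com resolved to) falls inside the list. The two snapshots are constructed for the demo and only follow the published file's field names (`ip_prefix`, `region`, `service`); the prefixes and dates in them are not a real download.

```python
"""Turn an AWS ip-ranges.json snapshot into a static split-tunnel list for
one region, diff two snapshots, and check that a resolved address is covered."""
import ipaddress
import json

# Constructed samples in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
# (the published file uses the keys ip_prefix / region / service; the prefixes
# and dates below are made up for this demo, not a real download).
OLD_SNAPSHOT = json.dumps({
    "syncToken": "1000000000",
    "createDate": "2019-04-24-00-00-00",
    "prefixes": [
        {"ip_prefix": "52.92.40.0/21",   "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "52.93.0.0/24",    "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "52.93.1.0/24",    "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "52.93.112.34/32", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "52.93.112.35/32", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "52.94.24.0/23",   "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "3.5.140.0/22",    "region": "eu-west-2", "service": "AMAZON"},
    ],
})
NEW_SNAPSHOT = json.dumps({
    "syncToken": "1000000001",
    "createDate": "2019-05-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "52.92.40.0/21",   "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "52.93.0.0/24",    "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "52.93.112.34/32", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "52.93.112.35/32", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "52.95.104.0/22",  "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "52.94.24.0/23",   "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "3.5.140.0/22",    "region": "eu-west-2", "service": "AMAZON"},
    ],
})


def region_entries(snapshot_json, region, services=("AMAZON",)):
    """Set of raw ip_prefix strings published for a region.

    Defaults to the AMAZON service, which AWS documents as the overall range
    that the service-specific entries (EC2, S3, ...) overlap; pass
    services=None to keep every service's entries."""
    doc = json.loads(snapshot_json)
    return {
        p["ip_prefix"]
        for p in doc["prefixes"]
        if p["region"] == region and (services is None or p["service"] in services)
    }


def split_tunnel_list(entries):
    """Collapse raw entries into the shortest equivalent list of networks.

    collapse_addresses merges adjacent blocks and drops anything already
    inside a larger block, so the Local Networks list stays short."""
    nets = [ipaddress.ip_network(e) for e in entries]
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]


def diff_entries(old_entries, new_entries):
    """(added, removed) raw prefixes between two snapshots."""
    return sorted(new_entries - old_entries), sorted(old_entries - new_entries)


def is_covered(ip, tunnel_list):
    """True if an address (e.g. one the endpoint FQDN resolved to) falls
    inside the static list, i.e. would be sent through the tunnel."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in tunnel_list)


if __name__ == "__main__":
    old = region_entries(OLD_SNAPSHOT, "eu-west-1")
    new = region_entries(NEW_SNAPSHOT, "eu-west-1")
    print("Local Networks entries:", ", ".join(split_tunnel_list(new)))
    added, removed = diff_entries(old, new)
    print("since last snapshot: added", added, "removed", removed)
    # 52.95.105.9 stands in for an address the FQDN resolved to (constructed)
    print("covered:", is_covered("52.95.105.9", split_tunnel_list(new)))
```

With a real download, load the file's text in place of the constructed strings; keeping the previous snapshot on disk and running `diff_entries` before each change is what turns "check for changes whenever you get a disconnection complaint" into a routine check. The collapse step matters on the firewall side: the two /32 entries become one /31 and the two adjacent /24s one /23, so the static list has fewer objects to maintain while covering exactly the same addresses.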