
SSL VPN, nslookup ok, but no ping

[SOLVED, but currently for admin user only!]

Hi there,

I switched to Astaro SSL VPN and now have a huge problem:

ping IP works.
ping hostname or FQDN does NOT work
nslookup works.

VPN push of internal DNS servers works just fine. They also answer nslookup, but ping says "host name not found".

Same behavior for internal and external domains like google.com.
But sometimes it works just fine!

The VPN connection is at the top of the connection list. Flushdns helps _sometimes_.

I have tried to deactivate NetBIOS in adapter settings and it works now, but after "sleep" not anymore.

This drives me crazy, is there any "ready for use" solution? Or does nobody use this buggy feature of astaro?

Similar thread: https://community.sophos.com/products/unified-threat-management/astaroorg/f/58/t/55090
An old thread with the same problem: https://community.sophos.com/products/unified-threat-management/astaroorg/f/58/t/53075


This thread was automatically locked due to age.
  • Update 15.08.2017

    SOLUTION 1

    Edit the client OpenVPN config file and add / change these settings:

    route-delay 2

    register-dns

    With the assistance of Sophos Support it's possible to modify the UTM config to include these settings in setup.exe ....

     

    SOLUTION 2

    I did a deeper dive into this problem, because we had lots of clients running Windows 7 showing this issue. If you check with Wireshark you will see that the DNS requests are routed to the WLAN / LAN DNS server, not the SSL VPN adapter DNS server. Restarting the DNS Client (dnscache) service after establishing the VPN connection fixes the problem. It's horrible and the root cause of the problem is not clear.

    A usable fix should be this:

    Assign the users rights to the service "dnscache" using a domain GPO.

    Computer / Policies / Windows Settings / Security Settings  / System Settings / DNS Client / Define -> Automatic
    Add the user or group and allow the Start, Stop and Pause right.

    Navigate to the SSL config folder:

    C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config

    If your config file looks like:

    ralf@194.194.194.194.ovpn, create a text file with the name ralf@194.194.194.194_up.bat containing this code:

    start /min cmd.exe /c "C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config\dnscache.cmd"
    exit

    In the same folder, create a text file with the name dnscache.cmd containing this content:

    echo ---------------------------- > c:\windows\temp\openvpn.txt 2>&1
    date /t >> c:\windows\temp\openvpn.txt 2>&1
    time /t >> c:\windows\temp\openvpn.txt 2>&1
    net stop dnscache >> c:\windows\temp\openvpn.txt 2>&1
    net start dnscache >> c:\windows\temp\openvpn.txt 2>&1

    After establishing a new VPN connection the service dnscache will automatically restart and the name resolution should work.

     

    Ralf Luithle

    Luithle & Luithle IT Services
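
An added example, not part of the original post and not Sophos code: one way to apply the two SOLUTION 1 settings to a client `.ovpn` profile idempotently, without touching the inline certificate or key blocks. The function name `ensure_directives` and the sample profile (host, certificate placeholder) are assumptions made for illustration.

```python
import re

# Directives from SOLUTION 1 above: directive name -> argument ("" = none).
REQUIRED = {"route-delay": "2", "register-dns": ""}
BLOCK_OPEN = re.compile(r"^<([A-Za-z][\w-]*)>$")
# Constructed sample profile; host and certificate body are placeholders.
SAMPLE = """client
remote vpn.example.com 443
route-delay 4
<ca>
-----BEGIN CERTIFICATE-----
(placeholder, not real certificate data)
-----END CERTIFICATE-----
</ca>
"""

def ensure_directives(text, required=REQUIRED):
    """Return (new_text, changes) with each required directive set exactly once."""
    eol = "\r\n" if "\r\n" in text else "\n"
    out, seen, changes, block = [], set(), [], None
    for line in text.splitlines():
        stripped = line.strip()
        if block:                        # inside <ca>/<cert>/<key>: copy verbatim
            if stripped == "</%s>" % block:
                block = None
            out.append(line)
            continue
        opened = BLOCK_OPEN.match(stripped)
        if opened:
            block = opened.group(1)
        name = stripped.split()[0] if stripped else ""
        if name not in required:         # comments (# or ;) and other options pass through
            out.append(line)
            continue
        want = (name + " " + required[name]).strip()
        if name in seen:
            changes.append("dropped duplicate: " + stripped)
            continue
        seen.add(name)
        if stripped != want:
            changes.append("changed: %s -> %s" % (stripped, want))
        out.append(want)
    if block:
        raise ValueError("unterminated inline block <%s>" % block)
    for name in required:                # append whatever the profile lacked
        if name not in seen:
            out.append((name + " " + required[name]).strip())
            changes.append("added: " + name)
    return eol.join(out) + eol, changes
```

Running it a second time on its own output reports no changes, so it can be applied to every profile in the config folder after each reinstall of the client.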

     

  • Can someone confirm, that this issue is fixed now in Sophos UTM? :)

    I'm still happy with Securepoint SSL VPN Client, but it's buggy by QHD screen resolution (

  • My solution was to download and install the SSL VPN client from the Sophos User Portal. After installing it as an administrator I then download and install the latest OpenVPN client over it. It assumes all the settings from the Sophos install and it appears to function much better after the computer wakes up from sleep.
  • This worked for us.
  • Any update on getting this client to work with non-admin users?
  • The main reason it requires admin rights is because you are writing files to C:\Program Files (x86) and anything in that directory requires admin rights.

    What you could do is basically create a GPO that gives users admin rights only to that directory.  I've had to do this with a custom piece of software our development team creates for Dynamics CRM.
  • Hi there,

    is there any new information or some kind of workaround? It would be very nice if you could install the config without admin rights.

    Thanks LittleBird
  • F5 Networks (FirePass) have a nice in-browser solution (Java based as far as I know), not requiring admin rights.
    Does anybody know more solutions for enterprise environment?
    I mean environment, where users do not work with admin privileges.

    I can use Securepoint VPN Client and let users download .zip with keys and .ovpn config, but "download .zip and unpack it into directory" is too much for some of them (((
  • OK... I just wanted to deploy the client to all users via AD and let users download configs from the UTM site and install their personal configs themselves.
    BUT, config install requires admin privileges too.
    So the Sophos solution is completely unusable for me.
    It's a pain.
  • Hi BAlfson,

    I installed the client as admin (TAP device install needs admin), but I need to run the client as a user, because the client is for the notebooks of our road warriors.