
SSL VPN on a UTM SG310 has RDP Issues

We've been dealing with this mystery for several months now and we're no closer to an answer today than we were back in late Feb. 

In Dec 2015, we deployed 2 UTM SG310 in HA mode. We slowly transitioned our separate functions, firewall, webfilter, email scanning, VPN, etc. over to the UTM. Every week or so we would move one service over. Wherever we could, we did soft launches lasting several weeks so we could soak test the UTM's handling of the functionality.

Generally speaking, all was going well, we soak tested the VPN for about a month as we added more and more users to it from our retiring Cisco ASA device. Things were rock solid. Then, when we moved all 50 or so staff to the Sophos UTM SSL VPN, things got bumpy. We heard scattered reports that the VPN would disconnect at random, forcing the user to reconnect and re-login to the RDP session. At first we thought it was their home internet, then we heard more reports from other locations. Wired or wireless. Then, we were able to replicate the results. At random people would lose their VPN tunnel, it would reconnect, reprompt for creds, then allow them to continue.

So, we did what any IT guys like us would do, we Googled it. We found a recommendation on the OpenVPN help guides to change the protocol and port from TCP 443 to UDP 1194. So we did, we updated all of the clients too. The disconnect went away! Victory, right? Wrong. The tunnel now stayed up, but the RDP sessions now randomly disconnected. The amount and frequency of this occurring was and is completely random, some days people have little to no issue and other days it's every few minutes. The "disconnected, retrying x out of 20 times" message appears. Typically they have to wait a few seconds, but it takes them out of their workflow. There are instances where our doctors (did I mention we're a medical practice?) get so upset they just give up using the system for the rest of their clinic (we go to remote sites that require software VPNs).

Things got so bad, we reverted to using the Cisco AnyConnect on the Cisco ASA until we can solve the problem. Our MSP is stumped, and we're stumped too. We've Wiresharked all the things, had Sophos Technical look at our configuration, and are now in the process of swapping out internal switches. I am not convinced it is our Sophos UTM*, I think there is something else going on. My coworker & the MSP are convinced it is the SG310, so we're (temporarily) running the Sophos alongside an equivalent SonicWall in a few days to see if the SonicWall has similar behavior.

I should mention the RDP disconnects occur regardless of what PC or server you're connected to, so I get it when I'm RDP'ing to my desktop and a doctor gets it when he RDPs to a Terminal Server. Doesn't matter time of day or number of users on the system.

Any ideas or suggestions on what the cause of this might be?

*by "not the UTM" I mean that I don't think it is a hardware problem, there might be a misconfiguration that is causing this...but I sure don't see it and neither did Sophos UTM support.



  • No takers on this one?

    Since posting this, I have done some further investigation and found massive amounts of legitimate internal traffic that was being dropped by the Sophos. I have created rules to allow this traffic so long as it is internal sources to internal sources, traffic like RDP, SQL, BOOTPC, NETBIOS, etc. was being dropped. Now that I have done this the amount of RDP disconnects seems to have slowed for some and stopped entirely for others, but there is still some. I don't have a large enough sample yet to determine if it is the UTM still doing that or if it is something else.

    Feedback and input on this issue is appreciated, I'm hopeful this helps me out and perhaps someone else in the future. 
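One way to size the problem the post above describes (legitimate internal-to-internal traffic such as RDP, SQL, BOOTPC and NETBIOS being dropped) is to tally the UTM packet-filter log by destination port before writing allow rules. This is an added example, not code from the thread or from Sophos; it assumes the UTM's packet-filter log lines are `key="value"` pairs as in the constructed sample below, and it treats only RFC 1918 addresses as internal.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the Sophos UTM packet-filter (ulogd) key="value" style.
# Addresses, rule ids and timestamps are invented for illustration only.
SAMPLE_LOG = """\
2016:03:01-09:14:02 utm ulogd[4321]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="10.10.1.25" dstip="10.10.2.10" proto="6" srcport="51234" dstport="3389" tcpflags="SYN"
2016:03:01-09:14:05 utm ulogd[4321]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="10.10.1.25" dstip="10.10.2.11" proto="6" srcport="51240" dstport="1433" tcpflags="SYN"
2016:03:01-09:14:09 utm ulogd[4321]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="10.10.1.40" dstip="10.10.2.10" proto="6" srcport="51300" dstport="3389" tcpflags="SYN"
2016:03:01-09:14:12 utm ulogd[4321]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.7" dstip="10.10.2.10" proto="6" srcport="40000" dstport="3389" tcpflags="SYN"
2016:03:01-09:14:15 utm ulogd[4321]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth1" srcip="10.10.1.25" dstip="10.10.2.10" proto="6" srcport="51250" dstport="3389" tcpflags="SYN"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORT_NAMES = {3389: "RDP", 1433: "MSSQL", 68: "BOOTPC", 137: "NETBIOS-NS", 139: "NETBIOS-SSN"}

def parse_line(line):
    """Return the key="value" fields of one packet-filter log line as a dict."""
    return dict(KV_RE.findall(line))

def is_internal(ip):
    """True when the address falls inside one of the RFC 1918 ranges."""
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def internal_drops(log_text):
    """Count dropped internal->internal flows keyed by (proto, dstport).
    Accepts and drops with an external source are ignored: those are not the
    'legitimate internal traffic' the thread is concerned with."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("action") != "drop" or f.get("sub") != "packetfilter":
            continue
        if not (is_internal(f["srcip"]) and is_internal(f["dstip"])):
            continue
        counts[(f["proto"], int(f["dstport"]))] += 1
    return counts

def report(counts):
    """Human-readable rows, most-dropped service first."""
    return [f"proto {proto} dstport {port} ({PORT_NAMES.get(port, 'other')}): {n} drops"
            for (proto, port), n in counts.most_common()]

if __name__ == "__main__":
    for row in report(internal_drops(SAMPLE_LOG)):
        print(row)
```

Run it against an exported packet-filter log instead of SAMPLE_LOG; the rows that surface are the candidates for the internal-to-internal allow rules described above.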

  • Hi, Aaron, and welcome to the UTM Community!

    Did you configure the UTM yourselves, or was it done by someone with a lot of experience?  I ask because there are design decisions that crack Cisco folks make that are not optimal.  WebAdmin is a tool for manipulating databases of objects and settings.  The config daemon consults these databases to write all of the actual lines of code used to perform all of the various functions.  A single change in WebAdmin can change a thousand lines of code.

    Start with #1 in Rulz and let us know if you see anything that might give us an indication.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • It was mostly set up by me and a Cisco guy. I attended the web-based UTM basic & advanced training. 

    I am fairly convinced that the root of the problem lies outside of the UTM and in the network config, but I am not strong enough in my network skills to prove it...

  • I don't have much in the way of suggestions as to 'how' to fix, but maybe you can do some other things to 'eliminate' or 'identify' the Sophos as the culprit.  The SSL VPN they use is, as you indicate, a pretty bog-standard OpenVPN.  I'm new to Sophos, but have used OpenVPN for 6+ years, so the disconnects you are describing are NOT standard or expected.  You could set up a Linux box with OpenVPN on it... could crib quite a bit of the server config, as well as the existing crt/key.  Or, maybe new ones... pretty easy using the easy-rsa setup.  The nice thing about that is you can use the same client on your sites, you just need a second .ovpn file with the new connection profile.  It'll show in the system-tray icon as a new connection/profile.  

    Or, if you aren't comfortable building one... download the commercial openvpn server from openvpn.net - this was founded by the guy who wrote openvpn, they offer linux packages for several distros, or even VM images (MS or VMWare), and "All OpenVPN Access Server downloads come with 2 free client connections for testing purposes.".  Can't beat that to help narrow down what you have going on.