
SSL VPN on a UTM SG310 has RDP Issues

We've been dealing with this mystery for several months now and we're no closer to an answer today than we were back in late Feb. 

In Dec 2015, we deployed 2 UTM SG310 in HA mode. We slowly transitioned our separate functions, firewall, webfilter, email scanning, VPN, etc. over to the UTM. Every week or so we would move one service over. Wherever we could, we did soft launches lasting several weeks so we could soak test the UTM's handling of the functionality.

Generally speaking, all was going well, we soak tested the VPN for about a month as we added more and more users to it from our retiring Cisco ASA device. Things were rock solid. Then, when we moved all 50 or so staff to the Sophos UTM SSL VPN, things got bumpy. We heard scattered reports that the VPN would disconnect at random, forcing the user to reconnect and re-login to the RDP session. At first we thought it was their home internet, then we heard more reports from other locations. Wired or wireless. Then, we were able to replicate the results. At random people would lose their VPN tunnel, it would reconnect, reprompt for creds, then allow them to continue.

So, we did what any IT guys like us would do, we Googled it. We found a recommendation on the OpenVPN help guides to change the protocol and port from TCP 443 to UDP 1194. So we did, we updated all of the clients too. The disconnect went away! Victory, right? Wrong. The tunnel now stayed up, but the RDP sessions now randomly disconnected. The amount and frequency of this occurring was and is completely random, some days people have little to no issue and other days it's every few minutes. The "disconnected, retrying x out of 20 times" message appears. Typically they have to wait a few seconds, but it takes them out of their workflow. There are instances where our doctors (did I mention we're a medical practice?) get so upset they just give up using the system for the rest of their clinic (we go to remote sites that require software VPNs).

Things got so bad, we reverted to using the Cisco AnyConnect on the Cisco ASA until we can solve the problem. Our MSP is stumped, and we're stumped too. We've Wiresharked all the things, had Sophos Technical look at our configuration, and are now in the process of swapping out internal switches. I am not convinced it is our Sophos UTM*, I think there is something else going on. My coworker & the MSP are convinced it is the SG310, so we're (temporarily) running the Sophos alongside an equivalent SonicWall in a few days to see if the SonicWall has similar behavior.

I should mention the RDP disconnects occur regardless of what PC or server you're connected to, so I get it when I'm RDP'ing to my desktop and a doctor gets it when he RDPs to a Terminal Server. Doesn't matter time of day or number of users on the system.

Any ideas or suggestions on what the cause of this might be?

*by "not the UTM" I mean that I don't think it is a hardware problem, there might be a misconfiguration that is causing this...but I sure don't see it and neither did Sophos UTM support.



  • Hi, I just wanted to see if you ever found out what the issue was with this. We are having similar issues with our XG310 since January. 

  • Yes, we ended up adding a SNAT that looked like this:

    Traffic Selector - VPN Pool (SSL) > Any > Internal IP Schema

    Source Translation - Internal Ethernet (address)

    Automatic Firewall Rule: Y

    Internal Packets are logged: N

  • When I see a SNAT solve a problem, I know there's a routing issue.  See #3 through #5 in Rulz - my guess is #3.1 - default gateway (DG).  Another solution is to add routes to the devices that don't have the UTM as their DG.  Finally, the cleanest solution would be creating a route in their DG that routes traffic for 10.242.2.0/24 to the UTM.  If that wasn't the issue and you discover what it was, please come back and let us know.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
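To make Bob's routing point concrete, here is an added example (not from the thread, Sophos, or the poster) that models the reply path from an internal RDP host back to an SSL VPN client. Only the 10.242.2.0/24 pool comes from the post; the UTM, core-router and host addresses are constructed assumptions. It shows why the reply leaks out the wrong gateway when the host's default gateway is not the UTM, and why each of the three options (SNAT, a host route, a route on the DG) makes it work.

```python
import ipaddress

VPN_POOL = "10.242.2.0/24"     # SSL VPN pool named in Bob's post
UTM = "192.168.10.254"         # constructed: UTM internal interface address
ROUTER = "192.168.10.1"        # constructed: core router, the hosts' default gateway

# Constructed routing tables keyed by the device that owns them.
# The RDP host's default route points at the core router, not the UTM.
TABLES = {
    "rdp-host": [("192.168.10.0/24", "on-link"), ("0.0.0.0/0", ROUTER)],
    ROUTER:     [("192.168.10.0/24", "on-link"), ("0.0.0.0/0", "203.0.113.1")],
}

def next_hop(table, dst):
    """Longest-prefix match over (prefix, next_hop) entries; None if no route."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), h) for p, h in table]
    matches = [(n, h) for n, h in matches if ip in n]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def reply_reaches_utm(tables, device, dst, max_hops=4):
    """Follow a reply from `device` toward `dst` hop by hop.
    The reply is delivered correctly only if it reaches the UTM, or if `dst`
    is on-link and is the UTM itself (what the SNAT rule makes the host see).
    Any other exit is the asymmetric path that drops the RDP session."""
    for _ in range(max_hops):
        hop = next_hop(tables.get(device, []), dst)
        if hop == "on-link":
            return dst == UTM
        if hop == UTM:
            return True
        if hop is None or hop not in tables:
            return False          # left the network via some other gateway
        device = hop
    return False

def add_route(tables, device, prefix, hop):
    """Return a copy of `tables` with one static route added on `device`
    (Bob's host-route and DG-route fixes)."""
    new = {k: list(v) for k, v in tables.items()}
    new.setdefault(device, []).append((prefix, hop))
    return new

if __name__ == "__main__":
    client = "10.242.2.17"        # constructed VPN client address
    print("no fix:      ", reply_reaches_utm(TABLES, "rdp-host", client))
    print("SNAT:        ", reply_reaches_utm(TABLES, "rdp-host", UTM))
    print("host route:  ", reply_reaches_utm(add_route(TABLES, "rdp-host", VPN_POOL, UTM), "rdp-host", client))
    print("DG route:    ", reply_reaches_utm(add_route(TABLES, ROUTER, VPN_POOL, UTM), "rdp-host", client))
```

Run against a real environment, the same check amounts to inspecting each host's and gateway's routing table for a route covering the VPN pool that points at the UTM.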
  • Hi Bob, that was the solution Sophos Level III support put into the UTM.

    Since this issue, we changed IT companies and ended up ripping out the then 1-year-old UTM and replacing it with their solution. So I can't speak to any further changes or configurations.