STAS not working

XG115, 17.5 MR-13.

Branch Office router (172.16.16.16 currently) with IPSec VPN to Main Office (192.168.1.1) working.

DCs are at Main Office on 192.168.1.12 and .72.

STAS Suite installed on 192.168.1.20 and .27, both with user lists populated. Windows Firewall exceptions for TCP/5566, TCP/27015, UDP/6677 and UDP/50001 in place.

STAS diagnostic for connection to XG succeeds.

At the BO XG, AD auth set up and working as per https://community.sophos.com/kb/en-us/123154. OUs and Groups imported. Can log on to captive portal with AD creds and AD account will be added to the Users list. 

Output from CLI follows:

console> system auth cta show
CTA Status : enable
CTA Collector : enable
Unauth-Traffic Drop Time: 120 sec
============================================================
Collector IP : Collector Port : Collector Group
------------------------------------------------------------
192.168.1.20 : 6677 : 1
192.168.1.27 : 6677 : 1
=========================================
VPN Source Network : VPN Source Netmask
-----------------------------------------
172.16.16.0 : 255.255.255.0

console> show advanced-firewall
Strict Policy : on
FtpBounce Prevention : control
Tcp Conn. Establishment Idle Timeout : 10800
UDP Timeout Stream : 60
Fragmented Traffic Policy : allow
Midstream Connection Pickup : off
TCP Seq Checking : on
TCP Window Scaling : on
TCP Appropriate Byte Count : on
TCP Selective Acknowledgements : on
TCP Forward RTO-Recovery[F-RTO] : off
TCP TIMESTAMPS : off
Strict ICMP Tracking : off
ICMP Error Message : allow
IPv6 Unknown Extension Header : deny


Bypass Stateful Firewall
------------------------
Source Genmask Destination Genmask


NAT policy for system originated traffic
---------------------
Destination Network Destination Netmask Interface SNAT IP
192.168.1.12 255.255.255.255 172.16.16.16
192.168.1.72 255.255.255.255 172.16.16.16
192.168.1.20 255.255.255.255 172.16.16.16
192.168.1.27 255.255.255.255 172.16.16.16

172.16.16.16 does not appear in either STAS as a served appliance.

The STAS log on both STAS servers shows

MSG [0x1cf8] 8/12/2020 16:38:58 : SSO_client_update_heartbeat: cr_node:172.16.16.16 is_active:0

TCPDUMP 'PORT 6677' does not show any connections.

I opened Sophos ticket 10036103 for this. Support did not do ANY of the diagnostics I've reported above, much of which I've learned by lurking on forum posts here. Instead, he focused exclusively on the captive portal--while use of the captive portal is the reason I want to use STAS in the first place! So after a useless 2 hour call, I told him to close the ticket. My take was he did not know anything about STAS and meticulously avoided dealing with it.

Where do I go from here?

BTW, this used to work (with both Cyberoam CRs and Sophos XGs against CTAS). Then all but the main office CR stopped working with CTAS, and I don't think the 2 Sophos have ever worked with STAS. I do not know exactly when this happened or what changed at that time. 
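As an added illustration (not from the original post or from Sophos), a small Python check that parses the three CLI tables quoted above and the STAS heartbeat line: it reports any collector that lacks a /32 ipsec_route or a system-originated-traffic NAT entry, and any appliance the collector marks inactive. The sample tables are constructed to mimic the post's output, with one route deliberately left out so the check has something to report.

```python
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Constructed samples in the layout of the CLI tables and STAS log line quoted
# above (not real captures); 192.168.1.27 has no ipsec_route on purpose.
CTA_SHOW = """\
Collector IP : Collector Port : Collector Group
------------------------------------------------------------
192.168.1.20 : 6677 : 1
192.168.1.27 : 6677 : 1
"""
IPSEC_ROUTE_SHOW = """\
tunnelname              host/network        netmask
TPI_Corporate           192.168.1.20        255.255.255.255
"""
NAT_SHOW = """\
Destination Network Destination Netmask Interface SNAT IP
192.168.1.20 255.255.255.255 172.16.16.16
192.168.1.27 255.255.255.255 172.16.16.16
"""
STAS_LOG = """\
MSG [0x1cf8] 8/12/2020 16:38:58 : SSO_client_update_heartbeat: cr_node:172.16.16.16 is_active:0
MSG [0x1cf8] 8/12/2020 16:39:02 : SSO_client_update_heartbeat: cr_node:192.168.1.1 is_active:1
"""

def collectors(text):
    """(ip, port) pairs from the collector table of 'system auth cta show'."""
    rows = re.findall(rf"^({IPV4}) : (\d+) : \d+$", text, re.M)
    return [(ip, int(port)) for ip, port in rows]

def host_entries(text):
    """Hosts that have a /32 row in 'system ipsec_route show' or the NAT table."""
    return set(re.findall(rf"^(?:\S+\s+)?({IPV4})\s+255\.255\.255\.255\b", text, re.M))

def missing_paths(cta, ipsec, nat):
    """Collectors lacking a host route through the tunnel or a system-traffic
    SNAT entry; both are needed before the UDP/6677 heartbeat can cross the VPN."""
    routed, snat = host_entries(ipsec), host_entries(nat)
    gaps = {}
    for ip, _port in collectors(cta):
        missing = [name for name, present in
                   (("ipsec_route", ip in routed), ("nat", ip in snat)) if not present]
        if missing:
            gaps[ip] = missing
    return gaps

def inactive_nodes(log):
    """Appliances the STAS collector currently marks inactive (no heartbeat)."""
    return set(re.findall(rf"cr_node:({IPV4}) is_active:0\b", log))
```

Run it against real output pasted in place of the sample strings; an empty dict from missing_paths and an empty set from inactive_nodes means the BO routing side matches what the thread's replies ask for.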



  • FormerMember

    Hi  

    Apologies for the inconvenience caused.

    Could you please ensure that the Client Authentication for the VPN Zone is enabled?

    Go to Administration > Device Access, under the Local Service ACL section, enable Client Authentication for the VPN Zone.

    Thanks,

  • Thanks for your reply. Client Auth is enabled for the VPN zone.

  • FormerMember, in reply to IT IT7

    Hi  

    Thank you for the update. 

    If client authentication is enabled for the VPN zone and system routes are added on the BO, the BO firewall should be able to communicate to the HO firewall for authentication. 

    I would like you to double-check the configuration with the following KBA: Sophos XG Firewall: How to allow Clientless SSO (STAS) authentication over a VPN.

    Thanks,

  • Thanks for the reply. Double-, triple-, quadruple-checked that article. And against my own documentation that combines your 3 or 4 articles into one.

    Please look at the output from--

    system auth cta show

    show advanced-firewall

    --in my original post. I just discovered I left one out. Here's the last--

    console> system ipsec_route show
    tunnelname              host/network        netmask
    TPI_Corporate           192.168.1.12        255.255.255.255
    TPI_Corporate           192.168.1.72        255.255.255.255
    TPI_Corporate           192.168.1.20        255.255.255.255
    TPI_Corporate           192.168.1.27        255.255.255.255

    Everything's there, as near as I can tell. Can you see anything missing?

  • FormerMember, in reply to IT IT7

    Hi  

    Thank you for the update. 

    Could you please disable STAS on the BO if it is enabled? 

    Thanks,

  • Thanks for your reply.

    If you mean Authentication/STAS/Enable STAS, yes, it is enabled. But I'm not seeing where you're heading with this. Won't disabling it prevent STAS from ever working??

  • FormerMember, in reply to IT IT7

    Hi  

    If users are going to be authenticated on the HO, then you do not have to have STAS enabled in the branch office. You can re-enable STAS if requirement changes in the future.

    Thanks,

  • Thanks for the reply.

    I don't understand "authenticated on the HO".

    The HO router is a Cyberoam CR35iNG on CTAS. Are you saying the BO router will delegate authentication to the MO router? For example, I can set up per-Group web filtering at the BO and the BO router will know to use the user's group membership as seen by CTAS on the MO router?

  • Hello IT IT7,

    We reached out to the engineer who was handling the case to create a new case (10051438) so he could work with you again. I see in the ticket that you requested to be contacted on Monday; if possible, please provide in the ticket a small network diagram and what specifically you want to achieve.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support