
Sophos Connect Client loses connection

Hi everyone, I'm totally new to the Sophos topic.

We use a Sophos XG 135 with SFOS 17.5.14 MR-14-1 and the Sophos Connect client for our home office employees. More and more of my colleagues are reporting connection problems. The colleagues work on a terminal server. A few times a day the Connect Client disguises the connection and thus also the terminal session. After reconnecting, it works again for a while.

The client log says that DPD cut the connection. Strangely, all colleagues don't lose the connection at the same time. 1 - 2 times throughout the day. I don't think it's the internet connection in the HQ.

Since I'm new, I have to admit that I don't know exactly where to start looking.

Any tips or recommendations?



This thread was automatically locked due to age.
  • Hi @Sebastian

    can you please tell us about your connect client - is it using SSL VPN or IPSec? -> depends on where to find the log files.

    Do you have Dynamic DNS on your VPN Gateway FQDN or is it a static IP with static DNS?

    Do the clients connect with FQDN or IP?

    Also a screenshot of your VPN Settings would be helpful.

  • FormerMember

    Hi ,

    Thank you for reaching out to the Community! 

    In addition to questions from , do you have IPsec site to site tunnels configured on your firewall? Have you noticed the IPsec site to site disconnects around the time Connect Client users get disconnected? 

    Thanks,

  • Hi Sebastian,

    When we switched to using SophosConnect for remote working we noticed the same thing, connections would die after 4-5 hours. It turned out that SophosConnect uses the IPSec policy named "Default Remote Access Policy". The IKE keylife was set at 4-5 hours, and since it's IKEv1 it won't recreate a key to connect unlike IKEv2. The workaround that was passed to us was to use a psql command to update that policy via command line.

    I can send that to you if you like. I won't post it here as I don't know if it's a supported workaround...

    Cheers,

    Robin

  • Hello and thanks for the answer.

    Unfortunately I can't say exactly whether it will happen after 4 hours. If you could send me the workaround, that would be great! I will not publish it.


    Cheers,


    Sebastian
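
To check whether the drops line up with the 4-5 hour IKE keylife Robin describes, the age of each session at the moment of its DPD disconnect can be compared against that window. This is an added example, not part of the thread and not Sophos tooling; the session tuples are constructed sample data, the function names are hypothetical, and it assumes the connect and disconnect timestamps have already been pulled from the client logs.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data: (user, tunnel established, DPD disconnect).
SESSIONS = [
    ("alice", "2020-11-02 08:01:10", "2020-11-02 12:19:40"),
    ("alice", "2020-11-02 12:21:05", "2020-11-02 16:38:12"),
    ("bob",   "2020-11-02 07:45:00", "2020-11-02 12:31:30"),
    ("bob",   "2020-11-02 12:33:00", "2020-11-02 13:02:00"),
    ("carol", "2020-11-02 09:10:00", "2020-11-02 13:40:20"),
]
FMT = "%Y-%m-%d %H:%M:%S"


def session_lengths(sessions):
    """Return [(user, timedelta)] for every connect -> disconnect pair."""
    out = []
    for user, up, down in sessions:
        age = datetime.strptime(down, FMT) - datetime.strptime(up, FMT)
        if age < timedelta(0):
            raise ValueError(f"disconnect precedes connect for {user}")
        out.append((user, age))
    return out


def keylife_report(sessions, low_h=4.0, high_h=5.0):
    """Count drops whose session age falls in the suspected keylife window.

    low_h/high_h default to the 4-5 hours mentioned in the thread.
    """
    lengths = session_lengths(sessions)
    low, high = timedelta(hours=low_h), timedelta(hours=high_h)
    inside = [(u, d) for u, d in lengths if low <= d <= high]
    outside = [(u, d) for u, d in lengths if not (low <= d <= high)]
    secs = [d.total_seconds() for _, d in lengths]
    return {
        "total": len(lengths),
        "in_window": len(inside),
        "share": len(inside) / len(lengths) if lengths else 0.0,
        "median_hours": median(secs) / 3600 if secs else None,
        "outliers": outside,  # drops that a key lifetime does not explain
    }


if __name__ == "__main__":
    report = keylife_report(SESSIONS)
    print(f"{report['in_window']}/{report['total']} drops at 4-5 h session age")
    for user, age in report["outliers"]:
        print(f"  outside window: {user} after {age}")
```

Drops that cluster at one session age regardless of the time of day point to a lifetime expiring per session, which also fits users not dropping simultaneously; drops at scattered ages point elsewhere, such as the user's own line.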

  • Hi, it would be great for others who want to help or who have the same issue, if you share details about your config.

  • Hello

    Thanks for the answer. We have a static IP and the client connects through this. Here are the screenshots of the VPN configuration. The client connects via IPsec.

  • Hi ,

    Yes, we have a site-to-site IPsec tunnel and it works well. I have not yet been able to detect any simultaneous interruptions.

    Thanks!

  • Since you use IPSec - it sounds like the issue can be fixed by the workaround mentioned.

    Please keep us informed here.

  • This command is a database change, which is actually highly unsupported. So personally I would recommend not to share such commands in the community because they can cause unstable systems (resulting in unsupported systems). So if you want to use those commands, please keep them for yourself or share them 1:1, but not in the community, as somebody could google them, incorrectly use them and break their systems.


  • Hi, I didn't ask him to share the psql command but his config. The sorting of the answers here is some kind of weird so probably your warning is because of that.

    Please open a support case and ask for the case ID - this should speed up the case so they can check if the workaround applies to your issue. If there is some Tech ID about the low keylife issue in the default policy, it would be great if this is shared here.

    Sophos should really let admins change the IPSec policy for User VPN - cannot understand why this has not been enabled.