Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 11 replies
  • Answers 1 answer
  • Subscribers 40 subscribers
  • Views 3346 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Connect Client loses connection

Sebastian Ussar

Hi everyone, I'm totally new to the Sophos topic.

We use a Sophos XG 135 with SFOS 17.5.14 MR-14-1 and the Sophos connect client for our home office employees. More and more of my colleagues are reporting connection problems. The colleagues work on a terminal server. a few times a day the Connect Client disguises the connection and thus also the terminal session. After reconnecting, it works again for a while.

The client log says that DPD cut the connection. Strangely, all colleagues dont lose the connection at the same time. 1 - 2 times throughout the day. I dont think its the internet connection in the HQ.

Since i´m new, i have to admit that i dont know exactly where to start looking.

Any tips or recommendations?



This thread was automatically locked due to age.
Parents
  • 0

    Hi Sebastian,

    When we switched to using SophosConnect for remote working we noticed the same thing, connections would die after 4-5 hours. It turned out that SophosConnect uses the IPSec policy named "Default Remote Access Policy". The IKE keylife was set at 4-5 hours, and since it's IKEv1 it won't recreate a key to connect unlike IKEv2. The workaround that was passed to us was to use a psql command to update that policy via command line.

    I can send that to you if you like. I won't post it here as I don't know if it's a supported workaround...

    Cheers,

    Robin

Reply
  • 0

    Hi Sebastian,

    When we switched to using SophosConnect for remote working we noticed the same thing, connections would die after 4-5 hours. It turned out that SophosConnect uses the IPSec policy named "Default Remote Access Policy". The IKE keylife was set at 4-5 hours, and since it's IKEv1 it won't recreate a key to connect unlike IKEv2. The workaround that was passed to us was to use a psql command to update that policy via command line.

    I can send that to you if you like. I won't post it here as I don't know if it's a supported workaround...

    Cheers,

    Robin

Children
  • 0 in reply to Robin Lowe

    Hello and thanks for the answer.

    Unfortunately I can't say exactly whether it will happen after 4 hours.. If you could send me the workaround, that would be great! I will not publish it.


    Cheers,


    Sebastian

  • 0 in reply to Sebastian Ussar

    Hi, it would be great for others who want to help or who have the same issue, if you share details about your config.

  • 0 in reply to LHerzog

    This command is a database change, which is actually highly unsupported. So personally i would recommend not to share such commands in the community because they can cause unstable systems (resulting in unsupported systems). So if you want to use those commands, please keep them for yourself or share them 1:1, but not in the community, as somebody could google them, incorrectly use them and broke their systems. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Hi, didn't ask him to share she psql command but his config. The sorting of the answers here is some kind of weird so probably your warning is because of that.

    please open a support case and ask for the case ID - this should speed up the case so they can check if the workaround applies to your issue. If there is some Tech ID about the low keylife issue in the default policy, would be great if it this is shared here.

    Sophos should really let admins change the IPSec policy for User VPN - cannot understand why this has not been enabled.

  • 0 in reply to LHerzog

    I agree, or be able to edit the default ones.

    Also a note, I did not receive a case number as this was done when we were migrating our offices to XG and we had the help of Sophos Professional Services. The engineer that I was working with was the one to share the command with me.

    yes this is exactly why I didn't want to share it. Also I'm unable to send you a private message, can you send me one?

    Cheers,

    Robin

Unfiltered HTML