One of my clients has their domain controllers running as 2 VMs on VMware ESXi 5.5 at their head office, and there are 4 other branch offices. All the offices connect back to the Head Office via site-to-site VPN using Sophos XG/XGS firewalls. DHCP for each office is handled by it's local Sophos Firewall.
All Branch Offices have distinct network IDs (192.168.x.1).
Branch offices A, B and C have no issues connecting to all domain resources at the Head Office. E.g. domain authentication, network file shares.
Branch office D, however, has fundamental issues. When a new client is first set up at Branch Office D, it works fine. It is able to authenticate and join the domain ad well as access network file shares. However, within a month or two, domain connectivity almost completely stops working. The first symptom is that network file shares stop responding. Whenever you try to access a network mapped drive, the green progress bar starts moving across slowly until it errors out or just displays an empty explorer window. Domain authentication is the next thing to stop working. Logging into the same PC/server with a domain account becomes impossible because the domain controller cannot be reached. I had set up an RODC at Branch Office D and it barely stayed online properly for one weekend. Thereafter, every logon attempt ended with "RPC failed" on the lock screen.
While doing some on-site troubleshooting the other day on a critical PC that lost network file share access, I decided to partition the hard drive and install a fresh copy of Windows 10 and try to access the same location and determine whether the issues were a result of an issue specific to that Windows instance. However, the test still failed. I then plugged that same network cable into my field laptop and I was able to access the said network shares by providing valid domain credentials. I had earlier tried new IP addresses on affected PCs with no success, so I began to suspect that the MAC address was getting blocked.
I looked up how to manually set a custom MAC address within the Network Card Advanced properties page, and once each PC was granted network access by the firewall, all connectivity was fully restored, including domain traffic and internet access.
I did lots of further testing involving MAC addresses and IP addresses and discovered that only a new combination of a new MAC and a new IP address was being allowed through the firewall properly and completely.
Trouble is that I feel like I will have to assign a new combination of MAC and IP sooner rather than later, once network access goes down again.
I am a very new Sophos user, but I would like to understand what might be going on here? Are there any flood mitigation or anti-spoofing settings or rules that might be causing this? Branch Offices A, B, and C have the same firewall config and vendor, but none of these issues.
Any and all help will be greatly appreciated!
