SSL VPN setup - Sophos XG in Azure

Hi all

I need some guidance on getting SSL VPN working on the XG. I'm going to migrate some workloads for a client to Microsoft Azure. I have started building the Azure network, and placed a Sophos XG in a perimeter Azure vNet, following this guide. community.sophos.com/.../128102.

The idea is to have a site-to-site VPN between On-prem office Sophos XG and Sophos XG in Azure.

Remote workers are going to use SSL VPN to connect to Sophos XG in Azure. I have followed this guide to configure SSL VPN for clients. community.sophos.com/.../122769

Users can’t connect. I see this in the Sophos client log:

Sat Mar 17 09:07:43 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340

Sat Mar 17 09:07:43 2018 Need hold release from management interface, waiting...

Sat Mar 17 09:07:43 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340

Sat Mar 17 09:07:43 2018 MANAGEMENT: CMD 'state on'

Sat Mar 17 09:07:43 2018 MANAGEMENT: CMD 'log all on'

Sat Mar 17 09:07:43 2018 MANAGEMENT: CMD 'hold off'

Sat Mar 17 09:07:43 2018 MANAGEMENT: CMD 'hold release'

Sat Mar 17 09:07:47 2018 MANAGEMENT: CMD 'username "Auth" "User1"'

Sat Mar 17 09:07:47 2018 MANAGEMENT: CMD 'password [...]'

Sat Mar 17 09:07:47 2018 MANAGEMENT: CMD 'proxy HTTP 40.91.198.181 8443'

Sat Mar 17 09:07:48 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]

Sat Mar 17 09:07:48 2018 Attempting to establish TCP connection with [AF_INET]40.91.198.181:8443 [nonblock]

Sat Mar 17 09:07:48 2018 MANAGEMENT: >STATE:1521274068,TCP_CONNECT,,,,,,

Sat Mar 17 09:07:49 2018 TCP connection established with [AF_INET]40.91.198.181:8443

Sat Mar 17 09:07:49 2018 Send to HTTP proxy: 'CONNECT 10.47.0.4:8443 HTTP/1.0'

Sat Mar 17 09:07:49 2018 recv_line: TCP port read failed on recv()

Sat Mar 17 09:07:49 2018 SIGUSR1[soft,init_instance] received, process restarting

Sat Mar 17 09:07:49 2018 MANAGEMENT: >STATE:1521274069,RECONNECTING,init_instance,,,,,

Sat Mar 17 09:07:49 2018 Restart pause, 5 second(s)

Sat Mar 17 09:07:54 2018 MANAGEMENT: CMD 'proxy HTTP 40.91.198.181 8443'

Sat Mar 17 09:07:55 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]

Sat Mar 17 09:07:55 2018 Attempting to establish TCP connection with [AF_INET]40.91.198.181:8443 [nonblock]

Sat Mar 17 09:07:55 2018 MANAGEMENT: >STATE:1521274075,TCP_CONNECT,,,,,,

Sat Mar 17 09:07:56 2018 TCP connection established with [AF_INET]40.91.198.181:8443

Sat Mar 17 09:07:56 2018 Send to HTTP proxy: 'CONNECT 10.47.1.4:8443 HTTP/1.0'

Sat Mar 17 09:07:56 2018 recv_line: TCP port read failed on recv()

Sat Mar 17 09:07:56 2018 SIGUSR1[soft,init_instance] received, process restarting

Sat Mar 17 09:07:56 2018 MANAGEMENT: >STATE:1521274076,RECONNECTING,init_instance,,,,,

Sat Mar 17 09:07:56 2018 Restart pause, 5 second(s)

Sat Mar 17 09:07:58 2018 SIGTERM[hard,init_instance] received, process exiting

Sat Mar 17 09:07:58 2018 MANAGEMENT: >STATE:1521274078,EXITING,init_instance,,,,,

I have opened ports in the Azure Network security group (any). The vNet in Azure has the 10.47.0.0/16 address space, with SophosXG-Public-DMZ-Frontend-WAN as 10.47.0.0/24 and SophosXG-Public-DMZ-Backend-LAN in the 10.47.1.0/24 subnet.

Any help would be highly appreciated!
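
One way to summarise a client log like the one in the post above, as an added example that is not part of the original post or of Sophos tooling: it groups lines into connection attempts and records the HTTP proxy, the CONNECT target, whether that target lies in the vNet address space the post gives, and whether the read from the proxy failed. The sample lines are constructed in the post's log format, 203.0.113.10 is a documentation-range placeholder, and `summarize_attempts` is a hypothetical helper name.

```python
import ipaddress
import re

# Constructed sample in the format of the client log above (placeholder proxy address).
SAMPLE_LOG = """\
Sat Mar 17 09:07:47 2018 MANAGEMENT: CMD 'proxy HTTP 203.0.113.10 8443'
Sat Mar 17 09:07:49 2018 TCP connection established with [AF_INET]203.0.113.10:8443
Sat Mar 17 09:07:49 2018 Send to HTTP proxy: 'CONNECT 10.47.0.4:8443 HTTP/1.0'
Sat Mar 17 09:07:49 2018 recv_line: TCP port read failed on recv()
Sat Mar 17 09:07:49 2018 SIGUSR1[soft,init_instance] received, process restarting
Sat Mar 17 09:07:54 2018 MANAGEMENT: CMD 'proxy HTTP 203.0.113.10 8443'
Sat Mar 17 09:07:56 2018 TCP connection established with [AF_INET]203.0.113.10:8443
Sat Mar 17 09:07:56 2018 Send to HTTP proxy: 'CONNECT 10.47.1.4:8443 HTTP/1.0'
Sat Mar 17 09:07:56 2018 recv_line: TCP port read failed on recv()
Sat Mar 17 09:07:58 2018 SIGTERM[hard,init_instance] received, process exiting
"""

VNET = ipaddress.ip_network("10.47.0.0/16")  # vNet address space stated in the post

PROXY = re.compile(r"CMD 'proxy HTTP (\S+) (\d+)'")
TCP_OK = re.compile(r"TCP connection established with \[AF_INET\]([\d.]+):(\d+)")
CONNECT = re.compile(r"Send to HTTP proxy: 'CONNECT ([\d.]+):(\d+) HTTP/")
FAIL = re.compile(r"recv_line: TCP port read failed on recv\(\)")

def summarize_attempts(log_text):
    """Return one dict per attempt; an attempt starts at each 'proxy HTTP' command."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        if m := PROXY.search(line):
            cur = {"proxy": f"{m[1]}:{m[2]}", "tcp_ok": False, "connect_target": None,
                   "target_in_vnet": None, "proxy_read_failed": False}
            attempts.append(cur)
        elif cur is None:
            continue  # lines before the first proxy command belong to no attempt
        elif m := TCP_OK.search(line):
            # TCP is considered up only if the peer is the configured proxy endpoint
            cur["tcp_ok"] = f"{m[1]}:{m[2]}" == cur["proxy"]
        elif m := CONNECT.search(line):
            cur["connect_target"] = f"{m[1]}:{m[2]}"
            cur["target_in_vnet"] = ipaddress.ip_address(m[1]) in VNET
        elif FAIL.search(line):
            cur["proxy_read_failed"] = True
    return attempts

if __name__ == "__main__":
    for attempt in summarize_attempts(SAMPLE_LOG):
        print(attempt)
```
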



  • Thanks to everybody who tried to help.

    It is pretty embarrassing but I made a real simple mistake. In the SSL VPN policy I added a (wrong) group which was similar to the one I should have added - but of course not matching the users I tried to get access with.

    But again thanks to all contributors, in the end all helped to solve the problem. BTW investigating my issue I found the policy tester very helpful.

    Cheers Dirk