
Connection may fail because IKE UDP Port seems to be blocked

Hi,

I've upgraded to 17.5 and I am trying to use the new Sophos VPN Client and I get the above message when logging on. No connection can be created. Please help. I've tried turning off the firewall on my PC and my local router. Is there something else I need to enable on the Sophos XG?

Cheers,

Max



  • Any luck on this? In the client log it sends the packets to x.x.x.x:500 and after about 5 attempts it gives up.

    I have both UDP 4500 and UDP 500 allowed in the firewall rule, but it is still blocked. Is one of the device access check boxes needed to enable this?

    Log viewer shows it's being blocked with no firewall rules matching it.

  • Please post a screenshot of your rule that is supposed to pass the IKE connections.

    Ian

  • Hi Luis,

    I have now been able to have a good look at your rule, and it is very strange. Where is the IKE device located? The rule implies it is internal, and you are using the wrong setup for the ports; you need to reverse them.

    I had to return the device that used IKE when I retired and have since deleted the rule.

    Ian

  • Same problem here.

    What ports exactly does the Sophos Connect client use?

  • Hello Clemilton,

    Sophos Connect Client uses UDP ports 500 and 4500 for IKE negotiations. So here are some steps you can use to troubleshoot this problem.

    1) If there are other users who can connect to this gateway with Sophos Connect, then the firewall rules are configured correctly on this gateway and it is able to handle ISAKMP negotiations. If no one is able to connect, then most likely there is a problem with the configuration on the gateway.

    2) Check scvpn.log (it can be found in the Sophos Connect install folder on Windows and in /var/log on Mac). Make sure the gateway hostname or IP is correct.

    3) To stop the client from doing the pre-connectivity check, run this CLI command. Open a command prompt. Change directory to the install folder. Then run this command: sccli update -n <connectionname> -l and then try to enable the connection. To enable the pre-connectivity checks, run this command: sccli update -n <connectionname> -k

    4) If the connection works after you disable the pre-connectivity check and you are running Sophos Connect 1.2, then it is best if you upgrade your install to Sophos Connect 1.3 EAP1, available in the forum. It has some improvements added to the pre-connectivity checks.

    5) If the connection still does not work after you disable the pre-connectivity check, then it means UDP port 500 is being blocked somewhere along the path from your machine to the gateway.

    Please provide feedback so we can help other users who are running into this same problem.

     

    Thank you,

    Ramesh

  • Thanks Ramesh!

    UDP 4500 was blocked. Once unblocked, the connection works like a charm!

  • Thank you Clemilton for the quick update.

    Can I ask you where UDP 4500 was blocked?

    Ramesh

  • Again, for the benefit of the other forum users, I need your help. How were you able to determine that it was your ISP that blocked UDP port 4500? Even though it was blocked by your ISP, how did you get them to unblock it? Can you share that so other users who run into a similar situation will be able to get it resolved?

    Thanks a lot for your time.

    Ramesh

  • I researched the documentation and found the port configuration used for SSL VPN. No other configuration is intended to change VPN ports, so I understood that the port used by Sophos Connect was 8443 only. After looking at the Sophos Client log, I saw a connection failure on UDP port 500, so I understood that there were more ports involved in the connection. I asked for help and you answered by stating that port 4500 was also used. I got in touch with my ISP and asked for the release of all these ports, and the connection occurred.

  • Thank you. This is good to know. I thought it would take an arm and a leg to get the ISP to change the allowed ports. Anyway, I am glad that you were able to get it resolved. It is good information that other forum users can also use to resolve their problem when they run into this situation.

    Best Regards,
    Ramesh

  • Hi Ramesh,

    Hope this mail finds you in good health. I'm having a similar issue; I have not created any firewall rules yet.

    I have done the update via CLI.

    Please find the attached logs.

    Also please advise if it's the pre-shared key that has to be used as the password when connecting with Sophos Connect, or the password allocated for each user.

    Attachment: 0184.scvpn.log

    Appreciate any assistance.

    cheers
