
Connection may fail because IKE UDP Port seems to be blocked

Hi,

I've upgraded to 17.5 and I am trying to use the new Sophos VPN Client and I get the above message when logging on. No connection can be created. Please help. I've tried turning off the firewall on my PC and my local router. Is there something else I need to enable on the Sophos XG?

Cheers,

Max


Top Replies

  • Hello Clemilton,

    Sophos Connect Client uses UDP port 500 and 4500 for IKE negotiations. So here are some steps you can use to troubleshoot this problem.

    1) If there are other users who can connect to this gateway with Sophos Connect, then the firewall rules are configured correctly on this gateway and it is able to handle ISAKMP negotiations. If no one is able to connect, then most likely there is a problem with the configuration on the gateway.

    2) Check scvpn.log (it can be found in the Sophos Connect install folder on Windows and in /var/log on Mac). Make sure the gateway hostname or IP is correct.

    3) To stop the client from doing the pre-connectivity check, run this CLI command. Open a command prompt. Change directory to the install folder. Then run this command: sccli update -n <connectionname> -l and then try to enable the connection. To re-enable the pre-connectivity checks, run this command: sccli update -n <connectionname> -k

    4) If the connection works after you disable the pre-connectivity check, and if you are running Sophos Connect 1.2, then it is best if you upgrade your install to Sophos Connect 1.3 EAP1, available in the forum. It has some improvements to the pre-connectivity checks.

    5) If the connection still does not work after you disable the pre-connectivity check, then it means UDP port 500 is being blocked somewhere along the path from your machine to the gateway.

     

    Please provide feedback so we can help other users who are running into this same problem.

     

    Thank you,

    Ramesh
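    As an added example (not from this thread or from Sophos), here is a small Python decoder for the ISAKMP/IKE header that, run over a client-side capture of UDP 500/4500 traffic, tells you whether step 5 above applies: the client sent IKE but nothing came back. The capture entries, SPIs and the ike_packet() builder are constructed for the demo; "port" is the UDP port the negotiation runs on (500, or 4500 with the non-ESP marker), and the direction is recorded per datagram.

```python
import struct

IKE_PORT, NAT_T_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # on UDP 4500 this prefix separates IKE from UDP-encapsulated ESP
EXCHANGE_TYPES = {2: "IKEv1 Main Mode", 4: "IKEv1 Aggressive Mode", 5: "IKEv1 Informational",
                  32: "IKEv1 Quick Mode", 34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH",
                  36: "IKEv2 CREATE_CHILD_SA", 37: "IKEv2 INFORMATIONAL"}

def parse_ike_header(port, payload):
    """Decode the 28-byte ISAKMP header shared by IKEv1 and IKEv2; None if the datagram is not IKE."""
    if port == NAT_T_PORT:
        if not payload.startswith(NON_ESP_MARKER):
            return None                      # ESP-in-UDP data traffic, not a negotiation message
        payload = payload[4:]
    elif port != IKE_PORT:
        return None
    if len(payload) < 28:
        return None
    i_spi, r_spi, _nxt, ver, exch, _flags, msg_id, length = struct.unpack("!QQBBBBII", payload[:28])
    return {"version": f"{ver >> 4}.{ver & 0xF}", "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
            "initiator_spi": i_spi, "responder_spi": r_spi, "message_id": msg_id, "length": length}

def diagnose(capture):
    """capture: (direction, port, payload) tuples; direction 'out' = client->gateway, 'in' = gateway->client."""
    sent, answered = set(), set()
    for direction, port, payload in capture:
        hdr = parse_ike_header(port, payload)
        if hdr is None:
            continue
        if direction == "out" and hdr["responder_spi"] == 0:
            sent.add(hdr["initiator_spi"])       # first message of an SA: responder SPI still zero
        elif direction == "in" and hdr["responder_spi"] != 0:
            answered.add(hdr["initiator_spi"])   # only the gateway fills in the responder SPI
    if not sent:
        return "no IKE request left the client (check the connection profile and scvpn.log)"
    if not sent & answered:
        return "IKE request sent but never answered (UDP 500/4500 blocked on the path, or gateway not listening)"
    return "gateway answered IKE on UDP 500/4500 (port blocking ruled out; look at auth, proposals, firewall rule)"

def ike_packet(i_spi, r_spi, exch, flags, msg_id, nat_t=False, body=b""):
    """Constructed IKE message for the demo (not a real Sophos Connect capture)."""
    ver, nxt = (0x20, 33) if exch >= 34 else (0x10, 1)   # version nibbles and first payload type (SA)
    hdr = struct.pack("!QQBBBBII", i_spi, r_spi, nxt, ver, exch, flags, msg_id, 28 + len(body))
    return (NON_ESP_MARKER if nat_t else b"") + hdr + body

# Constructed captures: three unanswered IKE_SA_INIT retransmits vs. a negotiation that moved to NAT-T.
BLOCKED_CAPTURE = [("out", 500, ike_packet(0x1111, 0, 34, 0x08, 0))] * 3
WORKING_CAPTURE = [("out", 500, ike_packet(0x1111, 0, 34, 0x08, 0)), ("in", 500, ike_packet(0x1111, 0x2222, 34, 0x20, 0)),
                   ("out", 4500, ike_packet(0x1111, 0x2222, 35, 0x08, 1, nat_t=True)),
                   ("in", 4500, b"\x12\x34\x56\x78" + b"\x00" * 40)]  # ESP-in-UDP data, skipped by the parser
```

    Feed it the per-datagram direction, port and payload from a tcpdump or Wireshark export taken on the client while Sophos Connect attempts the connection.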

  • Hi,

    Does your firewall rule allow IKE port 4500 out? When viewing the log viewer, what rule do you see IKE failing with?

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Good day Ian,

    Hope you find this mail in good health. I'm getting a similar error message. When you say create a firewall rule allowing the IKE service, where should I be mentioning the port number?

     

    Appreciate any assistance

    Thanks


    Raj

  • Hi Raj,

    The XG comes with a predefined service for IKE.

    You add this to the firewall rule to replace what other ports you have in the services.

    If you still get the error, follow some of the previous posters' suggestions.

    Ian


  • Thanks Ian for your message.

    I have created a firewall rule as below:

    Source, Source Network, Destination and Destination Network as Any

    Services as IKE

    Added the required user to Users or Groups

    Use Outbound Address: MASQ (since it asked for a NAT policy)

    Hope it's the right config.
