
Connection may fail because IKE UDP Port seems to be blocked

Hi,

I've upgraded to 17.5 and I am trying to use the new Sophos VPN Client and I get the above message when logging on. No connection can be created. Please help. I've tried turning off the firewall on my PC and my local router. Is there something else I need to enable on the Sophos XG?

Cheers,

Max

  • Got the following from the tcpdump. Seems it tries, but the XG does not respond.


    08:52:26.582436 vxlan3, IN:   P 00:21:6a:80:c9:8e ethertype Unknown (0x0064), length 76:
            0x0000:  0000 0800 4500 0038 40df 0000 8011 285a  ....E..8@.....(Z
            0x0010:  c0a8 2d0b 42a2 a126 eb2f 01f4 0024 30e6  ..-.B..&./...$0.
            0x0020:  0001 0203 0405 0607 0000 0000 0000 0000  ................
            0x0030:  0010 0400 0000 0000 0000 0000            ............
    08:52:26.582436 vxlan3.100, IN: IP x.x.x.x.60207 > x.x.x.x.500: isakmp: phase 1 I agg
    08:52:26.582436 WIFI, IN: IP x.x.x.x.60207 > x.x.x.x.500: isakmp: phase 1 I agg
    08:52:29.038232 vxlan3, IN:   P 00:21:6a:80:c9:8e ethertype Unknown (0x0064), length 252:
            0x0000:  0000 0800 4500 00e8 40e0 0000 8011 27a9  ....E...@.....'.
            0x0010:  c0a8 2d0b 42a2 a126 dfc2 01f4 00d4 efa3  ..-.B..&........
            0x0020:  4053 2a68 a845 f80f 0000 0000 0000 0000  @S*h.E..........
            0x0030:  0110 0200 0000 0000 0000 00cc 0d00 0050  ...............P
            0x0040:  0000 0001 0000 0001 0000 0044 0001 0002  ...........D....
    08:52:29.038232 vxlan3.100, IN: IP x.x.x.x.57282 > x.x.x.x.500: isakmp: phase 1 I ident
    08:52:29.038232 WIFI, IN: IP x.x.x.x.57282 > x.x.x.x.500: isakmp: phase 1 I ident
    08:52:32.030608 vxlan3, IN:   P 00:21:6a:80:c9:8e ethertype Unknown (0x0064), length 252:
            0x0000:  0000 0800 4500 00e8 40e1 0000 8011 27a8  ....E...@.....'.
            0x0010:  c0a8 2d0b 42a2 a126 dfc2 01f4 00d4 efa3  ..-.B..&........
            0x0020:  4053 2a68 a845 f80f 0000 0000 0000 0000  @S*h.E..........
            0x0030:  0110 0200 0000 0000 0000 00cc 0d00 0050  ...............P
            0x0040:  0000 0001 0000 0001 0000 0044 0001 0002  ...........D....
    08:52:32.030608 vxlan3.100, IN: IP x.x.x.x.57282 > x.x.x.x.500: isakmp: phase 1 I ident
    08:52:32.030608 WIFI, IN: IP x.x.x.x.57282 > x.x.x.x.500: isakmp: phase 1 I ident
    08:52:38.030368 vxlan3, IN:   P 00:21:6a:80:c9:8e ethertype Unknown (0x0064), length 252:
            0x0000:  0000 0800 4500 00e8 40e2 0000 8011 27a7  ....E...@.....'.
            0x0010:  c0a8 2d0b 42a2 a126 dfc2 01f4 00d4 efa3  ..-.B..&........
            0x0020:  4053 2a68 a845 f80f 0000 0000 0000 0000  @S*h.E..........
            0x0030:  0110 0200 0000 0000 0000 00cc 0d00 0050  ...............P
            0x0040:  0000 0001 0000 0001 0000 0044 0001 0002  ...........D....
    08:52:38.030368 vxlan3.100, IN: IP x.x.x.x.57282 > x.x.x.x.500: isakmp: phase 1 I ident
    08:52:38.030368 WIFI, IN: IP x.x.x.x.57282 > x.x.x.x.500: isakmp: phase 1 I ident
    08:52:50.673387 vxlan3, IN:   P b0:ca:68:7c:9e:80 ethertype Unknown (0x0065), length 472:
            0x0000:  0000 0800 4500 01c4 9905 0000 4011 c69a  ....E.......@...
            0x0010:  c0a8 3216 81c0 a50a 01f4 01f4 01b0 99a9  ..2.............
            0x0020:  03f6 c590 5fd0 4d73 0000 0000 0000 0000  ...._.Ms........
            0x0030:  2120 2208 0000 0000 0000 01a8 2200 0030  !."........."..0
            0x0040:  0000 002c 0101 0004 0300 000c 0100 000c  ...,............
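As an added example (not part of the original post), the following Python decodes the UDP ports and the ISAKMP header out of the `tcpdump -xx` hex lines above, so a defender can confirm what the capture shows: every datagram is an initiator's first message (responder SPI still zero) sent towards UDP 500, and nothing ever comes back. The offsets assume the dump layout seen here (a 4-byte pseudo-header before the IPv4 header); the hex constants are copied from the three distinct packets in the capture.

```python
"""Decode ISAKMP headers from tcpdump -xx hex dumps (added example, not code from the thread)."""
import re

# Dump layout seen above: 4-byte pseudo-header, 20-byte IPv4 header, 8-byte UDP header, then ISAKMP.
UDP_OFF, IKE_OFF = 24, 32
IKEV1_EXCH = {2: "identity protection", 4: "aggressive"}
IKEV2_EXCH = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
# Hex lines copied from the three distinct packets in the capture above.
PKT_AGG = """0x0000:  0000 0800 4500 0038 40df 0000 8011 285a  ....E..8@.....(Z
0x0010:  c0a8 2d0b 42a2 a126 eb2f 01f4 0024 30e6  ..-.B..&./...$0.
0x0020:  0001 0203 0405 0607 0000 0000 0000 0000  ................
0x0030:  0010 0400 0000 0000 0000 0000            ............"""
PKT_IDENT = """0x0000:  0000 0800 4500 00e8 40e0 0000 8011 27a9  ....E...@.....'.
0x0010:  c0a8 2d0b 42a2 a126 dfc2 01f4 00d4 efa3  ..-.B..&........
0x0020:  4053 2a68 a845 f80f 0000 0000 0000 0000  @S*h.E..........
0x0030:  0110 0200 0000 0000 0000 00cc 0d00 0050  ...............P
0x0040:  0000 0001 0000 0001 0000 0044 0001 0002  ...........D...."""
PKT_V2 = """0x0000:  0000 0800 4500 01c4 9905 0000 4011 c69a  ....E.......@...
0x0010:  c0a8 3216 81c0 a50a 01f4 01f4 01b0 99a9  ..2.............
0x0020:  03f6 c590 5fd0 4d73 0000 0000 0000 0000  ...._.Ms........
0x0030:  2120 2208 0000 0000 0000 01a8 2200 0030  !."........."..0
0x0040:  0000 002c 0101 0004 0300 000c 0100 000c  ...,............"""

def dump_to_bytes(dump: str) -> bytes:
    """Turn the hex columns of a tcpdump -xx dump back into raw bytes (ASCII gutter dropped)."""
    raw = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*0x[0-9a-fA-F]+:\s+(.*)", line)
        if m:  # two spaces separate the hex words from the ASCII gutter
            raw += bytes.fromhex(m.group(1).split("  ")[0].replace(" ", ""))
    return bytes(raw)

def decode_ike(pkt: bytes) -> dict:
    """Summarise the UDP ports and ISAKMP header fields a defender checks in a failed negotiation."""
    sport = int.from_bytes(pkt[UDP_OFF:UDP_OFF + 2], "big")
    dport = int.from_bytes(pkt[UDP_OFF + 2:UDP_OFF + 4], "big")
    ike = pkt[IKE_OFF:]
    major = ike[17] >> 4  # version byte: major nibble, minor nibble
    exch = (IKEV1_EXCH if major == 1 else IKEV2_EXCH).get(ike[18], f"unknown({ike[18]})")
    return {
        "src_port": sport, "dst_port": dport,
        "ike_version": major, "exchange": exch,
        "initiator_spi": ike[0:8].hex(),
        # Responder SPI is zero in the first message of an exchange; it stays zero in every
        # packet here, consistent with the gateway never answering.
        "responder_spi_set": any(ike[8:16]),
        # IKEv2 flags byte: 0x08 = Initiator. IKEv1 uses the flags byte differently.
        "v2_initiator": major == 2 and bool(ike[19] & 0x08),
        # 0 on a 28-byte header-only datagram: a bare probe carrying no proposal.
        "declared_len": int.from_bytes(ike[24:28], "big"),
    }
```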

  • Can you show your firewall configuration for IKE?

  • Hi Luis,

    I have now been able to have a good look at your rule, and it is very strange. Where is the IKE device located? The rule implies it is internal, and you are using the wrong setup for the ports; you need to reverse them.

    I had to return the device that used IKE when I retired and have since deleted the rule.

    Ian

  • Same problem here,


    What ports exactly does Sophos Connect Client use?

  • Hello Clemilton,

    Sophos Connect Client uses UDP ports 500 and 4500 for IKE negotiations. Here are some steps you can use to troubleshoot this problem.

    1) If there are other users who can connect to this gateway with Sophos Connect, then the firewall rules are configured correctly on this gateway and it is able to handle ISAKMP negotiations. If no one is able to connect, then most likely there is a problem with the configuration on the gateway.

    2) Check scvpn.log (found in the Sophos Connect install folder on Windows and in /var/log on Mac). Make sure the gateway hostname or IP is correct.

    3) To stop the client from doing the pre-connectivity check, run this CLI command. Open a command prompt, change directory to the install folder, then run: sccli update -n <connectionname> -l and try to enable the connection. To re-enable the pre-connectivity checks, run: sccli update -n <connectionname> -k

    4) If the connection works after you disable the pre-connectivity check and you are running Sophos Connect 1.2, it is best to upgrade your install to Sophos Connect 1.3 EAP1, available in the forum. It has some improvements to the pre-connectivity checks.

    5) If the connection still does not work after you disable the pre-connectivity check, then UDP port 500 is being blocked somewhere along the path from your machine to the gateway.


    Please provide feedback so we can help other users who are running into this same problem.


    Thank you,

    Ramesh

  • Thanks Ramesh!


    UDP 4500 was blocked. Once unblocked, the connection works like a charm!

    [:D]

  • Thank you Clemilton for the quick update.


    Can I ask you where UDP 4500 was blocked?


    Ramesh

  • Again, for the benefit of the other forum users I need your help. How were you able to determine that it was your ISP that blocked UDP port 4500? Even though it was blocked by your ISP, how did you get them to unblock it? Can you share that so other users who run into a similar situation will be able to get it resolved?


    Thanks a lot for your time.


    Ramesh

  • I researched the documentation and found the port configuration used for SSL VPN. No other configuration is intended to change VPN ports, so I understood that the only port used by Sophos Connect was 8443. After looking at the Sophos Client log, I saw a connection failure on UDP port 500, so I understood that there were more ports involved in the connection. I asked for help and you answered by stating that port 4500 was also used. I got in touch with my ISP and asked for the release of all these ports, and the connection worked.

    [:)]