
SSL VPN Configuration - Can connect when on LAN, but not over WAN

Hello all,

I'm trying to get remote access over the WAN to work. I've done a lot of searching and followed the setup guide for the XG Firewall SSL VPN configuration; I've also watched two videos on the setup to compare and see if I was doing something wrong, however, I haven't been able to determine the issue yet. I made sure of the device access for SSL VPN, firewall rule, VPN group/policy, authentication server, advanced SSL VPN settings, over TCP port 8443 (even tried other ports and UDP), etc. Everything is in place.

After configuring and downloading the client to test, if I leave my PC connected to our LAN, X.X.161.0/24 (XG LAN interface is 161.1) the VPN client connects successfully and I get an IP in my SSL VPN range. But if I unplug my PC's LAN connection, connect my PC to my phone's wireless hotspot (to simulate a connection over the WAN) and try to VPN in, I get errors. (See in log below.)

Now, I've followed 3 different guides 100% and I'm wondering if there isn't an issue with my ISP blocking something I'm trying to do. I'm a small part of a state government organization and I think it's possible that something upstream from me is maybe denying these connections. I also didn't expect to be able to connect to the VPN while connected to the LAN. (I'm used to SonicWall's NetExtender and SSL VPN and it will refuse the connection when trying to do that.)

Anyway, I'm stuck and could use some help or ideas. In the log output below, I failed to connect when trying over my phone's hotspot (as mentioned above), but when I reconnected to the LAN, you can see that it successfully connected.

Any suggestions are much appreciated.


Fri Feb 01 12:58:16 2019 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jul 3 2017
Fri Feb 01 12:58:16 2019 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.09
Fri Feb 01 12:58:16 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Fri Feb 01 12:58:16 2019 Need hold release from management interface, waiting...
Fri Feb 01 12:58:17 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Fri Feb 01 12:58:17 2019 MANAGEMENT: CMD 'state on'
Fri Feb 01 12:58:17 2019 MANAGEMENT: CMD 'log all on'
Fri Feb 01 12:58:17 2019 MANAGEMENT: CMD 'hold off'
Fri Feb 01 12:58:17 2019 MANAGEMENT: CMD 'hold release'
Fri Feb 01 12:58:23 2019 MANAGEMENT: CMD 'username "Auth" "[removed]"'
Fri Feb 01 12:58:23 2019 MANAGEMENT: CMD 'password [...]'
Fri Feb 01 12:58:23 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Feb 01 12:58:23 2019 Attempting to establish TCP connection with [AF_INET]X.X.46.2:8443 [nonblock]
Fri Feb 01 12:58:23 2019 MANAGEMENT: >STATE:1549047503,TCP_CONNECT,,,,,,
Fri Feb 01 12:58:33 2019 TCP: connect to [AF_INET]X.X.46.2:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
Fri Feb 01 12:58:33 2019 SIGUSR1[soft,init_instance] received, process restarting
Fri Feb 01 12:58:33 2019 MANAGEMENT: >STATE:1549047513,RECONNECTING,init_instance,,,,,
Fri Feb 01 12:58:33 2019 Restart pause, 5 second(s)
Fri Feb 01 12:58:38 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Feb 01 12:58:38 2019 Attempting to establish TCP connection with [AF_INET]X.X.161.1:8443 [nonblock]
Fri Feb 01 12:58:38 2019 MANAGEMENT: >STATE:1549047518,TCP_CONNECT,,,,,,
Fri Feb 01 12:58:48 2019 TCP: connect to [AF_INET]X.X.161.1:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
Fri Feb 01 12:58:48 2019 SIGUSR1[soft,init_instance] received, process restarting
Fri Feb 01 12:58:48 2019 MANAGEMENT: >STATE:1549047528,RECONNECTING,init_instance,,,,,
Fri Feb 01 12:58:48 2019 Restart pause, 5 second(s)
Fri Feb 01 12:58:53 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Feb 01 12:58:53 2019 Attempting to establish TCP connection with [AF_INET]X.X.161.161:8443 [nonblock]
Fri Feb 01 12:58:53 2019 MANAGEMENT: >STATE:1549047533,TCP_CONNECT,,,,,,
Fri Feb 01 12:59:03 2019 TCP: connect to [AF_INET]X.X.161.161:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
Fri Feb 01 12:59:03 2019 SIGUSR1[soft,init_instance] received, process restarting
Fri Feb 01 12:59:03 2019 MANAGEMENT: >STATE:1549047543,RECONNECTING,init_instance,,,,,
Fri Feb 01 12:59:03 2019 Restart pause, 5 second(s)
Fri Feb 01 12:59:08 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Feb 01 12:59:08 2019 Attempting to establish TCP connection with [AF_INET]X.X.46.2:8443 [nonblock]
Fri Feb 01 12:59:08 2019 MANAGEMENT: >STATE:1549047548,TCP_CONNECT,,,,,,
Fri Feb 01 12:59:09 2019 TCP connection established with [AF_INET]X.X.46.2:8443
Fri Feb 01 12:59:09 2019 TCPv4_CLIENT link local: [undef]
Fri Feb 01 12:59:09 2019 TCPv4_CLIENT link remote: [AF_INET]X.X.46.2:8443
Fri Feb 01 12:59:09 2019 MANAGEMENT: >STATE:1549047549,WAIT,,,,,,
Fri Feb 01 12:59:09 2019 MANAGEMENT: >STATE:1549047549,AUTH,,,,,,
Fri Feb 01 12:59:09 2019 TLS: Initial packet from [AF_INET]X.X.46.2:8443, sid=96d2a000 e2b0817b
Fri Feb 01 12:59:09 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Feb 01 12:59:09 2019 VERIFY OK: depth=1, C=US, [removed]
Fri Feb 01 12:59:09 2019 VERIFY X509NAME OK: C=US, [removed]
Fri Feb 01 12:59:09 2019 VERIFY OK: depth=0, C=US, [removed]
Fri Feb 01 12:59:10 2019 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Fri Feb 01 12:59:10 2019 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Feb 01 12:59:10 2019 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Fri Feb 01 12:59:10 2019 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Feb 01 12:59:10 2019 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Fri Feb 01 12:59:10 2019 [SophosApplianceCertificate_C01001W2G7MXC71] Peer Connection Initiated with [AF_INET]X.X.46.2:8443
Fri Feb 01 12:59:11 2019 MANAGEMENT: >STATE:1549047551,GET_CONFIG,,,,,,
Fri Feb 01 12:59:12 2019 SENT CONTROL [SophosApplianceCertificate_C01001W2G7MXC71]: 'PUSH_REQUEST' (status=1)
Fri Feb 01 12:59:12 2019 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.1.1.100,ping 45,ping-restart 180,route X.X.161.160 255.255.255.224,route X.X.0.0 255.255.0.0,route X.X.161.0 255.255.255.128,topology subnet,route remote_host 255.255.255.255 net_gateway,inactive 900 7680,dhcp-option DNS X.X.161.5,dhcp-option DNS X.X.161.163,dhcp-option DOMAIN [domain removed],ifconfig 10.1.1.101 255.255.255.0'
Fri Feb 01 12:59:12 2019 OPTIONS IMPORT: timers and/or timeouts modified
Fri Feb 01 12:59:12 2019 OPTIONS IMPORT: --ifconfig/up options modified
Fri Feb 01 12:59:12 2019 OPTIONS IMPORT: route options modified
Fri Feb 01 12:59:12 2019 OPTIONS IMPORT: route-related options modified
Fri Feb 01 12:59:12 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Feb 01 12:59:12 2019 ROUTE_GATEWAY X.X.161.1/255.255.255.128 I=5 HWADDR=10:65:30:bf:2f:4e
Fri Feb 01 12:59:12 2019 open_tun, tt->ipv6=0
Fri Feb 01 12:59:12 2019 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{ED0CF19C-CC2E-4731-B9E3-72F29FD4A196}.tap
Fri Feb 01 12:59:12 2019 TAP-Windows Driver Version 9.21
Fri Feb 01 12:59:12 2019 Set TAP-Windows TUN subnet mode network/local/netmask = 10.1.1.0/10.1.1.101/255.255.255.0 [SUCCEEDED]
Fri Feb 01 12:59:12 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.1.1.101/255.255.255.0 on interface {ED0CF19C-CC2E-4731-B9E3-72F29FD4A196} [DHCP-serv: 10.1.1.254, lease-time: 31536000]
Fri Feb 01 12:59:12 2019 Successful ARP Flush on interface [42] {ED0CF19C-CC2E-4731-B9E3-72F29FD4A196}
Fri Feb 01 12:59:12 2019 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Feb 01 12:59:12 2019 MANAGEMENT: >STATE:1549047552,ASSIGN_IP,,10.1.1.101,,,,
Fri Feb 01 12:59:16 2019 TEST ROUTES: 5/5 succeeded len=5 ret=1 a=0 u/d=up
Fri Feb 01 12:59:16 2019 MANAGEMENT: >STATE:1549047556,ADD_ROUTES,,,,,,
Fri Feb 01 12:59:16 2019 C:\WINDOWS\system32\route.exe ADD X.X.46.2 MASK 255.255.255.255 X.X.161.1
Fri Feb 01 12:59:16 2019 Route addition via service succeeded
Fri Feb 01 12:59:16 2019 C:\WINDOWS\system32\route.exe ADD X.X.161.160 MASK 255.255.255.224 10.1.1.100
Fri Feb 01 12:59:16 2019 Route addition via service succeeded
Fri Feb 01 12:59:16 2019 C:\WINDOWS\system32\route.exe ADD X.X.0.0 MASK 255.255.0.0 10.1.1.100
Fri Feb 01 12:59:16 2019 Route addition via service succeeded
Fri Feb 01 12:59:16 2019 C:\WINDOWS\system32\route.exe ADD X.X.161.0 MASK 255.255.255.128 10.1.1.100
Fri Feb 01 12:59:16 2019 Route addition via service succeeded
Fri Feb 01 12:59:16 2019 C:\WINDOWS\system32\route.exe ADD X.X.46.2 MASK 255.255.255.255 X.X.161.1
Fri Feb 01 12:59:16 2019 ROUTE: route addition failed using service: The object already exists. [status=5010 if_index=5]
Fri Feb 01 12:59:16 2019 Route addition via service failed
Fri Feb 01 12:59:16 2019 Initialization Sequence Completed
Fri Feb 01 12:59:16 2019 MANAGEMENT: >STATE:1549047556,CONNECTED,SUCCESS,10.1.1.101,X.X.46.2,8443,X.X.161.57,59081
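
The log above is more informative than the error text suggests. The client walks through three server addresses in turn (the way OpenVPN treats several `remote` lines in a profile), each attempt sits for ten seconds before failing, and in the final cycle a TCP connection completes within a second. A refused connection (RST) fails immediately; a connect that drags on for seconds was never answered at all. The following triage script is an added example, not part of the original post or of any Sophos tooling: it parses the client log, times each attempt, and classifies the result. The sample logs inside it are constructed from the shape of the post's log with documentation-range addresses (203.0.113.2, 192.0.2.x) in place of the redacted X.X.* ones; the five-second threshold separating "timed out" from "refused" is an assumption. It deliberately ignores the Windows message after "failed, will try again", since the text OpenVPN 2.3 prints there is not a usable description of the socket error.

```python
"""Triage an OpenVPN 2.3 Windows client log: which remotes were tried, how long
each attempt waited, and whether the failure is TCP-level or session-level.
Added example; addresses and thresholds are constructed assumptions."""
import re
from datetime import datetime
from typing import Dict, List

# Line shapes as emitted by the OpenVPN 2.3 Windows client in the post above.
_TS = re.compile(r"^(\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (.*)$")
_ATTEMPT = re.compile(r"Attempting to establish TCP connection with \[AF_INET\](\S+):(\d+)")
_FAILED = re.compile(r"TCP: connect to \[AF_INET\]\S+:\d+ failed")
_ESTABLISHED = re.compile(r"TCP connection established with \[AF_INET\]\S+:\d+")
_CONNECTED = re.compile(r">STATE:\d+,CONNECTED,SUCCESS")
_SESSION_PROBLEM = re.compile(r"TLS Error|TLS handshake failed|VERIFY ERROR|AUTH_FAILED")


def _split(line: str):
    """Return (timestamp or None, message) for one log line."""
    m = _TS.match(line.strip())
    if not m:
        return None, line.strip()
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)


def parse_attempts(log: str) -> List[Dict]:
    """One record per TCP connection attempt, in log order.
    outcome: pending | failed | tcp_established | connected | session_failed
    seconds: how long OpenVPN waited before the attempt failed or completed."""
    attempts: List[Dict] = []
    for raw in log.splitlines():
        ts, msg = _split(raw)
        m = _ATTEMPT.search(msg)
        if m:
            attempts.append({"host": m.group(1), "port": int(m.group(2)),
                             "outcome": "pending", "started": ts, "seconds": None})
            continue
        if not attempts:
            continue
        cur = attempts[-1]
        if _FAILED.search(msg) or _ESTABLISHED.search(msg):
            cur["outcome"] = "failed" if "failed" in msg else "tcp_established"
            if ts is not None and cur["started"] is not None:
                cur["seconds"] = (ts - cur["started"]).total_seconds()
        elif _CONNECTED.search(msg):
            cur["outcome"] = "connected"
        elif _SESSION_PROBLEM.search(msg):
            cur["outcome"] = "session_failed"
    return attempts


def classify_failure(attempt: Dict, timeout_floor: float = 5.0) -> str:
    """A RST comes back well under a second; a connect that waits several seconds
    got neither SYN/ACK nor RST, i.e. the SYN was dropped somewhere on the path."""
    secs = attempt["seconds"]
    if secs is None:
        return "unknown"
    return "timed_out_no_answer" if secs >= timeout_floor else "refused_or_reset"


def triage(log: str) -> Dict:
    attempts = parse_attempts(log)
    outcomes = [a["outcome"] for a in attempts]
    remotes: List[str] = []
    for a in attempts:
        key = f'{a["host"]}:{a["port"]}'
        if key not in remotes:
            remotes.append(key)
    if not attempts:
        verdict = "no_connection_attempts_in_log"
    elif "connected" in outcomes:
        verdict = "connected"
    elif "session_failed" in outcomes or "tcp_established" in outcomes:
        # Packets reach the listener; the problem is TLS/auth, not routing or filtering.
        verdict = "tcp_reached_server_but_no_vpn_session"
    elif all(o == "failed" for o in outcomes):
        kinds = sorted({classify_failure(a) for a in attempts})
        # No remote ever completed the handshake: capture on the firewall's WAN
        # interface for that port to see whether the SYNs arrive at all.
        verdict = "no_tcp_to_any_remote (" + "+".join(kinds) + ")"
    else:
        verdict = "undetermined"
    return {"verdict": verdict, "remotes_tried": remotes, "attempts": attempts}


# Constructed samples modelled on the post's log (hotspot side, then LAN side).
WAN_SIDE_LOG = """\
Fri Feb 01 12:58:23 2019 Attempting to establish TCP connection with [AF_INET]203.0.113.2:8443 [nonblock]
Fri Feb 01 12:58:33 2019 TCP: connect to [AF_INET]203.0.113.2:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
Fri Feb 01 12:58:33 2019 SIGUSR1[soft,init_instance] received, process restarting
Fri Feb 01 12:58:38 2019 Attempting to establish TCP connection with [AF_INET]192.0.2.1:8443 [nonblock]
Fri Feb 01 12:58:48 2019 TCP: connect to [AF_INET]192.0.2.1:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
Fri Feb 01 12:58:53 2019 Attempting to establish TCP connection with [AF_INET]192.0.2.161:8443 [nonblock]
Fri Feb 01 12:59:03 2019 TCP: connect to [AF_INET]192.0.2.161:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
"""

LAN_SIDE_LOG = """\
Fri Feb 01 12:59:08 2019 Attempting to establish TCP connection with [AF_INET]203.0.113.2:8443 [nonblock]
Fri Feb 01 12:59:09 2019 TCP connection established with [AF_INET]203.0.113.2:8443
Fri Feb 01 12:59:09 2019 TLS: Initial packet from [AF_INET]203.0.113.2:8443, sid=96d2a000 e2b0817b
Fri Feb 01 12:59:16 2019 Initialization Sequence Completed
Fri Feb 01 12:59:16 2019 MANAGEMENT: >STATE:1549047556,CONNECTED,SUCCESS,10.1.1.101,203.0.113.2,8443,192.0.2.57,59081
"""

if __name__ == "__main__":
    for name, sample in (("hotspot", WAN_SIDE_LOG), ("LAN", LAN_SIDE_LOG)):
        r = triage(sample)
        print(name, r["verdict"], r["remotes_tried"], [a["seconds"] for a in r["attempts"]])
```

Run it against the real log saved from the client (`python triage.py < openvpn.log` after swapping the samples for `sys.stdin.read()`): a verdict of "no_tcp_to_any_remote (timed_out_no_answer)" means the SYNs are being dropped before any host answers, which is exactly the case a capture on the firewall's WAN interface can confirm or rule out.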



  • LuCar Toni said:

    You should start to dump on the XG WAN interface.

    https://community.sophos.com/products/community-chat/f/knowledge-base-article-suggestions/105811/how-to-tcpdump-on-xg


    And maybe use Wireshark to dump on the client. 

    Thanks for your reply.

    I can't get into the CLI over SSH currently. I don't have access to the admin account that appears to be required for it. I'll have to look into resetting that password.

    In the meantime, I did the same test again (trying to access over my phone's hotspot, waiting, then re-enabling my wired LAN connection) and packet capture saw nothing on port 8443 until I enabled the LAN and the connection was successful. There were no packets when trying it from the WAN side.

    That sounds like a firewall issue. But I don't know. I configured rules for VPN->LAN and LAN->VPN and moved them to the top...
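
A capture on the firewall that shows nothing on port 8443 tells you the SYN never got there, but not where it was lost. The complementary check is from the client side: probe each `remote` from the profile over the hotspot and record whether the connect completes, is refused (a RST came back, so some host was reached) or times out (no answer at all, the signature of a drop on the path). The script below is an added example, not part of the post or of Sophos's client; the profile it parses is constructed with documentation-range addresses, and the two-second self-check timeout is an assumption. Note that `openssl s_client` is not a substitute for this probe: an OpenVPN TCP listener wraps TLS in its own control-channel framing, so a plain TLS client will not complete a handshake against it even when everything is working.

```python
"""Probe the remotes of an OpenVPN profile and classify each TCP result.
Added example; profile contents and thresholds are constructed assumptions."""
import errno
import re
import socket
from typing import Dict, List, Tuple

_REMOTE = re.compile(r"^\s*remote\s+(\S+)(?:\s+(\d+))?(?:\s+(tcp|udp)\S*)?", re.I)
_PORT = re.compile(r"^\s*port\s+(\d+)", re.M)


def remotes_from_profile(profile: str, default_port: int = 1194) -> List[Tuple[str, int]]:
    """Every `remote host [port] [proto]` line, in order. OpenVPN tries them in that
    order (the three addresses cycled in the log above come from such a list), so a
    profile that lists internal addresses first can connect from the LAN and still
    fail from outside. A global `port N` directive supplies the port for remotes
    that do not name one."""
    m = _PORT.search(profile)
    if m:
        default_port = int(m.group(1))
    out: List[Tuple[str, int]] = []
    for line in profile.splitlines():
        m = _REMOTE.match(line)
        if m:
            out.append((m.group(1), int(m.group(2) or default_port)))
    return out


def probe_tcp(host: str, port: int, timeout: float = 5.0) -> Dict:
    """Classify what happens to a TCP SYN towards host:port.
    open        - handshake completed: something listens and is reachable
    refused     - RST came back: the host was reached, nothing listens on that port
    timed_out   - no SYN/ACK and no RST within `timeout`: dropped or filtered en route
    unreachable - the local stack has no route (hotspot down); not a remote problem"""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return {"host": host, "port": port, "state": "open", "error": None}
    except socket.timeout:
        return {"host": host, "port": port, "state": "timed_out",
                "error": "no SYN/ACK or RST within %.1fs" % timeout}
    except ConnectionRefusedError as e:
        return {"host": host, "port": port, "state": "refused", "error": str(e)}
    except OSError as e:
        kind = "unreachable" if e.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH) else "error"
        return {"host": host, "port": port, "state": kind, "error": str(e)}
    finally:
        s.close()


def probe_profile(profile: str, timeout: float = 5.0) -> List[Dict]:
    """Probe each remote in profile order; run this from the hotspot, then from the LAN."""
    return [probe_tcp(h, p, timeout) for h, p in remotes_from_profile(profile)]


def run_self_check() -> Tuple[str, str]:
    """Offline check of the classifier against a constructed local listener:
    'open' while it listens, 'refused' once it has been closed."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)
    port = lst.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port, 2.0)["state"]
    lst.close()
    after_close = probe_tcp("127.0.0.1", port, 2.0)["state"]
    return while_listening, after_close


# Constructed profile in the shape of a client-export .ovpn (addresses are not real).
SAMPLE_PROFILE = """\
client
dev tun
proto tcp
port 8443
remote 203.0.113.2
remote 192.0.2.1
remote 192.0.2.161 8443 tcp
remote-cert-tls server
"""

if __name__ == "__main__":
    print("remotes:", remotes_from_profile(SAMPLE_PROFILE))
    print("self-check:", run_self_check())
    for result in probe_profile(SAMPLE_PROFILE, timeout=3.0):
        print(result)
```

Read the result per remote: "timed_out" for the public address from the hotspot while the same address is "open" from the LAN means the SYN is lost between the carrier and the firewall's WAN side, which is what the empty WAN capture on port 8443 also says; "refused" would instead mean the SYN reached a host that is not listening on that port (for example a NAT or upstream device answering in place of the firewall).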
