
SSLVPN through XG to UTM

Hi guys,

 

So, like most of you, I have been working from home since March. At home I use the XG firewall (virtualised on Hyper-V and using the home license). This works very well. I chose not to make any changes since I need the connection to be stable. Currently I'm running firmware version SFOS 18.0.0 EAP3-Refresh1 and everything functions well for me.

In our office environment we use the Sophos UTM 9.x.x, this device is also running fine. Every day I use the Sophos SSLVPN client from my client laptop to connect to the office (through the XG firewall). This works fine, no problems at all.

So with some of the security issues with the XG firmware, I thought I could no longer wait, and so I started to upgrade to the latest version available for the XG. Everything seems to be working, but my SSLVPN connection to the office could no longer be set up. So I rolled back to EAP-Refresh1. I tried all the firmware versions one by one coming after EAP-Refresh1, but for me it all results in not being able to connect the SSLVPN through the XG firewall to my office anymore.

Can anyone help me with this, as I cannot find why this is happening. The logviewer shows the traffic is ALLOWED but still I can't connect.



  • Hi  

    As I understand it, you are connecting the SSL VPN as SSL VPN Client >> Sophos XG firewall >> ISP >> Sophos UTM. Did you check the logs in the UTM? Did you check the dropped packets in the XG firewall for the SSL VPN port?

    If you create a plain firewall rule for your IP in the Sophos XG firewall, without any scanning or restrictions, what do you observe?

  • Hi Keyur,

     

    Keyur said:

    As I understand it, you are connecting the SSL VPN as SSL VPN Client >> Sophos XG firewall >> ISP >> Sophos UTM. Did you check the logs in the UTM?

    This is correct. I don't manage the UTM from the office environment, but this device does not seem to matter. If I create the rule you talk about, the traffic flows through it and I see it being allowed in the logviewer. But the SSLVPN is not connecting. So my thoughts were that maybe somewhere in the traffic flowing back, something is missing or being dropped or anything.

    Kind regards,

    Jeffrey

  • Hi  

    Well, we need to check with both firewalls to collect logs. Could you please share the SSL VPN connection logs? In the XG firewall, if the firewall rule is created as suggested in the previous response, the XG firewall will not block any traffic generated from your computer.

    Did you check by bypassing the XG firewall?

    Please use packet capture - https://community.sophos.com/kb/en-us/123189

    For Drop packet capture - https://community.sophos.com/kb/en-us/127111

    Please verify the logs on Sophos UTM as well.

  • Hi Keyur,

    I'm currently in business hours, so I still need the VPN to be in use. I'll try to collect the logs later today. By bypassing the XG, everything works like a charm. And with the XG firmware 18 EAP-Refresh1 it also works, but with any firmware after this, it doesn't work anymore.

    Kind regards,

    Jeffrey

  • Hi  

    Thank you for sharing the details. I would request you to check once you complete your office hours and let us know the outcome. We will be glad to assist you further.

  • Hi Keyur,

    I did a quick test.
    - I upgraded the firmware to SFOS 18.0.0 GA-Build379.HF050520.1
    - Created the rule and placed it on top


    - tried to make the SSLVPN connection (did not work)
    - Logviewer showed nothing on the specific rule
    - SSLVPN log showed the output below (also, the SSLVPN does not go into an error state, it just keeps repeating)

    Mon May 25 14:32:34 2020 TCP connection established with [AF_INET]1.2.3.4:443
    Mon May 25 14:32:34 2020 TCPv4_CLIENT link local: [undef]
    Mon May 25 14:32:34 2020 TCPv4_CLIENT link remote: [AF_INET]1.2.3.4:443
    Mon May 25 14:32:34 2020 MANAGEMENT: >STATE:1590409954,WAIT,,,,,,
    Mon May 25 14:32:34 2020 Connection reset, restarting [-1]
    Mon May 25 14:32:34 2020 SIGUSR1[soft,connection-reset] received, process restarting
    Mon May 25 14:32:34 2020 MANAGEMENT: >STATE:1590409954,RECONNECTING,connection-reset,,,,,
    Mon May 25 14:32:34 2020 Restart pause, 5 second(s)
    Mon May 25 14:32:39 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Mon May 25 14:32:39 2020 MANAGEMENT: >STATE:1590409959,RESOLVE,,,,,,
    Mon May 25 14:32:39 2020 Attempting to establish TCP connection with [AF_INET]1.2.3.4:443 [nonblock]
    Mon May 25 14:32:39 2020 MANAGEMENT: >STATE:1590409959,TCP_CONNECT,,,,,,
    Mon May 25 14:32:40 2020 TCP connection established with [AF_INET]1.2.3.4:443
    Mon May 25 14:32:40 2020 TCPv4_CLIENT link local: [undef]
    Mon May 25 14:32:40 2020 TCPv4_CLIENT link remote: [AF_INET]1.2.3.4:443
    Mon May 25 14:32:40 2020 MANAGEMENT: >STATE:1590409960,WAIT,,,,,,
    Mon May 25 14:32:40 2020 Connection reset, restarting [-1]
    Mon May 25 14:32:40 2020 SIGUSR1[soft,connection-reset] received, process restarting
    Mon May 25 14:32:40 2020 MANAGEMENT: >STATE:1590409960,RECONNECTING,connection-reset,,,,,
    Mon May 25 14:32:40 2020 Restart pause, 5 second(s)
    Mon May 25 14:32:45 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Mon May 25 14:32:45 2020 MANAGEMENT: >STATE:1590409965,RESOLVE,,,,,,
    Mon May 25 14:32:45 2020 Attempting to establish TCP connection with [AF_INET]1.2.3.4:443 [nonblock]
    Mon May 25 14:32:45 2020 MANAGEMENT: >STATE:1590409965,TCP_CONNECT,,,,,,
    Mon May 25 14:32:46 2020 TCP connection established with [AF_INET]1.2.3.4:443
    Mon May 25 14:32:46 2020 TCPv4_CLIENT link local: [undef]
    Mon May 25 14:32:46 2020 TCPv4_CLIENT link remote: [AF_INET]1.2.3.4:443
    Mon May 25 14:32:46 2020 MANAGEMENT: >STATE:1590409966,WAIT,,,,,,
    Mon May 25 14:32:46 2020 Connection reset, restarting [-1]
    Mon May 25 14:32:46 2020 SIGUSR1[soft,connection-reset] received, process restarting
    Mon May 25 14:32:46 2020 MANAGEMENT: >STATE:1590409966,RECONNECTING,connection-reset,,,,,
    Mon May 25 14:32:46 2020 Restart pause, 5 second(s)
    Mon May 25 14:32:51 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Mon May 25 14:32:51 2020 MANAGEMENT: >STATE:1590409971,RESOLVE,,,,,,
    Mon May 25 14:32:51 2020 Attempting to establish TCP connection with [AF_INET]1.2.3.4:443 [nonblock]
    Mon May 25 14:32:51 2020 MANAGEMENT: >STATE:1590409971,TCP_CONNECT,,,,,,
    Mon May 25 14:32:52 2020 TCP connection established with [AF_INET]1.2.3.4:443
    Mon May 25 14:32:52 2020 TCPv4_CLIENT link local: [undef]
    Mon May 25 14:32:52 2020 TCPv4_CLIENT link remote: [AF_INET]1.2.3.4:443
    Mon May 25 14:32:52 2020 MANAGEMENT: >STATE:1590409972,WAIT,,,,,,

     

    Kind regards,

    Jeffrey
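The log above is the OpenVPN client behind the Sophos SSL VPN client, and the telling detail is where each cycle stops: the TCP handshake completes, the management interface reports WAIT (waiting for the server's first control-channel packet), and the connection is reset in the same second, with no AUTH or later state ever appearing. That is a reset before TLS starts, so certificates and credentials are not yet involved; something on the path, or the server, is killing the flow right after the TCP handshake. The following checker, added here as an example and not part of the post or of any Sophos tooling, reads a client log in this format, measures the time from "TCP connection established" to "Connection reset" per cycle, and reports whether any post-handshake state was ever reached. The sample logs are constructed to mirror the post's output (placeholder address 1.2.3.4); the state names are the standard OpenVPN management-interface states, and the 2-second threshold is an assumption for what counts as "immediately".

```python
"""Classify an OpenVPN client reconnect loop from its log (added example)."""
import re
from datetime import datetime
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Timestamp prefix as written by the OpenVPN client, e.g. "Mon May 25 14:32:34 2020".
TS_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (.*)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"

# Management-interface states that the client only reports once the TLS
# control channel with the server is up. Anything reset before these is a
# transport-level problem, not an authentication one.
PAST_HANDSHAKE_STATES = {"AUTH", "GET_CONFIG", "ASSIGN_IP", "ADD_ROUTES", "CONNECTED"}

# Assumed threshold: a reset within this many seconds of the TCP handshake
# counts as "immediate".
IMMEDIATE_RESET_SECONDS = 2.0

# Constructed sample in the format of the post: two connect/reset cycles, never past WAIT.
SAMPLE_LOG = """\
Mon May 25 14:32:39 2020 MANAGEMENT: >STATE:1590409959,RESOLVE,,,,,,
Mon May 25 14:32:39 2020 Attempting to establish TCP connection with [AF_INET]1.2.3.4:443 [nonblock]
Mon May 25 14:32:39 2020 MANAGEMENT: >STATE:1590409959,TCP_CONNECT,,,,,,
Mon May 25 14:32:40 2020 TCP connection established with [AF_INET]1.2.3.4:443
Mon May 25 14:32:40 2020 MANAGEMENT: >STATE:1590409960,WAIT,,,,,,
Mon May 25 14:32:40 2020 Connection reset, restarting [-1]
Mon May 25 14:32:40 2020 SIGUSR1[soft,connection-reset] received, process restarting
Mon May 25 14:32:40 2020 MANAGEMENT: >STATE:1590409960,RECONNECTING,connection-reset,,,,,
Mon May 25 14:32:40 2020 Restart pause, 5 second(s)
Mon May 25 14:32:45 2020 MANAGEMENT: >STATE:1590409965,RESOLVE,,,,,,
Mon May 25 14:32:45 2020 Attempting to establish TCP connection with [AF_INET]1.2.3.4:443 [nonblock]
Mon May 25 14:32:45 2020 MANAGEMENT: >STATE:1590409965,TCP_CONNECT,,,,,,
Mon May 25 14:32:46 2020 TCP connection established with [AF_INET]1.2.3.4:443
Mon May 25 14:32:46 2020 MANAGEMENT: >STATE:1590409966,WAIT,,,,,,
Mon May 25 14:32:46 2020 Connection reset, restarting [-1]
Mon May 25 14:32:46 2020 SIGUSR1[soft,connection-reset] received, process restarting
Mon May 25 14:32:46 2020 MANAGEMENT: >STATE:1590409966,RECONNECTING,connection-reset,,,,,
Mon May 25 14:32:46 2020 Restart pause, 5 second(s)
"""

# Constructed contrast: a session that gets through the handshake and connects.
HEALTHY_LOG = """\
Mon May 25 14:40:00 2020 TCP connection established with [AF_INET]1.2.3.4:443
Mon May 25 14:40:00 2020 MANAGEMENT: >STATE:1590410400,WAIT,,,,,,
Mon May 25 14:40:01 2020 MANAGEMENT: >STATE:1590410401,AUTH,,,,,,
Mon May 25 14:40:02 2020 MANAGEMENT: >STATE:1590410402,GET_CONFIG,,,,,,
Mon May 25 14:40:03 2020 MANAGEMENT: >STATE:1590410403,CONNECTED,SUCCESS,10.242.2.6,1.2.3.4,443,,
"""


def parse(log_text: str) -> Iterator[Tuple[datetime, str]]:
    """Yield (timestamp, message) for every timestamped line; skip anything else."""
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), TS_FMT), m.group(2)


def analyze(log_text: str) -> Dict[str, object]:
    """Measure connect-to-reset time per cycle and the furthest state reached."""
    resets: List[float] = []          # seconds from TCP established to reset, per cycle
    states: Set[str] = set()
    connected_at: Optional[datetime] = None
    for ts, msg in parse(log_text):
        if msg.startswith("TCP connection established"):
            connected_at = ts
        elif msg.startswith("Connection reset") and connected_at is not None:
            resets.append((ts - connected_at).total_seconds())
            connected_at = None
        elif ">STATE:" in msg:
            # ">STATE:1590409960,WAIT,,,,,," -> the state name is the second field
            states.add(msg.split(">STATE:", 1)[1].split(",")[1])
    past_handshake = bool(states & PAST_HANDSHAKE_STATES)
    if len(resets) >= 2 and not past_handshake and max(resets) <= IMMEDIATE_RESET_SECONDS:
        verdict = "reset_before_tls"   # path or server kills the flow right after TCP handshake
    elif resets:
        verdict = "reset_after_tls"    # look at certificates, auth, or server-side logs
    else:
        verdict = "no_reset_loop"
    return {
        "reset_cycles": len(resets),
        "max_seconds_to_reset": max(resets, default=0.0),
        "states": sorted(states),
        "past_handshake": past_handshake,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("healthy", HEALTHY_LOG)):
        print(name, analyze(log))
```

Run it against a real client log (the file the Sophos client writes, or OpenVPN's own log) instead of the embedded samples; a "reset_before_tls" verdict is the cue to capture packets on both sides of the XG for TCP/443 to the UTM and look for who sends the RST, rather than to touch certificates or credentials.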

  • Were you able to investigate why it is failing?

    Kind regards,

    Jeffrey

  • Just to be sure, you replaced your WAN IP in your Log with 1.2.3.4 - correct? 

    Do you have a DPI Inspection rule in Place? 

  • Yes that is correct. 1.2.3.4 is not the original IP, just put it there for security reasons

  • Hi  

    Do you have DPI inspection enabled in the firewall rule that the SSL VPN traffic passes through? We have checked, and no such issue has been reported. Are you able to collect logs from the UTM when you try to connect the SSL VPN?

  • Keyur, like I said, I do not manage the UTM device. But also from the XG perspective I don't see any traffic going to the company UTM IP (with the latest firmware installed). I do see this traffic in the XG logs with the old firmware installed. This behaviour tells me that the traffic cannot leave the XG.
