Cannot connect over SSL VPN when remote (not connected to local WLAN); cannot connect to admin portal (https://xxxxx:4444) from remote

Hello,

We received a new XG 135w in the office and are now trying to make the SSL VPN function. I tried it localy (I'm connected to the WLAN from the office, on which the FW is also connected) and it works (I can login). But when I try to do it outside of the office (from home), it won't work.

Here is the log file (192.168.10.8 is the WAN/port on the router:

Wed Jul 29 15:21:11 2020 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jul 3 2017
Wed Jul 29 15:21:11 2020 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.09
Enter Management Password:
Wed Jul 29 15:21:11 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Wed Jul 29 15:21:11 2020 Need hold release from management interface, waiting...
Wed Jul 29 15:21:12 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Wed Jul 29 15:21:12 2020 MANAGEMENT: CMD 'state on'
Wed Jul 29 15:21:12 2020 MANAGEMENT: CMD 'log all on'
Wed Jul 29 15:21:12 2020 MANAGEMENT: CMD 'hold off'
Wed Jul 29 15:21:12 2020 MANAGEMENT: CMD 'hold release'
Wed Jul 29 15:21:23 2020 MANAGEMENT: CMD 'username "Auth" "xxxxx"'
Wed Jul 29 15:21:23 2020 MANAGEMENT: CMD 'password [...]'
Wed Jul 29 15:21:23 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Jul 29 15:21:23 2020 Attempting to establish TCP connection with [AF_INET]192.168.10.8:8443 [nonblock]
Wed Jul 29 15:21:23 2020 MANAGEMENT: >STATE:1596028883,TCP_CONNECT,,,,,,
Wed Jul 29 15:21:24 2020 TCP connection established with [AF_INET]192.168.10.8:8443
Wed Jul 29 15:21:24 2020 TCPv4_CLIENT link local: [undef]
Wed Jul 29 15:21:24 2020 TCPv4_CLIENT link remote: [AF_INET]192.168.10.8:8443
Wed Jul 29 15:21:24 2020 MANAGEMENT: >STATE:1596028884,WAIT,,,,,,
Wed Jul 29 15:21:24 2020 Connection reset, restarting [-1]
Wed Jul 29 15:21:24 2020 SIGUSR1[soft,connection-reset] received, process restarting
Wed Jul 29 15:21:24 2020 MANAGEMENT: >STATE:1596028884,RECONNECTING,connection-reset,,,,,
Wed Jul 29 15:21:24 2020 Restart pause, 5 second(s)
Wed Jul 29 15:21:29 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Jul 29 15:21:29 2020 Attempting to establish TCP connection with [AF_INET]192.168.10.8:8443 [nonblock]
Wed Jul 29 15:21:29 2020 MANAGEMENT: >STATE:1596028889,TCP_CONNECT,,,,,,
Wed Jul 29 15:21:30 2020 TCP connection established with [AF_INET]192.168.10.8:8443
Wed Jul 29 15:21:30 2020 TCPv4_CLIENT link local: [undef]
Wed Jul 29 15:21:30 2020 TCPv4_CLIENT link remote: [AF_INET]192.168.10.8:8443
Wed Jul 29 15:21:30 2020 MANAGEMENT: >STATE:1596028890,WAIT,,,,,,
Wed Jul 29 15:21:30 2020 Connection reset, restarting [-1]
Wed Jul 29 15:21:30 2020 SIGUSR1[soft,connection-reset] received, process restarting
Wed Jul 29 15:21:30 2020 MANAGEMENT: >STATE:1596028890,RECONNECTING,connection-reset,,,,,
Wed Jul 29 15:21:30 2020 Restart pause, 5 second(s)
Wed Jul 29 15:21:32 2020 SIGTERM[hard,init_instance] received, process exiting
Wed Jul 29 15:21:32 2020 MANAGEMENT: >STATE:1596028892,EXITING,init_instance,,,,,


Also, I cannot access the admin portal over the DDNS when remote. I can access the user portal via https://xxxx.myfirewall.co but https://xxxx.myfirewall.co:4444 doesn't work. When local (inside the WLAN), it works fine.

The ports 443 and 4444 are forwarded on the router (Speedport Plus).

The firewall rules are LAN_2_WAN - all, VPN_2_LAN - all, LAN_2_VPN - all.

  • Hi  

    Could you try setting the public IP of the ISP modem or router in the override hostname? The NAT device (ISP router or modem) has to be configured to forward the SSL VPN connection or service port to the XG Firewall (default is 8443 if not changed).

    If this works, then later on you may try setting up DDNS in the override hostname.

    Override Hostname : This sets the SSL VPN client configuration file to use this public IP/hostname when establishing the connection.

    docs.sophos.com/.../VPNSettings.html

  • Hello Vishal_R,

    this is the current configuration of SSL VPN.

    The IP is the static one of the FW, which it gets from the ISP router. Should I leave the Override Hostname empty then?

    Here are some more settings of the FW. I've also forwarded the 8443 port on the ISP router.

    These are the ISP router port forwarding settings:

  • Hi  

    I checked that you are using DynDNS; you may put that DynDNS in the hostname as well and confirm the status (if this is not helpful, then set Override Hostname empty and confirm).

  • Hi Vishal_R,

    thank you, it's working now!

    Can you also help me with the problem why I cannot connect to the admin portal https://xyz.myfirewall.co:4444 from remote, but only to the normal user portal https://xyz.myfirewall.co? You can see that both ports are being forwarded through the ISP router.

    Thank you

  • Hi  

    Configuration seems fine for https://xyz.myfirewall.co:4444 as HTTPS for WAN zone is set to on under admin services.

    Please perform the test below and collect the output so we can conclude further:

    1) Access https://xyz.myfirewall.co:4444 from an outside machine and note down the machine's public IP X.X.X.X

    2) While accessing the same from outside, collect tcpdump and drop packet output for the end machine's public IP via XG console option 4.

    console> tcpdump 'host X.X.X.X

    console> drop 'host X.X.X.X

    Please check whether you are getting any drops. Also share both results here.

  • Hi Vishal_R,

    The IP address of my phone (over 4G) was 10.114.240.XXX. I then opened the console on the 135w and entered the code below and simultaneously tried https://xyz.myfirewall.co:4444 in Google Chrome on the phone. I received the following code from the console for both commands.

    tcpdump 'host 10.114.240.xxx
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes

    drop 'host 10.114.240.xxx
        - no results here

  • Hi  

    The above indicates that packets are not reaching the XG from your upstream WAN or from the ISP cloud.

    Now, from the same mobile, access the user portal (which is working from outside) and confirm tcpdump on XG; you should get the tcpdump.

  • Hi Vishal_R,

    I tried it with the user portal, which is working, but I'm receiving the same output for both commands... Am I doing something wrong?

  • Hi  

    Please try to confirm TCPDUMP on admin portal port 4444 and user portal port 443. Save this output in Notepad with the auto-save settings in PuTTY, so if more packets / more requests are coming, you can review the requests from your end machine's public IP later on by opening it in Notepad or Notepad++.

    console> tcpdump 'port 4444

    console> drop 'port 4444

  • Hi Vishal_R,

    here are two screenshots from a part of the listing of the commands:

    For tcpdump 'port 443

    For tcpdump 'port 4444

    drop 'port 4444 and 443 were empty, no feedback.

  • Hi Vishal_R,

    after a couple of days of the system working, I went to our remote branch and tried to connect to the server, but it won't work again.

    Here is the part from the log. I haven't changed anything. What could be the problem now?


    Mon Aug 03 08:41:00 2020 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jul 3 2017
    Mon Aug 03 08:41:00 2020 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.09
    Enter Management Password:
    Mon Aug 03 08:41:00 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
    Mon Aug 03 08:41:00 2020 Need hold release from management interface, waiting...
    Mon Aug 03 08:41:00 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
    Mon Aug 03 08:41:00 2020 MANAGEMENT: CMD 'state on'
    Mon Aug 03 08:41:00 2020 MANAGEMENT: CMD 'log all on'
    Mon Aug 03 08:41:00 2020 MANAGEMENT: CMD 'hold off'
    Mon Aug 03 08:41:00 2020 MANAGEMENT: CMD 'hold release'
    Mon Aug 03 08:41:17 2020 MANAGEMENT: CMD 'username "Auth" "xxxxx"'
    Mon Aug 03 08:41:17 2020 MANAGEMENT: CMD 'password [...]'
    Mon Aug 03 08:41:17 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Mon Aug 03 08:41:17 2020 Attempting to establish TCP connection with [AF_INET]192.168.10.8:8443 [nonblock]
    Mon Aug 03 08:41:17 2020 MANAGEMENT: >STATE:1596436877,TCP_CONNECT,,,,,,
    Mon Aug 03 08:41:27 2020 TCP: connect to [AF_INET]192.168.10.8:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
    Mon Aug 03 08:41:32 2020 MANAGEMENT: >STATE:1596436892,TCP_CONNECT,,,,,,
    Mon Aug 03 08:41:34 2020 SIGTERM[hard,init_instance] received, process exiting
    Mon Aug 03 08:41:34 2020 MANAGEMENT: >STATE:1596436894,EXITING,init_instance,,,,,

  • Hi  

    Have you re-downloaded the config file after the last changes, so that you have the latest settings in the conf file while trying to connect the SSL VPN?

    I can see the connection request is still going to IP 192.168.10.8:8443, which you had set previously in your Override hostname settings of SSL VPN.

    If you have already tried re-downloading the config file and the issue is still there, then I would suggest you raise a support case for further investigation.