
Cannot connect over SSL VPN when remote (not connected to local WLAN); cannot connect to admin portal (https://xxxxx:4444) from remote

Hello,

We received a new XG 135w in the office and are now trying to make the SSL VPN function. I tried it locally (I'm connected to the WLAN from the office, to which the FW is also connected) and it works (I can log in). But when I try to do it outside of the office (from home), it won't work.

Here is the log file (192.168.10.8 is the WAN port on the router):

Wed Jul 29 15:21:11 2020 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jul 3 2017
Wed Jul 29 15:21:11 2020 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.09
Enter Management Password:
Wed Jul 29 15:21:11 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Wed Jul 29 15:21:11 2020 Need hold release from management interface, waiting...
Wed Jul 29 15:21:12 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Wed Jul 29 15:21:12 2020 MANAGEMENT: CMD 'state on'
Wed Jul 29 15:21:12 2020 MANAGEMENT: CMD 'log all on'
Wed Jul 29 15:21:12 2020 MANAGEMENT: CMD 'hold off'
Wed Jul 29 15:21:12 2020 MANAGEMENT: CMD 'hold release'
Wed Jul 29 15:21:23 2020 MANAGEMENT: CMD 'username "Auth" "xxxxx"'
Wed Jul 29 15:21:23 2020 MANAGEMENT: CMD 'password [...]'
Wed Jul 29 15:21:23 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Jul 29 15:21:23 2020 Attempting to establish TCP connection with [AF_INET]192.168.10.8:8443 [nonblock]
Wed Jul 29 15:21:23 2020 MANAGEMENT: >STATE:1596028883,TCP_CONNECT,,,,,,
Wed Jul 29 15:21:24 2020 TCP connection established with [AF_INET]192.168.10.8:8443
Wed Jul 29 15:21:24 2020 TCPv4_CLIENT link local: [undef]
Wed Jul 29 15:21:24 2020 TCPv4_CLIENT link remote: [AF_INET]192.168.10.8:8443
Wed Jul 29 15:21:24 2020 MANAGEMENT: >STATE:1596028884,WAIT,,,,,,
Wed Jul 29 15:21:24 2020 Connection reset, restarting [-1]
Wed Jul 29 15:21:24 2020 SIGUSR1[soft,connection-reset] received, process restarting
Wed Jul 29 15:21:24 2020 MANAGEMENT: >STATE:1596028884,RECONNECTING,connection-reset,,,,,
Wed Jul 29 15:21:24 2020 Restart pause, 5 second(s)
Wed Jul 29 15:21:29 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Jul 29 15:21:29 2020 Attempting to establish TCP connection with [AF_INET]192.168.10.8:8443 [nonblock]
Wed Jul 29 15:21:29 2020 MANAGEMENT: >STATE:1596028889,TCP_CONNECT,,,,,,
Wed Jul 29 15:21:30 2020 TCP connection established with [AF_INET]192.168.10.8:8443
Wed Jul 29 15:21:30 2020 TCPv4_CLIENT link local: [undef]
Wed Jul 29 15:21:30 2020 TCPv4_CLIENT link remote: [AF_INET]192.168.10.8:8443
Wed Jul 29 15:21:30 2020 MANAGEMENT: >STATE:1596028890,WAIT,,,,,,
Wed Jul 29 15:21:30 2020 Connection reset, restarting [-1]
Wed Jul 29 15:21:30 2020 SIGUSR1[soft,connection-reset] received, process restarting
Wed Jul 29 15:21:30 2020 MANAGEMENT: >STATE:1596028890,RECONNECTING,connection-reset,,,,,
Wed Jul 29 15:21:30 2020 Restart pause, 5 second(s)
Wed Jul 29 15:21:32 2020 SIGTERM[hard,init_instance] received, process exiting
Wed Jul 29 15:21:32 2020 MANAGEMENT: >STATE:1596028892,EXITING,init_instance,,,,,


Also, I cannot access the admin portal over the DDNS when remote. I can access the user portal via https://xxxx.myfirewall.co, but https://xxxx.myfirewall.co:4444 doesn't work. When local (inside the WLAN), it works fine.

The ports 443 and 4444 are forwarded on the router (Speedport Plus).

The firewall rules are LAN_2_WAN - all, VPN_2_LAN - all, LAN_2_VPN - all.

  • Hi  

    Will you try setting up the public IP of the ISP modem or router in the override hostname. The NAT device (ISP router or modem) has to be configured to forward the SSL VPN connection or service port to the XG Firewall (the default is 8443 if not changed).

    If this works, then later on you may try setting up DDNS in the override hostname.

    Override Hostname: This sets the SSL VPN client configuration file to use this public IP/hostname when establishing the connection.

    docs.sophos.com/.../VPNSettings.html

  • Hello Vishal_R,

    this is the current configuration of SSL VPN.

    The IP is the static one of the FW, which it gets from the ISP router. Should I leave the Override Hostname empty then?

    Here are some more settings of the FW. I've also forwarded the 8443 port on the ISP router.

    These are the ISP router port forwarding settings:

  • Hi  

    I checked: you are using DynDNS. You may put that DynDNS name in the override hostname as well and confirm the status (if this is not helpful, then set Override Hostname empty and confirm).

  • Hi Vishal_R,

    Thank you, it's working now!

    Can you also help me with the problem of why I cannot connect to the admin portal https://xyz.myfirewall.co:4444 from remote, but only to the normal user portal https://xyz.myfirewall.co? You can see that both ports are being forwarded through the ISP router.

    Thank you

  • Hi  

    Configuration seems fine for https://xyz.myfirewall.co:4444, as HTTPS for the WAN zone is set to on under admin services.

    Please perform the test below and collect the output to conclude further:

    1) Access https://xyz.myfirewall.co:4444 from an outside machine and note down the machine's public IP X.X.X.X.

    2) While accessing the same from outside, collect tcpdump and drop packet output for the end machine's public IP via XG console option 4.

    console> tcpdump 'host X.X.X.X'

    console> drop 'host X.X.X.X'

    Please check whether you are getting any drops. Also share both results here.

  • Hi Vishal_R,

    The IP address of my phone (over 4G) was 10.114.240.XXX. I then opened the console on the 135w, entered the commands below and simultaneously tried https://xyz.myfirewall.co:4444 in Google Chrome on the phone. I received the following output from the console for both commands.

    tcpdump 'host 10.114.240.xxx'
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes

    drop 'host 10.114.240.xxx'
        - no results here

  • Hi  

    The above indicates packets are not reaching the XG from your upstream WAN or from the ISP cloud.

    Now, from the same mobile, access the user portal (which is working from outside) and confirm tcpdump on the XG; you should get tcpdump output.

  • Hi Vishal_R,

    I tried it with the user portal, which is working, but I'm receiving the same output for both commands... Am I doing something wrong?

  • Hi  

    Please try to confirm TCPDUMP on the admin portal port 4444 and the user portal port 443. Save this output in Notepad with auto-save settings in PuTTY, so if more packets/requests are coming in, you may review your end machine's public IP requests later by opening it in Notepad or Notepad++.

    console> tcpdump 'port 4444'

    console> drop 'port 4444'
