This discussion has been locked.

Sophos XG (server) to UTM (client) SSL VPN (site-to-site) not establishing, LOCAL_ACL violation

Hello, I am new to the forum.

When trying to connect a Sophos XG and a UTM via SSL VPN site-to-site, the connection does not establish.

My plan is to connect a Sophos XG (running as the SSL VPN site-to-site server, software version SFOS 18.0.4 MR-4) to a UTM (client, software version 9.705-3).

In the log viewer and packet capture I can see that the connection attempt is a Local_ACL violation; the message ID in the log is 02002 (Local ACL traffic denied).

In the device access settings, SSL VPN should be accessible via the WAN interface. The appropriate firewall rules are set, but I thought the XG would manage its services without rules regarding the establishing of VPN connections.

I have no clue how to proceed from this point. Attempts to setup an IPsec connection have failed, too.

Thanks in advance

Toni



Edited TAGs
[edited by: emmosophos at 6:59 PM (GMT -7) on 7 Jun 2021]
  • FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    Can you show us the screenshot of the packet capture? 

    Do you have the public IP address on the firewall's WAN interface? 

    For IPsec VPN, can you provide the strongswan logs in debug mode from the XG firewall?

    Thanks,

  • Hello H_Patel,

    here is the screenshot from the Open PCAP, with sanitized public WAN IP addresses:

    Here is the packet information (sanitized):

    Ethernet header
    Source MAC address: 00:17:10:9a:9f:8c
    Destination MAC address: 00:01:2e:a0:79:9d
    Ethernet type: IPv4 (0x800)

    IPv4 header
    Source IP address: SOURCE (UTM) PUBLIC WAN
    Destination IP address: DESTINATION (XG) PUBLIC WAN
    Protocol: TCP
    Header: 20 bytes
    Type of service: 0
    Total length: 60 bytes
    Identification: 12237
    Fragment offset: 16384
    Time to live: 59
    Checksum: 43532

    TCP header
    Source port: 55378
    Destination port: 5559
    Flags: SYN
    Sequence number: 2417318600
    Acknowledgement number: 0
    Window: 29200
    Checksum: 52122

  • FormerMember in reply to Toni Boni

    Hi,

    Thank you for the update. 

    Can you check if the sslvpn service is running on your firewall? 

    You can run the following command from the Advanced Shell: service -S | grep SSL

    Sample output: 

    SFVUNL_SO01_SFOS 18.0.4 MR-4# service -S | grep ssl
    sslvpn RUNNING
    SFVUNL_SO01_SFOS 18.0.4 MR-4#

    If the service is running, try to replicate the issue and provide the sslvpn logs.

    Thanks,

  • This is interesting,

    service -S | grep SSL does not produce the sample output, but when I just type service -S and scroll through the output I can see "sslvpn RUNNING".

    Interestingly, sslvpn.log has not been written to since January 11th, even though the device was rebooted. Is this normal?

    Here are the last log file entries:

    Mon Jan 11 16:57:22 2021 [8585] TCP connection established with [AF_INET6]::ffff:SANATIZED:56478
    Mon Jan 11 16:57:24 2021 [8585] ::ffff:SANATIZED WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1572 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Mon Jan 11 16:57:24 2021 [8585] ::ffff:SANATIZED Connection reset, restarting [0]
    Mon Jan 11 16:57:24 2021 [8585] ::ffff:SANATIZEDSIGUSR1[soft,connection-reset] received, client-instance restarting
    Mon Jan 11 17:13:29 2021 [8585] Closing TUN/TAP interface
    Mon Jan 11 17:13:29 2021 [8585] /bin/ip addr del dev tun0 10.81.234.5/24
    Mon Jan 11 17:13:29 2021 [8585] /bin/ip -6 addr del 2001:db8::1:0/64 dev tun0
    Mon Jan 11 17:13:29 2021 [8585] PLUGIN_CLOSE: /lib/openvpn-plugin-utm.so
    Mon Jan 11 17:13:29 2021 [8585] SIGTERM[hard,] received, process exiting

    Also, excuse the long waiting times; I am fairly new to network technology/engineering and sometimes I have some trouble getting the screenshots and logs to provide to you. Thanks for the help!

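Two things in the last post are worth pinning down with a small helper, added here as an example that is not part of the thread or of Sophos' own tooling. First, `service -S | grep SSL` returns nothing because grep is case-sensitive and the service is listed in lowercase (`sslvpn RUNNING`); `grep -i ssl` would have matched. Second, an sslvpn.log that stops in January while the packet capture shows a fresh SYN to TCP/5559 is consistent with the Local_ACL denial (ID 02002) in the log viewer: the packet is being dropped by the firewall's own service ACL before the openvpn process ever sees it, so openvpn has nothing to log. The script below parses the quoted log format, unwraps the IPv4-mapped IPv6 peer addresses so they can be compared with the capture, checks whether the daemon logged anything for a peer after a given attempt time, and decodes the "Bad encapsulated packet length" warning. That last point is a reading the thread itself does not make: OpenVPN over TCP prefixes every packet with a 2-byte length, and 5635 is 0x16 0x03, which is exactly how a TLS record header begins, so whatever hit the port on January 11 spoke plain TLS rather than OpenVPN framing (a scanner, browser or HTTPS probe, not a misconfigured MTU). SAMPLE_LOG is constructed from the quoted lines with the documentation address 203.0.113.10 standing in for the sanitized IP.

```python
"""Triage helper for the sslvpn.log (OpenVPN server) excerpt above.

Added example, not Sophos code. SAMPLE_LOG is constructed from the thread's
lines with 203.0.113.10 (a documentation address) in place of the sanitised IP.
"""
import ipaddress
import re
from datetime import datetime

# "<ctime> [<pid>] <message>" as OpenVPN writes it
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[(?P<pid>\d+)\] (?P<msg>.*)$"
)
# Peer address: at the start of a per-client message, or after "with " on the
# connection-established line; a dual-stack listener prints it IPv4-mapped (::ffff:a.b.c.d).
PEER_RE = re.compile(
    r"(?:^|with (?:\[AF_INET6\])?)"
    r"(?P<addr>::ffff:\d+(?:\.\d+){3}|\d+(?:\.\d+){3})(?::(?P<port>\d+))?"
)
BAD_LEN_RE = re.compile(
    r"Bad encapsulated packet length from peer \((?P<got>\d+)\), which must be > 0 and <= (?P<limit>\d+)"
)


def parse_line(line):
    """Return a dict with ts, pid, peer (IPv4 string or None), port and msg, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    peer = port = None
    pm = PEER_RE.search(msg)
    if pm:
        ip = ipaddress.ip_address(pm.group("addr"))
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # unwrap ::ffff:a.b.c.d so it matches the packet capture
        peer = str(ip)
        port = int(pm.group("port")) if pm.group("port") else None
    return {"ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
            "pid": int(m.group("pid")), "peer": peer, "port": port, "msg": msg}


def explain_bad_length(got, limit):
    """Interpret 'Bad encapsulated packet length'. OpenVPN over TCP prefixes each
    packet with a 2-byte big-endian length; if the sender is not an OpenVPN peer,
    that 'length' is simply the first two bytes it put on the wire."""
    b0, b1 = got >> 8, got & 0xFF
    note = f"declared length {got} > limit {limit}; first bytes 0x{b0:02x} 0x{b1:02x}"
    if b0 == 0x16 and b1 == 0x03:
        # 0x16 0x03 opens a TLS record (handshake, version 3.x): something spoke
        # plain TLS to the port, e.g. a browser, scanner or HTTPS probe.
        return "plain TLS ClientHello on the OpenVPN port, not an OpenVPN peer: " + note
    return "MTU mismatch (tun-mtu/link-mtu must match on both peers) or non-OpenVPN data: " + note


def triage(lines):
    """Parse log lines; return (entries, findings)."""
    entries = [e for e in (parse_line(l) for l in lines) if e]
    findings = []
    for e in entries:
        m = BAD_LEN_RE.search(e["msg"])
        if m:
            findings.append({"ts": e["ts"], "peer": e["peer"], "kind": "bad_packet_length",
                             "detail": explain_bad_length(int(m.group("got")), int(m.group("limit")))})
    return entries, findings


def last_activity(entries):
    """Timestamp of the newest entry as 'YYYY-MM-DD HH:MM:SS', or None."""
    ts = max((e["ts"] for e in entries), default=None)
    return ts.isoformat(sep=" ") if ts else None


def reached_daemon(entries, attempt_time, peer):
    """True if openvpn logged anything for `peer` at or after `attempt_time`
    (ISO string or datetime). False while the packet capture shows the SYN to
    TCP/5559 means the packet was dropped before the daemon saw it, which is
    what the Local_ACL denial (ID 02002) in the log viewer says."""
    if isinstance(attempt_time, str):
        attempt_time = datetime.fromisoformat(attempt_time)
    return any(e["peer"] == peer and e["ts"] >= attempt_time for e in entries)


# Constructed sample based on the thread's sslvpn.log excerpt.
SAMPLE_LOG = """\
Mon Jan 11 16:57:22 2021 [8585] TCP connection established with [AF_INET6]::ffff:203.0.113.10:56478
Mon Jan 11 16:57:24 2021 [8585] ::ffff:203.0.113.10 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1572 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Mon Jan 11 16:57:24 2021 [8585] ::ffff:203.0.113.10 Connection reset, restarting [0]
Mon Jan 11 16:57:24 2021 [8585] ::ffff:203.0.113.10SIGUSR1[soft,connection-reset] received, client-instance restarting
Mon Jan 11 17:13:29 2021 [8585] Closing TUN/TAP interface
Mon Jan 11 17:13:29 2021 [8585] /bin/ip addr del dev tun0 10.81.234.5/24
Mon Jan 11 17:13:29 2021 [8585] SIGTERM[hard,] received, process exiting
"""

if __name__ == "__main__":
    entries, findings = triage(SAMPLE_LOG.splitlines())
    print("last log activity:", last_activity(entries))
    for f in findings:
        print(f["ts"], f["peer"], f["kind"], "-", f["detail"])
    # The UTM's attempt months later left no trace: openvpn never saw the SYN.
    print("openvpn saw the June attempt:", reached_daemon(entries, "2021-06-07 12:00:00", "203.0.113.10"))
```

Run against the real sslvpn.log with the UTM's public address and the time of a fresh connection attempt: if `reached_daemon` is False while the capture shows the SYN arriving, the fix belongs in Device Access (the local service ACL for SSL VPN on the WAN zone), not in the firewall rules or in OpenVPN settings. If instead the daemon logs the warning, `explain_bad_length` tells you whether you are looking at an MTU mismatch between the two peers or at non-OpenVPN traffic on the port.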