SSL VPN XGS 4500 - TCP RST

Hi there,

we recently migrated from UTM to XGS 4500. Almost everything is working as expected, except for SSL VPN with the Sophos client.

I have set up the SSL profile according to the Sophos YouTube video, but I can't connect. The client sticks at "verifying authentication", and Wireshark tells me that the TCP session gets a RST.

I switched to UDP, but no success. I tried the override hostname and also the WAN IP - same issue. The firewall rule is also configured as shown in the video.

We use AD users for authentication (STAS).

Currently I am out of ideas.

Regards

Marcel



  • RST will be sent if auth is unsuccessful. I would not look into this much more. Check the auth. Check if all users are affected. Then check the authentication log of the firewall.

  • Hi,

    I think the problem is simpler. The target port is not open when connecting (checked with a port forward test). I have no other DNAT rule for this port/IP (but I use this port on an alias IP). I also tried UDP, or a port that is definitely not used by other services, without success.

    Currently I have opened a case with Sophos on this, but unfortunately nobody has responded until now.

  • Hi Marcel Hoffmann,

    Please share the DNAT rule you have configured forwarding service 8443, and the NAT rule associated with the same DNAT rule.

    Please share the output of the below commands:

    console> drop-packet-capture 'host <Public IP> and port 8443' (Public IP is the address you are connecting the SSL VPN user from outside)

    console> tcpdump 'host <Public IP> and port 8443'

    Simultaneously go to MONITOR & ANALYZE | Diagnostics | Packet Capture, click on Configure, add host <Public IP> and port 8443, and check the traffic flow from the GUI as well as from the CLI as per the above commands.

    Thanks and Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".
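The two replies above disagree about what the RST means: the first says the firewall resets the session when authentication fails, Marcel suspects the port is simply not open. The capture the partner asks for settles that, because the position of the RST in the flow is different in each case. The following is an added example, not part of the thread and not Sophos code: it parses tcpdump text lines of the kind the XGS console prints and reports, per client connection, whether the RST answered the SYN (nothing listening / no DNAT hit), came after the client had already sent data (handshake worked, the VPN service rejected the session at the TLS or auth stage), or whether the SYN got no answer at all. The sample lines and addresses are constructed (documentation ranges, 198.51.100.5 standing in for the WAN IP), and port 8443 is assumed because that is the port used in the thread.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): tcpdump text output for two SSL VPN
# connection attempts from one client. Flow 1 gets a RST straight back to the
# SYN; flow 2 completes the handshake, sends data and is then reset.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10.51000 > 198.51.100.5.8443: Flags [S], seq 100, win 64240, length 0
12:00:01.000090 IP 198.51.100.5.8443 > 203.0.113.10.51000: Flags [R.], seq 0, ack 101, win 0, length 0
12:00:05.000001 IP 203.0.113.10.51001 > 198.51.100.5.8443: Flags [S], seq 200, win 64240, length 0
12:00:05.000080 IP 198.51.100.5.8443 > 203.0.113.10.51001: Flags [S.], seq 900, ack 201, win 65535, length 0
12:00:05.000150 IP 203.0.113.10.51001 > 198.51.100.5.8443: Flags [.], ack 901, win 64240, length 0
12:00:05.001000 IP 203.0.113.10.51001 > 198.51.100.5.8443: Flags [P.], seq 201:518, ack 901, win 64240, length 317
12:00:05.300000 IP 198.51.100.5.8443 > 203.0.113.10.51001: Flags [R.], seq 901, ack 518, win 0, length 0
"""

# One tcpdump line: timestamp, "IP", src.port > dst.port:, Flags [..]. Anything
# after the flags (seq, ack, win, length) is not needed for the verdict.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+IP\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"Flags\s+\[(?P<flags>[^\]]*)\]"
)


def parse_flows(capture_text, vpn_port):
    """Group packets by client (ip, port); each packet is (direction, flags)."""
    flows = defaultdict(list)
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, ICMP, tcpdump banner lines etc. are skipped
        sport, dport = int(m["sport"]), int(m["dport"])
        if dport == vpn_port:
            flows[(m["src"], sport)].append(("c2s", m["flags"]))
        elif sport == vpn_port:
            flows[(m["dst"], dport)].append(("s2c", m["flags"]))
    return flows


def classify_flow(packets):
    """Return at which stage the firewall reset the connection, if it did."""
    synack = any(d == "s2c" and "S" in f and "." in f for d, f in packets)
    client_data = any(d == "c2s" and "P" in f for d, f in packets)
    server_rst = any(d == "s2c" and "R" in f for d, f in packets)
    if server_rst and not synack:
        return "rst-to-syn"           # nothing listening, or no DNAT/rule hit
    if server_rst and client_data:
        return "rst-after-data"       # TCP fine, rejected at TLS/auth stage
    if server_rst:
        return "rst-after-handshake"  # reset before the client sent anything
    if synack:
        return "handshake-ok"
    return "no-reply"                 # SYN dropped silently (rule or routing)


VERDICT_TEXT = {
    "rst-to-syn": "RST answers the SYN: port not open on the firewall side (DNAT/listener), not an auth problem",
    "rst-after-data": "RST after client data: TCP is fine, the VPN service rejected the session (auth/certificate)",
    "rst-after-handshake": "RST right after the handshake, before any client data",
    "handshake-ok": "handshake completed, no reset seen",
    "no-reply": "no answer to the SYN: dropped by a firewall rule or upstream",
}


def diagnose(capture_text, vpn_port=8443):
    """Map each client (ip, port) seen in the capture to a verdict key."""
    return {client: classify_flow(pkts)
            for client, pkts in parse_flows(capture_text, vpn_port).items()}


if __name__ == "__main__":
    for (ip, port), verdict in diagnose(SAMPLE_CAPTURE).items():
        print(f"{ip}:{port} -> {VERDICT_TEXT[verdict]}")
```

Run it against a real capture by feeding the saved console output to `diagnose()`. A `rst-to-syn` verdict points at the DNAT/listener side the partner asks about; `rst-after-data` is the authentication-log case from the first reply, and also where a broken server certificate would show up, since the client has already sent its ClientHello when the reset arrives.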

  • Hello,

    the problem is solved now. The cause was the default certificate of the certificate authority. I had to regenerate it; afterwards the connection was possible.

    Regards

    Marcel