Sophos XG VPN connection issue

Hi Jason Etten

If the user not getting connected to SSL VPN with Sophos Connect Client, the Policy is not applied to the user. Please try to re-verify the configuration as per the below link: 

https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/RemoteAccessVPN/VPNRemoteAccessSSLVPNSophosConnectClient/index.html#add-an-ssl-vpn-remote-access-policy 

Thanks and regards

I have verified the setup in the document 3 times. No luck. I feel like there is still something.

*** Missing.

Hi Jason Etten

If you have DDNS you can update under SSL VPN Global settings on the Override hostname field or you can enter your upstream router Public static IP (200.XXX.XXX.XXX.)and try .

If user not getting connected share SSL VPN Logs from Sophos connect as per below snapshot : 

Thanks and Regards

I tried the override hostname with the DDNS name I have and I also tried with the public IP of 200.XXX.XXX.XXX.

This is the log from the connection with the override hostname using the IP address 200.XXX.XXX.XXX.

Port 8443 is blocked from your upstream ISP router as it is getting failed on logs

Can you verify same ? you can checked port forwarding setting on your upstream router and make sure you allow TCP/UDP port 8443 for your Sophos XG WAN IP

Regards

Sophos XG is my router. I don't have an upstream router.

Do I need to create a firewall rule?

I have a fiber connection and an ONT box.

Please verify the port is closed or not open SSH go to option 4 and run tcpdump 

console>tcpdump 'port 8443 

share the output 

Make sure Device access is enabled: 

Thanks and Regards

I took a screen shot of one page. The screen refreshed multiple times so I took a snap of one.

Updated XG to 19.0.1.

If still not working we have to check with ISP for 8443 port is open from their end or not 

Please take SSH access of Sophos XG Firewall as per the link : https://support.sophos.com/support/s/article/KB-000038697?language=en_US  and share tcpdump again share the logs.

Please Go to System-->Admininstration --->Device Access and share a screenshot 

To disable Login restriction, Go to Authentication > User > Login restriction* and select Any node as highlighted below. 

Have you filled out the default certificate on your XG firewall?

Are you using the third-party signed certificate for SSL VPN? 

Seems the issue is related to "server_certificate: certificate verify failed". Please check the default CA details are filled up or proper on XG to complete the cert verification.

If possible you may try by regenerating default CA (by editing and saving it with details) but that will result in the regeneration of all your certificates and will restart the SSL VPN service and may require re-import of the configuration file of SSL VPN to the end-user machine to connect over SSL VPN. Please ensure you may do this activity in odd hours with proper downtime for the safer side, so anything may impact then you may restore the backup.

Note: Before proceeding with default CA regeneration, you may take a backup of the current configuration for safety measures. 

Regards

If still not working we have to check with ISP for 8443 port is open from their end or not 

Please take SSH access of Sophos XG Firewall as per the link : https://support.sophos.com/support/s/article/KB-000038697?language=en_US  and share tcpdump again share the logs.

Please Go to System-->Admininstration --->Device Access and share a screenshot 

To disable Login restriction, Go to Authentication > User > Login restriction* and select Any node as highlighted below. 

Have you filled out the default certificate on your XG firewall?

Are you using the third-party signed certificate for SSL VPN? 

Seems the issue is related to "server_certificate: certificate verify failed". Please check the default CA details are filled up or proper on XG to complete the cert verification.

If possible you may try by regenerating default CA (by editing and saving it with details) but that will result in the regeneration of all your certificates and will restart the SSL VPN service and may require re-import of the configuration file of SSL VPN to the end-user machine to connect over SSL VPN. Please ensure you may do this activity in odd hours with proper downtime for the safer side, so anything may impact then you may restore the backup.

Note: Before proceeding with default CA regeneration, you may take a backup of the current configuration for safety measures. 

Regards

Can I use a different port if 8443 is blocked by ISP?

Yes, but make sure the same port is open from ISP end too 

Regards

My ISP is using CGNAT and blocks the ports.

If they are providing service for port forwarding we have to inform them to forward 8443 TCP/UDP port or you can ask for dedicated Publis Static IP from ISP.

Regards