
Sophos XG VPN connection issue

Running XG 19.0.0 Build 317

I had the SSL VPN setup a year ago and did not use it much.

Had some changes to network over the last year. I have upgraded versions of XG and now have a new service provider.

I used the video to complete the setup. https://techvids.sophos.com/watch/6DSCq37grC8pbB6jt9QhH9 

I am unable to connect to the VPN using the Sophos Connect client.

I did notice that my XG has a WAN IP of 100.XXX.XXX.XXX and whatismyip shows 200.XXX.XXX.XXX.

I assume I am behind my local ISP firewall. Is this causing my issue?

I do have a DNS hostname and it resolves to the 200.XXX.XXX.XXX IP.



This thread was automatically locked due to age.
  • Try these methods:

    Verify the firewall rule
    If the SSL VPN connects successfully, but users cannot connect to the allowed resources behind the Sophos Firewall, verify if a firewall rule is created and configured. If any specific service is selected in this rule, try allowing any service and check the connectivity.


    Verify the accessibility of the resources
    Sign in to the command-line interface (CLI) and select 4. Device Console. Confirm that the internal allowed resource is accessible from the Sophos Firewall itself. As an example, you can ping an internal resource from the Sophos Firewall's console. If the allowed resources are not accessible from the Sophos Firewall, they would not be accessible from the WAN side.

    Verify the permitted network resources
    Make sure that the physical ports (#Port1, #Port2, #Port3, and so on) of the Sophos Firewall are not allowed in the Permitted network resources (IPv4) section of VPN > SSL VPN (remote access). If allowed, the SSL VPN user would not access the internal network; instead, create a new IP Host/Network for SSL VPN user access.

    Verify the drop packet capture for SSL VPN
    Sign in to the command-line interface (CLI) and select 4. Device Console to run the following command, which uses the default SSL VPN port 8443.

    drop-packet-capture "port 8443"


    SSL VPN is restarting frequently
    Verify that the WAN port of the Sophos Firewall is not allowed under VPN > SSL VPN (remote access) > Tunnel access > Permitted network resources (IPv4). If it is allowed, the SSL VPN client could disconnect frequently.

    Note: As a last resort, try uninstalling the SSL VPN remote access client and reinstall it.

    Internet traffic is not going through the firewall
    Even though the option Use as default gateway in the SSL VPN remote access policy is turned on, internet traffic is going through the local internet connection of the endpoint rather than the SSL VPN adapter.

    To resolve this issue and force the internet traffic through the SSL VPN adapter, verify the endpoint's routing table and prioritize the SSL VPN adapter through its metric. You can also turn off the other local interface routes of the endpoint if you do not need them; that way, it will force the internet traffic to flow over the SSL VPN adapter and thus through the Sophos Firewall.

    This may help you,

    Rachel Gomez

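The original post's symptom (the firewall's WAN interface holds a 100.XXX address while the internet sees 200.XXX, and the VPN hostname points at the 200.XXX address) is the first thing to settle before working through the firewall-side checks above. The script below is an added example written for this thread, not code from Sophos or from either poster. It classifies the WAN address against the RFC 6598 carrier-grade NAT range (100.64.0.0/10) and the RFC 1918 private ranges, compares it with the externally observed address and the DNS answer, and reports what that combination means for inbound SSL VPN connections on the default TCP port 8443. The addresses, hostname and port in it are constructed stand-ins (203.0.113.5 in place of the poster's 200.XXX), and the live DNS and TCP checks at the bottom are optional helpers that need network access.

```python
"""Pre-flight addressing check for an SSL VPN endpoint behind a possibly NATed WAN link.

Added example for the forum thread above; not Sophos code. All addresses,
the hostname and the port are constructed values, not the poster's real data.
"""
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 6598 shared address space, the range ISPs use for carrier-grade NAT (CGNAT).
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges (a WAN port holding one of these sits behind a NAT router).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SSL_VPN_PORT = 8443  # Sophos Firewall SSL VPN default; assumption that it was not changed


def classify_wan_ip(ip: str) -> str:
    """Return 'cgnat' (RFC 6598), 'private' (RFC 1918) or 'public' for an IPv4 address."""
    addr = ipaddress.ip_address(ip)
    if addr in CGNAT_NET:
        return "cgnat"
    if any(addr in net for net in PRIVATE_NETS):
        return "private"
    return "public"


@dataclass
class Diagnosis:
    wan_class: str
    nat_upstream: bool        # firewall WAN address differs from what the internet sees
    dns_matches_public: bool  # VPN hostname resolves to the externally observed address
    findings: List[str] = field(default_factory=list)


def diagnose(wan_ip: str, observed_public_ip: str, resolved_ip: Optional[str]) -> Diagnosis:
    """Combine the three addresses into findings a practitioner can act on."""
    wan_class = classify_wan_ip(wan_ip)
    nat_upstream = wan_ip != observed_public_ip
    dns_ok = resolved_ip == observed_public_ip
    d = Diagnosis(wan_class, nat_upstream, dns_ok)

    if nat_upstream and wan_class in ("cgnat", "private"):
        d.findings.append(
            "WAN address is non-public and differs from the externally observed address: "
            "the firewall sits behind upstream (ISP) NAT, so inbound SSL VPN connections "
            f"terminate at the ISP device unless the ISP forwards TCP {SSL_VPN_PORT} to you.")
    elif nat_upstream:
        d.findings.append(
            "WAN address is public but the internet sees a different address: "
            "check for a second WAN link or upstream policy NAT.")

    if resolved_ip is None:
        d.findings.append("VPN hostname does not resolve.")
    elif not dns_ok:
        d.findings.append("VPN hostname resolves to a stale address; update the DNS/DDNS record.")

    if not d.findings:
        d.findings.append(
            "Addressing looks consistent; next verify the firewall rule and run "
            f"drop-packet-capture \"port {SSL_VPN_PORT}\" on the firewall console.")
    return d


def resolve(hostname: str) -> Optional[str]:
    """Live DNS lookup (needs network); None when the name does not resolve."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def tcp_port_open(host: str, port: int = SSL_VPN_PORT, timeout: float = 3.0) -> bool:
    """Live check (needs network): True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed values mirroring the post: CGNAT-range WAN address, different public address.
    result = diagnose("100.64.10.20", "203.0.113.5", "203.0.113.5")
    print(f"WAN class: {result.wan_class}, upstream NAT: {result.nat_upstream}, "
          f"DNS matches public IP: {result.dns_matches_public}")
    for finding in result.findings:
        print("-", finding)
    # Live checks; substitute your own VPN hostname (vpn.example.com is an assumption).
    # host = "vpn.example.com"
    # print(host, "->", resolve(host), "| port open:", tcp_port_open(host))
```

Run it with the firewall's WAN address, the address a site such as whatismyip reports, and the answer for the VPN hostname; a `cgnat` or `private` WAN class together with `nat_upstream` set means the packets never reach the Sophos Firewall, so no amount of firewall-rule or drop-packet-capture work will show them, and the fix is on the ISP side (a public address, or port forwarding if the ISP device allows it).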