Sophos XG VPN connection issue

Running XG 19.0.0 Build 317

I had the SSL VPN set up a year ago and did not use it much.

Had some changes to network over the last year. I have upgraded versions of XG and now have a new service provider.

I used the video to complete the setup. https://techvids.sophos.com/watch/6DSCq37grC8pbB6jt9QhH9 

I am unable to connect to the VPN using the Sophos Connect client.

I did notice that my XG has a WAN IP of 100.XXX.XXX.XXX and whatismyip shows 200.XXX.XXX.XXX.

I assume I am behind my local ISP firewall. Is this causing my issue?

I do have a DNS hostname and it resolves to the 200.XXX.XXX.XXX IP.



  • If it is still not working, we have to check with the ISP whether port 8443 is open from their end or not.

    Please take SSH access to the Sophos XG Firewall as per the link: https://support.sophos.com/support/s/article/KB-000038697?language=en_US  and share the tcpdump output and the logs again.

    Please go to System --> Administration --> Device Access and share a screenshot.

    To disable the login restriction, go to Authentication > User Login restriction and select Any node as highlighted below.

    Have you filled out the default certificate on your XG firewall?

    Are you using the third-party signed certificate for SSL VPN? 

    Seems the issue is related to "server_certificate: certificate verify failed". Please check that the default CA details are filled in properly on the XG to complete the certificate verification.

    If possible, you may try regenerating the default CA (by editing and saving it with details), but that will regenerate all your certificates and restart the SSL VPN service, and may require re-importing the SSL VPN configuration file on the end-user machine to connect over SSL VPN. Please do this activity in off hours with proper downtime to be on the safe side, so that if anything is impacted you can restore the backup.

    Note: Before proceeding with default CA regeneration, take a backup of the current configuration as a safety measure.

    Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Can I use a different port if 8443 is blocked by ISP?

  • Yes, but make sure the same port is open from the ISP end too.

    Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".


  • My ISP is using CGNAT and blocks the ports.
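To diagnose the symptom described in this thread (a 100.x address on the firewall's WAN port while the Internet sees a 200.x address), here is an added Python example that is not part of the original thread and not Sophos code. It classifies the WAN address against RFC 6598 shared address space (100.64.0.0/10, the range ISPs use behind carrier-grade NAT) and RFC 1918 private space, and includes an optional live TCP check for the published VPN port. All addresses and hostnames in it are constructed.

```python
"""Added example: what a firewall's WAN address tells you about inbound
reachability. Not from the original thread; all addresses are constructed."""
import ipaddress
import socket

# RFC 6598 shared address space: the range ISPs hand out behind carrier-grade NAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")


def classify_wan(wan_ip: str, observed_ip: str) -> str:
    """Compare the address on the firewall's WAN port with the address the
    Internet sees (whatismyip, or what the DNS hostname resolves to).

    Returns:
      "cgnat"        WAN address is in 100.64.0.0/10: the ISP NATs you. Nothing
                     on the firewall can let inbound 8443 in; the ISP must
                     forward the port or give you a dedicated public IP.
      "upstream_nat" WAN address is RFC 1918 private: an ISP modem/router in
                     front of the firewall is doing the NAT and needs a
                     port-forward to the firewall.
      "direct"       WAN address is public and matches what the Internet sees:
                     publishing 8443 is entirely under your control.
      "mismatch"     WAN address is public but differs from what is observed
                     (second WAN link, proxy, stale DNS): check routing/DNS.
    """
    wan = ipaddress.ip_address(wan_ip)
    observed = ipaddress.ip_address(observed_ip)
    # Check the shared range before is_private: Python < 3.13 does not treat
    # 100.64.0.0/10 as private, so is_private alone would miss CGNAT.
    if wan in CGNAT_NET:
        return "cgnat"
    if wan.is_private:
        return "upstream_nat"
    if wan == observed:
        return "direct"
    return "mismatch"


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Live check (needs network): can a TCP handshake to host:port complete
    from this machine? Run it from outside the LAN, e.g. a phone hotspot, to
    confirm the published VPN port. Returns False on refusal, timeout or
    DNS failure instead of raising."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed values mirroring the symptom in the thread: a 100.x WAN
    # address while the Internet sees a 200.x address.
    print(classify_wan("100.72.10.20", "200.10.20.30"))  # cgnat
    # Uncomment to test a real published port from an external network
    # (hostname is a placeholder, not from the thread):
    # print(tcp_reachable("vpn.example.com", 8443))
```

A "cgnat" result means the port-forward and DNS settings on the XG are irrelevant to the failure; the only fixes are the ones the thread goes on to name (ISP forwarding or a dedicated public IP). The live check is deliberately a plain TCP connect, so a True result only proves the port is reachable, not that the TLS handshake or certificate verification succeeds.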

  • Try these methods:

    Verify the firewall rule
    If the SSL VPN connects successfully, but users cannot connect to the allowed resources behind the Sophos Firewall, verify if a firewall rule is created and configured. If any specific service is selected in this rule, try allowing any service and check the connectivity.


    Verify the accessibility of the resources
    Sign in to the command-line interface (CLI) and select 4. Device Console. Confirm that the internal allowed resource is accessible from the Sophos Firewall itself. As an example, you can ping an internal resource from the Sophos Firewall's console. If the allowed resources are not accessible from the Sophos Firewall, they would not be accessible from the WAN side.

    Verify the permitted network resources
    Make sure that the physical ports (#Port1, #Port2, #Port3, and so on) of the Sophos Firewall are not allowed in the Permitted network resources (IPv4) section of VPN > SSL VPN (remote access). If they are allowed, the SSL VPN user would not be able to access the internal network; instead, create a new IP Host/Network for SSL VPN user access.

    Verify the drop packet capture for SSL VPN
    Sign in to the command-line interface (CLI) and select 4. Device Console to run the following command, which uses the default SSL VPN port 8443.

    drop-packet-capture "port 8443"


    SSL VPN is restarting frequently
    Verify that the WAN port of the Sophos Firewall is not allowed under VPN > SSL VPN (remote access) > Tunnel access > Permitted network resources (IPv4). If it is allowed, the SSL VPN client could disconnect frequently.

    Note: As a last resort, try uninstalling the SSL VPN remote access client and reinstall it.

    Internet traffic is not going through the firewall
    Even though the option Use as default gateway in the SSL VPN remote access policy is turned on, internet traffic is going through the local internet connection of the endpoint rather than the SSL VPN adapter.

    To resolve this issue and force the internet traffic through the SSL VPN adapter, verify the endpoint's routing table and prioritize the SSL VPN adapter through its metric. You can also turn off the other local interface routes of the endpoint if you do not need them; that way, it will force the internet traffic to flow over the SSL VPN adapter and thus through the Sophos Firewall.

    This may help you,

    Rachel Gomez
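As an added example, not code from the original thread or from Sophos, the following Python models the route-selection rule the last point above relies on (longest matching prefix wins, then lowest metric) against a constructed Windows-style routing table that carries both the laptop's Wi-Fi default route and the SSL VPN adapter's default route, and shows what lowering the VPN adapter's interface metric changes. Adapter names, addresses and metrics are assumptions; the Set-NetIPInterface reference in a comment is the Windows cmdlet the metric change corresponds to, not something the thread mentions.

```python
"""Added example: how an endpoint picks the egress interface for a packet,
and why 'Use as default gateway' alone does not move Internet traffic onto
the VPN adapter when the local adapter has a better metric.
Not from the original thread; the routing table below is constructed."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    prefix: str       # destination network, e.g. "0.0.0.0/0"
    gateway: str      # next hop, or "on-link"
    interface: str    # adapter name as shown by route print / Get-NetRoute
    metric: int       # effective metric (interface metric + route metric)


def select_route(routes, dst):
    """Return the route the OS would use for dst: the longest matching prefix
    wins; among equal prefixes the lowest metric wins. None if nothing matches."""
    dst_ip = ipaddress.ip_address(dst)
    best, best_key = None, None
    for r in routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        if dst_ip not in net:
            continue
        key = (-net.prefixlen, r.metric)   # more specific first, then cheaper
        if best is None or key < best_key:
            best, best_key = r, key
    return best


def egress_interface(routes, dst):
    r = select_route(routes, dst)
    return r.interface if r else None


def reprioritize(routes, interface, metric):
    """Model lowering an adapter's interface metric: every route via that
    adapter takes the new metric. On Windows this is what
    Set-NetIPInterface -InterfaceMetric does (assumed here, not from the thread)."""
    return [replace(r, metric=metric) if r.interface == interface else r
            for r in routes]


VPN = "Sophos SSL VPN"
WIFI = "Wi-Fi"

# Constructed table: both adapters carry a default route, and the laptop's
# Wi-Fi metric (25) beats the VPN adapter's (50), so Internet traffic leaks
# out locally even though the VPN policy pushed a default route.
ROUTES_BEFORE = [
    Route("0.0.0.0/0", "192.168.1.1", WIFI, 25),
    Route("192.168.1.0/24", "on-link", WIFI, 25),
    Route("0.0.0.0/0", "10.81.234.1", VPN, 50),
    Route("10.81.234.0/24", "on-link", VPN, 50),
    Route("192.168.10.0/24", "10.81.234.1", VPN, 50),  # permitted LAN behind the firewall
]

# Same table after lowering the VPN adapter's interface metric below Wi-Fi's.
ROUTES_AFTER = reprioritize(ROUTES_BEFORE, VPN, 5)


if __name__ == "__main__":
    for dst in ("1.1.1.1", "192.168.10.5", "192.168.1.20"):
        print(dst, egress_interface(ROUTES_BEFORE, dst), "->",
              egress_interface(ROUTES_AFTER, dst))
```

Two things the table makes visible: traffic to the permitted LAN (192.168.10.0/24) already goes over the VPN regardless of metric, because its route is more specific than either default route, so "VPN works for internal hosts but not for the Internet" is exactly the metric problem; and lowering the VPN metric leaves the local subnet (192.168.1.0/24) on Wi-Fi, since that on-link route is still the most specific match.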

  • If they provide a port-forwarding service, we have to ask them to forward TCP/UDP port 8443, or you can ask the ISP for a dedicated public static IP.

    Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".


  • Hi Jason,

    Can you check the following, or share them if possible:

    1. Log viewer (to check if any firewall rules are blocking or dropping)

    2. Client logs

    Erick Jan
    Community Support Engineer | Sophos Technical Support