
Cannot get SSL client VPN to connect and no logs to help

I have set up a client based SSL VPN on our XG pair but I cannot get it to connect.

I have tried with the appliance certificate and a genuine public one we have installed

I have tried UDP and TCP

I have tried Windows 7 client and Windows 10 client

I can download the client and/or the config from the user portal and it installs fine. When I try to connect, the traffic light goes yellow for about 30 seconds but then fails. If I click to look at the log file it asks me if I want to create one. On the XG I can see the clientless connections in the log but nothing for the client VPN.

The config contains the correct public IP addresses for the XG in it so looks sort of okay.

Any ideas what to try next?

Cheers,

Charles
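Before blaming the firewall rules or the certificate it helps to confirm what the downloaded profile actually tells the client to do (the post above only notes that it "contains the correct public IP addresses"). The script below is an added example, not code from this thread or from Sophos: it parses a constructed .ovpn-style profile (the 203.0.113.x addresses are RFC 5737 documentation placeholders, not a real XG), lists the endpoint, port and protocol each `remote` line resolves to, and flags the things worth checking first: a remote that is a private address, a missing CA, and a profile that will never prompt for user-portal credentials. The directive names are standard OpenVPN ones; that the XG user-portal profile uses exactly these is an assumption.

```python
"""Sanity-check an OpenVPN-style client profile before trying to connect.

Added example (not from the thread or from Sophos).  It assumes the profile
uses standard OpenVPN directives: remote, proto, auth-user-pass, ca and the
inline <ca>...</ca> blocks.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample profile; 203.0.113.x is the RFC 5737 documentation
# range standing in for the firewall's public address.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote 203.0.113.10 8443
remote 203.0.113.11 8443
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""

# RFC 1918 ranges: a remote in one of these is only reachable from inside the LAN.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INLINE_OPEN = re.compile(r"^<([a-z-]+)>$")          # <ca>, <cert>, <key>, <tls-auth> ...


@dataclass
class Profile:
    remotes: list = field(default_factory=list)     # (host, port, proto) after resolution
    proto: str = "udp"                              # OpenVPN's default transport
    inline_blocks: set = field(default_factory=set)
    has_ca: bool = False                            # inline <ca> block or 'ca file' directive
    auth_user_pass: bool = False


def parse_profile(text: str) -> Profile:
    prof = Profile()
    raw_remotes = []
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:                       # inside an inline block: skip the PEM body
            if line == f"</{block}>":
                prof.inline_blocks.add(block)
                block = None
            continue
        m = INLINE_OPEN.match(line)
        if m:
            block = m.group(1)
            continue
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        key = parts[0]
        if key == "proto":
            prof.proto = parts[1]
        elif key == "remote":                       # remote <host> [port] [proto]
            host = parts[1]
            port = int(parts[2]) if len(parts) > 2 else 1194
            proto = parts[3] if len(parts) > 3 else None
            raw_remotes.append((host, port, proto))
        elif key == "auth-user-pass":
            prof.auth_user_pass = True
        elif key == "ca":
            prof.has_ca = True
    if "ca" in prof.inline_blocks:
        prof.has_ca = True
    # 'proto' may appear after the 'remote' lines, so resolve the fallback last.
    prof.remotes = [(h, p, pr or prof.proto) for h, p, pr in raw_remotes]
    return prof


def check_profile(prof: Profile) -> list:
    """Return a list of human-readable findings; empty means nothing obvious is wrong."""
    findings = []
    if not prof.remotes:
        findings.append("no 'remote' line: the client has nowhere to connect")
    for host, port, proto in prof.remotes:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue                                # a hostname; nothing to check offline
        if any(addr in net for net in RFC1918):
            findings.append(f"remote {host}:{port}/{proto} is an RFC 1918 address, unreachable from outside the LAN")
    if not prof.has_ca:
        findings.append("no CA configured: the client cannot verify the server certificate")
    if not prof.auth_user_pass:
        findings.append("no 'auth-user-pass': the client will never prompt for user-portal credentials")
    return findings


if __name__ == "__main__":
    profile = parse_profile(SAMPLE_PROFILE)
    for remote in profile.remotes:
        print("remote:", remote)
    for finding in check_profile(profile) or ["profile looks consistent"]:
        print(" -", finding)
```

Run it against the profile downloaded from the user portal by replacing `SAMPLE_PROFILE` with the file's contents; the remote list is what the client will try, in order, and the findings are the offline checks that cost nothing before opening a support case.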



  • Okay, done some more testing and at least I now get logs on the client and a login box.

    To do this I have to use the appliance certificate, a genuine public certificate does not work and I have to turn on debugging.

    However I cannot get it to accept my domain credentials (which work fine in the clientless user portal).

    Our domain user names have a space in them i.e. firstname [space] surname and perhaps this is not allowed by the SSL VPN client?

  • CharlesRayer,

    What does the live log say? Wrong credentials? Does connecting with a local user work?

    Live log was showing nothing at all; the only logs seem to be on the client. I found the user name issue: I had set VPN to authenticate against AD as per the Sophos guide, but the SSL VPN still only had local authentication (as it wasn't in the guide I'd missed it). Adding AD there means I am now connected :-)

    Can't get anywhere yet though as I need to amend some core routing so it knows the VPN client subnet is on the XG...

  • So you fixed it, did you?

    Not yet, I can connect but not pass traffic. I have created the suggested firewall rule to allow traffic from WAN to LAN when it matches the username. I think I need to step back a moment as I think it is nearly there.

    Thanks,

    Charles

  • Can you share your policy rules?

    Does pinging a device from the SSL client to internal resources work? Try a traceroute too.

  • Hi Luk,

    Thanks. At the moment I have assorted policies for outbound traffic and IPSEC site-to-site VPNs; I had created a policy from WAN to LAN where user = me to allow all traffic and NAT (masquerade) it.

    I cannot ping or anything else, but I'm going to leave it for the long weekend now and come back to it next week. I'm thinking I need a VPN to LAN policy rather than the WAN to LAN suggested in the guide?

    Cheers,

    Charles

    A VPN to LAN policy rule is needed, otherwise all traffic is blocked. I do not know what document you are referring to.

    Have a look at this thread.

    https://community.sophos.com/products/xg-firewall/f/127/t/10975

    I ran into this same issue today. Apparently it doesn't work if you use anything other than the Appliance certificate? I switched to a legitimate 3rd party issued certificate and I get nothing; after about 30 seconds it tells me it failed and no debug logs are recorded. If I change to the appliance certificate, it connects fine and debug logs are recorded.

    Is this a known issue with Sophos?

  • Hi Luk,

    I have a similar issue; the error I see in the client log is "TLS key negotiation failed to occur"

    TLS handshake failed

    VPN Client is stuck on amber light

    I tried reinstalling the client, and also tried TCP and UDP, but no luck

    Appreciate any assistance

    Thanks

    Raju
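The thread shows three different failure shapes that look the same from the traffic-light icon: no log at all, a TLS error such as "TLS key negotiation failed to occur" / "TLS handshake failed", and a rejected logon once TLS is up. The script below is an added example, not code from this thread or from Sophos; it reads the timestamped lines an OpenVPN-based client writes, works out how far the attempt got and how long it took, and maps each outcome to the layer the thread found responsible (endpoint/certificate, authentication server, or the VPN-to-LAN firewall rule). The sample log lines are constructed; the endpoint 203.0.113.10 is a documentation placeholder, and the assumption is that the client logs in the standard OpenVPN `Www Mmm dd HH:MM:SS yyyy message` format.

```python
"""Triage an OpenVPN-style client log: how far did the connection attempt get?

Added example (not from the thread or from Sophos).  Assumes the standard
OpenVPN client log line format and its well-known status messages.
"""
import re
from datetime import datetime

LINE_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (.*)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"

# Final outcomes, checked in order; the first one seen wins.
MARKERS = [
    ("Initialization Sequence Completed", "connected"),
    ("AUTH_FAILED", "auth_failed"),
    ("TLS key negotiation failed to occur", "tls_failed"),
    ("TLS handshake failed", "tls_failed"),
]
FINAL = {"connected", "auth_failed", "tls_failed"}

HINTS = {
    "no_log": "no timestamped lines: the client never got as far as a connection attempt",
    "waiting_for_server": "link opened but neither a TLS result nor a failure was logged yet",
    "tls_failed": "no TLS session with the endpoint: verify the port/protocol is reachable and the server certificate presented",
    "auth_failed": "TLS succeeded but the credentials were rejected: check which authentication server the SSL VPN service uses",
    "connected": "tunnel is up; if traffic still does not pass, look at the VPN to LAN firewall rule",
}

# Constructed sample logs (203.0.113.10 is a documentation placeholder).
LOG_TLS_FAILED = """\
Fri Apr 14 09:00:00 2017 UDPv4 link remote: [AF_INET]203.0.113.10:8443
Fri Apr 14 09:01:00 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Apr 14 09:01:00 2017 TLS Error: TLS handshake failed
Fri Apr 14 09:01:00 2017 SIGUSR1[soft,tls-error] received, process restarting
"""
LOG_AUTH_FAILED = """\
Fri Apr 14 09:10:00 2017 TCPv4_CLIENT link remote: [AF_INET]203.0.113.10:8443
Fri Apr 14 09:10:01 2017 AUTH: Received control message: AUTH_FAILED
Fri Apr 14 09:10:01 2017 SIGUSR1[soft,auth-failure] received, process restarting
"""
LOG_CONNECTED = """\
Fri Apr 14 09:20:00 2017 UDPv4 link remote: [AF_INET]203.0.113.10:8443
Fri Apr 14 09:20:03 2017 Initialization Sequence Completed
"""


def triage(log_text: str) -> dict:
    """Return endpoint, outcome, seconds from first log line to the outcome, and a hint."""
    started = ended = None
    endpoint = None
    outcome = "no_log"
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), TS_FMT)
        msg = m.group(2)
        if started is None:
            started = ts
        if "link remote:" in msg:
            endpoint = msg.rsplit("]", 1)[-1]       # text after "[AF_INET]"
            if outcome not in FINAL:
                outcome = "waiting_for_server"
        if outcome in FINAL:
            continue                                # keep the first final result
        for marker, result in MARKERS:
            if marker in msg:
                outcome, ended = result, ts
                break
    seconds = (ended - started).total_seconds() if started and ended else None
    return {"endpoint": endpoint, "outcome": outcome, "seconds": seconds, "hint": HINTS[outcome]}


if __name__ == "__main__":
    for name, log in (("tls", LOG_TLS_FAILED), ("auth", LOG_AUTH_FAILED), ("ok", LOG_CONNECTED)):
        print(name, triage(log))
```

The 60-second gap between the link opening and the TLS error in the first sample is the same "stuck on amber for about half a minute" symptom described above; a short gap followed by `AUTH_FAILED` instead means the endpoint and certificate are fine and the user store is the next thing to look at.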