
SSL VPN - Can Connect But No Traffic

Having quite a bit of difficulty configuring SSL VPN. I can now successfully establish an SSL VPN connection through the client (I get the green light) and confirm that I get assigned an IP from the SSL VPN pool. But I cannot connect to anything at all. When I try pinging the firewall (or any other IP address on the LAN) I get no results. When I turn on default gateway, I cannot access any external websites. It's like it's connected to nothing at all.

Even more odd is that the firewall rule I created shows traffic coming through:

And the logs also show traffic as being allowed:

2017-01-07 13:10:39 | Firewall Rule | Allowed | david | 2 | tun0 | PortB | 10.81.234.6 :TCP(62959) | 74.125.202.188 :TCP(5228) | User | 00001
2017-01-07 13:10:06 | Firewall Rule | Allowed | david | 2 | tun0 | PortB | 10.81.234.6 :TCP(62931) | 75.101.136.125 :TCP(80) | User | 00001
2017-01-07 13:11:06 | Firewall Rule | Allowed | david | 2 | tun0 | - | 10.81.234.6 :TCP(62971) | 38.112.113.153 :TCP(443) | User | 00001

I've followed the "Configuring SSL VPN for Remote Access" guide and have checked and rechecked my settings.

I also found another discussion that suggested a new host network be created and interface ports be deleted from the VPN config (Configure - VPN - SSL VPN (Remote Access)), so I did that:

I've defined LAN as the entire subnet I'm using for the LAN:

SSL VPN settings have been left at the defaults, other than changing encryption to AES-256-CBC.

I've not bothered posting the other SSL VPN settings seeing as how I can establish the VPN connection.

This is driving me nuts. Might anyone have any suggestions as to what I might be doing wrong?
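One way to read the log excerpt above, added here as an example and not code from the post or from Sophos: a small Python triage script that parses rows in the same field order as the log viewer (the pipe-separated layout and the values are constructed from the excerpt; treating tun0 as the VPN interface and PortB as the WAN interface is an assumption) and classifies each allowed flow by direction. It makes the point the raw rows hide: every "Allowed" hit is VPN client to public Internet, none is VPN to LAN, so the failing LAN pings never matched this rule at all.

```python
import ipaddress
import re

# Constructed sample in the 12-field order of the log viewer excerpt
# (time, component, action, user, rule id, in interface, out interface,
# source, destination, rule type, log id); values copied from the post.
SAMPLE_LOG = """\
2017-01-07 13:10:39|Firewall Rule|Allowed|david|2|tun0|PortB|10.81.234.6 :TCP(62959)|74.125.202.188 :TCP(5228)|User|00001
2017-01-07 13:10:06|Firewall Rule|Allowed|david|2|tun0|PortB|10.81.234.6 :TCP(62931)|75.101.136.125 :TCP(80)|User|00001
2017-01-07 13:11:06|Firewall Rule|Allowed|david|2|tun0|-|10.81.234.6 :TCP(62971)|38.112.113.153 :TCP(443)|User|00001
"""

# Matches the "10.81.234.6 :TCP(62959)" endpoint notation used in the excerpt.
ENDPOINT = re.compile(r"^(\S+) :(\w+)\((\d+)\)$")


def parse_endpoint(text):
    ip, proto, port = ENDPOINT.match(text.strip()).groups()
    return ipaddress.ip_address(ip), proto, int(port)


def parse_entries(log_text):
    entries = []
    for line in log_text.splitlines():
        f = [x.strip() for x in line.split("|")]
        if len(f) < 9:
            continue  # skip partial rows rather than guess at them
        entries.append({"time": f[0], "action": f[2], "user": f[3], "rule": f[4],
                        "in_if": f[5], "out_if": f[6],
                        "src": parse_endpoint(f[7]), "dst": parse_endpoint(f[8])})
    return entries


def classify(entry, vpn_if="tun0", wan_if="PortB"):
    """Tag a flow by where it came in and where the firewall sent it."""
    if entry["in_if"] != vpn_if:
        return "not-vpn"
    if entry["out_if"] == "-":
        return "no-egress-interface"  # rule matched, but no out interface logged
    if entry["out_if"] == wan_if:
        return "vpn-to-wan"           # client using the tunnel as default gateway
    if entry["dst"][0].is_private:
        return "vpn-to-lan"           # the direction the poster is trying to test
    return "other"


def summarize(log_text):
    counts = {}
    for e in parse_entries(log_text):
        counts[classify(e)] = counts.get(classify(e), 0) + 1
    return counts


if __name__ == "__main__":
    for e in parse_entries(SAMPLE_LOG):
        print(e["time"], e["in_if"], "->", e["out_if"], e["dst"][0], classify(e))
    print(summarize(SAMPLE_LOG))
```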

  • Sachin - thanks very much. I will give it a try.

    Just one dumb question on Item 2: Currently, I only have one FW rule for VPN, with source zones being WAN or VPN and destination zones Any. But in your item 2 you refer to LAN to VPN having no MASQ. Does that mean I need to create a separate rule for LAN to VPN?

  • Sachin,

    Just as a further update, I tried part of your suggestion and now it seems to work. I did 1 and the first part of 2, but did not create a second rule for LAN to VPN. Also, for VPN to LAN, I turned off MASQ (rather than turn it on). Of course, if I got that second part wrong and it should be enabled for some reason, do let me know. Lastly, I kept the rule at the bottom.

    Best regards,

    David

  • Hi David,

    You need a LAN to VPN rule for traffic initiating from the LAN zone towards the VPN zone. When a session is established from the VPN zone the connection tracking system will take care of the other part but, if the session is initiated from the LAN then, the XG needs a LAN to VPN rule.

    Thanks

  • sachingurung wrote:

    "2. In the FW-rule: VPN to LAN has MASQ "

    Why MASQ? Over here it works without. I prefer to only use NAT when needed, like going from private to public IP space, not private <-> private.
    Or does this originate from the checkbox being enabled by default?

  • Thank you Sachin. I will set one up.

  • Has anyone got this to work properly? I got the VPN set up and I can connect to it remotely but, just like everyone else, I cannot ping any IPs or remote into any of my systems that are on the same LAN/Gateway/DHCP. I tried creating LANtoVPN with MASQ and VPNtoLAN without MASQ with no success. I have also tried adding an IP Host for one of my machines but I still can't remote into it.

    Under Device Access, for VPN, I have Ping enabled and the only other option enabled by default was SNMP. Should I enable anything else there? What am I missing?

  • FormerMember (in reply to sachingurung):

    I have the same problem. The solution here did not fix the issue however.