SSL VPN - Can Connect But No Traffic

Just a further note: In tunnel access, rather than trying to add an IP subnet, thought I'd try to add an IP range to see if that might work, so I created new network resource within the SSL VPN (Remote Access) screen under Permitted Network Resources (IPv4) and added it. Or at least I thought I added it. When I checked the settings, it hadn't been added, nor can I even select the newly created range under Permitted Network Resources (IPv4).

The definition was definitely created. When I go into System - Hosts and Services - IP Hosts, its still listed there:

But it doesn't show up as a permitted selection under Tunnel Access:

I must say, just as an editorial comment, that setting up VPN under UTM 9 was so, so much easier and straightforward.

Oops. Just found another post with the same issue. Will work through the suggested approach there.

And, turns out I already worked through the suggested solution, with the exception of adding VPN to the #Default_Network_Policy. Wasn't sure if it should be added to Source or Destination. Tried both but still no traffic, no pings, no traffic.

Very frustrating. 

dma0,

send me a PM and I will have a look at your problem.

Thanks and done.

Also, from the client end, things (at least as far as I can tell) seem OK:

From the client log:

Sun Jan 08 01:06:04 2017 Set TAP-Windows TUN subnet mode network/local/netmask = 10.81.234.0/10.81.234.6/255.255.255.0 [SUCCEEDED]
Sun Jan 08 01:06:04 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.81.234.6/255.255.255.0 on interface {B9F62FC7-306F-468D-B989-B4433B6EF043} [DHCP-serv: 10.81.234.254, lease-time: 31536000]
Sun Jan 08 01:06:04 2017 Successful ARP Flush on interface [12] {B9F62FC7-306F-468D-B989-B4433B6EF043}
Sun Jan 08 01:06:08 2017 TEST ROUTES: 3/3 succeeded len=3 ret=1 a=0 u/d=up
Sun Jan 08 01:06:08 2017 MANAGEMENT: >STATE:1483855568,ADD_ROUTES,,,,,,
Sun Jan 08 01:06:08 2017 C:\WINDOWS\system32\route.exe ADD 99.231.148.127 MASK 255.255.255.255 192.168.43.1
Sun Jan 08 01:06:08 2017 Route addition via service succeeded
Sun Jan 08 01:06:08 2017 C:\WINDOWS\system32\route.exe ADD 10.0.0.0 MASK 255.255.255.0 10.81.234.5
Sun Jan 08 01:06:08 2017 Route addition via service succeeded
Sun Jan 08 01:06:08 2017 C:\WINDOWS\system32\route.exe ADD 99.231.148.127 MASK 255.255.255.255 192.168.43.1
Sun Jan 08 01:06:08 2017 ROUTE: route addition failed using service: The object already exists. [status=5010 if_index=14]
Sun Jan 08 01:06:08 2017 Route addition via service failed
Sun Jan 08 01:06:08 2017 Initialization Sequence Completed
Sun Jan 08 01:06:08 2017 MANAGEMENT: >STATE:1483855568,CONNECTED,SUCCESS,10.81.234.6,99.231.148.127,8443,,

From ipconfig:

Ethernet adapter Ethernet 2:

Connection-specific DNS Suffix . :
 Link-local IPv6 Address . . . . . : fe80::7021:81ee:a6a3:1e23%12
 IPv4 Address. . . . . . . . . . . : 10.81.234.6
 Subnet Mask . . . . . . . . . . . : 255.255.255.0
 Default Gateway . . . . . . . . . :

Wireless LAN adapter Wi-Fi:

Connection-specific DNS Suffix . :
 Link-local IPv6 Address . . . . . : fe80::e594:ee65:d831:65be%14
 IPv4 Address. . . . . . . . . . . : 192.168.43.130
 Subnet Mask . . . . . . . . . . . : 255.255.255.0
 Default Gateway . . . . . . . . . : 192.168.43.1

From netstat -rn:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
 0.0.0.0 0.0.0.0 192.168.43.1 192.168.43.130 55
 10.0.0.0 255.255.255.0 10.81.234.5 10.81.234.6 257
 10.81.234.0 255.255.255.0 On-link 10.81.234.6 257
 10.81.234.6 255.255.255.255 On-link 10.81.234.6 257
 10.81.234.255 255.255.255.255 On-link 10.81.234.6 257
 99.231.148.127 255.255.255.255 192.168.43.1 192.168.43.130 311
 127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
 127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
 127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
 192.168.43.0 255.255.255.0 On-link 192.168.43.130 311
 192.168.43.130 255.255.255.255 On-link 192.168.43.130 311
 192.168.43.255 255.255.255.255 On-link 192.168.43.130 311
 224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
 224.0.0.0 240.0.0.0 On-link 10.81.234.6 257
 224.0.0.0 240.0.0.0 On-link 192.168.43.130 311
 255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
 255.255.255.255 255.255.255.255 On-link 10.81.234.6 257
 255.255.255.255 255.255.255.255 On-link 192.168.43.130 311
===========================================================================
Persistent Routes:
 None

Hi,

Verify 3 points:

1. PING is marked in the Administration > Device Access > VPN zone.

2. In the FW-rule: VPN to LAN has MASQ ; LAN to VPN has no MASQ.

3. The rules are placed on TOP and nothing overrides them.

Thanks

Sachin - thanks very much. I will give it a try.

Just one dumb question on Item 2: Currently, I only have one FW rule for VPN, with source zones being WAN or VPN and destination zones Any. But in your item 2 you refer to LAN to VPN having no MASQ. Does that mean I need to create a separate rule for LAN to VPN?

Sachin,

Just as a further update, I tried part of your suggestion and now it seems to work. I did 1 and the first part of 2, but did not create a second rule for LAN to VPN. Also, for VPN to LAN, I turned off MASQ (rather than turn it on). Of course, if I got that second part wrong and it should be enabled for some reason, do let me know. Lastly, I kept the rule at the bottom.

Best regards,

David

Hi David,

You need a LAN to VPN rule for traffic initiating from the LAN zone towards the VPN zone. When a session is established from the VPN zone the connection tracking system will take care of the other part but, if the session is initiated from the LAN then, the XG needs a LAN to VPN rule.

Thanks

sachingurung wrote: