Sophos SSL VPN Client is connected but there isn't traffic

Hi to all!!

I have an issue with the SSL VPN client configuration. The client is able to connect, but I can see the following lines in the log (it is not a complete log):

 

Tue Jan 10 15:57:20 2017 MANAGEMENT: >STATE:1484060240,ASSIGN_IP,,10.3.33.101,,,,
Tue Jan 10 15:57:24 2017 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue Jan 10 15:57:24 2017 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 10 15:57:28 2017 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue Jan 10 15:57:28 2017 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 10 15:57:29 2017 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue Jan 10 15:57:29 2017 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 10 15:57:30 2017 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue Jan 10 15:57:30 2017 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 10 15:57:31 2017 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue Jan 10 15:57:31 2017 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 10 15:57:33 2017 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue Jan 10 15:57:33 2017 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 10 15:57:34 2017 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue Jan 10 15:57:34 2017 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 10 15:57:35 2017 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue Jan 10 15:57:35 2017 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 10 15:57:36 2017 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue Jan 10 15:57:36 2017 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 10 15:57:37 2017 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue Jan 10 15:57:37 2017 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 10 15:57:39 2017 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue Jan 10 15:57:39 2017 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 10 15:57:40 2017 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue Jan 10 15:57:40 2017 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 10 15:57:41 2017 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue Jan 10 15:57:41 2017 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 10 15:57:42 2017 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue Jan 10 15:57:42 2017 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 10 15:57:43 2017 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue Jan 10 15:57:43 2017 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 10 15:57:44 2017 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue Jan 10 15:57:44 2017 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 10 15:57:45 2017 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue Jan 10 15:57:45 2017 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 10 15:57:46 2017 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue Jan 10 15:57:46 2017 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 10 15:57:47 2017 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue Jan 10 15:57:47 2017 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 10 15:57:48 2017 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue Jan 10 15:57:48 2017 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 10 15:57:49 2017 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue Jan 10 15:57:49 2017 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 10 15:57:50 2017 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue Jan 10 15:57:50 2017 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 10 15:57:51 2017 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue Jan 10 15:57:51 2017 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 10 15:57:52 2017 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue Jan 10 15:57:52 2017 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 10 15:57:54 2017 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue Jan 10 15:57:54 2017 C:\Windows\system32\route.exe ADD 172.20.35.193 MASK 255.255.255.255 192.168.1.1
Tue Jan 10 15:57:54 2017 Route addition via service succeeded
Tue Jan 10 15:57:54 2017 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.3.33.100
Tue Jan 10 15:57:54 2017 Warning: route gateway is not reachable on any active network adapters: 10.3.33.100
Tue Jan 10 15:57:54 2017 Route addition via service failed
Tue Jan 10 15:57:54 2017 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.3.33.100
Tue Jan 10 15:57:54 2017 Warning: route gateway is not reachable on any active network adapters: 10.3.33.100
Tue Jan 10 15:57:54 2017 Route addition via service failed
Tue Jan 10 15:57:54 2017 MANAGEMENT: >STATE:1484060274,ADD_ROUTES,,,,,,
Tue Jan 10 15:57:54 2017 C:\Windows\system32\route.exe ADD 172.20.35.193 MASK 255.255.255.255 192.168.1.1
Tue Jan 10 15:57:54 2017 ROUTE: route addition failed using service: El objeto ya existe. [status=5010 if_index=10]
Tue Jan 10 15:57:54 2017 Route addition via service failed
Tue Jan 10 15:57:54 2017 C:\Windows\system32\route.exe ADD 172.20.35.193 MASK 255.255.255.255 192.168.1.1
Tue Jan 10 15:57:54 2017 ROUTE: route addition failed using service: El objeto ya existe. [status=5010 if_index=10]
Tue Jan 10 15:57:54 2017 Route addition via service failed

Then, the system is not adding the network interface on the client laptop and the routes don't appear anywhere... So, when I try to reach the internal LAN, the traffic goes to the client's default gateway instead of going through the SSL-VPN, and the traffic is not reaching the LAN...

Any idea???

Thanks in advance!!!

Regards

David.



  • Hi David, 

    Could you post the configuration of your SSL VPN, specify the network you wish to access, and also post the route table of your system?

    To get the routes of your system, run the command: route print

  • Weird to see the tunnel coming up so many times in 30 seconds. Probably it goes down as quickly.
    And when it is down, route addition to tunnel peer 10.3.33.100 has to fail.

    Am I correct assuming:
    -192.168.1.1 is gateway on your LAN
    -172.20.35.193 is sslvpn server IP.  (it's a private IP, that raises some eyebrows)
    -OpenVPN tries to route all traffic over the VPN, not just some internal networks
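
The pattern discussed above (an address is assigned, the TUN/TAP adapter stays down, and the routes via the tunnel peer fail) can be checked mechanically. The following is an added example, not part of the original posts: the function names and summary fields are assumptions, and the sample lines are an excerpt of the log in the opening post.

```python
import re

# Excerpt of the client log from the opening post (repeated wait lines trimmed).
SAMPLE_LOG = r"""Tue Jan 10 15:57:20 2017 MANAGEMENT: >STATE:1484060240,ASSIGN_IP,,10.3.33.101,,,,
Tue Jan 10 15:57:24 2017 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Tue Jan 10 15:57:24 2017 Route: Waiting for TUN/TAP interface to come up...
Tue Jan 10 15:57:54 2017 C:\Windows\system32\route.exe ADD 172.20.35.193 MASK 255.255.255.255 192.168.1.1
Tue Jan 10 15:57:54 2017 Route addition via service succeeded
Tue Jan 10 15:57:54 2017 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.3.33.100
Tue Jan 10 15:57:54 2017 Warning: route gateway is not reachable on any active network adapters: 10.3.33.100
Tue Jan 10 15:57:54 2017 Route addition via service failed
Tue Jan 10 15:57:54 2017 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.3.33.100
Tue Jan 10 15:57:54 2017 Warning: route gateway is not reachable on any active network adapters: 10.3.33.100
Tue Jan 10 15:57:54 2017 Route addition via service failed
"""

ASSIGN_IP = re.compile(r"ASSIGN_IP,,([\d.]+)")
TEST_ROUTES = re.compile(r"TEST ROUTES: .* u/d=(up|down)")  # u/d = adapter up/down
ROUTE_ADD = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)")
# The two /1 routes that together override the default route (full tunnel).
DEFAULT_HALVES = {("0.0.0.0", "128.0.0.0"), ("128.0.0.0", "128.0.0.0")}

def analyze(log_text):
    """Summarise adapter state and route-add outcomes from an OpenVPN client log."""
    r = {"assigned_ip": None, "tap_up": False, "tap_waits": 0, "ok": [], "failed": []}
    pending = None  # route.exe command awaiting its result line
    for line in log_text.splitlines():
        if m := ASSIGN_IP.search(line):
            r["assigned_ip"] = m.group(1)
        elif m := TEST_ROUTES.search(line):
            r["tap_up"] = m.group(1) == "up"
        elif "Waiting for TUN/TAP interface" in line:
            r["tap_waits"] += 1
        elif m := ROUTE_ADD.search(line):
            pending = m.groups()
        elif "Route addition via service" in line and pending:
            r["ok" if line.rstrip().endswith("succeeded") else "failed"].append(pending)
            pending = None
    return r

def findings(r):
    """Turn the summary into findings about traffic that will bypass the tunnel."""
    out = []
    if r["assigned_ip"] and not r["tap_up"]:
        out.append(f"{r['assigned_ip']} assigned but the TUN/TAP adapter never came up")
    for dest, mask, gw in r["failed"]:
        if (dest, mask) in DEFAULT_HALVES:
            out.append(f"route {dest} mask {mask} via {gw} missing: traffic leaves outside the VPN")
    return out
```

Calling `findings(analyze(SAMPLE_LOG))` on the excerpt returns three findings: the adapter that never came up and the two missing default-route halves.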

  • Hi Aditya,

    the configuration is:

    The permitted network is 10.3.0.0/16, and the route print of the laptop: 

    C:\Users\David>route print
    ===========================================================================
    ILista de interfaces
    34...00 ff 3e c6 92 3f ......Sophos SSL VPN Adapter
    11...00 18 de 22 76 dc ......Conexión de red Intel(R) PRO/Wireless 3945ABG
    10...00 18 8b b1 7c 63 ......Controladora Gigabit Broadcom NetXtreme 57xx
    1...........................Software Loopback Interface 1
    36...00 00 00 00 00 00 00 e0 Adaptador ISATAP de Microsoft
    37...00 00 00 00 00 00 00 e0 Adaptador ISATAP de Microsoft #2
    18...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
    33...00 00 00 00 00 00 00 e0 Adaptador ISATAP de Microsoft #3
    ===========================================================================

    IPv4 Tabla de enrutamiento
    ===========================================================================
    Rutas activas:
    Destino de red Máscara de red Puerta de enlace Interfaz Métrica
    0.0.0.0 0.0.0.0 172.20.32.1 172.20.34.90 20
    127.0.0.0 255.0.0.0 En vínculo 127.0.0.1 306
    127.0.0.1 255.255.255.255 En vínculo 127.0.0.1 306
    127.255.255.255 255.255.255.255 En vínculo 127.0.0.1 306
    172.20.32.0 255.255.248.0 En vínculo 172.20.34.90 276
    172.20.34.90 255.255.255.255 En vínculo 172.20.34.90 276
    172.20.35.193 255.255.255.255 172.20.32.1 172.20.34.90 276
    172.20.39.255 255.255.255.255 En vínculo 172.20.34.90 276
    224.0.0.0 240.0.0.0 En vínculo 127.0.0.1 306
    224.0.0.0 240.0.0.0 En vínculo 172.20.34.90 276
    255.255.255.255 255.255.255.255 En vínculo 127.0.0.1 306
    255.255.255.255 255.255.255.255 En vínculo 172.20.34.90 276
    ===========================================================================
    Rutas persistentes:
    Ninguno

    IPv6 Tabla de enrutamiento
    ===========================================================================
    Rutas activas:
    Cuando destino de red métrica Puerta de enlace
    1 306 ::1/128 En vínculo
    1 306 ff00::/8 En vínculo
    ===========================================================================
    Rutas persistentes:
    Ninguno

    These routes are with the client connected...

    The system should lease to my laptop an IP address from the range 10.3.33.100 - 110, but I don't see it anywhere... If I run a traceroute to the internal network, the traffic goes to my default gateway instead of going to the tunnel...

    Regards,

    David.

  • Hi sixteen,

    yes, it's correct... Now, I have the appliance in a lab (I'm new to Sophos), but I have to configure the appliance to take it and go to install it at my customer...

    the IP address 192.168.1.1 is a router which knows the two subnets... The lab is:

     

    The green arrow is the SSL-VPN connection (I have got connectivity via routing between the laptop and the Sophos appliance).... The system is leasing me one IP address but I don't see it anywhere and the traffic is not going via the tunnel... I don't know how the OpenVPN client works, but the Cisco AnyConnect client brings up a new interface which is used to reach the internal network; I think the OpenVPN client works the same way, correct??

    Thanks in advance!!

    Regards,

    David.

  • Hi Sixteen,

    As per the logs, it would seem that the SSL VPN client is having trouble overwriting the default route. Have you tried with a different system? Also, does your XG appliance have a public address which is reachable from your system?

  • Hi Aditya,

    I've solved this issue.... The problem is that I have the Cisco AnyConnect Client installed. This software has a module which manages the network; this is useful to manage the Wi-Fi connections on your PC because with one click I can change the Wi-Fi network that I connect to... I've disabled this module and the Sophos client has connected fine and quickly... Now all is working fine!!!

    Thanks for everything, and I'm sorry for the inconvenience...

    Kind Regards,

    David.

  • Hi David,

    It's no problem; your issue and resolution will surely be of help to others. Keep us posted on any issue you are facing.