
Cannot connect to VPN

Hi,

 

I think I have followed the ssl vpn remote access guide https://community.sophos.com/kb/en-us/122769 
But I can't manage to connect. It seems that the firewall won't allow the connection:

messageid="02002" log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="0" policy_type="0" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" in_interface="Port1" out_interface="" src_mac="00:24:d4:ad:17:c2" src_ip="x.x.x.x" src_country="" dst_ip="y.y.y.y" dst_country="" protocol="UDP" src_port="49795" dst_port="8443" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature"

I don't understand why because:

- I have allowed the WAN zone for SSL VPN
- I don't have any firewall rule that could block the 8443 port

Any idea?
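As an added example (not code from the thread or from Sophos), here is a small Python parser for the `key="value"` log format in the line posted above. It reads the fields and says which part of the firewall produced the deny, using the reading given later in the thread: an entry with log_component="Appliance Access" and fw_rule_id="0" is traffic addressed to the appliance itself, decided by the Device Access / Local Services ACL rather than by a numbered firewall rule. The sample line is a constructed copy of the posted one (the poster had already replaced the IPs with x.x.x.x / y.y.y.y), and the assumed SSL VPN listening port is the 8443 mentioned in the thread.

```python
import re

# Constructed sample: the denied-packet line from the thread, shortened to the
# fields the checks below actually use (the poster anonymised the addresses).
SAMPLE_LOG = (
    'messageid="02002" log_type="Firewall" log_component="Appliance Access" '
    'log_subtype="Denied" status="Deny" fw_rule_id="0" policy_type="0" '
    'in_interface="Port1" out_interface="" src_ip="x.x.x.x" dst_ip="y.y.y.y" '
    'protocol="UDP" src_port="49795" dst_port="8443" src_zone="" dst_zone="" '
    'hb_status="No Heartbeat" message=""'
)

# Each field is key="value"; values may be empty, so allow zero characters.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_sophos_log(line: str) -> dict:
    """Turn one Sophos XG/XGS firewall log line into a dict of field -> value."""
    return dict(KV_RE.findall(line))


def classify_denial(fields: dict) -> str:
    """Say which decision point produced a Deny.

    Interpretation (from the thread, assumed here): 'Appliance Access' with
    fw_rule_id="0" means the packet was destined for the appliance and was
    evaluated by Device Access > Local Services ACL, not by a user rule.
    """
    if fields.get("status") != "Deny":
        return "not-a-denial"
    if fields.get("log_component") == "Appliance Access" and fields.get("fw_rule_id") == "0":
        return "local-services-acl"
    rule_id = fields.get("fw_rule_id", "")
    if rule_id not in ("", "0"):
        return f"firewall-rule-{rule_id}"
    return "default-drop"


def is_ssl_vpn_attempt(fields: dict, vpn_port: str = "8443") -> bool:
    """True when the denied packet targets the assumed SSL VPN listener port."""
    return fields.get("dst_port") == vpn_port


def summarize(line: str, vpn_port: str = "8443") -> dict:
    """Collect what an admin needs to compare the log against the ACL config."""
    f = parse_sophos_log(line)
    return {
        "verdict": classify_denial(f),
        "ssl_vpn_port": is_ssl_vpn_attempt(f, vpn_port),
        "protocol": f.get("protocol"),
        "dst_port": f.get("dst_port"),
        "in_interface": f.get("in_interface"),
        # Empty zone fields are normal for appliance-access entries; the
        # ingress interface is then the only hint of which zone was involved.
        "src_zone": f.get("src_zone") or "(empty)",
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key:>14}: {value}")
```

Running it on the posted line yields verdict `local-services-acl`, protocol UDP, port 8443 arriving on Port1: the points to check are therefore the Local Services ACL entry for the zone that Port1 belongs to and whether the SSL VPN service is configured for the same protocol the client is sending.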



  • Did you add ‘VPN’ to the Source zone on your firewall rule that allows the incoming VPN connection (as shown in that guide)? You don’t actually need WAN as a source zone on that firewall rule, just VPN.

  • Yes, I did that. But if I understand correctly, this rule doesn't allow WAN to VPN traffic, it allows VPN users to have access to our LAN resources, doesn't it? So it has no impact on the fact that, in my case, the firewall denies access to port 8443. If I'm not wrong...

  • Did you enable SSL VPN for WAN under Administration -> Device Access -> Local Services ACL? What you’re saying is correct. This is one of the flaws with Sophos XG (in my opinion) that a lot of folks are frustrated about. There are “hidden” firewall rules that are either there by default or created by enabling certain settings such as the one mentioned above. Everything under “Local Services ACL” is essentially like creating a firewall rule, so enabling SSL VPN for WAN is doing exactly what you’re saying - opening a port to allow access from the WAN side.
  • Yes, it is enabled. And that's why I can't understand why the firewall is blocking...

  • Hm, that is odd... I wrote a guide on setting up SSL VPN for home use. It's exactly the steps I took to get SSL VPN set up and it seems to be working okay for me. Might be worth skimming through it to make sure you didn't miss any steps. I found some of the official Sophos guides to be incomplete or missing some important steps. You can see it here: 

    Otherwise, posting your firewall rules might help just so we can take a look.

  • There's really nothing special in my firewall rules, and the log doesn't point to any of these rules.

    And here's my local device access configuration:

  • I’m sure you’ve already checked this but just in case - do you have your “Local subnet” added to the “Permitted Network Resources (IPv4)” in the SSL VPN configuration? Besides that, I’m at a loss as to what it could be... hopefully someone else can chime in with a solution.

  • Yes, I have added it to the “Permitted Network Resources (IPv4)”. I even have added "Port 1", "Port 2" and "WWAN1". But nothing works. Even when I try to access the VPN from my local network the firewall is blocking me.

  • grotoc said:
    Yes, I have added it to the “Permitted Network Resources (IPv4)”. I even have added "Port 1", "Port 2" and "WWAN1". But nothing works. Even when I try to access the VPN from my local network the firewall is blocking me.

    I was reading through this Knowledge Base article on troubleshooting SSL VPN: 

    It mentions the following:

    “Make sure that physical ports of Sophos Firewall are not allowed in the Permitted Network Resources (IPv4) of the Tunnel Access section under VPN > SSL VPN (Remote Access). If allowed, the SSL VPN user would not be able to access the internal network, instead, create a new IP Host/Network for SSL VPN user access.”

    Have you tried deleting everything except the IP Host for your local network from the ‘Permitted Network Resources (IPv4)’?

  • Yes, I have deleted all physical ports in the 'Permitted Network Resources (IPv4)' section. But still no luck.

    When I try to do a simple telnet using the port 8843 to the Sophos XG, I'm blocked by the firewall. And I don't think it should be.