
Cannot connect to VPN

Hi,


I think I have followed the ssl vpn remote access guide https://community.sophos.com/kb/en-us/122769 
But I can't manage to connect. It seems that the firewall won't allow the connection:

messageid="02002" log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="0" policy_type="0" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" in_interface="Port1" out_interface="" src_mac="00:24:d4:ad:17:c2" src_ip="x.x.x.x" src_country="" dst_ip="y.y.y.y" dst_country="" protocol="UDP" src_port="49795" dst_port="8443" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature"

I don't understand why because:

- I have allowed the WAN zone for SSL VPN
- I don't have any firewall rule that could block the 8443 port

Any idea?



  • Did you add ‘VPN’ to the Source zone on your firewall rule that allows the incoming VPN connection (as shown in that guide)? You don’t actually need WAN as a source zone on that firewall rule, just VPN.

  • Yes I did that. But if I understand correctly, this rule doesn't allow WAN to VPN traffic, it allows VPN users to have access to our LAN resources, doesn't it? So it has no impact on the fact that, in my case, the firewall denies access to port 8443. If I'm not wrong...

  • Did you enable SSL VPN for WAN under Administration -> Device Access -> Local Services ACL? What you’re saying is correct. This is one of the flaws with Sophos XG (in my opinion) that a lot of folks are frustrated about. There are “hidden” firewall rules that are either there by default or created by enabling certain settings such as the one mentioned above. Everything under “Local Services ACL” is essentially like creating a firewall rule, so enabling SSL VPN for WAN is doing exactly what you’re saying - opening a port to allow access from the WAN side.
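    As an added example (not code from any poster in this thread), here is a small Python triage helper for the two Sophos XG firewall log layouts quoted in this thread: it parses both the key="value" and the bare key=value fields and flags Denied entries whose log_component is "Appliance Access" or "Local_ACLs" with fw_rule_id 0, which is what a Local Services ACL deny looks like, as opposed to a deny by a user-created firewall rule. The sample log lines are constructed for the example.

    ```python
    import re
    from typing import Dict, List

    # Constructed sample lines in the two Sophos XG log layouts seen in this
    # thread: quoted key="value" (Appliance Access) and bare key=value (Local_ACLs).
    SAMPLE_LOGS = [
        'log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" '
        'status="Deny" fw_rule_id="0" in_interface="Port1" src_ip="198.51.100.10" '
        'dst_ip="203.0.113.5" protocol="UDP" src_port="49795" dst_port="8443" '
        'hb_status="No Heartbeat" message=""',
        'log_type=Firewall log_component=Local_ACLs log_subtype=Denied in_dev=Port2 '
        'out_dev= source_ip=10.0.0.252 dest_ip=10.0.0.254 l4_protocol=UDP '
        'source_port=500 dest_port=500 fw_rule_id=0',
        'log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" '
        'status="Deny" fw_rule_id="12" src_ip="10.0.0.20" dst_ip="10.0.0.254" '
        'protocol="TCP" src_port="51000" dst_port="443"',
    ]

    # One regex for both layouts: key="quoted value (may contain spaces)" or key=bare.
    _KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

    # Components whose denies come from device-access (Local Services ACL) settings,
    # not from a rule listed in the firewall rule table.
    LOCAL_ACL_COMPONENTS = {"Appliance Access", "Local_ACLs"}


    def parse_line(line: str) -> Dict[str, str]:
        """Turn one log line into a dict; unmatched regex groups are '' so `q or b` works."""
        return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


    def _first(rec: Dict[str, str], *keys: str) -> str:
        """Return the first present key; the two layouts name the same field differently."""
        return next((rec[k] for k in keys if k in rec), "")


    def classify(rec: Dict[str, str]) -> str:
        """'device-access-acl' = hidden Local Services ACL deny; 'firewall-rule' = rule deny."""
        if rec.get("log_subtype") != "Denied":
            return "not-denied"
        if rec.get("log_component") in LOCAL_ACL_COMPONENTS and rec.get("fw_rule_id") == "0":
            return "device-access-acl"
        return "firewall-rule"


    def triage(lines: List[str]) -> List[Dict[str, str]]:
        """Normalise each line to a compact record so the two layouts can be compared."""
        out = []
        for line in lines:
            rec = parse_line(line)
            out.append({
                "verdict": classify(rec),
                "iface": _first(rec, "in_interface", "in_dev"),
                "src": _first(rec, "src_ip", "source_ip"),
                "dst": _first(rec, "dst_ip", "dest_ip"),
                "proto": _first(rec, "protocol", "l4_protocol"),
                "dport": _first(rec, "dst_port", "dest_port"),
                "rule": rec.get("fw_rule_id", ""),
            })
        return out
    ```

    A "device-access-acl" verdict for UDP/8443 from the WAN interface means the check belongs under Administration -> Device Access, not in the firewall rule table.
    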
  • Yes it is enabled. And that's why I can't understand why the firewall is blocking...

  • Hm, that is odd... I wrote a guide on setting up SSL VPN for home use. It’s exactly the steps I took to get SSL VPN set up and it seems to be working okay for me. Might be worth skimming through it to make sure you didn't miss any steps. I found some of the official Sophos guides to not be complete or missing some important steps. You can see it here: 

    Otherwise, posting your firewall rules might help just so we can take a look.

  • There's really nothing special in my firewall rules, and the log doesn't point to any of these rules.

    And here's my local device access configuration:

  • I’m sure you’ve already checked this but just in case - do you have your “Local subnet” added to the “Permitted Network Resources (IPv4)” in the SSL VPN configuration? Besides that, I’m at a loss as to what it could be... hopefully someone else can chime in with a solution.

  • Yes, I have added it to the “Permitted Network Resources (IPv4)”. I even have added "Port 1", "Port 2" and "WWAN1". But nothing works. Even when I try to access the VPN from my local network the firewall is blocking me.

  • grotoc said:
    Yes, I have added it to the “Permitted Network Resources (IPv4)”. I even have added "Port 1", "Port 2" and "WWAN1". But nothing works. Even when I try to access the VPN from my local network the firewall is blocking me.

    I was reading through this Knowledge Base article on troubleshooting SSL VPN: 

    It mentions the following:

    “Make sure that physical ports of Sophos Firewall are not allowed in the Permitted Network Resources (IPv4) of the Tunnel Access section under VPN > SSL VPN (Remote Access). If allowed, the SSL VPN user would not be able to access the internal network, instead, create a new IP Host/Network for SSL VPN user access.”

    Have you tried deleting everything except the IP Host for your local network from the ‘Permitted Network Resources (IPv4)’?

  • Yes, I have deleted all physical ports in the 'Permitted Network Resources (IPv4)' section. But still no luck.

    When I try to do a simple telnet using the port 8843 to the Sophos XG, I'm blocked by the firewall. And I don't think it should.

  • Hello,

    Based on a similar issue I had on my VPN connection, but not completely the same, please, which device are you connecting to?

    Is it Sophos to Sophos or another device? I need a name, but I hope it's not a Fortigate firewall.

    Regards

  • It's an OSX device to Sophos XG. I tried to set up an L2TP server on the XG and I have the same issue. The firewall is blocking the connection...


    2018-03-04 19:24:19 0103021 IP 10.0.0.252.500 > 10.0.0.254.500 : proto UDP: packet len: 796 checksum : 43112
    0x0000:  4500 0330 6685 0000 4011 fb3e 0a00 00fc  E..0f...@..>....
    0x0010:  0a00 00fe 01f4 01f4 031c a868 6046 4629  ...........h`FF)
    0x0020:  3435 b49c 0000 0000 0000 0000 0110 0200  45..............
    0x0030:  0000 0000 0000 0314 0d00 0204 0000 0001  ................
    0x0040:  0000 0001 0000 01f8 0101 000e 0300 0024  ...............$
    Date=2018-03-04 Time=19:24:19 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=1 outzone_id=4 source_mac=1c:1b:0d:9a:68:b8 dest_mac=00:1a:8c:33:36:89 l3_protocol=IP source_ip=10.0.0.252 dest_ip=10.0.0.254 l4_protocol=UDP source_port=500 dest_port=500 fw_rule_id=0 policytype=0 live_userid=8 userid=7 user_gp=8 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=12229120 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
  • Hi

    I have exactly the same problem. Did you solve it? If yes, how?

    Thank you
  • Hi, can you open another thread with details of your problem?

    Thanks!

  • Hi, it seems that the latest update (17.1.1) fixed this issue in my case.