
Cannot connect to VPN

Hi,

 

I think I have followed the ssl vpn remote access guide https://community.sophos.com/kb/en-us/122769 
But I can't manage to connect. It seems that the firewall won't allow the connection:

messageid="02002" log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="0" policy_type="0" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" in_interface="Port1" out_interface="" src_mac="00:24:d4:ad:17:c2" src_ip="x.x.x.x" src_country="" dst_ip="y.y.y.y" dst_country="" protocol="UDP" src_port="49795" dst_port="8443" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature"

I don't understand why because :

- I have allowed the WAN zone for SSL VPN
- I don't have any firewall rule that could block the 8443 port

Any idea?



  • Did you add ‘VPN’ to the Source zone on your firewall rule that allows the incoming VPN connection (as shown in that guide)? You don’t actually need WAN as a source zone on that firewall rule, just VPN.

  • Yes, I did that. But if I understand correctly, this rule doesn't allow WAN to VPN traffic, it allows VPN users to have access to our LAN resources, doesn't it? So it has no impact on the fact that, in my case, the firewall denies access to port 8443. If I'm not wrong...

  • Hm, that is odd... I wrote a guide on setting up SSL VPN for home use. It's exactly the steps I took to get SSL VPN set up and it seems to be working okay for me. Might be worth skimming through it to make sure you didn't miss any steps. I found some of the official Sophos guides to not be complete or missing some important steps. You can see it here: 

    Otherwise, posting your firewall rules might help just so we can take a look.

  • There's really nothing special in my firewall rules, and the log doesn't point to any of these rules.


    And here's my local device access configuration:

  • I’m sure you’ve already checked this but just in case - do you have your “Local subnet” added to the “Permitted Network Resources (IPv4)” in the SSL VPN configuration? Besides that, I’m at a loss as to what it could be... hopefully someone else can chime in with a solution.

  • Yes, I have added it to the "Permitted Network Resources (IPv4)". I even have added "Port 1", "Port 2" and "WWAN1". But nothing works. Even when I try to access the VPN from my local network the firewall is blocking me.

  • grotoc said:
    Yes, I have added it to the "Permitted Network Resources (IPv4)". I even have added "Port 1", "Port 2" and "WWAN1". But nothing works. Even when I try to access the VPN from my local network the firewall is blocking me.

    I was reading through this Knowledge Base article on troubleshooting SSL VPN: 

    It mentions the following:

    “Make sure that physical ports of Sophos Firewall are not allowed in the Permitted Network Resources (IPv4) of the Tunnel Access section under VPN > SSL VPN (Remote Access). If allowed, the SSL VPN user would not be able to access the internal network, instead, create a new IP Host/Network for SSL VPN user access.”

    Have you tried deleting everything except the IP Host for your local network from the 'Permitted Network Resources (IPv4)'?

  • Yes, I have deleted all physical ports in the 'Permitted Network Resources (IPv4)' section. But still no luck.

    When I try to do a simple telnet to port 8843 on the Sophos XG, I'm blocked by the firewall. And I don't think it should be.

  • Hello,

    Based on a similar issue I had on my VPN connection, though not completely the same, could you tell me which device you are connecting to?

    Is it Sophos to Sophos or another device? I need a name, but I hope it's not a Fortigate firewall.


    Regards

  • It's an OSX device to Sophos XG. I tried to set up an L2TP server on the XG and I have the same issue. The firewall is blocking the connection...


    2018-03-04 19:24:19 0103021 IP 10.0.0.252.500 > 10.0.0.254.500 : proto UDP: packet len: 796 checksum : 43112
    0x0000:  4500 0330 6685 0000 4011 fb3e 0a00 00fc  E..0f...@..>....
    0x0010:  0a00 00fe 01f4 01f4 031c a868 6046 4629  ...........h`FF)
    0x0020:  3435 b49c 0000 0000 0000 0000 0110 0200  45..............
    0x0030:  0000 0000 0000 0314 0d00 0204 0000 0001  ................
    0x0040:  0000 0001 0000 01f8 0101 000e 0300 0024  ...............$
    Date=2018-03-04 Time=19:24:19 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=1 outzone_id=4 source_mac=1c:1b:0d:9a:68:b8 dest_mac=00:1a:8c:33:36:89 l3_protocol=IP source_ip=10.0.0.252 dest_ip=10.0.0.254 l4_protocol=UDP source_port=500 dest_port=500 fw_rule_id=0 policytype=0 live_userid=8 userid=7 user_gp=8 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=12229120 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
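
As an added example that is not from this thread or from Sophos, a small Python parser for the two Sophos XG log shapes posted above (the quoted key="value" line with log_component="Appliance Access" in the first post and the bare key=value Local_ACLs line in this one); it separates denies that come from device access (fw_rule_id=0, no user rule matched) from ordinary firewall-rule decisions, which is the distinction the thread is chasing. The sample lines are constructed from the ones posted here, and the VPN port set is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample lines in the two shapes shown in this thread: an SSL VPN
# (UDP/8443) deny from "Appliance Access", an IKE (UDP/500) deny from
# "Local_ACLs", and an ordinary allowed connection from a firewall rule.
SAMPLE_LOGS = [
    'messageid="02002" log_type="Firewall" log_component="Appliance Access" '
    'log_subtype="Denied" status="Deny" fw_rule_id="0" in_interface="Port1" '
    'src_ip="x.x.x.x" dst_ip="y.y.y.y" protocol="UDP" src_port="49795" dst_port="8443"',
    'Date=2018-03-04 Time=19:24:19 log_id=0103021 log_type=Firewall '
    'log_component=Local_ACLs log_subtype=Denied in_dev=Port2 source_ip=10.0.0.252 '
    'dest_ip=10.0.0.254 l4_protocol=UDP source_port=500 dest_port=500 fw_rule_id=0',
    'messageid="02001" log_type="Firewall" log_component="Firewall Rule" '
    'log_subtype="Allowed" status="Allow" fw_rule_id="3" protocol="TCP" dst_port="443"',
]

# Assumed service ports for the remote-access features in the thread:
# SSL VPN on 8443 (as configured in the original post) and IKE on UDP/500.
VPN_SERVICE_PORTS = {8443, 500}
# The two formats name the same fields differently; map them to one schema.
ALIASES = {"dest_port": "dst_port", "dest_ip": "dst_ip", "source_ip": "src_ip",
           "l4_protocol": "protocol", "in_dev": "in_interface"}
# key="quoted value" or key=bare_value
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_line(line: str) -> Dict[str, str]:
    """Split a Sophos key=value line (quoted or bare values) into a dict."""
    fields = {}
    for key, quoted, bare in PAIR.findall(line):
        fields[ALIASES.get(key, key)] = quoted if quoted else bare
    return fields


def is_device_access_deny(fields: Dict[str, str]) -> bool:
    """True when the appliance itself refused the packet, not a user rule.

    fw_rule_id=0 together with the Appliance Access / Local_ACLs component
    means no firewall rule was consulted: the service is simply not permitted
    for the source zone in the device access (local ACL) settings."""
    local = fields.get("log_component") in ("Appliance Access", "Local_ACLs")
    return (fields.get("log_subtype") == "Denied" and local
            and fields.get("fw_rule_id") == "0")


def vpn_denies(lines: List[str]) -> List[Dict[str, str]]:
    """Return parsed entries that are device-access denies on a VPN service port."""
    return [f for f in map(parse_line, lines)
            if is_device_access_deny(f) and int(f.get("dst_port", 0)) in VPN_SERVICE_PORTS]
```

Feeding a day of exported firewall logs through `vpn_denies` shows at once whether the drops are local-ACL denies (a device access problem) or rule denies (a firewall rule problem).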
  • Hi
    
    I have exactly the same problem. Did you solve it? If yes how?
    
    
    Thank you
  • Hi, can you open another thread with details of your problem? 

    Thanks!
