Outgoing SSL VPN connection dropping

Hi Brian Macdonald 

Thank you for reaching out to the community!

When you say connection outside the UTM works fine, did you mean you connect to that internal host via DNAT rule? 

Is it site to site SSL VPN or remote access SSL VPN that you are experiencing the issue? If the client behind the UTM is sending reset packets, I would advise investigating the reason why it resets the connection. 

Thanks,

Scenario A - I'm at my office connecting to my customer's ssl vpn (outgoing), communication goes through UTM, result connection drops after 4-5 minutes.

Scenario B - I'm at home connecting to my customer's ssl vpn (outgoing), communication goes through ISP's router, result connection stay up, no problems.

This is not site to site vpn. I go to a webpage and log in and an ssl connection is established and subsequently an RDP connection is tunneled through it.

Scenario A - I'm at my office connecting to my customer's ssl vpn (outgoing), communication goes through UTM, result connection drops after 4-5 minutes.

Scenario B - I'm at home connecting to my customer's ssl vpn (outgoing), communication goes through ISP's router, result connection stay up, no problems.

This is not site to site vpn. I go to a webpage and log in and an ssl connection is established and subsequently an RDP connection is tunneled through it.

Hi Brian and welcome to the UTM Community!

TCP resets are not uncommon.  What do you learn from doing #1 in Rulz (last updated 2019-04-17)?

If you're not the administrator of the UTM, it will be difficult to help you.

Cheers - Bob

I made an exception in Intrusion Prevention for the website. Also I don't see anything in the Intrusion Prevention or Application Control logs.  Advanced Threat Protection is zero.

I see entries like this in the firewall log but they don't coincide with the connection loss, they come before:

2020:05:29-13:33:36 utm ulogd[23981]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="00:15:5d:0c:62:35" srcip="xx.xx.xx.xx" dstip="192.168.12.188" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="1252" tcpflags="RST"
2020:05:29-13:33:36 utm ulogd[23981]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="00:15:5d:0c:62:35" srcip="xx.xx.xx.xx" dstip="192.168.12.188" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="1252" tcpflags="RST"
2020:05:29-13:33:36 utm ulogd[23981]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="00:15:5d:0c:62:35" srcip="xx.xx.xx.xx" dstip="192.168.12.188" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="1252" tcpflags="RST"

What is srcip="xx.xx.xx.xx"?

Cheers - Bob

That is our customer's VPN gateway IP address.

You might try opening a case with Sophos Support.  I suspect that one of the packetfilter timeouts needs to be increased and they might know which one without doing a packet capture.  Please let us know what they say.

Cheers - Bob

I have opened a case. Thanks.

Sophos support has come to conclusion that I need to ask my customer why they are terminating connection.  Not very helpful seeing as I told them everything works fine when things do not go through UTM.  Classic one vendor blaming the other.  Really wasted a lot of time on this, time to move on.

Thank for those who replied!

Brian, you have a PM.

Cheers - Bob