Remote access SSL VPN not working

Hi Mike,

maybe you run into a bug with mtu size of the external interface. do you use a cable provider?

check your mtu of external again. think you cant change it with the webinterface..

in this post there is fix described

https://community.sophos.com/products/unified-threat-management/f/hardware-installation-up2date-licensing/80641/sophos-utm-9-407-3-released

check that first and check your external mtu then to get a stable connection. after that can check ssl-vpn

I'm such a ding dong.

I was able to leverage that thread and disable the MTU auto-discover allowing me to manually set it to 1500 from 576. So that solved many other problems, I'm sure.

The error message continued in the LiveLog:

WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1563 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]

The problem was completely unrelated to MTU. I failed to enable the User Portal. I enabled it and boom.... the SSL VPN answered and I was able to remotely connect. <face palm>

Thanks for the lead on the MTU bug. That was HUGE. I was having issues with Outlook 2016 client sending email via RPC over HTTP to my Hosted Exchange deployment with Office365. That's now working.

General web browsing performance was really bad. Pages are loading much faster now.

Online FPS gaming on my PS4 was horribly bad. Unplayable actually. That's working fine now.

Hi Mike,

glad to help you fixing this out. the solution need to be pinned its difficult to find.

please mark my suggestion as answer for you so that others can see thread is answered. thanks.

Again, many thanks for the lead on the MTU bug.

Re: The Answer

The answer to the original problem (Remote Access SSL VPN not working) was not related to the MTU size despite the Live Log pointing us in that direction. The SSL VPN was not working, because I had not enabled the User Portal. Once I enabled the User Portal the SSL VPN would then answer the HTTPS client request.

Hi Mike Jeffers,

normally you dont have to activate the User Portal to use the SSL-VPN.

Best regards

DKNL

Hi Mike Jeffers,

normally you dont have to activate the User Portal to use the SSL-VPN.

Best regards

DKNL

Hello,

I have more or less same issue with UTM SSL VPN. I can though connect to VPN but unable to access the remote instance/machines after connecting. I have UTM appliance configured on AWS on external public subnet and want to connect to my internal instances. Can anyone suggest something. I have this kind of setup already on my other VPCs and working fine but this one seems to have some issue or i have some misconfiguration.

Thanks, 

Does doing #1 in Rulz provide any insight?

Cheers - Bob

Hi Bob,

I have already disabled IPS (checked the tabs as well). Intrusion Prevention , Application Control and Firewall logs does not show anything either.  I 've attached all the screenshots possible. 

1.  

2. 

3. 

4.

5

. 

6. 

Thanks, Vibhor, that really madee it easy to help you.

Since there was no indication in the logs, I anticipated finding a routing problem.  I suspect that adding "LR Subnet" to 'Local Networks' in the SSL VPN Profile will cause WebAdmin to create the necessary routes.  This will also make firewall rule #4 redundant.

I don't think the SNAT has any effect.

The "Internal Networks" group must include the "VPN Pool (SSL)" object or another masq rule is needed for it.

Firewall rule #2 is redundant if the following conditions are met:

• DNS Forwarders are set correctly
• The "VPN Pool (SSL) and "LR Subnet" objects are in DNS 'Allowed Networks'
• 'Remote Access >> Advanced' is configured correctly

Cheers - Bob

Hi Bob,

Thanks for the info , i tried everything you mentioned 

1. Added LR Subnet to Local networks in SSL VPN Profile 

2. Turned Off rule #4 in firewall

3. Added VPN Pool (SSL) in Internal Networks Object definition

4 . DNS Forwarders are set correctly

5.  The "VPN Pool (SSL) and "LR Subnet" objects are in DNS 'Allowed Networks'

6.  Remote Access >> Advanced' is configured correctly

After doing above disconnected VPN and tried again after reconnecting but its still the same.  Just for information DNS resolution is working fine after i connect to VPN. 

Just the instances are not reachable  and that surely seems to be a routing issue but where i 'm not able to figure out. Need your expert opinion.

Attached are the various screenshots

1. If you also want the SSL VPN users to access the Internet via the Tunnel, then you must add the "Internet" object.
2. Does the pool of IPs for the SSL VPN, 10.242.2.0/24, conflict with any other subnets defined in your environment?
3. I would have expected the first IP on RA_Advanced to be the IP of "Internal (Address)."  The second would be that of your AWS DNS which appears to be what you now have in the first position.

Once these things are done, the UTM is correctly configured.  You could go over the routing table with a fine-tooth comb to confirm there are no conflicts, but I believe that any further changes to fix routing and firewall issues will need to be in your VPC.  At least, that's where I'd spend time proving that the issue isn't some other mis-configuration in the UTM.

You should go ahead and get a case started with Sophos Support so that they can put someone inside your UTM instance to look around for other issues.

Cheers - Bob