SSL VPN and User Portal not responding after migrating to new hardware

I migrated my software UTM (9.351-3) to new hardware a couple of days ago. I maintained the same version and imported the exported config from the old hardware. The old hardware had 5 network interfaces but one was unused and not assigned to any purpose. The new hardware has 4 network interfaces. I moved around some of the interfaces to my preferred arbitrary network ports which I have come to expect anytime I have to do a config import.

Everything worked except Dyndns which was trying to update the host entry with the non-routable IP that my ISP assigns to my External WAN interface. I had to change the dyndns update method from interface to web and then it updated the host correctly.

But then I found I could not remote access into the UTM. Just times out. I could sporadically get connected to the user portal and SSL VPN when inside the network. I checked with the Management:User Portal:Network Settings and the interface was set to Any. I changed it to External (WAN) address. Also checked out the Remote Access:SSL:Settings interface address and it changed already to External (WAN) address. I stopped and started both User portal and SSL VPN Remote Access Profile. But I still cannot get connected to the 443 port and see the User Portal nor does SSL VPN get a response when connecting outside the network. The user portal now no longer works from inside the network (when I changed the interface address from any). Adding in Any to the Allowed networks did not help.

Everything worked on the old hardware so I am not sure why Remote Access is not working on the new hardware. Any advice?

Here is a snippet from the openvpn log on the UTM:

2016:05:20-08:47:07 myfirewall openvpn[4665]: MANAGEMENT: Client connected from /var/run/openvpn_mgmt
2016:05:20-08:47:07 myfirewall openvpn[4665]: MANAGEMENT: CMD 'status -1'
2016:05:20-08:47:17 myfirewall openvpn[4665]: MANAGEMENT: Client disconnected

While chewing on Sachin's response, and noting how there were only server poll timeouts in the openvpn client log (iOS), I realized early Tuesday morning that my ISP router (2Wire) needed to be set to the new hardware (new MAC address on my ethernet card attached to the ISP router). Otherwise the ISP router just treats the UTM as a client and enforces the ISP router's firewall and NAT onto the UTM. This explained why, when I changed over to the new UTM hardware, the external WAN IP address on the UTM changed from a routable IP address to a non-routable IP address, which Dyndns dutifully updated for my hostname (when the update method was set to interface). I did not pick up on the UTM external WAN IP address being non-routable as "everything" seemed to be working. In retrospect, all my custom inbound port mappings/rules I set up on the UTM were being blocked, like Checkpoint VPN, by the ISP router. Understandably, the inbound TCP 443 HTTPS that SSL VPN and the user portal use was also being blocked. Hence the openvpn client log showing timeouts and no connections seen in the UTM OpenVPN log.

On the 2Wire ISP router, I had to go to Settings, Firewall: Applications, Pinholes and DMZ tab, select the active ethernet connection in step 1 and then choose Allow All Applications (DMZplus mode) in step 2. Once I went back to the UTM and clicked the renew button in my external WAN interface (under Interfaces and Routing:Interfaces), I watched the WAN IP change from non-routable to a normal routable IP. I remember setting this DMZplus mode years ago but totally forgot about it.

I was able to verify the user portal and SSL VPN worked just fine after getting the ISP router to treat my new UTM in DMZplus mode.

Thanks Sachin and Bob for your help and replies.
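The failure mode above (the UTM's WAN interface holding a non-routable address because the upstream ISP router was still doing NAT, and DynDNS publishing that address) can be caught before remote access silently breaks. The following check is an added example, not code from the thread or from Sophos: it classifies the address the interface-based DynDNS update would publish and compares it with what a web-based check would see. The sample addresses are constructed; the 2Wire router and UTM menu paths are only referenced in comments.

```python
import ipaddress

# Address blocks that the public Internet cannot reach. A WAN interface sitting in
# one of these means an upstream device (here the 2Wire ISP router) is NATing the
# firewall: inbound TCP 443 for the user portal / SSL VPN never arrives, and a
# DynDNS record built from the interface address is useless to remote clients.
NON_ROUTABLE = [
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),   # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),  # RFC 1918
    ipaddress.ip_network("100.64.0.0/10"),   # RFC 6598 carrier-grade NAT space
    ipaddress.ip_network("169.254.0.0/16"),  # link-local: no DHCP lease at all
    ipaddress.ip_network("127.0.0.0/8"),     # loopback
]


def is_routable(addr: str) -> bool:
    """True if addr is outside every block listed in NON_ROUTABLE."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_ROUTABLE)


def classify_wan(interface_ip: str, observed_ip: str) -> str:
    """Compare the WAN interface address with the address seen from outside.

    interface_ip: what the UTM's External (WAN) interface holds (DynDNS
                  'interface' update method would publish this).
    observed_ip:  what an external lookup returns (DynDNS 'web' update method).
    Returns a short verdict string starting with a fixed keyword.
    """
    if not is_routable(interface_ip):
        # Exactly the thread's situation: fix the upstream router (DMZplus /
        # bridge) and renew the WAN lease; until then only 'web' updates are valid.
        return "double-nat: upstream router is NATing the firewall"
    if interface_ip != observed_ip:
        return "mismatch: public interface address differs from observed address"
    return "ok: interface address is public and matches observed address"


if __name__ == "__main__":
    # Constructed sample: private lease behind the ISP router vs. the real public IP.
    print(classify_wan("192.168.1.64", "203.0.113.10"))
    # After DMZplus mode and a WAN renew, both sides agree.
    print(classify_wan("203.0.113.10", "203.0.113.10"))
```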
