This article describes the steps to troubleshoot SSL VPN remote access connectivity and data transfer issues. Before proceeding to troubleshoot, please verify that the SSL VPN remote access is configured correctly by following Sophos XG Firewall: How to configure SSL VPN remote access.
Applies to the following Sophos products and versions: Sophos Firewall
Make sure that the SSL VPN service is selected for WAN interface under Administration > Device Access.
Make sure the SSL VPN users are accessing the portal using the port configured under Administration > Admin Settings.
Make sure that the proper certificate is associated with the SSL VPN users. Using the appliance certificate is recommended; regenerate the certificate if required. For more details, please refer to Sophos XG Firewall: Self signed certificates are not supported as SSL server certificate in SSL VPN.
Go to Log Viewer and filter the Log Comp to SSL VPN Client.
Log in to the command line interface (CLI) and select 4. Device Console. Run the following command, which uses the default SSL VPN port 8443, and analyse the output.
tcpdump "port 8443"
Log in to the command line interface (CLI), select 5. Device Management and then 3. Advanced Shell, and type the following command:
tail -f /log/sslvpn.log
Right click SSL VPN Client from your PC taskbar and select View Log.
Go to Authentication > Users and confirm that the SSL VPN user is allowed two or more simultaneous logins if that user connects from more than one machine at the same time.
When the logs show an Auth-failure error message, verify the authentication method under Authentication > Services > SSL VPN Authentication Methods.
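As an added example (not part of the original article and not Sophos code), the following Python script reads SSL VPN client log lines and maps common message patterns to the checks described in the steps above. The sample lines are constructed; the Sophos SSL VPN client is OpenVPN-based, but the exact wording on a given client version may differ, so the regular expressions are assumptions to adjust against the log you actually see under View Log or in /log/sslvpn.log.

```python
import re
from collections import Counter

# Constructed sample lines in the style of an OpenVPN-based client log.
# Timestamps, addresses and message text are invented for this example.
SAMPLE_LOG = """\
2024-01-15 09:12:01 TCP connection established with [AF_INET]203.0.113.10:8443
2024-01-15 09:12:02 VERIFY ERROR: depth=0, error=self signed certificate
2024-01-15 09:12:02 TLS Error: TLS handshake failed
2024-01-15 09:12:20 AUTH: Received control message: AUTH_FAILED
2024-01-15 09:12:40 TCP: connect to [AF_INET]203.0.113.10:8443 failed: Connection timed out
2024-01-15 09:13:05 Initialization Sequence Completed
"""

# Each rule: (pattern, short label, the check from the article it points to).
# Patterns are assumed OpenVPN-style strings, not an official Sophos message catalogue.
RULES = [
    (re.compile(r"AUTH_FAILED"), "auth-failure",
     "Check Authentication > Services > SSL VPN Authentication Methods "
     "and the user's simultaneous-login limit under Authentication > Users."),
    (re.compile(r"TLS Error|VERIFY ERROR"), "tls-certificate",
     "Check the certificate bound to SSL VPN; regenerate the appliance certificate if required."),
    (re.compile(r"connect to .* failed|Connection timed out|Connection refused"), "unreachable",
     "Check that SSL VPN is enabled for WAN under Administration > Device Access "
     "and that the client uses the port configured under Administration > Admin Settings."),
    (re.compile(r"Initialization Sequence Completed"), "connected",
     "Tunnel is up; if resources stay unreachable, check the firewall rule "
     "and Permitted Network Resources."),
]


def triage(log_text):
    """Return a list of (label, hint, line) for every line that matches a rule.

    The first matching rule wins, so order RULES from most to least specific.
    """
    findings = []
    for line in log_text.splitlines():
        for pattern, label, hint in RULES:
            if pattern.search(line):
                findings.append((label, hint, line.strip()))
                break
    return findings


def summarize(log_text):
    """Count findings per label, e.g. Counter({'tls-certificate': 2, ...})."""
    return Counter(label for label, _, _ in triage(log_text))


if __name__ == "__main__":
    for label, hint, line in triage(SAMPLE_LOG):
        print(f"[{label}] {line}\n    -> {hint}")
    print(dict(summarize(SAMPLE_LOG)))
```

Run it against a saved copy of the client log (for example by replacing SAMPLE_LOG with the file's contents) to get a quick count of which failure class dominates before walking through the individual checks.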
In the event that the SSL VPN connects successfully but users are not able to reach the allowed resources behind the Sophos XG Firewall, verify that a firewall rule has been created and configured. If a specific service is selected in this rule, try allowing any service and check the connectivity again.
Log in to the command line interface (CLI) and select 4. Device Console. Verify that the internal allowed resource is accessible from the Sophos XG Firewall itself; as an example, ping an internal resource from the Sophos XG Firewall's console. If the allowed resources are not accessible from the Sophos XG Firewall, they will not be accessible from the WAN side either.
Make sure that the physical ports of the Sophos XG Firewall are not allowed in the Permitted Network Resources (IPv4) of the Tunnel Access section under VPN > SSL VPN (Remote Access). If they are allowed, the SSL VPN user will not be able to access the internal network. Instead, create a new IP Host/Network for SSL VPN user access.
Log in to the command line interface (CLI) and select 4. Device Console to run the following command, which uses the default SSL VPN port 8443.
drop-packet-capture "port 8443"
Verify that the WAN port of the Sophos XG Firewall is not allowed under VPN > SSL VPN (Remote Access) > Tunnel Access > Permitted Network Resources (IPv4). If it is allowed, the SSL VPN client could disconnect frequently.
Note: As a last resort, try uninstalling the SSL VPN remote access client and reinstall it.
Even though the option Use as default gateway in the SSL VPN remote access policy is enabled, internet traffic goes through the endpoint's local internet connection rather than the SSL VPN adapter.
To resolve this issue and force the internet traffic through the SSL VPN adapter, verify the endpoint's routing table and prioritize the SSL VPN adapter through its metric. You can also disable the endpoint's other local interface routes if you do not need them; that way the internet traffic is forced to flow over the SSL VPN adapter and thus through the XG Firewall.
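To make the routing-table check concrete, here is an added Python example (not from the original article or Sophos) that parses a constructed excerpt in the layout of the IPv4 route table printed by `route print` on Windows, applies the usual selection rule (longest prefix match, then lowest metric) to decide which adapter carries traffic to a given destination, and models the effect of lowering the VPN adapter's interface metric. The addresses, the choice of 10.81.234.6 as the SSL VPN adapter and 192.168.1.50 as the local LAN adapter, and the metric values are all assumptions made for the example.

```python
import ipaddress

# Constructed excerpt in the layout of the "IPv4 Route Table" block printed by
# `route print` on Windows. Addresses and metrics are invented for this example;
# 10.81.234.6 is assumed to be the SSL VPN adapter, 192.168.1.50 the local LAN adapter.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50      25
          0.0.0.0          0.0.0.0      10.81.234.1     10.81.234.6     281
      10.81.234.0    255.255.255.0          On-link     10.81.234.6     281
      172.16.16.0    255.255.255.0      10.81.234.1     10.81.234.6     281
      192.168.1.0    255.255.255.0          On-link    192.168.1.50     281
"""

VPN_ADAPTER_IP = "10.81.234.6"  # assumed address of the SSL VPN adapter


def parse_routes(text):
    """Parse route-print style lines into dicts; the header and unparsable lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            net = ipaddress.IPv4Network((parts[0], parts[1]), strict=False)
            iface = ipaddress.IPv4Address(parts[3])
            metric = int(parts[4])
        except ValueError:
            continue
        routes.append({"net": net, "gateway": parts[2], "iface": iface, "metric": metric})
    return routes


def select_route(routes, destination):
    """Pick the route the host uses: longest prefix first, then lowest metric."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dst in r["net"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["net"].prefixlen, r["metric"]))


def egress_interface(routes, destination):
    """Return the interface address (as a string) that carries traffic to destination."""
    route = select_route(routes, destination)
    return None if route is None else str(route["iface"])


def lower_interface_metric(routes, iface_ip, amount):
    """Model lowering an adapter's interface metric: every route on that adapter gets cheaper.

    Returns a new list; the input is left unchanged.
    """
    iface = ipaddress.IPv4Address(iface_ip)
    return [
        dict(r, metric=max(0, r["metric"] - amount)) if r["iface"] == iface else dict(r)
        for r in routes
    ]


if __name__ == "__main__":
    routes = parse_routes(ROUTE_PRINT)
    # Internet-bound traffic: both default routes match, the cheaper local one wins.
    print("Internet via:", egress_interface(routes, "8.8.8.8"))
    # Internal subnet: the more specific /24 pushed by the VPN wins regardless of metric.
    print("Internal via:", egress_interface(routes, "172.16.16.10"))
    # After lowering the VPN adapter's metric, the VPN default route wins too.
    fixed = lower_interface_metric(routes, VPN_ADAPTER_IP, 270)
    print("Internet after lowering VPN metric:", egress_interface(fixed, "8.8.8.8"))
```

The script shows why the symptom appears: internal subnets reach the tunnel through their specific routes, while internet traffic follows whichever default route has the lower metric. On a real Windows endpoint the metric is changed on the adapter (for example with Set-NetIPInterface -InterfaceMetric or in the adapter's IPv4 advanced properties) and verified by running route print again.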