Troubleshooting SSL VPN Connection UTM 9.5

Good afternoon folks,

I hope someone can help me here...

We use SG210 Firewalls and have a 'guest' wifi set up on it with no content filtering on it (the policies are all set to allow all traffic out). However I had a visitor here the other day who wished to connect back to his office via his SSL VPN. Coincidentally his company also use Sophos firewalls (XG). However when he tried to connect to his VPN he got a 'host not found' error. I also get the same error if I connect to this wifi network and attempt to connect to our own VPN.

Both VPNs worked fine when connecting off a hotspot created from a mobile phone.

Does anyone have any ideas as to what could be causing this? The error clearly points to DNS issues... We have our own internal DNS and Google's DNS (8.8.8.8) configured in the firewalls.

This is a particular nuisance for me as when our users have issues connecting from home, I'm unable to test our VPN connection from within the office without creating a hotspot from my phone and eating my data allowance!

Any help would be greatly appreciated.

Thanks,

Darren

  • Hi Darren and welcome to the UTM Community!

    Lots of possibilities - let's start with a picture of the 'Server Settings' box from 'Remote Access >> SSL VPN'.

    Cheers - Bob
    PS I moved this thread to here from the General Discussion forum.

  • In reply to BAlfson:

    Hi Bob and thanks.

    Please see the picture as requested:

    Thanks,

    Darren

  • In reply to Darren Walkeden:

    That's good, Darren, so we can eliminate some things.  Now, a picture of the Edit of the VPN SSL Profile.

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

    Settings as requested:

    The SSL VPN Users group is sync'd from a Security Group in Active Directory and the Internal Network is exactly as it is described.

    Thanks again

  • In reply to Darren Walkeden:

    Is "VPN Pool (SSL)" included in 'Allowed Networks' in DNS, Darren?

    Cheers - Bob

  • In reply to BAlfson:

    It's not, Bob, no. We have "SSL VPN Users (User Group Network)" in there...

    Darren

  • In reply to Darren Walkeden:

    What happens if you replace that object with "VPN Pool (SSL)," Darren?

    Cheers - Bob

  • In reply to BAlfson:

    I've not had a chance to make the change as yet Bob. I'll hopefully do it over the weekend sometime so will let you know how it goes.

    Thanks again.

    Darren

  • In reply to Darren Walkeden:

    Hi Bob,

    I made that change and tested, but it made no difference I'm afraid.

    Thanks,

    Darren

  • In reply to Darren Walkeden:

    What does vpn.yourcompany.co.uk resolve to inside this WiFi network?

    Cheers - Bob

  • In reply to BAlfson:

    It can't be resolved. I get the following from the client:

    "Server: UnKnown
    *** Server UnKnown can't find vpn.keelys.co.uk: No response from server."

    If I do a DNS lookup from the UTM itself, this also fails:

    Trying "vpn.keelys.co.uk"
    Host vpn.keelys.co.uk not found: 3(NXDOMAIN)
    Received 84 bytes from 127.0.0.1#53 in 0 ms
    Received 84 bytes from 127.0.0.1#53 in 0 ms

    Thanks,

    Darren

  • In reply to Darren Walkeden:

    How does your configuration compare to DNS best practice?

    Cheers - Bob

  • In reply to BAlfson:

    I've made a couple of changes, Bob, in line with the best practices, but still no luck.

    I'm beginning to wonder if the issue could be linked to our internal domain name being the same as our external (i.e. keelys.co.uk)!?

    Regards

    Darren

  • In reply to Darren Walkeden:

    I can see how that might affect your accesses, but not how your guest's attempt to get out would be affected.

    If you want the internal users to get DNS resolution for your domain that differs from your public authoritative name server, you need a Forward Lookup Zone in your internal DNS server or to have the UTM provide this.  For example, I might have your domain used as the DNS Hostname in a Host object that points at the IP of "Internal (Address)" - that would fix your SSL VPN testing needs.

    Still, the fact that the guest couldn't get out seems to indicate that the WiFi network is not allowed DNS access.

    Cheers - Bob
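    The comparison Bob is driving at (what the LAN resolver says versus what a public resolver says for the same VPN hostname) can be scripted so the check is repeatable from the guest WiFi. This is an added example, not code from this thread or from Sophos; it assumes the BIND `dig` tool is on PATH, and the hostname and resolver addresses are constructed placeholders.

```python
"""Compare how the VPN hostname resolves through the internal resolver and a
public one, then classify the pair the way the thread above reasons about it.
Added example, not code from this thread or from Sophos. Assumes the BIND
`dig` tool is on PATH; the hostname and resolver addresses are constructed."""
import re
import subprocess

TIMEOUT, NXDOMAIN, NODATA, ANSWER = "timeout", "nxdomain", "nodata", "answer"


def classify_dig(returncode, output):
    """Parse dig's exit code and text into (status, [A records])."""
    # dig exits 9 when no server replied (the guest-WiFi "no DNS egress" case).
    if returncode == 9 or "no servers could be reached" in output:
        return TIMEOUT, []
    status = re.search(r"status: (\w+)", output)
    if status and status.group(1) == "NXDOMAIN":
        return NXDOMAIN, []
    # Answer records look like: vpn.example.co.uk. 300 IN A 203.0.113.10
    addrs = re.findall(r"\sIN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})", output)
    return (ANSWER if addrs else NODATA), addrs


def query(name, resolver, timeout=3):
    """Ask one resolver directly, bypassing the client's configured DNS."""
    proc = subprocess.run(
        ["dig", f"@{resolver}", name, "A", f"+time={timeout}", "+tries=1"],
        capture_output=True, text=True)
    return classify_dig(proc.returncode, proc.stdout)


def diagnose(internal, public):
    """Map the two (status, addrs) results to the most likely cause."""
    i_status, i_addrs = internal
    p_status, p_addrs = public
    if i_status == TIMEOUT and p_status == TIMEOUT:
        return "no DNS egress: this network cannot reach any resolver"
    if p_status == TIMEOUT:
        return "public resolver unreachable: check DNS is allowed for this network"
    if p_status != ANSWER:
        return "record missing in the public zone: fix it at the authoritative server"
    if i_status == TIMEOUT:
        return "internal resolver unreachable from this network"
    if i_status in (NXDOMAIN, NODATA):
        return "split-horizon shadowing: the internal zone lacks a record for this host"
    if set(i_addrs) != set(p_addrs):
        return "split-horizon override: internal and public answers differ (may be intended)"
    return "DNS is consistent: look beyond name resolution"
```

    Run it from a client on the network under test as `diagnose(query("vpn.example.co.uk", "192.168.1.10"), query("vpn.example.co.uk", "8.8.8.8"))`, substituting the real hostname and internal resolver; an NXDOMAIN internally with a valid public answer is the shadowed-zone case Bob describes.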

  • In reply to BAlfson:

    Thanks Bob. I'll give your suggestion a try for our internal VPN testing.

    With regards to guests' VPN access out, I won't be able to test this until we have another guest come in, I suppose. Unless I connect a laptop to our guest wifi and try to connect to our VPN (so technically it would be outside of our LAN)... Would that suit as a test, do you think? Internet access all seems to work fine for devices on the guest wifi and I can't see any traffic being blocked/dropped on that network when VPNs attempt to connect. So that's why I'm a bit lost...

    Thanks as always Bob.