
Troubleshooting SSL VPN Connection UTM 9.5

Good afternoon folks,

I hope someone can help me here...

We use SG210 Firewalls and have a 'guest' wifi set up on it with no content filtering on it (the policies are all set to allow all traffic out). However I had a visitor here the other day who wished to connect back to his office via his SSL VPN. Coincidentally his company also uses Sophos firewalls (XG). However when he tried to connect to his VPN he got a 'host not found' error. I also get the same error if I connect to this wifi network and attempt to connect to our own VPN.

Both VPNs worked fine when connecting off a hotspot created from a mobile phone.

Does anyone have any ideas as to what could be causing this? The error clearly points to DNS issues... We have our own internal DNS and Google's DNS (8.8.8.8) configured in the firewalls.

This is a particular nuisance for me as when our users have issues connecting from home, I'm unable to test our VPN connection from within the office without creating a hotspot from my phone and eating my data allowance!

Any help would be greatly appreciated.

Thanks,

Darren

  • Hi Darren and welcome to the UTM Community!

    Lots of possibilities - let's start with a picture of the 'Server Settings' box from 'Remote Access >> SSL VPN'.

    Cheers - Bob
    PS I moved this thread to here from the General Discussion forum.

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob and thanks.

    Please see the picture as requested:

    Thanks,

    Darren

  • It's not Bob no. We have "SSL VPN Users (User Group Network)" in there...


    Darren

  • What happens if you replace that object with "VPN Pool (SSL)," Darren?

    Cheers - Bob

  • I've not had a chance to make the change as yet Bob. I'll hopefully do it over the weekend sometime so will let you know how it goes.

    Thanks again.

    Darren

  • Hi Bob,

    I made that change and tested, but it made no difference I'm afraid.

    Thanks,

    Darren

  • What does vpn.yourcompany.co.uk resolve to inside this WiFi network?

    Cheers - Bob

  • It can't be resolved. I get the following from the client:

    "Server: UnKnown

    *** Server UnKnown can't find vpn.keelys.co.uk: No response from server."

    If I do a DNS lookup from the UTM itself, this also fails:

    Trying "vpn.keelys.co.uk"
    Host vpn.keelys.co.uk not found: 3(NXDOMAIN)
    Received 84 bytes from 127.0.0.1#53 in 0 ms
    Received 84 bytes from 127.0.0.1#53 in 0 ms

    Thanks,

    Darren

  • How does your configuration compare to DNS best practice?

    Cheers - Bob

  • I've made a couple of changes Bob in line with the best practices, but still no luck.

    I'm beginning to wonder if the issue could be linked to our internal domain name being the same as our external (i.e. keelys.co.uk)!?

    Regards

    Darren

  • I can see how that might affect your accesses, but not how your guest's attempt to get out would be affected.

    If you want the internal users to get DNS resolution for your domain that differs from your public authoritative name server, you need a Forward Lookup Zone in your internal DNS server or to have the UTM provide this.  For example, I might have your domain used as the DNS Hostname in a Host object that points at the IP of "Internal (Address)" - that would fix your SSL VPN testing needs.

    Still, the fact that the guest couldn't get out seems to indicate that the WiFi network is not allowed DNS access.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
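The two failure modes Bob separates above (an internal zone that shadows the public one versus a guest network that cannot reach any resolver at all) can be told apart by asking the internal resolver and a public one the same question and comparing the RCODEs. This is an added diagnostic written for this thread, not code from Sophos or from any poster; the resolver addresses and the hostname are whatever you pass in.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TXID = 0x1234  # fixed transaction id; acceptable for a one-shot diagnostic


def build_query(name):
    """Build a recursive A/IN query (RFC 1035 wire format) for the given name."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = [label.encode() for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(resp):
    """Return (rcode name, answer count) from the header of a raw DNS response."""
    rid, flags, _qdcount, ancount = struct.unpack("!HHHH", resp[:8])
    if rid != TXID or not flags & 0x8000:  # must match our id and have QR=1
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    return RCODES.get(rcode, f"RCODE{rcode}"), ancount


def query(name, resolver, timeout=3.0):
    """Ask one resolver directly over UDP/53. A timeout is reported as NORESPONSE,
    which is what nslookup prints as 'No response from server'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (resolver, 53))
        data, _ = sock.recvfrom(512)
        return parse_response(data)
    except socket.timeout:
        return "NORESPONSE", 0
    finally:
        sock.close()


def classify(internal, public):
    """Compare the internal resolver's verdict with a public resolver's and name the likely cause."""
    (irc, ians), (prc, pans) = internal, public
    if irc == "NORESPONSE" and prc == "NORESPONSE":
        return "DNS_BLOCKED"    # nothing answers: the network is not allowed DNS out
    if irc == "NOERROR" and ians > 0:
        return "OK"             # the internal resolver answers; DNS is not the problem
    if prc == "NXDOMAIN":
        return "NOT_PUBLIC"     # the name is missing from the public zone as well
    if irc in ("NXDOMAIN", "NOERROR") and prc == "NOERROR" and pans > 0:
        return "SPLIT_DNS_GAP"  # internal zone shadows the public one and lacks this record
    return "INCONCLUSIVE"


def diagnose(name, internal_resolver, public_resolver="8.8.8.8"):
    return classify(query(name, internal_resolver), query(name, public_resolver))
```

Run from a client on the guest network as `diagnose("vpn.keelys.co.uk", "<internal resolver IP>")`: SPLIT_DNS_GAP points at the missing Forward Lookup Zone or UTM host object, DNS_BLOCKED at the guest network's firewall rules.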
  • Thanks Bob. I'll give your suggestion a try for our internal VPN testing.

    With regards to guests' VPN access out, I won't be able to test this until we have another guest come in I suppose. Unless I connect a laptop to our guest wifi and try to connect to our VPN (so technically would be outside of our LAN)... Would that suit as a test do you think? Internet access all seems to work fine for devices on the guest wifi and I can't see any traffic being blocked/dropped on that network when VPNs attempt to connect. So that's why I'm a bit lost...

    Thanks as always Bob.
