
Site to Site SSL VPN failing when sending traffic through

Hi All, 

I am hoping you guys can help me; I have been working on this for the past 8 hours with no luck.

We have recently changed our internet provider for one of our satellite offices in a remote part of WA, Australia. The previous connection was a 10/10Mbps SDSL (static IP). The new connection is a 4G dongle in a cradle with an aerial on the roof (dynamic IP).

Hardware Setup

Site A - Main office - has a SG230 UTM 9 Device
Site B - Satellite Office - has a SG210 UTM 9 Device 

VPN Settings.

Server - Site A
Interface Address: Any
Protocol: TCP
Port: 4333
Hostname overridden: 116.x.y.z

Client: Site B
Interface Address: Any
Protocol: TCP
Port: 4333
Override Hostname: None

The VPN provides Site B access to the main office (Site A) resources; this includes print and VOIP servers. For the past two years the server-client setup has worked with no issues.

After the install of the new internet connection, the VPN connects with no issues. We can ping all subnets from each side of the tunnel. The issue starts when we try to access resources and send any amount of traffic through the tunnel. Even when we log into the Site B device from Site A through the tunnel, the tunnel times out and blocks any further traffic. The only option is to stop and restart the tunnel.

Whilst testing the VPN connection we ran an MTR trace on a machine inside Site B, and although the VPN connection drops out, the internet connection does not, i.e. this seems to be a configuration or routing problem rather than an issue with the internet connection.


We have tried the following things to resolve the issue: 

1. Recreated both ends of the tunnel and copied across the settings files from server to client

2. We noticed that the MTR would not work with an MTU size higher than 1370. We changed the 4G connection to 1350; it still did not work.

3. All firewall and NAT rules are correct, as the initial connection allows ping and tracert to all required resources. However, we removed and re-added them from scratch.

Does anyone have any idea what could be causing this? We are using Telstra as the 4G provider; has anyone had any issues with their kit before?

Any advice would be greatly appreciated. 

Thanks

Charlie

  • This still sounds like possible MTU conflicts.

    Try to ping with larger packets like this (from Windows):

    ping -f -l 1350 remote.host.address

    This will tell PING to use a 1350 byte packet (-l 1350) that cannot be fragmented (-f). If it fails, try smaller values until you find a value that works.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
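An added helper, not from this post, that automates the ping test just described: it binary-searches the largest payload that still gets through with the DF bit set and reports the resulting path MTU. The probe is injectable so the search logic can be checked offline; `remote.host.address` and the 500..1472 search bounds are assumptions.

```python
import re
import subprocess
import sys
from typing import Callable

# Every ping payload rides inside a 20-byte IPv4 header plus an 8-byte ICMP header,
# so the largest unfragmented payload plus 28 equals the path MTU.
IP_ICMP_OVERHEAD = 28

# Windows ping prints "Packet needs to be fragmented but DF set."; Linux ping reports
# "Frag needed" or "message too long" when DF stops a packet on the way out.
FRAG_NEEDED = re.compile(r"needs to be fragmented|frag needed|message too long", re.IGNORECASE)
REPLY_OK = re.compile(r"bytes=\d+|bytes from", re.IGNORECASE)


def classify_ping_output(output: str) -> bool:
    """True when an unfragmented reply came back; False on a DF rejection or no reply."""
    if FRAG_NEEDED.search(output):
        return False
    return bool(REPLY_OK.search(output))


def ping_df(host: str, payload: int) -> bool:
    """Send one ping with DF set: 'ping -f -l' on Windows, 'ping -M do -s' on Linux."""
    if sys.platform.startswith("win"):
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload), host]
    else:
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload), host]
    result = subprocess.run(cmd, capture_output=True, text=True)
    return classify_ping_output(result.stdout + result.stderr)


def find_max_payload(probe: Callable[[int], bool], lo: int = 500, hi: int = 1472) -> int:
    """Binary-search the largest payload 'probe' accepts in [lo, hi]; 0 if even lo fails."""
    if not probe(lo):
        return 0
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu(probe: Callable[[int], bool], lo: int = 500, hi: int = 1472) -> int:
    """Path MTU in bytes derived from the largest DF payload, or 0 if nothing got through."""
    payload = find_max_payload(probe, lo, hi)
    return payload + IP_ICMP_OVERHEAD if payload else 0


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "remote.host.address"  # assumed placeholder
    print("path MTU:", path_mtu(lambda n: ping_df(target, n)))
```

With the 1370 figure from the original post, the search would stop at a 1342-byte payload; a UTM SSL VPN then needs headroom below that for its own TCP/TLS encapsulation.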

  • Hi apijnappels,

    Thanks for the reply, we tried several different versions of the MTU size, even taking it right down to 500. This unfortunately didn't solve it.

    After another day of scratching our heads, we eventually resorted to changing the protocol from TCP to UDP in - Site-to-site > SSL > Settings.

    This fixed the issue with the site-to-site disconnecting. Unfortunately, as there is only one instance of VPN server on the device, we now have to reconfigure all our remote access clients to use the UDP protocol.

    For anyone who has this type of issue. If you have staff that are already using the remote access VPN client.

    1. If the staff member has admin access to their machine - Ask them to download the config files again from the user portal.

    2. If the staff member does not have admin access, you can either:

    Manually change the .ovpn config file on their machine - C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config\username@ip.address.of.server.ovpn. In the file, look for the part that says proto and change from tcp to udp

    or

    Download a new version of the file from the user portal and install with admin privileges

    Hope this helps someone with a similar issue.
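An added helper for the manual-edit option above; it is not from the post or from Sophos. It rewrites every TCP transport directive in an OpenVPN client profile to UDP (both the `proto` line and the optional protocol argument on a `remote` line), keeps a .bak copy, and reports how many lines changed. The sample profile and the path in the usage line are constructed placeholders.

```python
import re
import sys
from pathlib import Path
from typing import Tuple

# OpenVPN takes the transport either as "proto tcp|tcp-client" or as an optional third
# argument on "remote <host> <port> tcp"; both forms are rewritten. A trailing comment
# (# or ;) is preserved, and lines that are themselves comments never match.
_PROTO_LINE = re.compile(r"^(\s*proto\s+)(tcp-client|tcp)(\s*(?:[#;].*)?)$")
_REMOTE_LINE = re.compile(r"^(\s*remote\s+\S+\s+\d+\s+)(tcp-client|tcp)(\s*(?:[#;].*)?)$")


def switch_to_udp(config_text: str) -> Tuple[str, int]:
    """Return (rewritten profile, number of lines changed); CRLF/LF endings are kept."""
    changed = 0
    out = []
    for line in config_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        m = _PROTO_LINE.match(body) or _REMOTE_LINE.match(body)
        if m:
            body = m.group(1) + "udp" + m.group(3)
            changed += 1
        out.append(body + eol)
    return "".join(out), changed


def convert_profile(path: str, dry_run: bool = False) -> int:
    """Rewrite the profile on disk byte-for-byte apart from the protocol; keep a .bak copy."""
    p = Path(path)
    original = p.read_bytes().decode("utf-8")
    rewritten, changed = switch_to_udp(original)
    if changed and not dry_run:
        p.with_name(p.name + ".bak").write_bytes(original.encode("utf-8"))
        p.write_bytes(rewritten.encode("utf-8"))
    return changed


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. the username@server.ovpn file under the Sophos config folder
        print("lines changed:", convert_profile(sys.argv[1]))
    else:  # constructed sample profile so the script runs without a real file
        sample = "client\r\nproto tcp  # from portal\r\nremote vpn.example 4333\r\ndev tun\r\n"
        print(switch_to_udp(sample)[0])
```

The server-side port stays 4333; only the transport changes, so any firewall in front of a remote worker must permit outbound UDP to that port.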

  • Hi,

    Good it works now. You'll also likely find that your VPN speed will increase by using UDP rather than TCP. However, your remote workers might run into issues making a connection when, at some remote location, there's a restricting firewall policy; that will also need to allow outgoing UDP traffic on the requested port.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
