

Public IP address needed in override hostname?

Hello Sophos community,

I bought a Sophos XG 106 for home use and to learn more about internet security.

But now, I have a question about the VPN access from: https://community.sophos.com/kb/en-us/122769

I followed all steps but I was wondering what I have to type in the "override hostname" field?

Do I need to add my public IP from my internet ISP here?

Because when I try to connect with the VPN client I see this in the logs:

Wed Dec 18 12:07:12 2019 Attempting to establish TCP connection with [AF_INET]84.197.138.2:8443 [nonblock]
Wed Dec 18 12:07:12 2019 MANAGEMENT: >STATE:1576667232,TCP_CONNECT,,,,,,
Wed Dec 18 12:07:22 2019 TCP: connect to [AF_INET]84.197.138.2:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
Wed Dec 18 12:07:27 2019 MANAGEMENT: >STATE:1576667247,TCP_CONNECT,,,,,,
Wed Dec 18 12:07:37 2019 TCP: connect to [AF_INET]84.197.138.2:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
Wed Dec 18 12:07:42 2019 MANAGEMENT: >STATE:1576667262,TCP_CONNECT,,,,,,
Wed Dec 18 12:07:52 2019 TCP: connect to [AF_INET]84.197.138.2:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
Wed Dec 18 12:07:57 2019 MANAGEMENT: >STATE:1576667277,TCP_CONNECT,,,,,,

So I can't seem to connect to my firewall through VPN, but I have no clue what's wrong with my current config.

Thanks a lot,

Regards,

Frederiek



  • Hi

    Yes, you need to put the public IP of your ISP in the override hostname. The NAT device (ISP router or modem) has to be configured to forward the SSL VPN connection to the XG Firewall.

    Override Hostname: This sets the SSL VPN client configuration file to use this public IP when establishing the connection.

    Please re-download the config file after setting up the public IP of your ISP and check the SSL VPN status; this will fix the issue.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

  • Hello,

    Thanks for your reply.

    I changed the hostname override to my public IP.

    I re-downloaded the config file and when I try to connect, I still get this error:

    Wed Dec 18 13:20:55 2019 Attempting to establish TCP connection with [AF_INET]84.197.138.2:8443 [nonblock]
    Wed Dec 18 13:20:55 2019 MANAGEMENT: >STATE:1576671655,TCP_CONNECT,,,,,,
    Wed Dec 18 13:21:05 2019 TCP: connect to [AF_INET]84.197.138.2:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
    Wed Dec 18 13:21:10 2019 MANAGEMENT: >STATE:1576671670,TCP_CONNECT,,,,,,

  • Hi

    I checked port 8443 status on https://ping.eu/port-chk/ and it is showing me closed.

    Please confirm if you are also getting the same status or result; if yes, then you need to check on that part.

    PFA.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

  • Sorry for my noob question, but where do I open this port? I thought this was done by following the "How to configure SSL VPN remote access" article.

    https://community.sophos.com/kb/en-us/122769 Here it's explained to add a firewall rule too, which I did, but I guess that's not for opening the port? :-)

  • I mean this firewall rule, like the one described in the KB.

  • FormerMember (in reply to Frederiek Pascal)

    Hi Frederiek Pascal,

    You have to forward port 8443 from your ISP device to the firewall's WAN interface IP address. By default port 8443 is open on the firewall if you have SSL VPN remote access configured.

    In your case the firewall is behind the ISP modem and has no direct access to the internet, so you have to follow that extra step.

    Thanks,
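
A small diagnostic that combines the two checks the replies above ask for: confirming from the OpenVPN client log that the connection never gets past the TCP handshake to the public IP and port, and testing whether that port answers at all. This is an added example, not code from this thread or from Sophos; the log lines embedded in it are constructed in the format the OpenVPN client log uses, with a documentation-range address in place of the poster's public IP, and the function names (`summarize_connect_failures`, `check_tcp_port`, `diagnose`) are this example's own.

```python
import re
import socket
from collections import Counter

# Constructed sample in the OpenVPN client log format quoted in this thread
# (the endpoint is a documentation-range address, not the poster's IP).
SAMPLE_LOG = """\
Wed Dec 18 12:07:12 2019 Attempting to establish TCP connection with [AF_INET]203.0.113.10:8443 [nonblock]
Wed Dec 18 12:07:12 2019 MANAGEMENT: >STATE:1576667232,TCP_CONNECT,,,,,,
Wed Dec 18 12:07:22 2019 TCP: connect to [AF_INET]203.0.113.10:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
Wed Dec 18 12:07:27 2019 MANAGEMENT: >STATE:1576667247,TCP_CONNECT,,,,,,
Wed Dec 18 12:07:37 2019 TCP: connect to [AF_INET]203.0.113.10:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
Wed Dec 18 12:07:42 2019 MANAGEMENT: >STATE:1576667262,TCP_CONNECT,,,,,,
"""

# Matches the retry line OpenVPN logs when the TCP handshake to the server fails.
FAIL_RE = re.compile(
    r"TCP: connect to \[AF_INET\](?P<host>[0-9.]+):(?P<port>\d+) failed"
    r".*?: (?P<reason>.+)$"
)


def summarize_connect_failures(log_text):
    """Count 'TCP: connect ... failed' lines per (host, port) and per OS error text.

    A steady stream of these, with no TLS or 'Connection reset' lines in
    between, means the client never completed a TCP handshake: nothing is
    answering on that public IP and port, which points at the NAT/port-forward
    in front of the firewall rather than at the SSL VPN configuration itself.
    """
    summary = {}
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        key = (m["host"], int(m["port"]))
        entry = summary.setdefault(key, {"failures": 0, "reasons": Counter()})
        entry["failures"] += 1
        entry["reasons"][m["reason"].strip()] += 1
    return summary


def check_tcp_port(host, port, timeout=5.0):
    """Classify a TCP endpoint the way an external port checker would.

    'open'        -> handshake completed, something listens behind the NAT
    'refused'     -> RST came back: address reachable, nothing listening there
    'timeout'     -> no answer at all: dropped by a firewall or no forward rule
    'unreachable' -> routing/DNS failure before any packet could be sent
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"


def diagnose(log_text, timeout=5.0):
    """Re-test every endpoint the log shows as failing and return the verdicts.

    This one reaches out to the live network, so run it from outside the LAN.
    """
    verdicts = {}
    for (host, port), entry in summarize_connect_failures(log_text).items():
        verdicts[(host, port)] = {
            "logged_failures": entry["failures"],
            "now": check_tcp_port(host, port, timeout),
        }
    return verdicts


def loopback_self_test():
    """Exercise check_tcp_port against a temporary loopback listener.

    Returns (verdict while listening, verdict after the listener is closed),
    which should be ('open', 'refused') on any host with a working loopback.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        while_open = check_tcp_port("127.0.0.1", port, timeout=2.0)
    finally:
        listener.close()
    after_close = check_tcp_port("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    for (host, port), entry in summarize_connect_failures(SAMPLE_LOG).items():
        print(f"{host}:{port} failed {entry['failures']}x -> {dict(entry['reasons'])}")
    print("loopback self-test:", loopback_self_test())
```

`diagnose()` re-tests every endpoint found in a pasted log against the live network, so run it from a machine outside the home LAN: hairpin NAT on an ISP modem can make the public IP look closed from inside even when the forward works. A `timeout` verdict after the override hostname has been set points at a missing port forward on the ISP device rather than at the XG's SSL VPN settings; `refused` means the forward reaches a host that has nothing listening on that port.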

  • Thanks for your answer!

    Which extra step do you mean?

    My configuration is an ISP modem (where the router function is disabled), then my Sophos, and then my access points for wifi.

  • Port 84.197.138.2:8443 is open.

    Still I got this error:

    Thu Dec 19 09:10:55 2019 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jul 3 2017
    Thu Dec 19 09:10:55 2019 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.09
    Enter Management Password:
    Thu Dec 19 09:10:55 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Thu Dec 19 09:10:55 2019 Need hold release from management interface, waiting...
    Thu Dec 19 09:10:56 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Thu Dec 19 09:10:56 2019 MANAGEMENT: CMD 'state on'
    Thu Dec 19 09:10:56 2019 MANAGEMENT: CMD 'log all on'
    Thu Dec 19 09:10:56 2019 MANAGEMENT: CMD 'hold off'
    Thu Dec 19 09:10:56 2019 MANAGEMENT: CMD 'hold release'
    Thu Dec 19 09:11:10 2019 MANAGEMENT: CMD 'username "Auth" "xxxxxxx"'
    Thu Dec 19 09:11:10 2019 MANAGEMENT: CMD 'password [...]'
    Thu Dec 19 09:11:10 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Thu Dec 19 09:11:10 2019 Attempting to establish TCP connection with [AF_INET]84.197.138.2:8443 [nonblock]
    Thu Dec 19 09:11:10 2019 MANAGEMENT: >STATE:1576743070,TCP_CONNECT,,,,,,
    Thu Dec 19 09:11:20 2019 TCP: connect to [AF_INET]84.197.138.2:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
    Thu Dec 19 09:11:25 2019 MANAGEMENT: >STATE:1576743085,TCP_CONNECT,,,,,,
    Thu Dec 19 09:11:35 2019 TCP: connect to [AF_INET]84.197.138.2:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
    Thu Dec 19 09:11:40 2019 MANAGEMENT: >STATE:1576743100,TCP_CONNECT,,,,,,
    Thu Dec 19 09:11:50 2019 TCP: connect to [AF_INET]84.197.138.2:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
    Thu Dec 19 09:11:55 2019 MANAGEMENT: >STATE:1576743115,TCP_CONNECT,,,,,,
    Thu Dec 19 09:12:05 2019 TCP: connect to [AF_INET]84.197.138.2:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.

    Anybody? :D

  • Is the IP of the subnet OK?

    These are my DHCP settings, btw.

    And the VPN firewall rule is on top.

  • Hi,

    First, is your ISP router in bridge? Are you authenticating with XG? If it isn't, then you will need to create a DMZ zone to your XG, or port forward to it; if yes, then see below.

    Your configuration seems fine, just remember to do this before:

    1) If there's any need, allow VPN access to WAN in the Rules.

    2) Since it's home usage, use a domain as hostname instead of an IP; you can even use Sophos DDNS for this.

    3) Change the IPv4 lease range to something more sane.

    4) In SSL VPN, don't forget to put the XG or your DNS server IP in the settings.

    5) There's no need to open any port in the Firewall Rules; it opens automatically when you create an SSL VPN server.

    And at last, the error you're getting, "The system tried to join a drive to a directory on a joined drive.", is known in Sophos UTM; some people had luck changing the SSL VPN port.

    Also you can use UDP instead of TCP if you need a bit more throughput.

    After you connect to the VPN, don't forget to enable anything that you find necessary for it, such as allowing the use of Web Proxy, DNS, or authentication methods in Administration => Device Access.

    Thanks,

    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home