
Public IP address needed in override hostname?

Hello Sophos community,

I bought a Sophos XG 106 for home use and to learn more about internet security. 

But now, I have a question about the VPN access from: https://community.sophos.com/kb/en-us/122769

I followed all steps but I was wondering what I have to type in the "override hostname" field?

Do I need to add my public IP from my internet ISP here?

Because when I try to connect with the VPN client I see this in the logs:

Wed Dec 18 12:07:12 2019 Attempting to establish TCP connection with [AF_INET]84.197.138.2:8443 [nonblock]
Wed Dec 18 12:07:12 2019 MANAGEMENT: >STATE:1576667232,TCP_CONNECT,,,,,,
Wed Dec 18 12:07:22 2019 TCP: connect to [AF_INET]84.197.138.2:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
Wed Dec 18 12:07:27 2019 MANAGEMENT: >STATE:1576667247,TCP_CONNECT,,,,,,
Wed Dec 18 12:07:37 2019 TCP: connect to [AF_INET]84.197.138.2:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
Wed Dec 18 12:07:42 2019 MANAGEMENT: >STATE:1576667262,TCP_CONNECT,,,,,,
Wed Dec 18 12:07:52 2019 TCP: connect to [AF_INET]84.197.138.2:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
Wed Dec 18 12:07:57 2019 MANAGEMENT: >STATE:1576667277,TCP_CONNECT,,,,,,

So I can't seem to connect to my firewall through VPN, but I have no clue what's wrong with my current config.

Thanks a lot

regards

Frederiek



  • Hi  

    Yes, you need to put the public IP of the ISP in the override hostname. The NAT device (ISP router or modem) has to be configured to forward the SSL VPN connection to the XG Firewall.

    Override Hostname: This sets the SSL VPN client configuration file to use this public IP when establishing the connection.

    Please re-download the config file after setting up the public IP of the ISP and check the SSL VPN status; this will fix the issue.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Hello,

    Thanks for your reply.

    I changed the hostname override to my public IP.

    I re-downloaded the config file and when I try to connect, I still get this error:


    Wed Dec 18 13:20:55 2019 Attempting to establish TCP connection with [AF_INET]84.197.138.2:8443 [nonblock]
    Wed Dec 18 13:20:55 2019 MANAGEMENT: >STATE:1576671655,TCP_CONNECT,,,,,,
    Wed Dec 18 13:21:05 2019 TCP: connect to [AF_INET]84.197.138.2:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
    Wed Dec 18 13:21:10 2019 MANAGEMENT: >STATE:1576671670,TCP_CONNECT,,,,,,

  • Is the IP of the subnet OK?

    These are my DHCP settings, by the way.

    And the VPN firewall rule is on top.

  • Hi,


    First, is your ISP router in bridge mode? Are you authenticating with XG? If it isn't, then you will need to create a DMZ zone to your XG, or port forward to it; if yes, then see below.


    Your configuration seems fine, just remember to do this before:

    1) If there's any need, allow VPN access to WAN in the Rules.

    2) Since it's home usage, use a domain as hostname instead of an IP; you can even use Sophos DDNS for this.

    3) Change the IPv4 lease range to something more sane.

    4) In SSL VPN, don't forget to put the XG or your DNS server IP in the settings.

    5) There's no need to open any port in the Firewall Rules; it opens automatically when you create an SSL VPN server.


    And lastly, the error you're getting, "The system tried to join a drive to a directory on a joined drive.", is known in Sophos UTM; some people had luck changing the SSL VPN port.

    Also you can use UDP instead of TCP if you need a bit more throughput.


    After you connect to the VPN, don't forget to enable anything that you find necessary for it, such as allow the use of Web Proxy, DNS, or authentication methods in Administration => Device Access.


    Thanks,



    Ryzen 5600U + I226-V (KVM) v21 EAP @ Home

    Sophos ZTNA (KVM) @ Home

  • FormerMember (in reply to Frederiek Pascal)

    Hi Frederiek Pascal,

    You would have to forward port 8443 from your ISP equipment to the WAN interface of the firewall.

    Thanks,


  • This is already done.

    Port 84.197.138.2:8443 is open.

    Still not working...
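    The two things worth verifying at this point are whether anything actually answers on the forwarded port from outside the LAN, and what the client log is really saying. The failure lines in this thread arrive about ten seconds after each TCP_CONNECT state, which is the signature of a connect that timed out (no SYN-ACK, i.e. the port is filtered or not forwarded) rather than one that was refused. The script below is an added example, not code from the thread or from Sophos or OpenVPN: it parses a constructed log sample shaped like the one posted above, classifies each failure by delay, and offers a plain TCP reachability probe (no data is sent) that you would run from a host outside your LAN against the public address and port. The self-test checks the probe only against a loopback listener.

```python
import re
import socket
from datetime import datetime

# Constructed sample log, shaped like the OpenVPN 2.3 client output posted in
# the thread (one attempt, two failures ten seconds after each TCP_CONNECT).
SAMPLE_LOG = """\
Sun Dec 22 14:06:54 2019 Attempting to establish TCP connection with [AF_INET]84.197.138.2:8449 [nonblock]
Sun Dec 22 14:06:54 2019 MANAGEMENT: >STATE:1577020014,TCP_CONNECT,,,,,,
Sun Dec 22 14:07:04 2019 TCP: connect to [AF_INET]84.197.138.2:8449 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
Sun Dec 22 14:07:09 2019 MANAGEMENT: >STATE:1577020029,RESOLVE,,,,,,
Sun Dec 22 14:07:09 2019 MANAGEMENT: >STATE:1577020029,TCP_CONNECT,,,,,,
Sun Dec 22 14:07:19 2019 TCP: connect to [AF_INET]84.197.138.2:8449 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
"""

TS_FMT = "%a %b %d %H:%M:%S %Y"  # OpenVPN 2.x ctime-style timestamp
TS_RE = re.compile(r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<msg>.*)$")
CONNECT_RE = re.compile(r"MANAGEMENT: >STATE:\d+,TCP_CONNECT")
FAIL_RE = re.compile(
    r"TCP: connect to \[AF_INET\](?P<host>[\d.]+):(?P<port>\d+) failed.*?: (?P<reason>.+)$"
)


def triage(log_text, slow_after=5.0):
    """Summarise connect failures per endpoint.

    Returns {(host, port): {"failures": n, "slow": n, "fast": n, "reasons": {...}}}.
    A failure logged `slow_after` seconds or more after the preceding TCP_CONNECT
    state is "slow" (the connect ran into its timeout: nothing answered), anything
    quicker is "fast" (something answered and actively refused).
    """
    summary = {}
    last_connect = None
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        msg = m.group("msg")
        if CONNECT_RE.search(msg):
            last_connect = ts
            continue
        f = FAIL_RE.search(msg)
        if not f:
            continue
        key = (f.group("host"), int(f.group("port")))
        entry = summary.setdefault(key, {"failures": 0, "slow": 0, "fast": 0, "reasons": {}})
        entry["failures"] += 1
        delay = (ts - last_connect).total_seconds() if last_connect else 0.0
        entry["slow" if delay >= slow_after else "fast"] += 1
        reason = f.group("reason")
        entry["reasons"][reason] = entry["reasons"].get(reason, 0) + 1
    return summary


def tcp_reachable(host, port, timeout=3.0):
    """Attempt one TCP connect and return (ok, detail). Nothing is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        return False, "timeout: no answer (port filtered or not forwarded)"
    except OSError as exc:
        return False, f"error: {exc.strerror or exc}"


def selftest_probe():
    """Probe a loopback listener, then the same port once the listener is gone."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
    listener.listen(1)
    port = listener.getsockname()[1]
    open_ok, _ = tcp_reachable("127.0.0.1", port, timeout=2.0)
    listener.close()
    closed_ok, _ = tcp_reachable("127.0.0.1", port, timeout=2.0)
    return open_ok, closed_ok


if __name__ == "__main__":
    for (host, port), info in triage(SAMPLE_LOG).items():
        print(f"{host}:{port}: {info['failures']} failures, "
              f"{info['slow']} slow (timeout), {info['fast']} fast (refused)")
        for reason, n in info["reasons"].items():
            print(f"  {n}x {reason}")
        # From a host outside the LAN, probe the real endpoint the log names:
        # print(tcp_reachable(host, port))
    print("self-test (listener open, listener closed):", selftest_probe())
```

    If the probe from outside reports a timeout while the firewall's own SSL VPN service is up, the problem sits in front of the firewall (the ISP router's forwarding rule or a carrier-grade NAT), which is consistent with the "slow" classification of every failure in the posted logs.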

  • I did everything you asked and still it's not working. I got this error:


    Sun Dec 22 13:24:27 2019 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jul 3 2017
    Sun Dec 22 13:24:27 2019 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.09
    Enter Management Password:
    Sun Dec 22 13:24:27 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Sun Dec 22 13:24:27 2019 Need hold release from management interface, waiting...
    Sun Dec 22 13:24:27 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Sun Dec 22 13:24:27 2019 MANAGEMENT: CMD 'state on'
    Sun Dec 22 13:24:27 2019 MANAGEMENT: CMD 'log all on'
    Sun Dec 22 13:24:27 2019 MANAGEMENT: CMD 'hold off'
    Sun Dec 22 13:24:27 2019 MANAGEMENT: CMD 'hold release'
    Sun Dec 22 13:24:43 2019 MANAGEMENT: CMD 'username "Auth" "frederiekpascal"'
    Sun Dec 22 13:24:43 2019 MANAGEMENT: CMD 'password [...]'
    Sun Dec 22 13:24:43 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Sun Dec 22 13:24:43 2019 MANAGEMENT: >STATE:1577017483,RESOLVE,,,,,,
    Sun Dec 22 13:24:43 2019 Attempting to establish TCP connection with [AF_INET]84.197.138.2:8443 [nonblock]
    Sun Dec 22 13:24:43 2019 MANAGEMENT: >STATE:1577017483,TCP_CONNECT,,,,,,
    Sun Dec 22 13:24:53 2019 TCP: connect to [AF_INET]84.197.138.2:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
    Sun Dec 22 13:24:58 2019 MANAGEMENT: >STATE:1577017498,RESOLVE,,,,,,
    Sun Dec 22 13:24:58 2019 MANAGEMENT: >STATE:1577017498,TCP_CONNECT,,,,,,


    I do have a question about something which is not clear for me.


    In the KB they mention this:


    Defining local subnet and remote SSL VPN range

    Go to Hosts and Services > IP Host and define the local subnet behind Sophos Firewall.


    My question, the subnet you have to define, is that the current subnet you are using on your network? 

    I mean my IP is 192.168.0.66 at this moment, so the subnet I have to add in this section is 192.168.0.0?

  • If you search on this forum, you will see 5 posts with the same problem as you: "failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive."

    Most of them fixed it by changing the SSL VPN port to something else.

    Frederiek Pascal said:
    Sun Dec 22 13:24:53 2019 TCP: connect to [AF_INET]84.197.138.2:8443

    Your connection is still on 8443; change it to something else.

    From the posts here in the forum, 4 of them fixed this by changing the SSL VPN port.

    You will also find some people with the same error on the OpenVPN forums; most of them had this error because there was another service running on the same port. I don't know why this would happen on XG.


    Frederiek Pascal said:
    My question, the subnet you have to define, is that the current subnet you are using on your network? 


    Yes, it's correct; you need to define the subnet you're currently using on your LAN, and another one for SSL VPN.


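    The subnet answer above can be checked mechanically: the LAN network is the host address masked by the LAN prefix, and the SSL VPN range must be a second, disjoint private network. The script below is an added example, not code from the thread or from Sophos. It takes the host address from the thread (192.168.0.66) and assumes a /24 mask, which the thread does not state; the VPN range 10.81.234.0/24 and the WAN addresses are constructed placeholders. It also flags the case the accepted answer turns on: if the address the firewall sees on its WAN side is private or carrier-grade NAT space, the override hostname must be the upstream router's public address, and inbound forwarding has to exist there.

```python
import ipaddress

# RFC 6598 shared address space used by ISPs for carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def lan_subnet(host_ip, prefix_len=24):
    """Network containing host_ip for the given prefix length.

    The prefix length is an assumption (the thread never states the mask);
    /24 is the usual home LAN. 192.168.0.66/24 -> 192.168.0.0/24.
    """
    return ipaddress.ip_interface(f"{host_ip}/{prefix_len}").network


def check_vpn_plan(lan_host, lan_prefix, vpn_range, wan_ip=None):
    """Sanity-check the addresses the KB procedure asks for.

    Returns a list of human-readable problems; an empty list means the plan is
    consistent. Checks that the SSL VPN range does not overlap the LAN subnet
    and, if wan_ip is given, that it is an address a remote client can reach.
    """
    problems = []
    lan = lan_subnet(lan_host, lan_prefix)
    vpn = ipaddress.ip_network(vpn_range, strict=False)
    if lan.overlaps(vpn):
        problems.append(f"SSL VPN range {vpn} overlaps LAN subnet {lan}; pick a disjoint range")
    if wan_ip is not None:
        w = ipaddress.ip_address(wan_ip)
        if w in CGNAT:
            problems.append(
                f"{w} is carrier-grade NAT space (100.64.0.0/10); inbound port "
                "forwarding is not possible without the ISP's cooperation"
            )
        elif w.is_private:
            problems.append(
                f"{w} is a private address, so the firewall sits behind a NAT router: "
                "the override hostname must be the router's public address and the "
                "router must forward the SSL VPN port to the firewall's WAN interface"
            )
    return problems


if __name__ == "__main__":
    print("LAN subnet for 192.168.0.66/24:", lan_subnet("192.168.0.66"))
    # Constructed inputs: VPN range and WAN addresses are placeholders.
    for wan in (None, "192.168.1.2", "100.70.1.2"):
        print(wan, "->", check_vpn_plan("192.168.0.66", 24, "10.81.234.0/24", wan_ip=wan) or "ok")
    print("overlapping range ->", check_vpn_plan("192.168.0.66", 24, "192.168.0.128/25"))
```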

  • Hi there,

    Thanks for your answer.

    I tried another port once because you recommended that indeed, but it wasn't working either...

    So I switched it back to 8443 afterwards.

    I did it again now; here's the log:

    Sun Dec 22 14:06:36 2019 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jul 3 2017
    Sun Dec 22 14:06:36 2019 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.09
    Enter Management Password:
    Sun Dec 22 14:06:36 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Sun Dec 22 14:06:36 2019 Need hold release from management interface, waiting...
    Sun Dec 22 14:06:36 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Sun Dec 22 14:06:36 2019 MANAGEMENT: CMD 'state on'
    Sun Dec 22 14:06:36 2019 MANAGEMENT: CMD 'log all on'
    Sun Dec 22 14:06:36 2019 MANAGEMENT: CMD 'hold off'
    Sun Dec 22 14:06:36 2019 MANAGEMENT: CMD 'hold release'
    Sun Dec 22 14:06:54 2019 MANAGEMENT: CMD 'username "Auth" "frederiekpascal"'
    Sun Dec 22 14:06:54 2019 MANAGEMENT: CMD 'password [...]'
    Sun Dec 22 14:06:54 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Sun Dec 22 14:06:54 2019 MANAGEMENT: >STATE:1577020014,RESOLVE,,,,,,
    Sun Dec 22 14:06:54 2019 Attempting to establish TCP connection with [AF_INET]84.197.138.2:8449 [nonblock]
    Sun Dec 22 14:06:54 2019 MANAGEMENT: >STATE:1577020014,TCP_CONNECT,,,,,,
    Sun Dec 22 14:07:04 2019 TCP: connect to [AF_INET]84.197.138.2:8449 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
    Sun Dec 22 14:07:09 2019 MANAGEMENT: >STATE:1577020029,RESOLVE,,,,,,
    Sun Dec 22 14:07:09 2019 MANAGEMENT: >STATE:1577020029,TCP_CONNECT,,,,,,
    Sun Dec 22 14:07:19 2019 TCP: connect to [AF_INET]84.197.138.2:8449 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
    Sun Dec 22 14:07:24 2019 MANAGEMENT: >STATE:1577020044,RESOLVE,,,,,,
    Sun Dec 22 14:07:24 2019 MANAGEMENT: >STATE:1577020044,TCP_CONNECT,,,,,,

  • Well, that's strange; I can't reproduce this error on my XG. This error doesn't look like it's XG's fault; it can be the client you're using that's causing this.

    Well,

    One question: what client are you using for the connection? Are you using the bundled client + config from the user portal, or did you download another client and just add the config?

    By the build date in the logs, it looks like the client from the user portal.

    If it is, have you tried another client?



  • Hi there,

    I did the trial and error on a windows 10 laptop with the config & client from the user portal indeed.

    I'll try Tunnelblick on my Macbook and report to you :-) 

    Thanks!
