
SSLVPN not allowing single VPN subnet

I have an SSLVPN profile set up for my remote users.

In the permissioned networks I have only our office supernet.

When connected to the SSLVPN I can reach other resources through our Site-to-Site IPSec VPNs. These subnets are not encompassed in our office supernet, and are not defined in our SSLVPN profile.

There is one Site-to-site IPSec VPN tunnel that I cannot reach while connected to the Client SSLVPN. When I do a packet capture I get an SSL VPN Violation.

I have a couple of questions:

1) Why is this subnet different than our other IPSec subnets? Am I missing a definition or a zone or a detail that would stop our firewall from allowing us to reach it? Any tips for a direction to start looking in would be greatly appreciated.

2) If I add this one VPN subnet to our SSLVPN Profile will all of my users have to re-download their config files again? This really isn't an option for me as I have hundreds of users.

Thanks for your time.



  • FormerMember
    +1 FormerMember

    Hey Elizabeth, thanks for reaching out to Sophos Community.

    An SSL VPN violation usually indicates that the requested IP address wasn't allowed to be accessed by the SSL VPN policy. It would be good if you shared the network information about the supernet and the IP that is not getting accessed. You can choose to use a different network with a similar subnet if you don't want to share the exact network information.

    2) If I add this one VPN subnet to our SSLVPN Profile will all of my users have to re-download their config files again? This really isn't an option for me as I have hundreds of users.

    The answer to this would be no; you don't need to re-download the config files if you make changes in "Permitted network resources" under the SSL VPN policy. Permitted network information is pushed after a successful SSL VPN authentication.

  • Under the Permitted networks in our SSLVPN Policy we have:

    192.168.0.0/16

    The VPN subnet that is NOT accessible is:

    172.16.0.0/16

    An example of a VPN subnet that IS accessible (and not listed under permitted networks):

    10.75.0.0/16

  • FormerMember
    0 FormerMember in reply to Elizabeth Owen

    Hi,

    Could you please help me with the below information?

    ==> Is 'Use as default gateway' enabled in SSL VPN remote access policy?

    ==> Were there any changes done in the SSL VPN remote access policy?

    ==> Did you remove 10.75.0.0/16 network recently from Permitted network resources (IPv4)?

    ==> Share an output of the below command from the end machine after connecting the SSL VPN client.

    Open the command prompt and enter the below command:

    C:\Users\test>route print

  • ==> Is 'Use as default gateway' enabled in SSL VPN remote access policy?

    Yes

    ==> Were there any changes done in the SSL VPN remote access policy?

    No

    ==> Did you remove 10.75.0.0/16 network recently from Permitted network resources (IPv4)?

    No, it was never in the permitted network resources. The only one that was ever in there was 192.168.0.0/16.

    ==> Share an output of the below command from the end machine after connecting the SSL VPN client.


    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 10.200.1.1 10.200.1.148 35
    0.0.0.0 128.0.0.0 192.168.50.5 192.168.50.26 258
    192.168.50.0 255.255.254.0 On-link 192.168.50.26 258
    192.168.50.26 255.255.255.255 On-link 192.168.50.26 258
    192.168.51.255 255.255.255.255 On-link 192.168.50.26 258
    127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
    127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
    127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
    128.0.0.0 128.0.0.0 192.168.50.5 192.168.50.26 258
    FW PUBLIC IP 255.255.255.255 10.200.1.1 10.200.1.148 291
    169.254.0.0 255.255.0.0 On-link 169.254.14.34 281
    169.254.14.34 255.255.255.255 On-link 169.254.14.34 281
    169.254.255.255 255.255.255.255 On-link 169.254.14.34 281
    172.21.240.0 255.255.240.0 On-link 172.21.240.1 271
    172.21.240.1 255.255.255.255 On-link 172.21.240.1 271
    172.21.255.255 255.255.255.255 On-link 172.21.240.1 271
    10.200.1.0 255.255.255.0 On-link 10.200.1.148 291
    10.200.1.148 255.255.255.255 On-link 10.200.1.148 291
    10.200.1.255 255.255.255.255 On-link 10.200.1.148 291
    224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
    224.0.0.0 240.0.0.0 On-link 10.200.1.148 291
    224.0.0.0 240.0.0.0 On-link 169.254.14.34 281
    224.0.0.0 240.0.0.0 On-link 192.168.50.26 258
    224.0.0.0 240.0.0.0 On-link 172.21.240.1 271
    255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
    255.255.255.255 255.255.255.255 On-link 10.200.1.148 291
    255.255.255.255 255.255.255.255 On-link 169.254.14.34 281
    255.255.255.255 255.255.255.255 On-link 192.168.50.26 258
    255.255.255.255 255.255.255.255 On-link 172.21.240.1 271
    ===========================================================================
    Persistent Routes:
    None

    IPv6 Route Table
    ===========================================================================
    Active Routes:
    If Metric Network Destination Gateway
    1 331 ::1/128 On-link
    4 258 fe80::/64 On-link
    58 271 fe80::/64 On-link
    4 258 fe80::c8b1:839b:a46f:63ee/128 On-link
    58 271 fe80::fc5e:3b41:e248:48f/128 On-link
    1 331 ff00::/8 On-link
    4 258 ff00::/8 On-link
    58 271 ff00::/8 On-link
    ===========================================================================
    Persistent Routes:
    None
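As an added illustration (not code from any post in this thread or from Sophos), the following script parses the IPv4 section of a Windows `route print` dump like the one above, finds the longest-prefix-match route for a destination, and applies the check the Sophos reply describes: traffic that takes the tunnel route and falls outside the permitted networks (here 192.168.0.0/16) is flagged as an SSL VPN violation. The tunnel gateway 192.168.50.5 and the route rows are taken from the posted table; the host addresses looked up are constructed, and the thread's observation that 10.75.0.0/16 is reachable despite not being permitted is not modelled.

```python
# Added example: route lookup + SSL VPN permitted-network check over a
# `route print` excerpt. Route rows come from the thread; lookups are constructed.
import ipaddress

# Constructed excerpt of the posted IPv4 table. The masked "FW PUBLIC IP" row is
# kept on purpose to show that rows which do not parse are skipped.
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 10.200.1.1 10.200.1.148 35
0.0.0.0 128.0.0.0 192.168.50.5 192.168.50.26 258
128.0.0.0 128.0.0.0 192.168.50.5 192.168.50.26 258
192.168.50.0 255.255.254.0 On-link 192.168.50.26 258
FW PUBLIC IP 255.255.255.255 10.200.1.1 10.200.1.148 291
172.21.240.0 255.255.240.0 On-link 172.21.240.1 271
10.200.1.0 255.255.255.0 On-link 10.200.1.148 291
"""

# Permitted network resources (IPv4) from the SSL VPN policy in the thread.
PERMITTED = [ipaddress.ip_network("192.168.0.0/16")]
TUNNEL_GW = "192.168.50.5"  # gateway of the 0.0.0.0/1 and 128.0.0.0/1 routes


def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples, skipping any row
    that is not exactly five fields or whose destination/netmask do not parse."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5:
            continue
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[1]}", strict=False)
            routes.append((net, f[2], f[3], int(f[4])))
        except ValueError:
            continue  # header, separator or masked row
    return routes


def lookup(routes, dst):
    """Longest prefix match; lower metric breaks ties (Windows selection order)."""
    addr = ipaddress.ip_address(dst)
    cands = [r for r in routes if addr in r[0]]
    return max(cands, key=lambda r: (r[0].prefixlen, -r[3])) if cands else None


def classify(routes, dst, tunnel_gw=TUNNEL_GW):
    """'local' if the chosen route does not go via the tunnel gateway; otherwise
    'permitted' or 'violation' according to the SSL VPN permitted network list."""
    r = lookup(routes, dst)
    if r is None or r[1] != tunnel_gw:
        return "local"
    hit = any(ipaddress.ip_address(dst) in n for n in PERMITTED)
    return "permitted" if hit else "violation"
```

With "Use as default gateway" enabled, the two /1 routes send everything not covered by a more specific on-link route into the tunnel, so the permitted-network list on the firewall is what decides reachability.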
