SSL-VPN

Dear all,

I am not able to connect to my internal network through SSL-VPN. Can someone help me find where the problem is?

Here is the log file:

Mon Nov 01 16:28:11 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Nov 01 16:28:11 2021 Attempting to establish TCP connection with [AF_INET]192.168.10.2:8443 [nonblock]
Mon Nov 01 16:28:11 2021 MANAGEMENT: >STATE:1635780491,TCP_CONNECT,,,,,,
Mon Nov 01 16:28:12 2021 TCP connection established with [AF_INET]192.168.10.2:8443
Mon Nov 01 16:28:12 2021 TCPv4_CLIENT link local: [undef]
Mon Nov 01 16:28:12 2021 TCPv4_CLIENT link remote: [AF_INET]192.168.10.2:8443
Mon Nov 01 16:28:12 2021 MANAGEMENT: >STATE:1635780492,WAIT,,,,,,
Mon Nov 01 16:28:12 2021 MANAGEMENT: >STATE:1635780492,AUTH,,,,,,
Mon Nov 01 16:28:12 2021 TLS: Initial packet from [AF_INET]192.168.10.2:8443, sid=76a04405 ce282c32
Mon Nov 01 16:28:12 2021 VERIFY OK: depth=1, C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Default_CA_IhUBaUk0QMxUMzm, emailAddress=na@example.com
Mon Nov 01 16:28:12 2021 VERIFY X509NAME OK: C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Appliance_Certificate_Msmuj2KJdzamsAo, emailAddress=na@example.com
Mon Nov 01 16:28:12 2021 VERIFY OK: depth=0, C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Appliance_Certificate_Msmuj2KJdzamsAo, emailAddress=na@example.com
Mon Nov 01 16:28:13 2021 Connection reset, restarting [0]
Mon Nov 01 16:28:13 2021 SIGUSR1[soft,connection-reset] received, process restarting
Mon Nov 01 16:28:13 2021 MANAGEMENT: >STATE:1635780493,RECONNECTING,connection-reset,,,,,
Mon Nov 01 16:28:13 2021 Restart pause, 5 second(s)



Added TAGs
[edited by: emmosophos at 5:53 PM (GMT -7) on 1 Nov 2021]

Top Replies

  • Hello Nazir,

    Thank you for contacting the Sophos Community.

    The logs don't show the SSL VPN trying to connect to any public IP, but rather private IPs (unless you tried to obscure the public IPs). Does your XG have a public IP?

    If not, you’ll need to find the public IP of the upstream device and add that to the SSL VPN Override hostname (Configure >> VPN >> Show VPN Settings >> Override hostname).

    Regards,


     
    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
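
The reading of the client log given in the reply above (every connection attempt targets a private address) can be checked mechanically. This is an added example, not part of the original thread or of any Sophos tooling; the sample log is constructed from the line formats quoted in the thread, 203.0.113.10 is a documentation address standing in for a public WAN IP, and `summarize_remotes` and `private_remotes` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed sample modelled on the OpenVPN client log lines quoted in this thread.
SAMPLE_LOG = """\
Mon Nov 01 16:28:11 2021 Attempting to establish TCP connection with [AF_INET]192.168.10.2:8443 [nonblock]
Mon Nov 01 16:28:12 2021 TCP connection established with [AF_INET]192.168.10.2:8443
Mon Nov 01 16:28:13 2021 Connection reset, restarting [0]
Wed Nov 03 22:51:30 2021 Attempting to establish TCP connection with [AF_INET]192.168.20.101:8443 [nonblock]
Wed Nov 03 22:51:40 2021 TCP: connect to [AF_INET]192.168.20.101:8443 failed, will try again in 5 seconds: (error text)
Wed Nov 03 22:51:45 2021 Attempting to establish TCP connection with [AF_INET]203.0.113.10:8443 [nonblock]
"""

# Explicit RFC 1918 ranges: ipaddress.is_private would also match documentation ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EVENT = re.compile(
    r"(?P<kind>Attempting to establish TCP connection with"
    r"|TCP connection established with|TCP: connect to)"
    r" \[AF_INET\](?P<ip>[\d.]+):(?P<port>\d+)(?P<failed> failed)?"
)

def summarize_remotes(log_text):
    """Map each (ip, port) the client tried to its address class and last outcome."""
    remotes, current = {}, None
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if m:
            current = (m["ip"], int(m["port"]))
            addr = ipaddress.ip_address(m["ip"])
            entry = remotes.setdefault(
                current, {"rfc1918": any(addr in n for n in RFC1918), "outcome": ""})
            if m["kind"].startswith("Attempting"):
                entry["outcome"] = "no-result"           # a new attempt resets the state
            elif m["failed"]:
                entry["outcome"] = "tcp-connect-failed"  # never reached the listener
            else:
                entry["outcome"] = "tcp-established"
        elif "Connection reset" in line and current in remotes:
            # A reset only means something here if TCP had already come up.
            if remotes[current]["outcome"] == "tcp-established":
                remotes[current]["outcome"] = "reset-after-connect"
    return remotes

def private_remotes(log_text):
    """Remotes that can only be reached from inside the firewall's own networks."""
    return sorted(f"{ip}:{port}"
                  for (ip, port), e in summarize_remotes(log_text).items()
                  if e["rfc1918"])
```

A non-empty `private_remotes` result for a client that is supposed to connect from outside means the downloaded configuration still points at internal addresses; `reset-after-connect` versus `tcp-connect-failed` separates a listener that was reached and dropped the session from one that was never reached.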
  • Hello, 

    Before the XG Firewall I have a router, and below is my WAN subnet in the XG firewall.

  • Hi ,

    Is the upstream router (ISP) configured with a static IP or PPPoE?

    If it’s configured with a static IP, then define 'Override hostname' with that IP in SSL VPN settings on the XG firewall.

    For PPPoE with dynamic IP, you may configure dynamic DNS and use it to connect to SSL VPN.

    Thanks,
    Yash Kothari
    Global Community Support Engineer | Sophos Technical Support
  • Hello Yash,

    Thanks for your comment. Actually, I don't know what you mean by dynamic DNS and where I have to create that. Here is my network diagram and IP infrastructure. Can you please tell me what I should do and where I have to create a DDNS?

    Regards

    Nazir

  • Hi ,

    You can get the Dynamic DNS (DDNS) from supported (by XG) third-party DDNS providers and can use it to connect to SSL VPN.

    Once you have got the DDNS, you can add it to the Sophos firewall and map it to the NATed public IP.

    Dynamic DNS

    Thanks,
    Yash Kothari
    Global Community Support Engineer | Sophos Technical Support
  • Hi Yash,

    As you mentioned, I have created a DDNS, but I still have the same problem.

    Wed Nov 03 22:51:06 2021 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jul 3 2017
    Wed Nov 03 22:51:06 2021 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.09
    Enter Management Password:
    Wed Nov 03 22:51:06 2021 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
    Wed Nov 03 22:51:06 2021 Need hold release from management interface, waiting...
    Wed Nov 03 22:51:06 2021 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
    Wed Nov 03 22:51:06 2021 MANAGEMENT: CMD 'state on'
    Wed Nov 03 22:51:06 2021 MANAGEMENT: CMD 'log all on'
    Wed Nov 03 22:51:06 2021 MANAGEMENT: CMD 'hold off'
    Wed Nov 03 22:51:06 2021 MANAGEMENT: CMD 'hold release'
    Wed Nov 03 22:51:15 2021 MANAGEMENT: CMD 'username "Auth" "nheravi"'
    Wed Nov 03 22:51:15 2021 MANAGEMENT: CMD 'password [...]'
    Wed Nov 03 22:51:15 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Wed Nov 03 22:51:15 2021 Attempting to establish TCP connection with [AF_INET]192.168.10.2:8443 [nonblock]
    Wed Nov 03 22:51:15 2021 MANAGEMENT: >STATE:1635976275,TCP_CONNECT,,,,,,
    Wed Nov 03 22:51:25 2021 TCP: connect to [AF_INET]192.168.10.2:8443 failed, will try again in 5 seconds: Das System hat versucht, einem Verzeichnis, das sich auf einem mit JOIN zugeordneten Laufwerk befindet, ein Laufwerk mit SUBST zuzuordnen.
    Wed Nov 03 22:51:25 2021 SIGUSR1[soft,init_instance] received, process restarting
    Wed Nov 03 22:51:25 2021 MANAGEMENT: >STATE:1635976285,RECONNECTING,init_instance,,,,,
    Wed Nov 03 22:51:25 2021 Restart pause, 5 second(s)
    Wed Nov 03 22:51:30 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Wed Nov 03 22:51:30 2021 Attempting to establish TCP connection with [AF_INET]192.168.20.101:8443 [nonblock]
    Wed Nov 03 22:51:30 2021 MANAGEMENT: >STATE:1635976290,TCP_CONNECT,,,,,,
    Wed Nov 03 22:51:40 2021 TCP: connect to [AF_INET]192.168.20.101:8443 failed, will try again in 5 seconds: Das System hat versucht, einem Verzeichnis, das sich auf einem mit JOIN zugeordneten Laufwerk befindet, ein Laufwerk mit SUBST zuzuordnen.
    Wed Nov 03 22:51:40 2021 SIGUSR1[soft,init_instance] received, process restarting
    Wed Nov 03 22:51:40 2021 MANAGEMENT: >STATE:1635976300,RECONNECTING,init_instance,,,,,
    Wed Nov 03 22:51:40 2021 Restart pause, 5 second(s)
    Wed Nov 03 22:51:45 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Wed Nov 03 22:51:45 2021 Attempting to establish TCP connection with [AF_INET]10.255.0.1:8443 [nonblock]
    Wed Nov 03 22:51:45 2021 MANAGEMENT: >STATE:1635976305,TCP_CONNECT,,,,,,
    Wed Nov 03 22:51:55 2021 TCP: connect to [AF_INET]10.255.0.1:8443 failed, will try again in 5 seconds: Das System hat versucht, einem Verzeichnis, das sich auf einem mit JOIN zugeordneten Laufwerk befindet, ein Laufwerk mit SUBST zuzuordnen.
    Wed Nov 03 22:51:55 2021 SIGUSR1[soft,init_instance] received, process restarting
    Wed Nov 03 22:51:55 2021 MANAGEMENT: >STATE:1635976315,RECONNECTING,init_instance,,,,,
    Wed Nov 03 22:51:55 2021 Restart pause, 5 second(s)
    Wed Nov 03 22:52:00 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Wed Nov 03 22:52:00 2021 Attempting to establish TCP connection with [AF_INET]192.168.10.2:8443 [nonblock]
    Wed Nov 03 22:52:00 2021 MANAGEMENT: >STATE:1635976320,TCP_CONNECT,,,,,,
    Wed Nov 03 22:52:09 2021 SIGTERM[hard,init_instance] received, process exiting
    Wed Nov 03 22:52:09 2021 MANAGEMENT: >STATE:1635976329,EXITING,init_instance,,,,,

  • Hi ,

    You'll need to re-install the user configuration file after configuring DDNS on Sophos XG. You can also define DDNS hostname as an override hostname in SSL VPN settings.

    Thanks,
    Yash Kothari
    Global Community Support Engineer | Sophos Technical Support
  • Hi Yash, 

    I have applied your instructions, but unfortunately it is still not working. I think maybe it did not resolve the IPv6; when I ping the DNS from outside it shows me IPv6, see below.

  • I did DNS lookup and got the correct IP address for starroute.ddns.net

    > server 8.8.8.8
    Default Server: dns.google
    Address: 8.8.8.8

    > starroute.ddns.net
    Server: dns.google
    Address: 8.8.8.8

    Non-authoritative answer:
    Name: starroute.ddns.net
    Address: 80.145.240.133

    Ensure that you have a NAT rule (port forwarding) configured on the ISP router for SSL VPN port 8443.

    Thanks,
    Yash Kothari
    Global Community Support Engineer | Sophos Technical Support
  • Hi Yash, 

    I have done the NAT on the ISP router but it still doesn't work; I have even changed the port from 8443 to 443, but still the same problem.

    I think there should be a problem with the configuration of the VPN, because I cannot even connect to SSL VPN from my local network.

    Regards

    Nazir