Firewall single Official IP with NAT causes SSLVPN not to work

Can you show us an packet capture from the Webadmin under Packet-capture? Then check for the port under bpf string. 

Hi Markus,

Thank you for reaching out to Sophos Community.

Have you tried to use any how-to videos, documentation, Sophos Assistant, or KBA to try to check the issue?

Also, In addition, can you also check the IP4 lease range setting in the SSL VPN? Kindly see the reference below. 

Sophos Firewall: SSL VPN "IPv4 lease range" changes in SFOS 19

Hi,

I am sorry for my late answer.

No, I have not been watching Howto's as this is not my only Firewall, but I have invested hours on rading KB Articles an Debugging on the Appliance.

@Erick: Thank yo for the Reply, but I am not able to pass to this Point. All Packets are dropped immediately, before the SSLVPN-Session is established - So I do not even get an IP within the VPN-Network.

@LuCar:

in dropped-packets log I can see something like this:
console> drop-packet-capture 'dst port 8443'
2023-01-30 13:23:25 0103021 IP 194.166.81.108.59611 > my.ip.v4.addr.8443 : proto UDP: packet len: 22 checksum : 9563
0x0000:  4500 002a 4e9a 4000 3911 aa50 c2a6 516c  E..*N.@.9..P..Ql
0x0010:  5d53 d772 e8db 20fb 0016 255b 3801 801f  ]S.r......%[8...
0x0020:  bb64 2031 f400 0000 0000                 .d.1......
Date=2023-01-30 Time=13:23:25 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=2 outzone_id=4 source_mac=20:83:f8:9f:04:de dest_mac=00:1a:8c:37:6e:49 bridge_name= l3_protocol=IPv4 source_ip=194.166.81.108 dest_ip=my.ip.v4.addr l4_protocol=UDP source_port=59611 dest_port=8443 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x8001 nfqueue=0 gateway_offset=0 connid=2584068600 masterid=0 status=256 state=0, flag0=824635817984 flags1=17179869184 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0

2023-01-30 13:23:27 0103021 IP 194.166.81.108.59611 > my.ip.v4.addr.8443 : proto UDP: packet len: 22 checksum : 9563
0x0000:  4500 002a 4ede 4000 3911 aa0c c2a6 516c  E..*N.@.9.....Ql
0x0010:  5d53 d772 e8db 20fb 0016 255b 3801 801f  ]S.r......%[8...
0x0020:  bb64 2031 f400 0000 0000                 .d.1......
Date=2023-01-30 Time=13:23:27 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=2 outzone_id=4 source_mac=20:83:f8:9f:04:de dest_mac=00:1a:8c:37:6e:49 bridge_name= l3_protocol=IPv4 source_ip=194.166.81.108 dest_ip=my.ip.v4.addr l4_protocol=UDP source_port=59611 dest_port=8443 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x8001 nfqueue=0 gateway_offset=0 connid=2584068600 masterid=0 status=256 state=0, flag0=824635817984 flags1=17179869184 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0

when looking to tcpdump i can also see that the Packets arrive:

SFVH_SO01_SFOS 19.0.1 MR-1-Build365# tcpdump "port 8443"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
13:26:15.576985 Port2, IN: IP my.client.ip.addr.60054 > my.ip.v4.addr.8443: UDP, length 14
13:26:17.900527 Port2, IN: IP my.client.ip.addr.60054 > my.ip.v4.addr.8443: UDP, length 14
13:26:21.388821 Port2, IN: IP my.client.ip.addr.60054 > my.ip.v4.addr.8443: UDP, length 14
13:26:29.556703 Port2, IN: IP my.client.ip.addr.60054 > my.ip.v4.addr.8443: UDP, length 14
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel

Do you have SSLVPN enabled on WAN Zone in Device Access? 

Hello Markus,

can you please show us your settings like mine are here:

Hi,

I currently do not have a Screenshot here, but I can tell you.

Protocol is UDP, not TCP

As Certificate I use the Default Appliance Cert.
Port is 8443

The IPv4 is set to some 10.x.x.x Subnet - I hope it does not matter if it is in Use in another Zone (LAN or WAN).

I am not using IPv6, so there is just some IP set as it is required.

Lease Mode: IPv4 only

Use Static IP Address is not checked.

Thank you for the Reply.

Yes, it is enabled and I also tried multiple times to turn it off and on again.

Best Regards, Markus

Now I updated to Sophos 19.5 as I expected a Solution in the new Version.

Now it states out that sslvpn Service is down - I already generated a new Certificate and assigned it in SSLVPN-Settings, but the Service keeps down with these Messages in sslvpn.log:

2023-02-11 16:00:47Z [22655] OpenVPN 2.4.7 i486-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  8 2022
2023-02-11 16:00:47Z [22655] library versions: OpenSSL 1.1.1q  5 Jul 2022, LZO 2.09
2023-02-11 16:00:47Z [22655] Error reading from nsgenc while decrypting, length 0
: No such file or directory (errno=2)
2023-02-11 16:00:47Z [22655] Exiting due to fatal error

Does anybody have an Idea? From my point of View I think there is no Certificate in Place, even if it is.

thank you for any replies!

Markus

So now as described in the Post below, this is the current config:

In the Meantime I changed the Port back from 8443 to 1194.

And I tried with TCP and UDP.

But as mentioned in the Post below since updating to Sophos 19.5 the Service does not start any more at all.

I appreciate any recommendation.

Thank you!

Markus

Hi,

I think I managed to solve it on my own after enabeling Debug Mode on Management Interface and checking /log/sslvpn.log in advanced shell.

The Reason was that a unused SSLVPN-Client config was still in Place, but maybe was not migrated propperly and due to that the SSLVPN Service crashed all the time as a File could not be found.

After deletion of Site-to-Site SSLVPN Configs (Client and Server) the Service started again.

Anyway: thank you for the Hints!

best Regards,

Markus