Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 10 replies
  • Answers 1 answer
  • Subscribers 39 subscribers
  • Views 2456 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Firewall single Official IP with NAT causes SSLVPN not to work

Markus Steinbauer

Hi everybody,

I have done an Update from SFOS 18 to SFOS 19 and since the Update I am not able to connecto to SSLVPN any more.

In CLI I can see that all incomming Packets are dropped for SSLVPN when running (drop-packet-capture "port 1194").

But I can access SSH and HTTPS Management from Internet.

So I guesss the Problem is somehow caused by having NAT-Rules on the same official IP (Mailserver Port 25 and HTTPS-Server Port 443) and therefore the Appliance does not accept running SSLVPN on Port 1194 or Port 8443.

I would appreciate if somebody has a Solution on that, as I only have one Official IP and SSLVPN is not working at all (neither Site2Site, nor Client-VPN)

In SFOS 18.5 exactly the same setup was working.

Thank you!

Markus



This thread was automatically locked due to age.
Parents
  • 0

    Hi,

    I am sorry for my late answer.

    No, I have not been watching Howto's as this is not my only Firewall, but I have invested hours on rading KB Articles an Debugging on the Appliance.

    @Erick: Thank yo for the Reply, but I am not able to pass to this Point. All Packets are dropped immediately, before the SSLVPN-Session is established - So I do not even get an IP within the VPN-Network.

    @LuCar:

    in dropped-packets log I can see something like this:
    console> drop-packet-capture 'dst port 8443'
    2023-01-30 13:23:25 0103021 IP 194.166.81.108.59611 > my.ip.v4.addr.8443 : proto UDP: packet len: 22 checksum : 9563
    0x0000:  4500 002a 4e9a 4000 3911 aa50 c2a6 516c  E..*N.@.9..P..Ql
    0x0010:  5d53 d772 e8db 20fb 0016 255b 3801 801f  ]S.r......%[8...
    0x0020:  bb64 2031 f400 0000 0000                 .d.1......
    Date=2023-01-30 Time=13:23:25 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=2 outzone_id=4 source_mac=20:83:f8:9f:04:de dest_mac=00:1a:8c:37:6e:49 bridge_name= l3_protocol=IPv4 source_ip=194.166.81.108 dest_ip=my.ip.v4.addr l4_protocol=UDP source_port=59611 dest_port=8443 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x8001 nfqueue=0 gateway_offset=0 connid=2584068600 masterid=0 status=256 state=0, flag0=824635817984 flags1=17179869184 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0

    2023-01-30 13:23:27 0103021 IP 194.166.81.108.59611 > my.ip.v4.addr.8443 : proto UDP: packet len: 22 checksum : 9563
    0x0000:  4500 002a 4ede 4000 3911 aa0c c2a6 516c  E..*N.@.9.....Ql
    0x0010:  5d53 d772 e8db 20fb 0016 255b 3801 801f  ]S.r......%[8...
    0x0020:  bb64 2031 f400 0000 0000                 .d.1......
    Date=2023-01-30 Time=13:23:27 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=2 outzone_id=4 source_mac=20:83:f8:9f:04:de dest_mac=00:1a:8c:37:6e:49 bridge_name= l3_protocol=IPv4 source_ip=194.166.81.108 dest_ip=my.ip.v4.addr l4_protocol=UDP source_port=59611 dest_port=8443 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x8001 nfqueue=0 gateway_offset=0 connid=2584068600 masterid=0 status=256 state=0, flag0=824635817984 flags1=17179869184 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0

    when looking to tcpdump i can also see that the Packets arrive:

    SFVH_SO01_SFOS 19.0.1 MR-1-Build365# tcpdump "port 8443"
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
    13:26:15.576985 Port2, IN: IP my.client.ip.addr.60054 > my.ip.v4.addr.8443: UDP, length 14
    13:26:17.900527 Port2, IN: IP my.client.ip.addr.60054 > my.ip.v4.addr.8443: UDP, length 14
    13:26:21.388821 Port2, IN: IP my.client.ip.addr.60054 > my.ip.v4.addr.8443: UDP, length 14
    13:26:29.556703 Port2, IN: IP my.client.ip.addr.60054 > my.ip.v4.addr.8443: UDP, length 14
    ^C
    4 packets captured
    4 packets received by filter
    0 packets dropped by kernel

Reply
  • 0

    Hi,

    I am sorry for my late answer.

    No, I have not been watching Howto's as this is not my only Firewall, but I have invested hours on rading KB Articles an Debugging on the Appliance.

    @Erick: Thank yo for the Reply, but I am not able to pass to this Point. All Packets are dropped immediately, before the SSLVPN-Session is established - So I do not even get an IP within the VPN-Network.

    @LuCar:

    in dropped-packets log I can see something like this:
    console> drop-packet-capture 'dst port 8443'
    2023-01-30 13:23:25 0103021 IP 194.166.81.108.59611 > my.ip.v4.addr.8443 : proto UDP: packet len: 22 checksum : 9563
    0x0000:  4500 002a 4e9a 4000 3911 aa50 c2a6 516c  E..*N.@.9..P..Ql
    0x0010:  5d53 d772 e8db 20fb 0016 255b 3801 801f  ]S.r......%[8...
    0x0020:  bb64 2031 f400 0000 0000                 .d.1......
    Date=2023-01-30 Time=13:23:25 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=2 outzone_id=4 source_mac=20:83:f8:9f:04:de dest_mac=00:1a:8c:37:6e:49 bridge_name= l3_protocol=IPv4 source_ip=194.166.81.108 dest_ip=my.ip.v4.addr l4_protocol=UDP source_port=59611 dest_port=8443 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x8001 nfqueue=0 gateway_offset=0 connid=2584068600 masterid=0 status=256 state=0, flag0=824635817984 flags1=17179869184 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0

    2023-01-30 13:23:27 0103021 IP 194.166.81.108.59611 > my.ip.v4.addr.8443 : proto UDP: packet len: 22 checksum : 9563
    0x0000:  4500 002a 4ede 4000 3911 aa0c c2a6 516c  E..*N.@.9.....Ql
    0x0010:  5d53 d772 e8db 20fb 0016 255b 3801 801f  ]S.r......%[8...
    0x0020:  bb64 2031 f400 0000 0000                 .d.1......
    Date=2023-01-30 Time=13:23:27 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=2 outzone_id=4 source_mac=20:83:f8:9f:04:de dest_mac=00:1a:8c:37:6e:49 bridge_name= l3_protocol=IPv4 source_ip=194.166.81.108 dest_ip=my.ip.v4.addr l4_protocol=UDP source_port=59611 dest_port=8443 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x8001 nfqueue=0 gateway_offset=0 connid=2584068600 masterid=0 status=256 state=0, flag0=824635817984 flags1=17179869184 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0

    when looking to tcpdump i can also see that the Packets arrive:

    SFVH_SO01_SFOS 19.0.1 MR-1-Build365# tcpdump "port 8443"
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
    13:26:15.576985 Port2, IN: IP my.client.ip.addr.60054 > my.ip.v4.addr.8443: UDP, length 14
    13:26:17.900527 Port2, IN: IP my.client.ip.addr.60054 > my.ip.v4.addr.8443: UDP, length 14
    13:26:21.388821 Port2, IN: IP my.client.ip.addr.60054 > my.ip.v4.addr.8443: UDP, length 14
    13:26:29.556703 Port2, IN: IP my.client.ip.addr.60054 > my.ip.v4.addr.8443: UDP, length 14
    ^C
    4 packets captured
    4 packets received by filter
    0 packets dropped by kernel

Children
  • 0 in reply to Markus Steinbauer

    Do you have SSLVPN enabled on WAN Zone in Device Access? 

    __________________________________________________________________________________________________________________

  • 0 in reply to Markus Steinbauer

    Hello Markus,

    can you please show us your settings like mine are here:

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to PhilippRusch

    Hi,

    I currently do not have a Screenshot here, but I can tell you.

    Protocol is UDP, not TCP

    As Certificate I use the Default Appliance Cert.
    Port is 8443

    The IPv4 is set to some 10.x.x.x Subnet - I hope it does not matter if it is in Use in another Zone (LAN or WAN).

    I am not using IPv6, so there is just some IP set as it is required.

    Lease Mode: IPv4 only

    Use Static IP Address is not checked.

  • 0 in reply to LuCar Toni

    Thank you for the Reply.

    Yes, it is enabled and I also tried multiple times to turn it off and on again.

    Best Regards, Markus

  • 0 in reply to Markus Steinbauer

    Now I updated to Sophos 19.5 as I expected a Solution in the new Version.

    Now it states out that sslvpn Service is down - I already generated a new Certificate and assigned it in SSLVPN-Settings, but the Service keeps down with these Messages in sslvpn.log:

    2023-02-11 16:00:47Z [22655] OpenVPN 2.4.7 i486-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  8 2022
    2023-02-11 16:00:47Z [22655] library versions: OpenSSL 1.1.1q  5 Jul 2022, LZO 2.09
    2023-02-11 16:00:47Z [22655] Error reading from nsgenc while decrypting, length 0
    : No such file or directory (errno=2)
    2023-02-11 16:00:47Z [22655] Exiting due to fatal error

    Does anybody have an Idea? From my point of View I think there is no Certificate in Place, even if it is.

    thank you for any replies!

    Markus

  • 0 in reply to PhilippRusch

    So now as described in the Post below, this is the current config:

    In the Meantime I changed the Port back from 8443 to 1194.

    And I tried with TCP and UDP.

    But as mentioned in the Post below since updating to Sophos 19.5 the Service does not start any more at all.

    I appreciate any recommendation.

    Thank you!

    Markus

  • +1 in reply to PhilippRusch

    Hi,

    I think I managed to solve it on my own after enabeling Debug Mode on Management Interface and checking /log/sslvpn.log in advanced shell.

    The Reason was that a unused SSLVPN-Client config was still in Place, but maybe was not migrated propperly and due to that the SSLVPN Service crashed all the time as a File could not be found.

    After deletion of Site-to-Site SSLVPN Configs (Client and Server) the Service started again.

    Anyway: thank you for the Hints!

    best Regards,

    Markus

Unfiltered HTML