
Firewall single Official IP with NAT causes SSLVPN not to work

Hi everybody,

I have done an update from SFOS 18 to SFOS 19 and since the update I am not able to connect to SSLVPN any more.

In the CLI I can see that all incoming packets are dropped for SSLVPN when running (drop-packet-capture "port 1194").

But I can access SSH and HTTPS management from the Internet.

So I guess the problem is somehow caused by having NAT rules on the same official IP (mail server port 25 and HTTPS server port 443) and therefore the appliance does not accept running SSLVPN on port 1194 or port 8443.

I would appreciate it if somebody has a solution for that, as I only have one official IP and SSLVPN is not working at all (neither Site2Site nor Client-VPN).

In SFOS 18.5 exactly the same setup was working.

Thank you!

Markus



  • Hi,

    I am sorry for my late answer.

    No, I have not been watching Howto's as this is not my only firewall, but I have invested hours in reading KB articles and debugging on the appliance.

    @Erick: Thank you for the reply, but I am not able to get to this point. All packets are dropped immediately, before the SSLVPN session is established, so I do not even get an IP within the VPN network.

    @LuCar:

    In the dropped-packets log I can see something like this:
    console> drop-packet-capture 'dst port 8443'
    2023-01-30 13:23:25 0103021 IP 194.166.81.108.59611 > my.ip.v4.addr.8443 : proto UDP: packet len: 22 checksum : 9563
    0x0000:  4500 002a 4e9a 4000 3911 aa50 c2a6 516c  E..*N.@.9..P..Ql
    0x0010:  5d53 d772 e8db 20fb 0016 255b 3801 801f  ]S.r......%[8...
    0x0020:  bb64 2031 f400 0000 0000                 .d.1......
    Date=2023-01-30 Time=13:23:25 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=2 outzone_id=4 source_mac=20:83:f8:9f:04:de dest_mac=00:1a:8c:37:6e:49 bridge_name= l3_protocol=IPv4 source_ip=194.166.81.108 dest_ip=my.ip.v4.addr l4_protocol=UDP source_port=59611 dest_port=8443 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x8001 nfqueue=0 gateway_offset=0 connid=2584068600 masterid=0 status=256 state=0, flag0=824635817984 flags1=17179869184 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0

    2023-01-30 13:23:27 0103021 IP 194.166.81.108.59611 > my.ip.v4.addr.8443 : proto UDP: packet len: 22 checksum : 9563
    0x0000:  4500 002a 4ede 4000 3911 aa0c c2a6 516c  E..*N.@.9.....Ql
    0x0010:  5d53 d772 e8db 20fb 0016 255b 3801 801f  ]S.r......%[8...
    0x0020:  bb64 2031 f400 0000 0000                 .d.1......
    Date=2023-01-30 Time=13:23:27 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=2 outzone_id=4 source_mac=20:83:f8:9f:04:de dest_mac=00:1a:8c:37:6e:49 bridge_name= l3_protocol=IPv4 source_ip=194.166.81.108 dest_ip=my.ip.v4.addr l4_protocol=UDP source_port=59611 dest_port=8443 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x8001 nfqueue=0 gateway_offset=0 connid=2584068600 masterid=0 status=256 state=0, flag0=824635817984 flags1=17179869184 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0

    When looking at tcpdump I can also see that the packets arrive:

    SFVH_SO01_SFOS 19.0.1 MR-1-Build365# tcpdump "port 8443"
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
    13:26:15.576985 Port2, IN: IP my.client.ip.addr.60054 > my.ip.v4.addr.8443: UDP, length 14
    13:26:17.900527 Port2, IN: IP my.client.ip.addr.60054 > my.ip.v4.addr.8443: UDP, length 14
    13:26:21.388821 Port2, IN: IP my.client.ip.addr.60054 > my.ip.v4.addr.8443: UDP, length 14
    13:26:29.556703 Port2, IN: IP my.client.ip.addr.60054 > my.ip.v4.addr.8443: UDP, length 14
    ^C
    4 packets captured
    4 packets received by filter
    0 packets dropped by kernel

  • Do you have SSLVPN enabled on WAN Zone in Device Access? 


  • Thank you for the reply.

    Yes, it is enabled and I also tried multiple times to turn it off and on again.

    Best Regards, Markus
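The dropped-packet records posted above are flat key=value lines, and the field that answers the question in the thread is log_component: a Local_ACLs denial with fw_rule_id=N/A, nat_id=0 and dnat_done=0 means the packet was refused by the appliance's local-service ACL (Device Access in the GUI) before any firewall or NAT rule was evaluated, which is exactly why toggling NAT rules does not change the result. The following parser and classifier is an added example written for this thread, not code from Sophos or from the poster. It assumes only the field names visible in the posted records; the sample lines are constructed (documentation IP addresses, and a third contrast record whose log_component value "Firewall_Rule" is a hypothetical placeholder, not a value taken from the appliance).

```python
"""Parse SFOS drop-packet-capture key=value records and classify each drop.

Added example for the thread above; not Sophos code. The sample records are
constructed to match the shape of the posted capture (addresses replaced
with documentation ranges; the third record is a hypothetical contrast case).
"""
from collections import Counter

# Constructed sample: two Local_ACLs denials shaped like the posted ones,
# plus one hypothetical firewall-rule denial for contrast. Note the quirks
# carried over from the real format: an empty "out_dev=", "state=0," with a
# trailing comma, and bracketed keys such as "pbrid[0]".
SAMPLE_LOG = """\
Date=2023-01-30 Time=13:23:25 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert in_dev=Port2 out_dev= inzone_id=2 outzone_id=4 l3_protocol=IPv4 source_ip=203.0.113.10 dest_ip=198.51.100.1 l4_protocol=UDP source_port=59611 dest_port=8443 fw_rule_id=N/A dnat_done=0 nat_id=0 connid=2584068600 status=256 state=0, flag0=824635817984 pbrid[0]=0 pbrid[1]=0
Date=2023-01-30 Time=13:23:27 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert in_dev=Port2 out_dev= inzone_id=2 outzone_id=4 l3_protocol=IPv4 source_ip=203.0.113.10 dest_ip=198.51.100.1 l4_protocol=UDP source_port=59611 dest_port=8443 fw_rule_id=N/A dnat_done=0 nat_id=0 connid=2584068600 status=256 state=0, flag0=824635817984 pbrid[0]=0 pbrid[1]=0
Date=2023-01-30 Time=13:24:02 log_id=0103021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert in_dev=Port2 out_dev= inzone_id=2 outzone_id=4 l3_protocol=IPv4 source_ip=203.0.113.77 dest_ip=198.51.100.1 l4_protocol=TCP source_port=41000 dest_port=25 fw_rule_id=12 dnat_done=1 nat_id=3 connid=2584068777 status=256 state=0, flag0=0 pbrid[0]=0 pbrid[1]=0
"""


def parse_kv_line(line):
    """Turn one 'key=value key=value ...' record into a dict.

    Tokens without '=' (e.g. the tcpdump-style header printed above each
    record, or hex dump lines) are skipped, so the whole capture can be fed
    through line by line.
    """
    fields = {}
    for tok in line.split():
        key, sep, val = tok.partition("=")
        if not sep:
            continue
        fields[key] = val.rstrip(",")  # "state=0," carries a trailing comma
    return fields


def is_local_acl_drop(f):
    """True when the local-service ACL, not a firewall/NAT rule, denied it."""
    return f.get("log_component") == "Local_ACLs" and f.get("log_subtype") == "Denied"


def classify_drop(f):
    """Return a one-line verdict pointing at the layer that dropped the packet."""
    proto = f.get("l4_protocol", "?")
    port = f.get("dest_port", "?")
    dev = f.get("in_dev", "?")
    if f.get("log_subtype") != "Denied":
        return "not a denial"
    if is_local_acl_drop(f):
        # fw_rule_id=N/A together with nat_id=0 and dnat_done=0 shows no
        # firewall or NAT rule was reached: the local-service ACL decided.
        return (f"local-service ACL denied {proto}/{port} in on {dev}; "
                f"check Device Access for that service on the {dev} zone "
                f"(fw_rule_id={f.get('fw_rule_id')}, nat_id={f.get('nat_id')}, "
                f"dnat_done={f.get('dnat_done')})")
    return (f"firewall-rule denial of {proto}/{port} in on {dev} "
            f"(fw_rule_id={f.get('fw_rule_id')}, nat_id={f.get('nat_id')})")


def summarize(text):
    """Count denials per (component, subtype, protocol, destination port)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_kv_line(line)
        if "log_component" not in f:
            continue  # header or hex dump line, not a record
        counts[(f["log_component"], f["log_subtype"],
                f.get("l4_protocol", "?"), f.get("dest_port", "?"))] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify_drop(parse_kv_line(line)))
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, key)
```

Run against a saved `drop-packet-capture` transcript, the summary separates drops the local-service ACL made from drops a firewall rule made; only the latter are worth chasing through the rule and NAT tables, while the former are resolved in Device Access for the zone named in in_dev.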
