

SSL VPN Traffic through SD-WAN Selected Gateway Times Out

Good evening!

I have Remote SSL VPN set up, and I can connect to it no problem.  The network address for these clients is 192.168.3.0/24.  Below are my three policies for allowing traffic from the VPN zone to the WAN, LAN, and DMZ zones.

Here are my gateways:

The top two gateways are on a separate VLAN (6).  They are connections to a VPN provider in different locales.  Let's call them VPN1 and VPN2.  The third gateway is my ISP gateway, let's call that ISP1.

Below is my SD-WAN configuration.  Everything works great, except for #6.  That's the rule where I want to route traffic from the SSL VPN to VPN1 and VPN2.

Here's that rule in detail:

When I attempt to access any web page while connected to the SSL VPN, it hangs for a REALLY long time and eventually times out.  If I change "Primary Gateway" to ISP1, then everything works fine.  So, I know the rule is matching... but something about routing traffic to VPN1 and VPN2 is failing.

I've spun my wheels a lot on this and could use some ideas.



  • Hi  ,

    Thank you for reaching out to the community. The port used for the SSL VPN might be filtered on another ISP; have you checked that?
    You can use the following site: https://www.ipfingerprints.com/portscan.php
    For the TCP port, enter the start and end port of the SSL VPN port.
    For the UDP port, select the advanced option and enable the UDP scan.

    Thanks & Regards,

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience


  • Thank you for your reply, and apologies for taking a while to respond.  Sophos flagged me as abusive for some reason... and then I went out of town.  I'm back now, and unflagged!

    I'm not sure I understand what you are suggesting.  I've checked ipfingerprints.com, and as expected, the VPN port is listening.  I can connect to my VPN just fine.  The problem is routing that VPN traffic out through a specific gateway.  One of the gateways works, but the other two don't.  The two that don't DO work for all other hosts on the network... just not VPN traffic.

    PORT     STATE SERVICE
    8443/tcp open https-alt

    Can you elaborate more on what you think the problem is?

  • I got it working.

    The two VPN gateways were defined as gateways on a zone interface which itself did not have a gateway defined.  Once I converted the interface to a WAN zone interface and specified a gateway for it, I was able to begin routing the VPN traffic through it without any issue.

    I guess it all makes sense... except for the fact that NONE of the other devices on my network had an issue with this, only SSL VPN traffic.  So, I don't fully understand why I had to do this... but I'm glad to report that it's now working.

  • I don't really like this solution having worked with it a bit more.  These aren't really "WAN" connections, as they are sitting internally... so any WAN interface created has to use these internal hosts as gateways, who in turn use that WAN Interface for connecting to the internet.  It ends up being a sloppy mess of circular talk, it seems... and it doesn't work well with reboots.  A cat and mouse sort of thing.

    So, I think I'd still prefer the custom gateway solution and routing traffic through these internal hosts.  This works for everything but SSL Remote Clients.  Definitely still open to other ideas for getting this set up cleanly.