

Sophos Connect not working for an off site partner

We are a Sophos XG 750 customer, and we utilize Sophos Connect as our VPN for offsite connections. We have a partner who is trying to connect using the client, and they are getting an error. Everything seems to be the same except that they are a business and we are unsure what their outbound firewall blocking policies are. The error they get is something akin to: "Policy mismatch error". They opened up port 8443, so we are told. Does anyone have any advice on what the issue could be?

Some of the errors from the log file state:

2023-11-07 16:29:18 Server poll timeout, restarting
2023-11-07 16:35:40 TLS Error: TLS key negotiation failed to occur within 60 seconds
2023-11-07 16:35:40 TLS Error: TLS handshake failed

  • Hi Josh,

    I would like to understand more about your setup. I have a question:

    1. Are other users able to connect, and is this only happening to a specific user? 

    Here are some recommendations:

    1. Create a test user account for SSL VPN, let the partner redownload the VPN file, and use the test user account to log in
    2. Try connecting to the VPN using a different ISP

    If you would like to troubleshoot the issue further, you can check the logs (ref: Log file details - Sophos Firewall) and check sslvpn.log with the command (tail -f /log/sslvpn.log). Check the logs while the user is connecting to the VPN and experiencing the issue.

    Hope to hear from you. 

  • The user in question works correctly on another machine outside of that auditor's network, and we have about 40 other people who all use Sophos Connect without issues.  I am wondering what outbound ports are necessary for that auditor to tell their IT department to open up?  I told them 8443 but are there others? 

  • It depends on what is configured for the SSLVPN on the firewall.
    By default it is configured to TCP 8443, but it can be UDP too (or any other port), if selected.

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner

  • This issue seems specific to your partner since other users can connect to the VPN. This could be an issue with the partner's ISP. As Kerobra mentioned, the default port configuration is 8443. Here is a packet capture when my host (10.201.208.83) is connecting to the VPN, and no other ports were used for establishing the VPN
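To tell a blocked SSL VPN port apart from an auth or policy problem, the client log alone is enough: the three lines quoted in the original post all occur before any TLS handshake completes, which is what an outbound block on the configured port (TCP 8443 by default) looks like. The following triage script is an added example, not code from the thread or from Sophos; it assumes the Sophos Connect SSL VPN log uses OpenVPN-style messages, and the sample lines are constructed from the ones quoted above.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the lines quoted in the thread (not a real capture).
SAMPLE_LOG = """\
2023-11-07 16:29:18 Server poll timeout, restarting
2023-11-07 16:35:40 TLS Error: TLS key negotiation failed to occur within 60 seconds
2023-11-07 16:35:40 TLS Error: TLS handshake failed
"""

# Messages emitted while the client is still trying to complete a TLS handshake:
# typical when the SSL VPN port is not reachable outbound.
TRANSPORT_PATTERNS = (
    re.compile(r"Server poll timeout"),
    re.compile(r"TLS key negotiation failed to occur within \d+ seconds"),
    re.compile(r"TLS handshake failed"),
)
# Messages that only appear once the server was reached over the VPN port
# (OpenVPN-style strings; assumed to match what Sophos Connect writes).
POST_HANDSHAKE_PATTERNS = (
    re.compile(r"AUTH_FAILED"),
    re.compile(r"Initialization Sequence Completed"),
)


def classify_line(line):
    """Map one log line to 'transport', 'post_handshake' or None."""
    for pat in TRANSPORT_PATTERNS:
        if pat.search(line):
            return "transport"
    for pat in POST_HANDSHAKE_PATTERNS:
        if pat.search(line):
            return "post_handshake"
    return None


def triage(log_text):
    """Return (verdict, counts): 'reached_server' if any post-handshake
    message is present (port is open; look at users/policy), 'blocked_transport'
    if only pre-handshake timeouts are seen (verify outbound reachability of the
    configured SSL VPN port and protocol first), else 'inconclusive'."""
    counts = Counter(s for s in map(classify_line, log_text.splitlines()) if s)
    if counts["post_handshake"]:
        return "reached_server", dict(counts)
    if counts["transport"]:
        return "blocked_transport", dict(counts)
    return "inconclusive", dict(counts)
```

For the log excerpt in the original post the verdict is `blocked_transport`, which is why asking the partner's IT department to confirm outbound TCP 8443 (or UDP, if the firewall is configured that way) comes before any user or policy troubleshooting.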