
SSL VPN Access

Hi guys,

I have a question, if someone can help.

In Sophos XG I have created the IPsec tunnels between the head office and branch office.

But strangely I am not able to ping the branch office through SSL VPN, but the head office I can.

I have checked the FW rules and SSL policies; everything looks fine.

Can someone give me an idea?

Best regards 

Nazir



  • Hi Nazir,

    Thank you for reaching out to Sophos Community.

    I've moved the post to Sophos Firewall,

    Let me ensure I understand you correctly. The SSL tunnel has been established, and the issue is Ping going to the branch office.

    Kindly check the following:

    • Is Ping turned on under Device Access for VPN?
    • Double-check if any Local ACL was created to drop VPN traffic
    • Have you created a Firewall Rule to allow ICMP services?
    • Do the ranges overlap with your internal subnet?
    • Check the log viewer
    • Do a packet capture to verify the traffic

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hi Erick, 

    Thanks a lot for your kind reply. I have double-checked: PING is active under the VPN, and I also checked that there is no ACL active.

    The firewall rule also looks good, but still I am not able to ping the branch and head office.

  • Hi Nazir,

    Thank you for the information.

    Kindly check it in the Log Viewer and also do a GUI packet capture to analyze the traffic.

    Erick Jan

  • Hi Erick,

    In the GUI Log Viewer I see nothing, but in the packet capture I see the information below.

  • Hi Nazir,

    The packet is hitting Rule ID 38. Kindly check that Rule ID, or place the allow rule (VPN - LAN) at the very top.

    Also, you may refer to the following KB.

    Erick Jan

  • Dear Erick, 

    Thanks for your kind support.

    Rule ID 38 is set at the very top, and I have checked the packet capture once more, but it still has the same problem: I am not able to ping the branch office from SSL VPN, but I can ping the main office. When I allow WAN as the destination zone, I see in the packet capture that rule ID 38 pops up. (One thing I want to mention is that the branch office is connected to the main office with an IPsec tunnel.) Even when I set the very top rule ID 38 with source zone any > any and destination zone any > any, it still does not work. See the 2 screenshots.

  • Under Remote Access VPN > SSL VPN > Your Policy > Tunnel Access section, did you add the networks you want VPN clients to be able to see, both at main office and branch office?

  • Hi, as said above, have you configured the SSL VPN pool inside the tunnel between branch office and head office? And also, is the branch-office subnet included in the SSL VPN config?

    Lastly, you should also allow the traffic on the branch office firewall, so in the branch office allow traffic from the 10.242.2.0 subnet.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Dear Apijnappels, 

    Thanks for your comment. I have checked the above: the SSL VPN pool is added inside the IPsec tunnel rule between the branch office and the head office. Also, the head/branch office subnet is included in the SSL VPN config under Tunnel Access. But what I found strange: when I checked the SSL VPN client log, I see that the route is deleted. See screenshot, please.

    If you like, we can do a remote session.

  • It looks in the logs like the routes are first deleted and then re-added. Not sure why this happens, but as they are re-added, this should be good.

    Have you also checked whether you have firewall rules in the branch office allowing traffic from SSL-pool to branch office LAN?

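The replies above (Erick's checklist, the Tunnel Access question, the note about the pool inside the IPsec tunnel, and the branch-side firewall rule) describe one path that has to be intact end to end: SSL VPN client, head office rule table, IPsec selectors on both peers, branch office rule table. The following script is an added example, not Sophos code and not posted by anyone in the thread; it models those checks so each broken step is reported by name. All subnets, zone names and rule names are constructed (only the 10.242.2.0/24 pool is quoted from the thread), and it assumes a zone model in which both SSL VPN clients and the IPsec peer sit in the "VPN" zone, so the head office needs a VPN -> VPN rule and the branch office a VPN -> LAN rule.

```python
# Added example (constructed data, not Sophos code): walk the path
# SSL VPN client -> head office -> IPsec -> branch LAN and report the
# first reason each hop would break the flow.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

IPNet = ipaddress.IPv4Network


def net(cidr: str) -> IPNet:
    return ipaddress.ip_network(cidr, strict=False)


@dataclass
class Rule:
    name: str
    src_zone: str  # "VPN", "LAN", "WAN" or "ANY"
    dst_zone: str
    src_nets: List[IPNet]
    dst_nets: List[IPNet]
    services: Set[str]  # e.g. {"ICMP"}; "ANY" matches every service
    action: str = "ACCEPT"


@dataclass
class Site:
    name: str
    lan: IPNet
    ipsec_local: List[IPNet]   # networks this site offers into the tunnel
    ipsec_remote: List[IPNet]  # networks it expects behind the peer
    rules: List[Rule]          # ordered top-down, like the rule table


@dataclass
class Deployment:
    ssl_pool: IPNet
    tunnel_access: List[IPNet]  # routes pushed to SSL VPN clients
    head: Site
    branch: Site


def first_match(rules, src_zone, dst_zone, src_ip, dst_ip, service) -> Optional[Rule]:
    """First rule (top-down) matching zones, addresses and service, or None."""
    for r in rules:
        if r.src_zone not in (src_zone, "ANY") or r.dst_zone not in (dst_zone, "ANY"):
            continue
        if not any(src_ip in n for n in r.src_nets) or not any(dst_ip in n for n in r.dst_nets):
            continue
        if service in r.services or "ANY" in r.services:
            return r
    return None


def covered(target: IPNet, nets: List[IPNet]) -> bool:
    """True if target lies entirely inside one of nets."""
    return any(target.subnet_of(n) for n in nets)


def check_client_to_branch(d: Deployment, service: str = "ICMP") -> List[str]:
    """Return one finding per broken step; an empty list means nothing found."""
    findings = []
    client_ip, target_ip = d.ssl_pool[10], d.branch.lan[10]  # any hosts in each range
    # 1. pool must not overlap either LAN (Erick's overlap check)
    for label, lan in (("head LAN", d.head.lan), ("branch LAN", d.branch.lan)):
        if d.ssl_pool.overlaps(lan):
            findings.append(f"SSL pool {d.ssl_pool} overlaps {label} {lan}")
    # 2. Tunnel Access must push a route for the branch LAN to the client
    if not covered(d.branch.lan, d.tunnel_access):
        findings.append(f"Tunnel Access does not include branch LAN {d.branch.lan}")
    # 3. IPsec selectors must carry the pool on both ends and the branch LAN at head
    if not covered(d.ssl_pool, d.head.ipsec_local):
        findings.append(f"head IPsec local networks do not include SSL pool {d.ssl_pool}")
    if not covered(d.ssl_pool, d.branch.ipsec_remote):
        findings.append(f"branch IPsec remote networks do not include SSL pool {d.ssl_pool}")
    if not covered(d.branch.lan, d.head.ipsec_remote):
        findings.append(f"head IPsec remote networks do not include branch LAN {d.branch.lan}")
    # 4./5. each rule table must accept the flow (VPN->VPN at head, VPN->LAN at branch)
    for site, dst_zone in ((d.head, "VPN"), (d.branch, "LAN")):
        r = first_match(site.rules, "VPN", dst_zone, client_ip, target_ip, service)
        if r is None or r.action != "ACCEPT":
            hit = "no rule" if r is None else f"{r.name} ({r.action})"
            findings.append(f"{site.name} office: {service} {client_ip}->{target_ip} hits {hit}")
    return findings


def working_example() -> Deployment:
    """Constructed deployment in which every check passes."""
    pool, head_lan, branch_lan = net("10.242.2.0/24"), net("192.168.10.0/24"), net("192.168.20.0/24")
    head = Site("head", head_lan, [head_lan, pool], [branch_lan],
                [Rule("VPN to VPN", "VPN", "VPN", [pool], [branch_lan], {"ANY"})])
    branch = Site("branch", branch_lan, [branch_lan], [head_lan, pool],
                  [Rule("VPN to LAN", "VPN", "LAN", [head_lan, pool], [branch_lan], {"ANY"})])
    return Deployment(pool, [head_lan, branch_lan], head, branch)


if __name__ == "__main__":
    d = working_example()
    print("working:", check_client_to_branch(d) or "no findings")
    d.branch.ipsec_remote = [d.head.lan]  # forget the pool on the branch side
    d.tunnel_access = [d.head.lan]        # forget the branch LAN route
    for f in check_client_to_branch(d):
        print("-", f)
```

The rule-table walk stops at the first matching rule, which is why a drop rule above the allow rule shows up as a finding even when the allow rule exists; that mirrors the advice in the thread to move the allow rule to the very top.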