
SSL VPN Client can connect but no traffic is generated to VPN zone

Hi all,

I was able to use SSL VPN properly with Sophos XG v19. Now I've upgraded to v20 and I'm experiencing an issue with SSL VPN.

To setup the SSL VPN I followed this guide: https://techvids.sophos.com/watch/wtqMJE1La6TkFjAiaT2d3H

I drew a network diagram to better explain how the network is configured:

I'm using an iPhone with OpenVPN installed as the client. It can connect and authenticate properly, and the OpenVPN iPhone app shows that the XG assigned the IP 10.10.70.1.

I have a firewall rule that allows traffic from VPN to DMZ, WAN and LAN:

In the firewall log I can't see any traffic generated through the VPN; traffic flows regularly into the XG on port 8443 (I've checked with tcpdump after SSH-ing into the XG firewall).

I've also tried to attach a Linked NAT rule to masquerade (MASQ) all traffic that comes from the VPN zone. The client can't reach any DMZ host nor any internet host (I would like to use the VPN as the default gateway).

Can anyone help me to solve this issue?

Thanks in advance



  • Hi Angelone,

    Thank you for reaching out to Sophos Community.

    We regret to hear about your experience. Let me ensure I understand you correctly.

    Your SSL VPN was working properly before the upgrade to version 20. 

    How about packet capture? Any traffic generated?

    I recommend contacting Sophos Support to check this issue further, and kindly share the case ID here. 

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • Hi Erick,

    SSL VPN was working properly with v19.5.

    Regarding the packet capture, using "port 8443" as the BPF string I see traffic that comes into the firewall, but I cannot see any traffic through the itun0 interface (I've checked using tcpdump).

    If this can help: I needed to comment out the line "comp-lzo no" in the .ovpn file, otherwise the iPhone gave me the error "server pushed compression settings that are not allowed and will result in a non-working connection".

    Thanks for your help.
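An added example, not part of the thread and not Sophos or OpenVPN code, that audits an exported .ovpn client profile for the two settings the posts turn on: the compression directive the iPhone client rejected (OpenVPN 3 based clients such as the OpenVPN Connect app refuse compression by default because of VORACLE-style attacks on compressed TLS traffic), and whether the profile asks for a full tunnel via `redirect-gateway`, which "use the VPN as the default gateway" needs either in the profile or pushed by the server. The sample profile, hostname and port are constructed for the example; the parser handles OpenVPN 2.x directive syntax and skips inline certificate blocks.

```python
"""Audit an OpenVPN (.ovpn) client profile for compression and full-tunnel settings."""
import re
from typing import Dict, List, Tuple

# OpenVPN 2.x directives that enable or negotiate transport compression.
# OpenVPN 3 based clients (the OpenVPN Connect app on iOS) refuse pushed
# compression by default and fail with "server pushed compression settings
# that are not allowed and will result in a non-working connection".
COMPRESSION_DIRECTIVES = ("comp-lzo", "compress", "allow-compression", "comp-noadapt")

# Constructed sample profile, shaped like an exported SSL VPN client profile.
# The host, port and PEM placeholder are invented for this example.
SAMPLE_PROFILE = """\
client
dev tun
proto tcp
remote vpn.example.net 8443
auth-user-pass
comp-lzo no
redirect-gateway def1
<ca>
-----BEGIN CERTIFICATE-----
MIIBplaceholderNotARealCertificate
-----END CERTIFICATE-----
</ca>
"""

INLINE_BLOCK_RE = re.compile(r"^<([a-z-]+)>$")


def parse_profile(text: str) -> List[Tuple[str, List[str]]]:
    """Return (directive, args) pairs; skip blanks, comments and inline
    <ca>/<cert>/<key>/<tls-auth> blocks, whose PEM lines are not directives."""
    entries: List[Tuple[str, List[str]]] = []
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:              # inside <ca> ... </ca> etc.
            if line == f"</{block}>":
                block = None
            continue
        m = INLINE_BLOCK_RE.match(line)
        if m:
            block = m.group(1)
            continue
        if not line or line[0] in "#;":    # blank or comment line
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit_profile(text: str) -> Dict[str, object]:
    """Summarise what matters for the symptoms in the thread: compression
    directives, whether the profile asks for a full tunnel, and the remotes."""
    entries = parse_profile(text)
    names = {d for d, _ in entries}
    return {
        "compression": [" ".join([d, *a]) for d, a in entries if d in COMPRESSION_DIRECTIVES],
        # redirect-gateway makes the VPN the client's default route
        "full_tunnel": "redirect-gateway" in names,
        # route-nopull would discard routes the server pushes
        "accepts_pushed_routes": "route-nopull" not in names,
        # OpenVPN's default port is 1194 when none is given
        "remotes": [(a[0], a[1] if len(a) > 1 else "1194") for d, a in entries if d == "remote"],
    }


def strip_compression(text: str) -> str:
    """Comment out every compression directive: the client-side change the post
    describes making by hand. Inline PEM blocks are left untouched."""
    out = []
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        first = line.split(None, 1)[0].lower() if line else ""
        m = INLINE_BLOCK_RE.match(line)
        if block is None and m:
            block = m.group(1)
        elif block is not None and line == f"</{block}>":
            block = None
        elif block is None and first in COMPRESSION_DIRECTIVES:
            raw = "# " + raw + "  # removed: rejected by OpenVPN 3 clients"
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
    print(strip_compression(SAMPLE_PROFILE))
```

Run it against a real exported profile by reading the file into `audit_profile`; an empty `compression` list and `full_tunnel` set to True (or the server pushing `redirect-gateway`) is the state the original post is asking for.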
