SSL VPN Client can connect but no traffic is generated to VPN zone

Hi Angelone,

Thank you for reaching out to Sophos Community.

We regret to hear about your experience. Let me ensure I understand you correctly.

Your SSL VPN was working properly before the upgrade to version 20. 

How about packet capture? Any traffic generated?

I recommend contacting Sophos Support to check this issue further, and kindly share the case ID here. 

Hi Erick,

SSL VPN was working properly with v19.5.

Regarding to the packet capture, using "port 8443" as BPF string I see traffic that comes into the firewall but I cannot see any traffic through the itun0 interface (I've checked using tcpdump).

If this can help I needed to comment out the string "comp-lzo no" in the ovpn file otherwise the iPhone gave me the error "server pushed compression settings that are not allowed and will result in a non-working connection".

Thanks for your help.

Hi Angelone - Can you please DM me and PRANEETH Kumar  the access id of your device. We will take a look at the issue.

Hi Giridhar Katti , I tried to enable the support access but the Access ID remains in the "Connecting to server" state

Hi Angelone ,

Currently i am looking into Access ID issue.

Can you please share uma.log from /log dir in one on one to investigate why access id is not generated?

Also provide output of following commands executed via backend of SFOS.

nslookup eu2.apu.sophos.com

traceroute eu2.apu.sophos.com

ping eu2.apu.sophos.com ( APU server will not respond to ping request although, i would like to check dns resolution) 

Can you DM Sreenivasulu Naidu  with zoom/teams link to debug the issue together ? 

Thanks a million for the support. At the moment I’m not at home, I will send the link and the logs as soon as I will come back home in few days

Hi Kaushal Kansara ,

attached you can find the zip file that contains the elements you've asked for.

The output of the commands are contained in command_debug.txt file. I'll send you the password to extract the archive, the traceroute contains information about my IP address that I prefer to not share here.

Thanks for you support.

sophos_debug.zip

Hi Angelone 

Thanks for sharing logs.

Please accept friend request so that i can DM.

Hi Angelone ,

I have looked at the logs and observing that SFOS is retrying the connection with EU2 server. Although connections associated with given SFOS is not being seen on EU2 server.

Can we have a call to investigate this?

Hi @Angelone, for the sslvpn ra traffic issue, we can take a look at your setup in a joint debug over a call. Please DM me (sreenivasulu.naidu@sophos.com). From the attached logs, there is no sslvpn.log, traffic issues could not be figured out from this log. When you are seeing traffic on port 8443, just do a tcpdump on tun0 (assuming you are using XG and not XGS), if you see packets on tun0 (on XG), this is unencrypted packet, see the packet is routed correctly to your host on DMZ and verify the return path of the packet.

Hi @Angelone, for the sslvpn ra traffic issue, we can take a look at your setup in a joint debug over a call. Please DM me (sreenivasulu.naidu@sophos.com). From the attached logs, there is no sslvpn.log, traffic issues could not be figured out from this log. When you are seeing traffic on port 8443, just do a tcpdump on tun0 (assuming you are using XG and not XGS), if you see packets on tun0 (on XG), this is unencrypted packet, see the packet is routed correctly to your host on DMZ and verify the return path of the packet.

Hi Sreenivasulu Naidu  and Kaushal Kansara , we can schedule a call with pleasure. I'm going to DM rigth now.

Thanks for your valuable support

With legacy mode (Settings -> Advanced settings -> Security level in Openvpn conect client on iOS), traffic is passing through the sslvon ra tunnel and able to reach the DMZ hosts. This is the behaviour seen in v19.x and in v20.