

Sophos Connect - SSL VPN not working

We are having an issue with the VPN connection of a single client. Users are authenticated via AD; the Sophos Connect client and config file were downloaded from the Sophos VPN Portal. When starting the VPN connection, it loads forever until it eventually times out. Only a single client is affected; all other users have no issues.



This thread was automatically locked due to age.
  • Hi Lennart,

    Thank you for reaching out to Sophos Community.

    If the issue is only for a single device:

    • Kindly try to review the VPN logs from the firewall
    • Try to turn off/disable any workstation Anti-virus for testing purposes
    • Test on a different device and network
    • Compare the logs/version from working and nonworking

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • Hello,

    Thank you for reaching out to the community. Take a packet capture on port 4439.
    If the packet capture shows that SSL VPN traffic is forwarded matching any rule ID, it's most likely to be a DNAT rule with any service or the SSL VPN port. A DNAT rule has higher precedence than any other rule, due to which SSL VPN traffic that is destined to the firewall is forwarded to the internal host matching the DNAT rule. Ensure you do not have a DNAT rule with ANY service. If there is a DNAT rule with the same port, change either the DNAT rule port or the SSL VPN port.

    Thanks & Regards,

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience


  • After further analysis I can conclude the following:

    - The VPN connection doesn't even reach the firewall; the VPN logs are empty

    - The client is using Sophos Endpoint as Anti-virus, I disabled it and tried again but it still didn't work

    - Using the same version of Sophos Connect and the same Config file I can establish a connection from a different device in a different Network

    - The only major difference between a working log and a non-working log is the following:

    From the non-working log: 

    2024-03-27 12:10:03 Attempting to establish TCP connection with [AF_INET]90.***.***.***:4439 [nonblock]
    2024-03-27 12:10:03 MANAGEMENT: >STATE:1711537803,TCP_CONNECT,,,,,,
    2024-03-27 12:10:03 TCP connection established with [AF_INET]90.***.***.***:4439

    From the working log: 

    2024-03-27 10:00:36 Attempting to establish TCP connection with [AF_INET]90.***.***.***:4439 [nonblock]
    2024-03-27 10:00:36 MANAGEMENT: >STATE:1711530036,TCP_CONNECT,,,,,,
    2024-03-27 10:00:56 TCP: connect to [AF_INET]90.***.***.***:4439 failed: Unknown error
    2024-03-27 10:00:56 SIGUSR1[connection failed(soft),init_instance] received, process restarting
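
Added example, not part of the original posts: a small Python parser that reports how far the TCP connect stage got in each of the two log excerpts above and how long it took, which is the comparison the thread is doing by eye. The function name and result keys are my own; the sample lines are the excerpts as posted, address redaction included.

```python
import re
from datetime import datetime

# Patterns for the OpenVPN-style client log lines quoted in the post above.
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
ATTEMPT = re.compile(r"Attempting to establish TCP connection with \[AF_INET\](\S+)")
ESTABLISHED = re.compile(r"TCP connection established with \[AF_INET\]\S+")
FAILED = re.compile(r"TCP: connect to \[AF_INET\]\S+ failed: (.*)")
RESTART = re.compile(r"SIGUSR1\[.*?\] received, process restarting")

def tcp_stage(log_text):
    """Summarise the TCP connect stage of one excerpt (last attempt wins)."""
    res = {"peer": None, "outcome": "no_attempt", "seconds": None,
           "detail": None, "restarted": False}
    started = None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unparseable lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if a := ATTEMPT.search(msg):
            started = ts
            res.update(peer=a.group(1), outcome="attempt_only", seconds=None, detail=None)
        elif started is not None and ESTABLISHED.search(msg):
            res.update(outcome="tcp_established", seconds=(ts - started).total_seconds())
        elif started is not None and (f := FAILED.search(msg)):
            res.update(outcome="tcp_connect_failed", detail=f.group(1),
                       seconds=(ts - started).total_seconds())
        elif RESTART.search(msg):
            res["restarted"] = True  # client gave up on this attempt and restarted
    return res

# The two excerpts from the post, copied as posted (address redacted there).
EXCERPT_1210 = """
2024-03-27 12:10:03 Attempting to establish TCP connection with [AF_INET]90.***.***.***:4439 [nonblock]
2024-03-27 12:10:03 MANAGEMENT: >STATE:1711537803,TCP_CONNECT,,,,,,
2024-03-27 12:10:03 TCP connection established with [AF_INET]90.***.***.***:4439
"""
EXCERPT_1000 = """
2024-03-27 10:00:36 Attempting to establish TCP connection with [AF_INET]90.***.***.***:4439 [nonblock]
2024-03-27 10:00:36 MANAGEMENT: >STATE:1711530036,TCP_CONNECT,,,,,,
2024-03-27 10:00:56 TCP: connect to [AF_INET]90.***.***.***:4439 failed: Unknown error
2024-03-27 10:00:56 SIGUSR1[connection failed(soft),init_instance] received, process restarting
"""

if __name__ == "__main__":
    for name, text in (("12:10 excerpt", EXCERPT_1210), ("10:00 excerpt", EXCERPT_1000)):
        print(name, tcp_stage(text))
```

Run against full client logs from both devices, the same function shows whether each attempt ends at the TCP connect or gets past it, and the elapsed seconds separate an immediate result from one that only arrives after a wait.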

  • Hi Lennart,

    That is great to hear. We can conclude that the issue only exists on the said workstation and not on our Firewall.

    Based on the log comparison, I suggest checking port 4439 for the non-working device to see if it’s open or blocked.

    Erick Jan
    Community Support Engineer | Sophos Technical Support