
Unable to Reach RED hosts from Remote SSLVPN - Urgent help needed

Hi - Time sensitive here, back against the wall (will pay an outside consultant if needed). Sophos Partner, long out of the loop. 

I have (2) REDS.   Both are reachable from main XG network. I am unable to reach the RED hosts from the SSL VPN.

REDS are in standard split tunnel

RED1 - 10.20.30.0/24
RED2 - 10.20.31.0/24
XG LAN 192.160.0.0/24 (don't ask, I inherited)
SSLVPN 10.81.234.5/24 (oddity there in the definition, but should work as it is a /24)

Defined host networks for all.
REDS have local subnet and SSL subnet in split network settings box
Firewall rule to allow SSL network to RED networks
Logs show nothing being blocked. 

I am at my wits end and have to have these routing by Friday. 

Any help would be appreciated. 



Added TAGs
[edited by: Raphael Alganes at 1:19 AM (GMT -7) on 24 Jul 2024]
  • Hello,

    Thanks for reaching out to Sophos Community. 

    Have you also added the RED Networks (1 and 2) to SSL VPN Tunnel Access > *Permitted Network Resources? 

    Also, what are the results on SSL VPN clients when trying to ping RED Gateway and RED Network? 

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Yes, I created host (network) defs for both RED subnets and they are added to the Remote Access SSL VPN permitted network resources. 

    I can not ping either red (10.20.30.254, 10.20.31.254) but can ping LAN assets. 

    I can see the routes set in OpenVPN logs on the VPN client, but traceroute to them times out on first hop. Traceroute to the XG LAN works. Two hops, SSL VPN gateway and the pinged endpoint (as it should be).

  • Hello, 

    Thanks for the details. Do you also have a FW rule for (Zone where RED is) : Source Network: RED Network To - > Dest Zone: VPN / Dest Network: SSL VPN Network ? 

     If there are new changes in the SSL VPN config during your testing, could you re-download the config again to the client and then try again?

    Thank you,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • I have allow rules in both directions. No other rules above that should be blocking and no firewall logs showing blocking (or really anything for that matter, even though I checked the logging option). I have not downloaded the config again today, but have several times through different iterations of testing.

    I may be missing something simple, but for the life of me can’t find it.

  • Hello,

    Thank you for contacting Sophos Community!

    Kindly follow below:

    1. From the client PC command prompt, validate whether the route for the RED network was added or not:

    route print

    2. Start a continuous ping from the SSL VPN client to a PC in the RED network and collect a tcpdump using the below (substitute the client and RED host addresses):

    tcpdump 'host srcIP or host destIP'

    Kindly paste the traffic output.

    In another window, collect the dropped packets:

    drop-packet-capture 'host srcIP or host destIP'

    Kindly paste these outputs or DM me.

    Mayur Makvana
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.

  • Hello,

    Adding to what Raphael has mentioned.

    I recommend you start some TCP dumps in the firewall and the devices behind the RED to see how far the Ping is getting from the devices using SSL VPN.

    When in the Advanced shell of the Sophos Firewall, enter ifconfig so you can see the interface names for the tcpdump.

    Example of tcpdump:

    # tcpdump -eni tun0 host 10.81.234.10 and host 10.20.30.10

    The tcpdump above will tell the Sophos Firewall to check for pings coming from the SSL VPN interface going to the host

    # tcpdump -eni redsX host x.x.x.x

    The above would be for the RED device's interface; substitute the X and the host address accordingly.

    Also, confirm that the SSL VPN devices don't have an overlapping subnet with one of the RED devices, and make sure the devices behind the RED have the local firewall disabled.


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi - We are trying to reproduce this locally in our lab. We will come back on this soon.

  • I am currently testing from macOS using OpenVPN.

    netstat -nr
    Routes appear to be set properly:

     

    10.20.30/24        10.81.234.1        UGSc                utun6       
    10.20.31/24        10.81.234.1        UGSc                utun6       
    10.81.234/24       10.81.234.3        UGSc                utun6       
    10.81.234.1        10.81.234.3        UH                  utun6       
    127                127.0.0.1          UCS                   lo0       
    127.0.0.1          127.0.0.1          UH                    lo0       
    169.254            link#15            UCS                   en0      !
    192.168.0          10.81.234.1        UGSc                utun6       

    tcpdump from MacOS with VPN connected

    sudo tcpdump host localhost or host 10.20.31.254
    tcpdump: data link type PKTAP
    tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
    listening on pktap, link-type PKTAP (Apple DLT_PKTAP), snapshot length 524288 bytes
    08:54:08.833058 IP 10.81.234.3 > 10.20.31.254: ICMP echo request, id 47676, seq 0, length 64
    08:54:09.838235 IP 10.81.234.3 > 10.20.31.254: ICMP echo request, id 47676, seq 1, length 64
    08:54:10.840668 IP 10.81.234.3 > 10.20.31.254: ICMP echo request, id 47676, seq 2, length 64
    08:54:11.846959 IP 10.81.234.3 > 10.20.31.254: ICMP echo request, id 47676, seq 3, length 64
    08:54:12.853512 IP 10.81.234.3 > 10.20.31.254: ICMP echo request, id 47676, seq 4, length 64
    08:54:13.864826 IP 10.81.234.3 > 10.20.31.254: ICMP echo request, id 47676, seq 5, length 64
    ^C
    6 packets captured
    235 packets received by filter
    0 packets dropped by kernel


    There are no dropped packets.
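The capture above shows echo requests leaving the client with no replies coming back, which is the symptom the support engineers are trying to localize with captures on each hop. As an added example (not from the original thread or from Sophos), the script below pairs ICMP echo requests with replies by (id, seq) in tcpdump output and reports which destinations never answer; the sample lines are constructed in the same format, with a hypothetical LAN host 192.168.0.10 that does reply.

```python
import re

# Constructed sample in the format of the client-side tcpdump above:
# two requests to the RED gateway (no replies) and one to a LAN host (answered).
SAMPLE_CAPTURE = """\
08:54:08.833058 IP 10.81.234.3 > 10.20.31.254: ICMP echo request, id 47676, seq 0, length 64
08:54:09.838235 IP 10.81.234.3 > 10.20.31.254: ICMP echo request, id 47676, seq 1, length 64
08:54:10.001000 IP 10.81.234.3 > 192.168.0.10: ICMP echo request, id 51200, seq 0, length 64
08:54:10.043000 IP 192.168.0.10 > 10.81.234.3: ICMP echo reply, id 51200, seq 0, length 64
"""

# One tcpdump ICMP echo line; banner and summary lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def correlate_icmp(capture: str) -> dict:
    """Pair echo requests with replies by (id, seq); return per-destination counts."""
    pending = {}  # (id, seq) -> destination of the outstanding request
    stats = {}    # destination -> {"sent": n, "answered": n}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "request":
            pending[key] = m["dst"]
            stats.setdefault(m["dst"], {"sent": 0, "answered": 0})["sent"] += 1
        else:
            dst = pending.pop(key, None)
            # Only count a reply that comes back from the host we actually asked.
            if dst is not None and m["src"] == dst:
                stats[dst]["answered"] += 1
    return stats


def unanswered_destinations(capture: str) -> list:
    """Destinations that saw requests but zero replies: where to capture next."""
    stats = correlate_icmp(capture)
    return sorted(d for d, s in stats.items() if s["sent"] and s["answered"] == 0)


if __name__ == "__main__":
    for dst, s in correlate_icmp(SAMPLE_CAPTURE).items():
        print(f"{dst}: {s['answered']}/{s['sent']} echo requests answered")
    print("no reply at all from:", unanswered_destinations(SAMPLE_CAPTURE))
```

Run the same function over captures taken on the firewall's tun0 and reds interfaces to see on which hop the requests stop appearing or the replies stop coming back.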

  • Thank you very much. As I said, I could have missed something very simple or very stupid. It has been a while since I worked with RED devices or XG for that matter. I am not opposed to paying for remote help, but I am not sure where to look these days. 

  • Hello,

    I could see that the routes were added.

    Could you please collect the tcpdump and drops on the firewall from option number 4 by running the command shared and running the ping from client to the RED device?

    Mayur Makvana
    Technical Account Manager | Sophos Technical Support
