Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Unable to Reach RED hosts from Remote SSLVPN - Urgent help needed

HI - Time sensitive here, back against the wall (will pay outside consultant if needed). Sophos Partner, long out of the loop. 

I have (2) REDS.   Both are reachable from main XG network. I am unable to reach the RED hosts from the SSL VPN.

REDS are in standard split tunnel

RED1 - 10.20.30.0/24
RED2 - 10.20.31.0/24
XG LAN 192.160.0.0/24 (don't ask, I inherited)
SSLVPN 10.81.234.5/24 (oddity there in definition, but should work as it i a /24)

Defined host networks for all.
REDS  have local subnet and ssl subnet in split network settings boz
Firewall rule to allow SSL network to RED networks
Logs show nothing being blocked. 

I am at my wits end and have to have these routing by Friday. 

Any help would be appreciated. 



This thread was automatically locked due to age.
  • Hello  ,

    Thanks for reaching out to Sophos Community. 

    Have you also added the RED Networks (1 and 2) to SSL VPN Tunnel Access > *Permitted Network Resources? 

    Also, what are the results on SSL VPN clients when trying to ping RED Gateway and RED Network? 

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Yes, I created host (network) defs for both RED subnets and they are added to the Remote Access SSL VPN permitted network resources. 

    I can not ping either red (10.20.30.254, 10.20.31.254) but can ping LAN assets. 

    I can see the routes set in OpenVPN logs on the VPN client, but traceroute to them times out on first hop. Traceroute to the XG LAN works. Two hops, SSL VPN gateway and the pinged endpoint (as it should be).

  • Hello, 

    Thanks for the details. Do you also have a FW rule for (Zone where RED is) : Source Network: RED Network To - > Dest Zone: VPN / Dest Network: SSL VPN Network ? 

     If there are new changes in the SSL VPN config during your testing, could you re-download the config again to the client and then try again?

    Thank you,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • I have allow rules in both directions. No other rules above that should be blocking and no firewall logs showing blocking (or really anything for that matter even though i checked the logging option).  I have not downloaded the config again today, but have several times through different iterations of testing.

    I may be missing something simple, but for the life of me can’t find it.

  • Hello,

    Thank you for contacting Sophos Community!

    Kindly follow below:

    1. Output from the client PC command prompt, validate whether the route for RED network added or not.

    route print

    2. Start the continueos ping from SSL VPN client to RED network PC and collect tcpdump using below:

    tcpdump ' host srcIP or host destIP

    Kindly paste the traffic output.

    In another window, collect the drop packet.

    drop-packet-capture ' host srcIP or host destIP

    Kindly paste these output or DM me.

    Mayur Makvana
    Technical Account Manager | Global Customer Experience

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.

  • Hello,

    Adding to what Raphael has mentioned.

    I recommend you start some TCP dumps in the firewall and the devices behind the RED to see how far the Ping is getting from the devices using SSL VPN.

    When in the Advanced shell of the Sophos Firewall, enter ifconfig, so you can see the interface names for the tcpdump/

    example of tcpdump

    # tcpdump -eni tun0 host 10.81.234.10 and host 10.20.30.10

    The tcpdump above will tell the Sophos Firewall to check for pings coming from the SSL VPN interface going to the host

    #tcpdump -eni redsx host x.x.x.x.x

    The above would be for the interaction of the RED device; substitute the X accordingly.

    Also, confirm that the SSL VPN devices don't have an overlapping subnet with one of the RED devices, and make sure the devices behind the RED have the local firewall disabled.


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi   - We are trying to reproduce this locally in our lab. We will come back on this soon.

  • I am currently testing from a MacOS using OpenVPN

    Netstat -nr
    routes appear to be set properly

     

    10.20.30/24        10.81.234.1        UGSc                utun6       
    10.20.31/24        10.81.234.1        UGSc                utun6       
    10.81.234/24       10.81.234.3        UGSc                utun6       
    10.81.234.1        10.81.234.3        UH                  utun6       
    127                127.0.0.1          UCS                   lo0       
    127.0.0.1          127.0.0.1          UH                    lo0       
    169.254            link#15            UCS                   en0      !
    192.168.0          10.81.234.1        UGSc                utun6       

    tcpdump from MacOS with VPN connected

    sudo tcpdump host localhost or host 10.20.31.254
    tcpdump: data link type PKTAP
    tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
    listening on pktap, link-type PKTAP (Apple DLT_PKTAP), snapshot length 524288 bytes
    08:54:08.833058 IP 10.81.234.3 > 10.20.31.254: ICMP echo request, id 47676, seq 0, length 64
    08:54:09.838235 IP 10.81.234.3 > 10.20.31.254: ICMP echo request, id 47676, seq 1, length 64
    08:54:10.840668 IP 10.81.234.3 > 10.20.31.254: ICMP echo request, id 47676, seq 2, length 64
    08:54:11.846959 IP 10.81.234.3 > 10.20.31.254: ICMP echo request, id 47676, seq 3, length 64
    08:54:12.853512 IP 10.81.234.3 > 10.20.31.254: ICMP echo request, id 47676, seq 4, length 64
    08:54:13.864826 IP 10.81.234.3 > 10.20.31.254: ICMP echo request, id 47676, seq 5, length 64
    ^C
    6 packets captured
    235 packets received by filter
    0 packets dropped by kernel


    There are no dropped packets.

  • Thank you very much. As I said, I could have missed something very simple or very stupid. It has been a while since I worked with RED devices or XG for that matter. I am not opposed to paying for remote help, but I am not sure where to look these days. 

  • Hello,

    I could see that the routes added.

    Could you please collect the tcpdump and drops on the firewall from option number 4 by running the command shared and running the ping from client to the RED device?

    Mayur Makvana
    Technical Account Manager | Global Customer Experience

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.