
Unable to Reach RED hosts from Remote SSLVPN - Urgent help needed

Hi - Time sensitive here, back against the wall (will pay outside consultant if needed). Sophos Partner, long out of the loop.

I have (2) REDs. Both are reachable from main XG network. I am unable to reach the RED hosts from the SSL VPN.

REDs are in standard split tunnel.

RED1 - 10.20.30.0/24
RED2 - 10.20.31.0/24
XG LAN 192.160.0.0/24 (don't ask, I inherited)
SSLVPN 10.81.234.5/24 (oddity there in definition, but should work as it is a /24)

Defined host networks for all.
REDs have local subnet and SSL subnet in split network settings box
Firewall rule to allow SSL network to RED networks
Logs show nothing being blocked. 

I am at my wits end and have to have these routing by Friday. 

Any help would be appreciated. 



[edited by: Raphael Alganes at 1:19 AM (GMT -7) on 24 Jul 2024]
  • Yes, I created host (network) defs for both RED subnets and they are added to the Remote Access SSL VPN permitted network resources. 

    I cannot ping either RED (10.20.30.254, 10.20.31.254) but can ping LAN assets.

    I can see the routes set in OpenVPN logs on the VPN client, but traceroute to them times out on first hop. Traceroute to the XG LAN works. Two hops, SSL VPN gateway and the pinged endpoint (as it should be).

  • Hello, 

    Thanks for the details. Do you also have a FW rule for (Zone where RED is): Source Network: RED Network -> Dest Zone: VPN / Dest Network: SSL VPN Network?

    If there are new changes in the SSL VPN config during your testing, could you re-download the config again to the client and then try again?

    Thank you,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • I have allow rules in both directions. No other rules above that should be blocking and no firewall logs showing blocking (or really anything for that matter even though I checked the logging option). I have not downloaded the config again today, but have several times through different iterations of testing.

    I may be missing something simple, but for the life of me can’t find it.

  • Hello,

    Thank you for contacting Sophos Community!

    Kindly follow below:

    1. From the client PC command prompt, validate whether the route for the RED network has been added or not:

    route print

    2. Start a continuous ping from the SSL VPN client to the RED network PC and collect a tcpdump using the command below:

    tcpdump 'host srcIP or host destIP'

    Kindly paste the traffic output.

    In another window, collect the drop packet.

    drop-packet-capture 'host srcIP or host destIP'

    Kindly paste these outputs or DM me.

    Mayur Makvana
    Technical Account Manager | Sophos Technical Support


  • I am currently testing from a MacOS using OpenVPN

    netstat -nr
    routes appear to be set properly

    10.20.30/24        10.81.234.1        UGSc                utun6       
    10.20.31/24        10.81.234.1        UGSc                utun6       
    10.81.234/24       10.81.234.3        UGSc                utun6       
    10.81.234.1        10.81.234.3        UH                  utun6       
    127                127.0.0.1          UCS                   lo0       
    127.0.0.1          127.0.0.1          UH                    lo0       
    169.254            link#15            UCS                   en0      !
    192.168.0          10.81.234.1        UGSc                utun6       

    tcpdump from MacOS with VPN connected

    sudo tcpdump host localhost or host 10.20.31.254
    tcpdump: data link type PKTAP
    tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
    listening on pktap, link-type PKTAP (Apple DLT_PKTAP), snapshot length 524288 bytes
    08:54:08.833058 IP 10.81.234.3 > 10.20.31.254: ICMP echo request, id 47676, seq 0, length 64
    08:54:09.838235 IP 10.81.234.3 > 10.20.31.254: ICMP echo request, id 47676, seq 1, length 64
    08:54:10.840668 IP 10.81.234.3 > 10.20.31.254: ICMP echo request, id 47676, seq 2, length 64
    08:54:11.846959 IP 10.81.234.3 > 10.20.31.254: ICMP echo request, id 47676, seq 3, length 64
    08:54:12.853512 IP 10.81.234.3 > 10.20.31.254: ICMP echo request, id 47676, seq 4, length 64
    08:54:13.864826 IP 10.81.234.3 > 10.20.31.254: ICMP echo request, id 47676, seq 5, length 64
    ^C
    6 packets captured
    235 packets received by filter
    0 packets dropped by kernel


    There are no dropped packets.
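To make the client-side checks in this thread repeatable, here is an added Python example (not code from the thread or from Sophos) that parses macOS `netstat -nr` rows and tcpdump ICMP lines in the shape posted above, confirms the RED prefix is routed through the tunnel interface, and tells a missing pushed route apart from echo requests that leave the client and never get a reply. The sample rows are constructed after the output above; the `utun` interface prefix is an assumption for OpenVPN on macOS.

```python
import re, ipaddress
# Constructed samples in the same shape as the thread's `netstat -nr` and tcpdump output.
NETSTAT_SAMPLE = """\
10.20.30/24        10.81.234.1        UGSc                utun6
10.20.31/24        10.81.234.1        UGSc                utun6
192.168.0          10.81.234.1        UGSc                utun6
"""
TCPDUMP_SAMPLE = """\
08:54:08.833058 IP 10.81.234.3 > 10.20.31.254: ICMP echo request, id 47676, seq 0, length 64
08:54:09.838235 IP 10.81.234.3 > 10.20.31.254: ICMP echo request, id 47676, seq 1, length 64
"""
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply)")

def expand_bsd_dest(dest):
    """BSD netstat abbreviates: '192.168.0' -> 192.168.0.0/24, '10.20.30/24' -> 10.20.30.0/24."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    net, _, plen = dest.partition("/")
    octets = net.split(".")
    plen = plen or str(8 * len(octets))      # implied classful length when no /len is printed
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)

def route_for(netstat_text, target_ip):
    target, best = ipaddress.ip_address(target_ip), None   # longest-prefix match over the rows
    for parts in (line.split() for line in netstat_text.splitlines()):
        if len(parts) < 4:
            continue
        try:
            net = expand_bsd_dest(parts[0])
        except ValueError:
            continue                         # IPv6 or otherwise unparsable destination column
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, parts[1], parts[3])              # (network, gateway, interface)
    return best

def icmp_balance(tcpdump_text, peer_ip):
    sent = received = 0                      # echo requests to peer_ip vs echo replies from it
    for src, dst, kind in ICMP_RE.findall(tcpdump_text):
        sent += kind == "request" and dst == peer_ip
        received += kind == "reply" and src == peer_ip
    return sent, received

def diagnose(netstat_text, tcpdump_text, peer_ip, vpn_iface_prefix="utun"):
    route = route_for(netstat_text, peer_ip)
    if route is None or not route[2].startswith(vpn_iface_prefix):
        return "no-vpn-route"                # pushed routes missing: re-download the client config
    sent, received = icmp_balance(tcpdump_text, peer_ip)
    # sent-no-reply: the client side is fine, the fault is beyond the tunnel; capture on the firewall next
    return "nothing-sent" if not sent else "ok" if received else "sent-no-reply"
```

Run `diagnose(NETSTAT_SAMPLE, TCPDUMP_SAMPLE, "10.20.31.254")` on the thread's own output and it returns "sent-no-reply", which is exactly the situation where the firewall-side tcpdump and drop-packet-capture asked for above are the next step.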

  • Hello,

    I could see that the routes were added.

    Could you please collect the tcpdump and drops on the firewall from option number 4 by running the command shared and running the ping from client to the RED device?

    Mayur Makvana
    Technical Account Manager | Sophos Technical Support
