
Unable to Reach RED hosts from Remote SSLVPN - Urgent help needed

Hi - Time sensitive here, back against the wall (will pay outside consultant if needed). Sophos Partner, long out of the loop.

I have (2) REDS.   Both are reachable from main XG network. I am unable to reach the RED hosts from the SSL VPN.

REDS are in standard split tunnel

RED1 - 10.20.30.0/24
RED2 - 10.20.31.0/24
XG LAN 192.160.0.0/24 (don't ask, I inherited)
SSLVPN 10.81.234.5/24 (oddity there in definition, but should work as it is a /24)

Defined host networks for all.
REDS have local subnet and ssl subnet in split network settings box
Firewall rule to allow SSL network to RED networks
Logs show nothing being blocked. 

I am at my wits end and have to have these routing by Friday. 

Any help would be appreciated. 



Added TAGs
[edited by: Raphael Alganes at 1:19 AM (GMT -7) on 24 Jul 2024]
  • Hello,

    Adding to what Raphael has mentioned.

    I recommend you start some TCP dumps in the firewall and the devices behind the RED to see how far the Ping is getting from the devices using SSL VPN.

    When in the Advanced shell of the Sophos Firewall, enter ifconfig, so you can see the interface names for the tcpdump.

    Example of tcpdump:

    # tcpdump -eni tun0 host 10.81.234.10 and host 10.20.30.10

    The tcpdump above will tell the Sophos Firewall to check for pings coming from the SSL VPN interface going to the host

    # tcpdump -eni redsX host x.x.x.x

    The above would be for the interaction of the RED device; substitute the X accordingly.

    Also, confirm that the SSL VPN devices don't have an overlapping subnet with one of the RED devices, and make sure the devices behind the RED have the local firewall disabled.


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
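Before reaching for tcpdump, the two configuration checks Emmanuel mentions (no overlapping subnets, and the SSL VPN subnet present in each RED's split networks, which the poster says is set) can be verified mechanically. The script below is an added example, not code from the thread or from Sophos; the subnets are the ones the poster listed, the per-RED split-network lists are constructed (RED2's is deliberately left without the SSL VPN subnet to show what a finding looks like), and the function names are my own. It also flags the SSL VPN definition with host bits set (10.81.234.5/24) and shows which network the firewall would treat it as.

```python
"""Sanity checks for a RED / SSL VPN split-tunnel layout (added example, not Sophos code)."""
import ipaddress
from itertools import combinations

# Constructed from the thread: object name -> definition as typed into the firewall
NETWORKS = {
    "RED1": "10.20.30.0/24",
    "RED2": "10.20.31.0/24",
    "XG_LAN": "192.160.0.0/24",
    "SSLVPN": "10.81.234.5/24",   # host bits set, exactly as the poster defined it
}

# Constructed split-tunnel lists per RED (assumed to mirror each RED's "split networks" setting);
# RED2 is missing the SSL VPN subnet on purpose so the check below reports it
RED_SPLIT_NETWORKS = {
    "RED1": ["10.20.30.0/24", "10.81.234.0/24"],
    "RED2": ["10.20.31.0/24"],
}


def normalize(name, definition):
    """Return (network, warning). strict=False tolerates host bits but we report them."""
    net = ipaddress.ip_network(definition, strict=False)
    warning = None
    if ipaddress.ip_interface(definition).ip != net.network_address:
        warning = f"{name}: {definition} has host bits set; firewall will treat it as {net}"
    return net, warning


def find_overlaps(networks):
    """Pairs of object names whose address ranges overlap (a classic cause of one-way traffic)."""
    norm = {n: normalize(n, d)[0] for n, d in networks.items()}
    return [(a, b) for a, b in combinations(norm, 2) if norm[a].overlaps(norm[b])]


def missing_split_routes(networks, split_networks, client_net_name="SSLVPN"):
    """RED names whose split-network list does not cover the SSL VPN client subnet.

    Without that entry the RED has no route back through the tunnel, so pings from
    SSL VPN clients arrive behind the RED but the replies never return.
    """
    client = normalize(client_net_name, networks[client_net_name])[0]
    missing = []
    for red, entries in split_networks.items():
        covered = any(
            client.subnet_of(ipaddress.ip_network(e, strict=False)) for e in entries
        )
        if not covered:
            missing.append(red)
    return missing


def run_checks(networks=NETWORKS, split_networks=RED_SPLIT_NETWORKS):
    """Collect all findings as plain strings so they can be printed or asserted on."""
    findings = []
    for name, definition in networks.items():
        _, warning = normalize(name, definition)
        if warning:
            findings.append(warning)
    for a, b in find_overlaps(networks):
        findings.append(f"overlap: {a} and {b}")
    for red in missing_split_routes(networks, split_networks):
        findings.append(f"{red}: split networks do not include the SSL VPN subnet")
    return findings


if __name__ == "__main__":
    for finding in run_checks():
        print(finding)
```

Run it with the lists edited to match what is actually configured on the firewall; if it comes back clean, the problem is not addressing, and the tcpdump on tun0 and on the redsX interface is the next step to see whether the ICMP request leaves the firewall and whether the reply ever comes back.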