Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Replies 14 replies
  • Subscribers 40 subscribers
  • Views 7408 views
  • Users 0 members are here
Options
Suggested

Unable to Reach RED hosts from Remote SSLVPN - Urgent help needed

BeanAnimal

HI - Time sensitive here, back against the wall (will pay outside consultant if needed). Sophos Partner, long out of the loop. 

I have (2) REDS.   Both are reachable from main XG network. I am unable to reach the RED hosts from the SSL VPN.

REDS are in standard split tunnel

RED1 - 10.20.30.0/24
RED2 - 10.20.31.0/24
XG LAN 192.160.0.0/24 (don't ask, I inherited)
SSLVPN 10.81.234.5/24 (oddity there in definition, but should work as it i a /24)

Defined host networks for all.
REDS  have local subnet and ssl subnet in split network settings boz
Firewall rule to allow SSL network to RED networks
Logs show nothing being blocked. 

I am at my wits end and have to have these routing by Friday. 

Any help would be appreciated. 



Added TAGs
[edited by: Raphael Alganes at 1:19 AM (GMT -7) on 24 Jul 2024]
Parents
  • 0

    Hi   - We are trying to reproduce this locally in our lab. We will come back on this soon.

  • 0 in reply to Giridhar Katti

    Thank you very much. As I said, I could have missed something very simple or very stupid. It has been a while since I worked with RED devices or XG for that matter. I am not opposed to paying for remote help, but I am not sure where to look these days. 

  • 0 in reply to BeanAnimal

    Hi  ,

    Are you using RED interface in-built on SFOS? or RED is an external device connected to SFOS? Can you put a picture of your topology?

    * Do you see red interface Up on SFOS?

    # ifconfig reds1
    reds1 Link encap:Ethernet HWaddr aa:bb:cc:dd:ee:aa
    inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0

    * Are you able to ping remote client from local client over RED tunnel once RED tunnel is Up?

    * you can DM me to expedite the interactions.

    I am able to have sslvpn ra client (ovpnclient) reach far end client over RED tunnel by using reds1 interface on SFOS.

  • 0 in reply to Sreenivasulu Naidu

    Main Site
    XG125 (SFOS 19.5.3 MR-3-Build652)
    192.168.0.1/24 local lan

    Remote site1 RED1
    SD-RED 20
    10.20.30.0/24

    Remote site2 RED2
    SD-RED 60
    10.20.31.0/24

    Both tunnels are up. Built using the GUI.

    I have removed and recreated all rules regarding RED1 and RED2 and will do more testing shortly. 
    Bot RED sites are reachable from the XG lcoal lan

    I truly appreciate everyones help in trying to resolve this. It has to be something stupid I have missed. The routing is (should be?) very basic and I don't think I need static routes because the REDs already handle that.

  • 0 in reply to BeanAnimal

      , Thanks for giving us some incremental details; Always clear topology will help everyone who is looking at the issue and to map it correctly.

    I took time to build topology as below - can you confirm this is the topology you are using - I am just taking SD-RED20 alone for simplicity.

    * In this topology, once SSLVPN RA tunnel is Up, are you able to ping LAN client1 on 192.168.0.0/24 network from your Mac running SSLVPN RA client?

    * From Mac, you are not able to ping client2 which is on 10.20.20.0/24 network? this traffic is supposed to go over SSLVPN RA first and the on RED tunnel. 

    What happens when you ping LAN client2 from your Mac after the SSLVPN RA is Up? can you do a tcpdump on LAN client2 - any icmp traffic is seen?

  • +1 in reply to Sreenivasulu Naidu

     , with reference to the topology given, try this out and let me know if you are able to reach out to LAN client2 from your Mac running SSLVPN RA client.

    On SFOS, create an SNAT rule to translate source IP 10.81.0.0/16 (SSLVPN virtual ip pool, one of this ip gets added to each of the SSLVPN RA clients) to reds1 ip on SFOS. Without SNAT rule, source IP of the packet that reaches SD-RED will have the virtual ip of SSLVPN RA client, which is not known to the SD-RED to respond back with.

Reply Children
No Data
Unfiltered HTML