
SSL VPN Network Access

I'm pulling my hair out trying to figure out why our SSL VPN users all of a sudden cannot access the network resources. For the most part I moved 99% of our users over to IPsec VPN setups, but in some cases, like accessing from China, IPsec does not allow connections. A few months ago I quickly set up an SSL VPN user for a staff person visiting China, and all went well. This same staff person is going again in a few weeks, so I asked them to test the user: it authenticates OK but just does not have access to any of the network resources, and I have no idea why.

I created a second user to test myself and have the same problem. I am using Sophos Connect 2.3.2. Anything you can think of I have missed?

Thanks



Added TAGs
[edited by: Raphael Alganes at 10:16 AM (GMT -8) on 26 Nov 2024]
  • If I understand your problem correctly, this is your problem --- if you directly add the user to the SSLVPN policy, the network resource access works fine, but if you add a user to a group and then add the group to the policy, the network resource access does not work. If this understanding is correct, can you help answer these queries:

    1) Which SFOS release are you running on your firewall?
    2) Is it a split tunnel or full tunnel?
    3) Can you log in to the advanced shell of the firewall (ssh to the firewall, then enter 5 and then enter 3) and check the output of the following command:
    cat /cfs/system/openvpn/conf.d/<username>

    Replace the username with the name of the user you are testing with. If you are using split tunnel, check in the output whether the IP/network of the network resource you are trying to access is present in the push route directives or not. Sample output:
    cat /cfs/system/openvpn/conf.d/test
    ...
    push 'route 192.168.2.0 255.255.255.255'
    ...
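To make that check mechanical for more than one resource, here is a small added script (not from the thread or from Sophos) that parses the `push 'route NET MASK'` lines from a per-user config and reports whether a given resource IP falls inside any pushed route. The config contents below are a constructed sample in the format shown above; on a firewall you would feed it `cat /cfs/system/openvpn/conf.d/<username>` instead.

```shell
#!/bin/sh
# Added example: does any pushed OpenVPN route cover a given resource IP?
# SAMPLE_CONF is a constructed stand-in for the per-user config file.
SAMPLE_CONF="push 'route 192.168.2.0 255.255.255.0'
push 'route 10.10.0.0 255.255.0.0'
push 'dhcp-option DNS 192.168.2.10'"

# Dotted-quad IPv4 address -> 32-bit integer (POSIX sh arithmetic).
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# route_covers CONF IP: prints "NET MASK" of the first matching pushed
# route and returns 0; prints nothing and returns 1 if no route covers IP.
route_covers() {
    target=$(ip2int "$2")
    match=$(printf '%s\n' "$1" |
        sed -n "s/^push 'route \([0-9.]*\) \([0-9.]*\)'.*/\1 \2/p" |
        while read -r net mask; do
            n=$(ip2int "$net"); m=$(ip2int "$mask")
            # Same network once both sides are masked => the route covers IP.
            if [ $(( target & m )) -eq $(( n & m )) ]; then
                echo "$net $mask"; break
            fi
        done)
    [ -n "$match" ] && echo "$match"
}

# Demo run over two resources: one inside a pushed route, one outside.
for host in 192.168.2.50 172.16.0.5; do
    if r=$(route_covers "$SAMPLE_CONF" "$host"); then
        echo "$host: covered by pushed route $r"
    else
        echo "$host: NOT in any pushed route; check the policy's permitted network resources"
    fi
done
```

Run against the thread's own sample line (`push 'route 192.168.2.0 255.255.255.255'`) it reports 192.168.2.50 as not covered, since a host mask on a network address only ever matches that single address.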

  • Actually, I think I found the issue. I believe the issue is the SSL IP range: since it was created in v18 and this replacement firewall is on 19, I created the IP subnet as it is supposed to be under v19. I am having my user test today.

  • That was the issue, I simply had to delete the range created in the earlier version and create the IP assignment as a subnet. Thanks to everyone who took the time to reply and help me resolve the issue.