Sophos XG 210 Site to Site VPN and Client VPN

Hello Sophos community,

My name is Bernd Bauer and I'm a Sophos XG newbie.

Last weekend we equipped one of our customers with 5 Sophos XG Firewalls.

1 HeadOffice XG210 and 5 BranchOffices with XG105

I installed the latest firmware on the head office firewall SFOS 15.01.0 MR-2.

At the moment I'm very frustrated because we have only trouble with the new XG firewalls.

1. problem (Client VPN):

We set up AD authentication and SSL VPN remote access.

The VPN users can log in to the user portal but can't download the SSL VPN client.

If I click on download client and configuration nothing happens.

Also by clicking on download configuration nothing happens.

I tried it with Mozilla Firefox, Internet Explorer and Google Chrome, also on different PCs, same issue.

Has anyone had the same trouble?

2. problem (site to site vpn):

The site-to-site VPNs to the branch offices work fine but they are unstable.

I mean my head office firewall shows me everything green, connection established, but I can't ping my server on the other site.

So I have to deactivate the site-to-site tunnel for this branch office and reactivate it.

After this process I can ping my devices in the branch offices again.

These are my biggest problems currently.

I would be glad for tips and suggestions.

Best regards

Bernd

  • Hi Bernd,

    Thanks for choosing Sophos.

    We do not have any instance where anyone is not able to download the SSL VPN client. Can you check this from a remote location, accessing the User portal on the Public IP through another system?

    And is the Ping issue over IPSec intermittent? Does the manual restart of the IPSec tunnel resolve the issue?

    Please provide us more information on this matter to investigate further.

    I suggest you monitor the drop-packet-capture logs on the XG when this issue is active.

    Follow the steps mentioned below to capture drop-packets of a specific IP address.

    1.  Log on to the CLI Console (Telnet/SSH)
    2.  Select Option 4 - System Console
    3.  To capture drop-packets for a specific IP address, execute the following command:

         console> drop-packet-capture 'host 10.0.0.1 and proto ICMP'

    This will give you a brief idea where the traffic could be dropping.

    Hope that helps :)

    Thanks

    Sachin Gurung

    Team Lead | Sophos Technical Support

  • Hi Sachin,

    I tried accessing the user portal just now with my notebook via the public IP and the download didn't work.

    I could try to boot the old firmware MR1 and download the client.

    Do you know what happens with my config when I boot the old firmware?

    I'm now updating all branch office firewalls to the latest firmware HW-SFOS_15.01.0_MR-2.SF210-418.

    So I will keep you up to date if this fixes my site-to-site VPN problem.

    Thanks for your help