Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Overview:
SSL VPN remote access with static IP over UDP: the second attempt to establish the tunnel fails with AUTH_FAILED because the IP address is not released when the previous tunnel is disconnected.
This issue is seen only when the SSL VPN remote access tunnel type is UDP (it does not apply to TCP). It affects SFOS running v19.0 MR1 or later.
Configuration on Sophos Firewall:
- SSL VPN global settings are configured with Protocol set to UDP and the 'Use static IP addresses' checkbox enabled.
- Create a user and assign an SSL VPN static IP from the IPv4 address range set in the SSL VPN global settings.
- Download the SSL VPN configuration from the user portal and import it into the remote access client.
- Initiate the connection; the first connection succeeds.
- Disconnect the tunnel from the remote access client and connect again. The tunnel is not established, the reason logged in /log/sslvpn.log is AUTH_FAILED, and the UI log viewer reports 'User failed to login to SSLVPN through the Local authentication mechanism because of IP lease failed'.
Log Viewer:
Advanced Shell: /log/sslvpn.log
SSL VPN Client Log:
Workaround:
- Set 'Disconnect dead peer after' in the SSL VPN global settings to a short interval, for example 60 seconds. The stale lease is then cleared after twice that value (120 seconds in this example), and an SSL VPN remote access tunnel brought up from the client after that point succeeds.
- Alternatively, use a TCP-based SSL VPN remote access connection.
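As an added example (not part of this article or of any Sophos tooling), the check below correlates disconnect and AUTH_FAILED entries per user and flags reconnect failures that fall inside the 2x dead-peer window described in the workaround, separating them from unrelated authentication failures. The log line layout, user names and addresses are constructed for illustration and are not the real /log/sslvpn.log format.

```python
import re
from datetime import datetime

# Constructed sample of a UDP SSL VPN remote-access session. This is NOT the
# real /log/sslvpn.log layout, only the sequence of events the article
# describes: success, disconnect, AUTH_FAILED on the immediate reconnect,
# then success once the stale lease has been cleared.
SAMPLE_LOG = """\
2024-11-08 10:00:00 user=alice event=CONNECTED proto=udp ip=10.81.234.10
2024-11-08 10:05:00 user=alice event=DISCONNECTED
2024-11-08 10:05:20 user=alice event=AUTH_FAILED reason="IP lease failed"
2024-11-08 10:07:30 user=alice event=CONNECTED proto=udp ip=10.81.234.10
2024-11-08 10:10:00 user=bob event=AUTH_FAILED reason="bad password"
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) event=(?P<event>\S+)(?P<rest>.*)$")


def parse(log_text):
    """Turn the constructed log into (timestamp, user, event, rest) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["user"], m["event"], m["rest"].strip()))
    return events


def find_lease_failures(log_text, dead_peer_seconds):
    """Return (user, timestamp, seconds_since_disconnect) for AUTH_FAILED
    events that follow a DISCONNECTED for the same user within twice the
    'Disconnect dead peer after' value, i.e. the stale static-IP lease
    pattern. Failures with no prior disconnect, or outside the window, are
    left out because they point at a different authentication problem."""
    window = 2 * dead_peer_seconds
    last_disconnect = {}
    hits = []
    for ts, user, event, _rest in parse(log_text):
        if event == "DISCONNECTED":
            last_disconnect[user] = ts
        elif event == "AUTH_FAILED" and user in last_disconnect:
            gap = (ts - last_disconnect[user]).total_seconds()
            if gap <= window:
                hits.append((user, ts, gap))
    return hits
```

Run against a real export only after adapting LINE_RE to the actual log layout; the rest of the logic is independent of the line format.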
Testing:
1st Connection Using TCP type:
Reconnect After Disconnection:
Related Information:
SSL VPN Global Settings: https://docs.sophos.com/nsg/sophos-firewall/21.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/RemoteAccessVPN/IPsecSSL/SSLVPN/RAVPNSSLSettings/index.html
NC-120119: https://docs.sophos.com/support/kil/index.html
[edited by: Raphael Alganes at 11:34 AM (GMT -8) on 8 Nov 2024]