Overview:
SSL VPN remote access with static IP over UDP: the second attempt at tunnel establishment fails with AUTH_FAILED because the IP address is not released when the previous tunnel is disconnected.
This issue is seen only if the SSL VPN remote access tunnel type is UDP (it does not apply to TCP). The issue applies to SFOS running v19.0.MR1 or later.
Configuration on Sophos Firewall:
- SSL VPN global settings are configured with Protocol set to UDP and the ‘Use static IP addresses’ checkbox enabled.
- Create a user and assign it an SSL VPN static IP from the IPv4 address range set in the SSL VPN global settings.
- Download the SSL VPN configuration from the user portal and use it on the remote access client.
- Initiate the connection; the connection will be successful.
- Disconnect the tunnel from the remote access client and connect again; the tunnel will not be established, with the reason AUTH_FAILED (in /log/sslvpn.log), and the UI Log Viewer says ‘User failed to login to SSLVPN through Local authentication mechanism because of ip lease failed’.
Log Viewer:
Advanced Shell: /log/sslvpn.log
SSL VPN Client Log:
Workaround:
- Set the value of 'Disconnect dead peer after' in the SSL VPN global settings to the minimum amount of time, say 60 seconds, so that after 120 seconds (twice the dead-peer value) bringing up the SSL VPN remote access tunnel from the remote access client will succeed.
- Or use a TCP-based SSL VPN remote access connection.
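To tell reconnect failures caused by this stale-lease behaviour apart from ordinary authentication failures, the following added example (not part of this article or of SFOS) scans log events and flags an ‘ip lease failed’ AUTH_FAILED that occurs within twice the configured dead-peer interval of the same user's last disconnect. The log line format, the user names and the timestamps are constructed for the example; the real /log/sslvpn.log layout will differ and the parser must be adapted to it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (NOT the real /log/sslvpn.log format):
# "<ISO timestamp> <event> user=<name> [extra fields] [reason="..."]"
SAMPLE_LOG = """\
2024-05-01T10:00:00 CONNECTED user=alice proto=udp
2024-05-01T10:05:00 DISCONNECTED user=alice
2024-05-01T10:05:30 AUTH_FAILED user=alice reason="ip lease failed"
2024-05-01T10:08:00 AUTH_FAILED user=alice reason="ip lease failed"
2024-05-01T10:20:00 AUTH_FAILED user=bob reason="bad password"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) user=(\S+)(?: .*reason="([^"]*)")?')


def parse(log_text):
    """Yield (timestamp, event, user, reason) tuples; reason is None if absent."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, event, user, reason = m.groups()
            yield datetime.fromisoformat(ts), event, user, reason


def earliest_retry(disconnect_time, dead_peer_seconds):
    """Per the workaround, the static IP is released about twice the
    'Disconnect dead peer after' value after the tunnel is torn down."""
    return disconnect_time + timedelta(seconds=2 * dead_peer_seconds)


def classify_failures(log_text, dead_peer_seconds):
    """Return [(timestamp, user, verdict)] for every AUTH_FAILED event.
    verdict is 'stale-lease' when the failure says 'ip lease failed' and the
    user disconnected less than 2 * dead_peer_seconds earlier; otherwise 'other'."""
    last_disconnect = {}
    results = []
    for ts, event, user, reason in parse(log_text):
        if event == "DISCONNECTED":
            last_disconnect[user] = ts
        elif event == "AUTH_FAILED":
            verdict = "other"
            if (reason == "ip lease failed" and user in last_disconnect
                    and ts < earliest_retry(last_disconnect[user], dead_peer_seconds)):
                verdict = "stale-lease"
            results.append((ts, user, verdict))
    return results


if __name__ == "__main__":
    # With a 180 s dead-peer value both alice failures fall inside the 360 s window;
    # with the 60 s workaround only the 30 s retry does, so the 180 s retry is not this issue.
    for dead_peer in (180, 60):
        print(dead_peer, [v for _, _, v in classify_failures(SAMPLE_LOG, dead_peer)])
```

Running it with the sample data shows how shortening the dead-peer interval narrows the window in which a reconnect is expected to hit the stale lease.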
Testing:
1st Connection Using TCP type:
Reconnect After Disconnection:
Related Information:
SSL VPN Global Settings: https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/RemoteAccessVPN/IPsecSSL/SSLVPN/RAVPNSSLSettings/index.html