
Allow VPN client through UTM

Hi there.

I have a host machine with Sonicwall Global VPN Client installed on it that can't connect to the peer/destination. The network map looks something like this:

Host >>> UTM >>> Cisco ASA >>> Internet >>> VPN Target

I've been looking at this problem for a few days, configuring host/IP/port specific rules, and eventually I put an [ any source / any destination / any service - permit ] outgoing rule on the UTM... but still no dice.

I have checked the live logs but the host's IP isn't showing up at all as a source, despite it continually attempting to establish a connection, which leads me to believe that there's something else at play that I don't know about. The host IP shows up intermittently but as a destination - the log entry looks something like this: Source = <UTM internal IP>, Service = IMCP, Destination = <host IP>, Action = dropped.

I have no issues if the host is situated between the UTM and the ASA (i.e. bypassing the UTM entirely, and with a different IP address, gateway, etc. configured of course) so the UTM seems to be causing the roadblock. In both cases the client tries to use ports 500 and 4500, but I made sure to allow these and they are reportedly in use already (probably by the ASA) so it uses dynamic ports instead. The Sonicwall GVC connects by IP address, so I don't think it's a DNS issue.

Can anyone signpost me in the right direction or say if there's a glaringly obvious setting I've missed?



  • Hello Slugman,

    Thank you for contacting the Sophos Community!

    Do you have application control installed in the UTM? If so, maybe try to disable it.

    About the service you mentioned, I think that is ICMP. Does the VPN maybe need the host machine to send a ping to check if the VPN is alive?

    If so, please check what you have configured for ICMP packets in the UTM, under Network Protection >> Firewall >> ICMP.

    Are you getting any logs from the ASA when the host is trying to connect?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi, thanks for the rapid response.

    I don't have application control enabled on the UTM.

    All the UTM's ICMP checkboxes are ticked in the window you mentioned.

    Unfortunately the ASA's logs are next-to-useless. There are no logs referring to the host or the VPN IP addresses when I attempt a connection.

    I've been using Wireshark to try and compare a successful and an unsuccessful VPN connection but there are no strange or unexpected IP addresses or protocols coming up. It's as though my host is just shouting into the dark and there is no reply.

  • Hello Slugman,

    Thank you for the follow-up!

    Is the log you mentioned the packetfilter.log?

    Could it maybe be MTU? What is the MTU on the interface that the UTM connects to the ASA with?

    If you do a tcpdump on the interface that connects to the ASA, let's say eth1, on ports 500 and 4500, do you see packets coming back?

    tcpdump -eni eth1 port 500

    tcpdump -eni eth1 port 4500

    Do you see the packets arriving from the host and then leaving and then a response?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
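The tcpdump check suggested above is a three-way question: do the client's IKE packets reach the ASA-facing interface at all, do they leave, and does the peer ever answer? The following added example (not code from the thread, Sophos or SonicWall) parses saved `tcpdump -eni` output for UDP 500/4500 and answers those questions mechanically. It assumes tcpdump's default one-line IPv4 format, and the sample capture lines, addresses and the `client_ips`/`peer_ip` parameters are constructed for the example; pass the UTM's masquerade address in `client_ips` if the UTM NATs the host before eth1.

```python
"""Classify a tcpdump -eni capture of IKE/NAT-T traffic (UDP 500 and 4500).

Added example for the thread above, not code from Sophos or SonicWall.
Assumes tcpdump's one-line IPv4 output; all sample data below is constructed.
"""
import re
from collections import Counter

IKE_PORTS = {500, 4500}

# tcpdump -eni: "<time> <src-mac> > <dst-mac>, ethertype IPv4 (0x0800), length N:
#                A.B.C.D.sport > E.F.G.H.dport: <decoded payload>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ > \S+, ethertype IPv4 \(0x0800\), length (?P<len>\d+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_line(line):
    """Return the addressing fields of one capture line, or None if it is not IPv4/UDP-with-ports."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "rest": m["rest"]}


def classify_capture(lines, client_ips, peer_ip):
    """Count IKE packets per direction and give a verdict on where to look next.

    client_ips: addresses the VPN client can appear as on this interface
                (the host IP, or the UTM's masquerade address if it NATs).
    peer_ip:    the VPN target the GVC dials by IP address.
    """
    outbound, inbound = Counter(), Counter()
    client_src_ports = set()
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["src"] in client_ips and p["dst"] == peer_ip:
            outbound[p["dport"]] += 1
            client_src_ports.add(p["sport"])
        elif p["src"] == peer_ip and p["dst"] in client_ips:
            inbound[p["dport"]] += 1

    if sum(outbound.values()) == 0:
        verdict = "no-outbound"    # nothing from the client reaches this interface: check UTM rules/NAT
    elif sum(inbound.values()) == 0:
        verdict = "no-reply"       # packets leave but the peer never answers: check ASA/peer side
    else:
        verdict = "bidirectional"  # IKE exchange is flowing; the problem is elsewhere (MTU, auth, ...)

    # The GVC falls back to dynamic source ports when 500/4500 are already in use;
    # report any such ports so a port-specific rule can be widened.
    nonstandard = sorted(sp for sp in client_src_ports if sp not in IKE_PORTS)
    return {"outbound": dict(outbound), "inbound": dict(inbound),
            "nonstandard_source_ports": nonstandard, "verdict": verdict}


# Constructed sample captures (documentation addresses, made-up MACs).
_MAC = "00:1a:2b:3c:4d:5e > 00:5e:4d:3c:2b:1a, ethertype IPv4 (0x0800)"
SAMPLE_NO_REPLY = [
    f"10:15:01.000001 {_MAC}, length 330: 192.168.10.50.500 > 203.0.113.10.500: isakmp: phase 1 I ident",
    f"10:15:02.000002 {_MAC}, length 330: 192.168.10.50.500 > 203.0.113.10.500: isakmp: phase 1 I ident",
    f"10:15:03.000003 {_MAC}, length 330: 192.168.10.50.53211 > 203.0.113.10.500: isakmp: phase 1 I ident",
    f"10:15:04.000004 {_MAC}, length 64: 192.168.10.50.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 1 I ident",
]
SAMPLE_OK = SAMPLE_NO_REPLY[:1] + [
    f"10:15:01.050000 {_MAC}, length 330: 203.0.113.10.500 > 192.168.10.50.500: isakmp: phase 1 R ident",
]


def main():
    for name, sample in (("no-reply capture", SAMPLE_NO_REPLY), ("healthy capture", SAMPLE_OK)):
        print(name, classify_capture(sample, {"192.168.10.50"}, "203.0.113.10"))


if __name__ == "__main__":
    main()
```

In practice you would feed it `tcpdump -eni eth1 port 500 or port 4500 > ike.txt` read back line by line; a `no-outbound` verdict points at the UTM (rules, NAT, or the host's route), `no-reply` points at the ASA or the peer, and a non-empty `nonstandard_source_ports` list explains why a rule restricted to source port 500/4500 never matched.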