This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL VPN Connected but unable to use browser

Running Sophos UTM (9.601-5) successfully for a couple years and recently had to rebuild my laptop. After rebuild I pulled openvpn config from user portal and imported to viscosity client. I am able to successfully connect and can ping external sites (8.8.8.8) when connected, can SSH to the UTM device itself, but...I cannot open anything with a web-browser (Chrome/Safari), including the Sophos dashboard. I have looked at my logs and can see successful DNS resolution, nothing obvious in FW logs, have tried toggling IPS and web-proxy into off position without any success...anything obvious I might be missing here?  



This thread was automatically locked due to age.
Parents
  • Example that I can resolve / ping while connected but not browse to the same site. 

      

  • Hi Jon and welcome to the UTM Community!

    Do you get any hints from the Firewall and Web Filtering logs?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I'll pull some logs to share, at the moment I do have a client side PCAP of a failed session screenshot to share...maybe certificate related? 

  • I am reviewing the logs while connected and I am not seeing anything helpful. All DNS queries are successful, webfiltering action ="pass", and the FW is not blocking my queries to the UTM web host @ 10.0.155.1:4444. 

  • TCP Dump logs from failed https session to 10.0.155.1 while connected via VPN

    HOSTNAME:~ # tcpdump -i any host 192.168.1.2 and host 10.0.155.1 -vvvv
    tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
    21:11:08.191368 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
     192.168.1.2.55029 > dymanicDNS.webadmin: Flags [S], cksum 0x64ab (correct), seq 3310334379, win 65535, options [mss 1352,nop,wscale 6,nop,nop,TS val 1019531263 ecr 0,sackOK,eol], length 0
    21:11:08.191547 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    dymanicDNS.webadmin > 192.168.1.2.55029: Flags [S.], cksum 0x68ed (correct), seq 3171659599, ack 3310334380, win 28960, options [mss 1460,sackOK,TS val 32713942 ecr 1019531263,nop,wscale 7], length 0
    21:11:08.268954 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.2.55029 > dymanicDNS.webadmin: Flags [.], cksum 0x0076 (correct), seq 1, ack 1, win 2051, options [nop,nop,TS val 1019531360 ecr 32713942], length 0
    21:11:08.270514 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 569)
    192.168.1.2.55029 > dymanicDNS.webadmin: Flags [P.], cksum 0xeace (correct), seq 1:518, ack 1, win 2051, options [nop,nop,TS val 1019531360 ecr 32713942], length 517
    21:11:08.270747 IP (tos 0x0, ttl 64, id 33722, offset 0, flags [DF], proto TCP (6), length 52)
    dymanicDNS.webadmin > 192.168.1.2.55029: Flags [.], cksum 0x0575 (correct), seq 1, ack 518, win 235, options [nop,nop,TS val 32713962 ecr 1019531360], length 0
    21:11:08.321551 IP (tos 0x0, ttl 64, id 33723, offset 0, flags [DF], proto TCP (6), length 1392)
    dymanicDNS.webadmin > 192.168.1.2.55029: Flags [.], cksum 0x65ad (correct), seq 1:1341, ack 518, win 235, options [nop,nop,TS val 32713974 ecr 1019531360], length 1340
    21:11:08.321579 IP (tos 0x0, ttl 64, id 33724, offset 0, flags [DF], proto TCP (6), length 821)
    dymanicDNS.webadmin > 192.168.1.2.55029: Flags [P.], cksum 0x64db (correct), seq 1341:2110, ack 518, win 235, options [nop,nop,TS val 32713974 ecr 1019531360], length 769
    21:11:08.399513 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.2.55029 > dymanicDNS.webadmin: Flags [.], cksum 0xe194 (correct), seq 518, ack 1, win 2051, options [nop,nop,TS val 1019531487 ecr 32713962,nop,nop,sack 1 {1341:2110}], length 0
    21:11:08.417872 IP (tos 0x0, ttl 64, id 33725, offset 0, flags [DF], proto TCP (6), length 1392)
    dymanicDNS.webadmin > 192.168.1.2.55029: Flags [.], cksum 0x6515 (correct), seq 1:1341, ack 518, win 235, options [nop,nop,TS val 32713999 ecr 1019531487], length 1340
    21:11:08.697946 IP (tos 0x0, ttl 64, id 33726, offset 0, flags [DF], proto TCP (6), length 1392)
    dymanicDNS.webadmin > 192.168.1.2.55029: Flags [.], cksum 0x64cf (correct), seq 1:1341, ack 518, win 235, options [nop,nop,TS val 32714069 ecr 1019531487], length 1340
    21:11:09.257967 IP (tos 0x0, ttl 64, id 33727, offset 0, flags [DF], proto TCP (6), length 1392)
    dymanicDNS.webadmin > 192.168.1.2.55029: Flags [.], cksum 0x6443 (correct), seq 1:1341, ack 518, win 235, options [nop,nop,TS val 32714209 ecr 1019531487], length 1340
    21:11:10.381967 IP (tos 0x0, ttl 64, id 33728, offset 0, flags [DF], proto TCP (6), length 1392)
    dymanicDNS.webadmin > 192.168.1.2.55029: Flags [.], cksum 0x632a (correct), seq 1:1341, ack 518, win 235, options [nop,nop,TS val 32714490 ecr 1019531487], length 1340
    21:11:12.629974 IP (tos 0x0, ttl 64, id 33729, offset 0, flags [DF], proto TCP (6), length 1392)
    dymanicDNS.webadmin > 192.168.1.2.55029: Flags [.], cksum 0x60f8 (correct), seq 1:1341, ack 518, win 235, options [nop,nop,TS val 32715052 ecr 1019531487], length 1340
    21:11:17.125895 IP (tos 0x0, ttl 64, id 33730, offset 0, flags [DF], proto TCP (6), length 1392)
    dymanicDNS.webadmin > 192.168.1.2.55029: Flags [.], cksum 0x5c94 (correct), seq 1:1341, ack 518, win 235, options [nop,nop,TS val 32716176 ecr 1019531487], length 1340
    21:11:26.118004 IP (tos 0x0, ttl 64, id 33731, offset 0, flags [DF], proto TCP (6), length 1392)
    dymanicDNS.webadmin > 192.168.1.2.55029: Flags [.], cksum 0x53cc (correct), seq 1:1341, ack 518, win 235, options [nop,nop,TS val 32718424 ecr 1019531487], length 1340
    21:11:38.288345 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.2.55029 > dymanicDNS.webadmin: Flags [R.], cksum 0x7372 (correct), seq 518, ack 1, win 2051, length 0

Reply
  • TCP Dump logs from failed https session to 10.0.155.1 while connected via VPN

    HOSTNAME:~ # tcpdump -i any host 192.168.1.2 and host 10.0.155.1 -vvvv
    tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
    21:11:08.191368 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
     192.168.1.2.55029 > dymanicDNS.webadmin: Flags [S], cksum 0x64ab (correct), seq 3310334379, win 65535, options [mss 1352,nop,wscale 6,nop,nop,TS val 1019531263 ecr 0,sackOK,eol], length 0
    21:11:08.191547 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    dymanicDNS.webadmin > 192.168.1.2.55029: Flags [S.], cksum 0x68ed (correct), seq 3171659599, ack 3310334380, win 28960, options [mss 1460,sackOK,TS val 32713942 ecr 1019531263,nop,wscale 7], length 0
    21:11:08.268954 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.2.55029 > dymanicDNS.webadmin: Flags [.], cksum 0x0076 (correct), seq 1, ack 1, win 2051, options [nop,nop,TS val 1019531360 ecr 32713942], length 0
    21:11:08.270514 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 569)
    192.168.1.2.55029 > dymanicDNS.webadmin: Flags [P.], cksum 0xeace (correct), seq 1:518, ack 1, win 2051, options [nop,nop,TS val 1019531360 ecr 32713942], length 517
    21:11:08.270747 IP (tos 0x0, ttl 64, id 33722, offset 0, flags [DF], proto TCP (6), length 52)
    dymanicDNS.webadmin > 192.168.1.2.55029: Flags [.], cksum 0x0575 (correct), seq 1, ack 518, win 235, options [nop,nop,TS val 32713962 ecr 1019531360], length 0
    21:11:08.321551 IP (tos 0x0, ttl 64, id 33723, offset 0, flags [DF], proto TCP (6), length 1392)
    dymanicDNS.webadmin > 192.168.1.2.55029: Flags [.], cksum 0x65ad (correct), seq 1:1341, ack 518, win 235, options [nop,nop,TS val 32713974 ecr 1019531360], length 1340
    21:11:08.321579 IP (tos 0x0, ttl 64, id 33724, offset 0, flags [DF], proto TCP (6), length 821)
    dymanicDNS.webadmin > 192.168.1.2.55029: Flags [P.], cksum 0x64db (correct), seq 1341:2110, ack 518, win 235, options [nop,nop,TS val 32713974 ecr 1019531360], length 769
    21:11:08.399513 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.2.55029 > dymanicDNS.webadmin: Flags [.], cksum 0xe194 (correct), seq 518, ack 1, win 2051, options [nop,nop,TS val 1019531487 ecr 32713962,nop,nop,sack 1 {1341:2110}], length 0
    21:11:08.417872 IP (tos 0x0, ttl 64, id 33725, offset 0, flags [DF], proto TCP (6), length 1392)
    dymanicDNS.webadmin > 192.168.1.2.55029: Flags [.], cksum 0x6515 (correct), seq 1:1341, ack 518, win 235, options [nop,nop,TS val 32713999 ecr 1019531487], length 1340
    21:11:08.697946 IP (tos 0x0, ttl 64, id 33726, offset 0, flags [DF], proto TCP (6), length 1392)
    dymanicDNS.webadmin > 192.168.1.2.55029: Flags [.], cksum 0x64cf (correct), seq 1:1341, ack 518, win 235, options [nop,nop,TS val 32714069 ecr 1019531487], length 1340
    21:11:09.257967 IP (tos 0x0, ttl 64, id 33727, offset 0, flags [DF], proto TCP (6), length 1392)
    dymanicDNS.webadmin > 192.168.1.2.55029: Flags [.], cksum 0x6443 (correct), seq 1:1341, ack 518, win 235, options [nop,nop,TS val 32714209 ecr 1019531487], length 1340
    21:11:10.381967 IP (tos 0x0, ttl 64, id 33728, offset 0, flags [DF], proto TCP (6), length 1392)
    dymanicDNS.webadmin > 192.168.1.2.55029: Flags [.], cksum 0x632a (correct), seq 1:1341, ack 518, win 235, options [nop,nop,TS val 32714490 ecr 1019531487], length 1340
    21:11:12.629974 IP (tos 0x0, ttl 64, id 33729, offset 0, flags [DF], proto TCP (6), length 1392)
    dymanicDNS.webadmin > 192.168.1.2.55029: Flags [.], cksum 0x60f8 (correct), seq 1:1341, ack 518, win 235, options [nop,nop,TS val 32715052 ecr 1019531487], length 1340
    21:11:17.125895 IP (tos 0x0, ttl 64, id 33730, offset 0, flags [DF], proto TCP (6), length 1392)
    dymanicDNS.webadmin > 192.168.1.2.55029: Flags [.], cksum 0x5c94 (correct), seq 1:1341, ack 518, win 235, options [nop,nop,TS val 32716176 ecr 1019531487], length 1340
    21:11:26.118004 IP (tos 0x0, ttl 64, id 33731, offset 0, flags [DF], proto TCP (6), length 1392)
    dymanicDNS.webadmin > 192.168.1.2.55029: Flags [.], cksum 0x53cc (correct), seq 1:1341, ack 518, win 235, options [nop,nop,TS val 32718424 ecr 1019531487], length 1340
    21:11:38.288345 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.2.55029 > dymanicDNS.webadmin: Flags [R.], cksum 0x7372 (correct), seq 518, ack 1, win 2051, length 0

Children
No Data