FW3015 20.0v1 Troubleshooting SSL VPNs On Sophos Firewall
Troubleshooting SSL VPNs on Sophos Firewall
Sophos Firewall
Version: 20.0v1
[Additional Information]
Sophos Firewall
FW3015: Troubleshooting SSL VPNs on Sophos Firewall
January 2024
Version: 20.0v1
© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.
DURATION 5 minutes
In this chapter you will learn to troubleshoot common issues when configuring and using SSL VPNs on
Sophos Firewall.
Log Files
Review the log file from both the SERVER and the CLIENT side of the SSL VPN connection
/log/sslvpn.log
The SSL site-to-site VPN between two Sophos Firewalls uses a client-server model. When
troubleshooting issues, it is important to review the log file from both sides of the connection.
We will look at two issues that can cause the SSL VPN not to be able to connect. Here you can see the
connection status from the client’s side.
Wed Jul 22 05:44:49 2020 [20188] OpenVPN 2.3.6 i486-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Feb 15 2020
Wed Jul 22 05:44:49 2020 [20188] library versions: OpenSSL 1.0.2r-fips 26 Feb 2019, LZO 2.09
Wed Jul 22 05:44:49 2020 [20188] MANAGEMENT: client_uid=0
Wed Jul 22 05:44:49 2020 [20188] MANAGEMENT: unix domain socket listening on /tmp/openvpn_mgmt_London grhandle=0x8181ab0
Wed Jul 22 05:44:49 2020 [20188] PLUGIN_INIT: POST /lib/openvpn-plugin-utm.so '[/lib/openvpn-plugin-utm.so] [London]' intercepted=PLUGIN_ROUTE_UP|PLUGIN_ROUTE_PREDOWN
Wed Jul 22 05:44:49 2020 [20188] Socket Buffers: R=[87380->131072] S=[16384->131072]
Wed Jul 22 05:44:49 2020 [20188] RESOLVE: Cannot resolve host address: lon-gw1.sophos.local: Name or service not known
Wed Jul 22 05:44:49 2020 [20209] RESOLVE: Cannot resolve host address: lon-gw1.sophos.local: Name or service not known
Wed Jul 22 05:44:50 2020 [20209] MANAGEMENT: Client connected from /tmp/openvpn_mgmt_London
Wed Jul 22 05:44:50 2020 [20209] MANAGEMENT: CMD 'status'
Starting with the site-to-site VPN, we can check the sslvpn.log and see that the host address cannot be
resolved.
In this case we can easily see that the host address is incorrect because it is using the .local domain. If
the address is correct, the next step in troubleshooting would be to verify the DNS configuration.
It is also possible to override the peer hostname for the site-to-site VPN. If DNS resolution was an
issue, you could override this with an IP address.
With the host address either corrected or overridden, the VPN will be able to connect.
The next issue we are going to look at presents in the same way but is caused by a different problem.
Wed Jul 22 08:02:36 2020 [46625] OpenVPN 2.3.6 i486-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Feb 15 2020
Wed Jul 22 08:02:36 2020 [46625] library versions: OpenSSL 1.0.2r-fips 26 Feb 2019, LZO 2.09
Wed Jul 22 08:02:36 2020 [46625] MANAGEMENT: client_uid=0
Wed Jul 22 08:02:36 2020 [46625] MANAGEMENT: unix domain socket listening on /tmp/openvpn_mgmt_London grhandle=0x992ca90
Wed Jul 22 08:02:36 2020 [46625] PLUGIN_INIT: POST /lib/openvpn-plugin-utm.so '[/lib/openvpn-plugin-utm.so] [London]' intercepted=PLUGIN_ROUTE_UP|PLUGIN_ROUTE_PREDOWN
Wed Jul 22 08:02:36 2020 [46625] Socket Buffers: R=[87380->131072] S=[16384->131072]
Wed Jul 22 08:02:36 2020 [46645] Attempting to establish TCP connection with [AF_INET]10.1.1.100:8443 [nonblock]
Wed Jul 22 08:02:39 2020 [46645] MANAGEMENT: Client connected from /tmp/openvpn_mgmt_London
Wed Jul 22 08:02:39 2020 [46645] MANAGEMENT: CMD 'status'
Wed Jul 22 08:02:46 2020 [46645] TCP: connect to [AF_INET]10.1.1.100:8443 failed, will try again in 5 seconds: Connection timed out
The first step in troubleshooting this issue is to determine if the traffic is reaching the Sophos Firewall,
and if so, what is happening to it.
Checking the log viewer and applying a filter for the destination port 8443, the default port for SSL
VPN on Sophos Firewall, allows us to see what is happening. You can see that the Appliance Access is
denied. We should go and look at the device access configuration.
Here we can see that the SSL VPN is not enabled for the WAN zone. Remember to check the local ACL
exception rules as well; even if the SSL VPN is enabled for the WAN zone, there could be an exception
rule denying access.
In this example enabling the SSL VPN would resolve the problem.
C:\Users\Administrator.SOPHOS>tracert lon-gw1.sophos.www
Trace complete.
C:\Users\Administrator.SOPHOS>
If the problem was not resolved by enabling SSL VPN for the WAN zone in the device access settings,
the next step would be to determine the route the traffic is taking to the Sophos Firewall. You should
then check the configuration of the devices on the route to ensure the port is not being blocked.
If the port is being blocked by a device outside of your control and you need to change the port, it can
be done in the SSL VPN settings; however, this would require you to download and install the updated
configuration on the client side.
In this example enabling the SSL VPN for the WAN zone resolved the issue.
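The two cases above can be told apart mechanically from the client-side sslvpn.log: a RESOLVE line points at name resolution, while a "TCP: connect to ... failed" line points at the traffic never reaching (or being dropped by) the server. The following Python triage script is an added example and is not part of the course material or of any Sophos tool; the log excerpts embedded in it are constructed from the two cases shown above, the next-step lists are taken from the text, and the `Finding` class, regexes and `triage` function are assumptions of this example.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sslvpn.log excerpts modelled on the two cases above (not real captures).
DNS_FAILURE_LOG = """\
Wed Jul 22 05:44:49 2020 [20188] Socket Buffers: R=[87380->131072] S=[16384->131072]
Wed Jul 22 05:44:49 2020 [20188] RESOLVE: Cannot resolve host address: lon-gw1.sophos.local: Name or service not known
Wed Jul 22 05:44:49 2020 [20209] RESOLVE: Cannot resolve host address: lon-gw1.sophos.local: Name or service not known
Wed Jul 22 05:44:50 2020 [20209] MANAGEMENT: CMD 'status'
"""

TCP_TIMEOUT_LOG = """\
Wed Jul 22 08:02:36 2020 [46645] Attempting to establish TCP connection with [AF_INET]10.1.1.100:8443 [nonblock]
Wed Jul 22 08:02:39 2020 [46645] MANAGEMENT: CMD 'status'
Wed Jul 22 08:02:46 2020 [46645] TCP: connect to [AF_INET]10.1.1.100:8443 failed, will try again in 5 seconds: Connection timed out
Wed Jul 22 08:02:56 2020 [46645] TCP: connect to [AF_INET]10.1.1.100:8443 failed, will try again in 5 seconds: Connection timed out
"""

DEFAULT_SSLVPN_PORT = 8443  # default SSL VPN port on Sophos Firewall

# "Wed Jul 22 05:44:49 2020 [20188] <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[(?P<pid>\d+)\] (?P<msg>.*)$")
RESOLVE_RE = re.compile(r"^RESOLVE: Cannot resolve host address: (?P<host>[^:]+): (?P<reason>.+)$")
TCP_FAIL_RE = re.compile(r"^TCP: connect to \[AF_INET\](?P<ip>[\d.]+):(?P<port>\d+) failed.*: (?P<reason>.+)$")


@dataclass
class Finding:
    kind: str            # "dns_resolution" or "tcp_connect" (hypothetical labels)
    target: str          # unresolved hostname, or ip:port that did not answer
    occurrences: int     # how many times the same failure was logged
    reason: str          # reason text from the log line
    next_steps: list = field(default_factory=list)


def parse_lines(log_text):
    """Yield (timestamp, pid, message) for each well-formed OpenVPN log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["pid"], m["msg"]


def triage(log_text):
    """Classify client-side failures and attach the checks described in the chapter."""
    resolve_hosts, tcp_targets, reasons = Counter(), Counter(), {}
    for _ts, _pid, msg in parse_lines(log_text):
        m = RESOLVE_RE.match(msg)
        if m:
            resolve_hosts[m["host"]] += 1
            reasons[m["host"]] = m["reason"]
            continue
        m = TCP_FAIL_RE.match(msg)
        if m:
            key = (m["ip"], int(m["port"]))
            tcp_targets[key] += 1
            reasons[key] = m["reason"]

    findings = []
    for host, n in resolve_hosts.items():
        steps = ["Check the peer host address configured for the site-to-site VPN"]
        if host.endswith(".local"):
            steps.append("Host uses the .local domain, so the configured address is most likely wrong")
        steps += ["If the address is correct, verify the DNS configuration",
                  "Alternatively, override the peer hostname with an IP address"]
        findings.append(Finding("dns_resolution", host, n, reasons[host], steps))

    for (ip, port), n in tcp_targets.items():
        steps = [f"On the server, filter the log viewer on destination port {port} and look for Appliance Access denied",
                 "Check device access: SSL VPN must be enabled for the zone the client connects from (e.g. WAN)",
                 "Check the local ACL exception rules for a rule denying access",
                 f"Trace the route to {ip} and confirm no device on the path blocks port {port}"]
        if port != DEFAULT_SSLVPN_PORT:
            steps.append(f"Port {port} is not the default {DEFAULT_SSLVPN_PORT}: confirm the client config "
                         "was re-downloaded and installed after the port change")
        findings.append(Finding("tcp_connect", f"{ip}:{port}", n, reasons[(ip, port)], steps))
    return findings


if __name__ == "__main__":
    for sample in (DNS_FAILURE_LOG, TCP_TIMEOUT_LOG):
        for f in triage(sample):
            print(f"{f.kind}: {f.target} x{f.occurrences} ({f.reason})")
            for step in f.next_steps:
                print("  -", step)
```

Run against a real /log/sslvpn.log, the script only reads the client side; the server-side log viewer check and the device access review still have to be done on the Sophos Firewall itself, as the text describes.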
Chapter Review
The log file for SSL VPNs is /log/sslvpn.log. When troubleshooting SSL VPN issues, you should review the
logs from both sides of the connection.
By default, the SSL VPN port on Sophos Firewall is 8443. This can be changed in the SSL VPN settings.
You need to enable SSL VPN in device access for the zones in which you want to use it.