
Copyright © 2024 Sophos Ltd

Troubleshooting SSL VPNs on Sophos Firewall

Sophos Firewall
Version: 20.0v1

[Additional Information]

Sophos Firewall
FW3015: Troubleshooting SSL VPNs on Sophos Firewall

January 2024
Version: 20.0v1

© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.

Troubleshooting SSL VPNs on Sophos Firewall - 1



Troubleshooting SSL VPNs on Sophos Firewall


In this chapter you will learn to troubleshoot common issues when configuring and using SSL VPNs on
Sophos Firewall.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ How to configure SSL site-to-site VPNs on Sophos Firewall

DURATION: 5 minutes


Log Files

Review the log file from both the SERVER and the
CLIENT side of the SSL VPN connection

/log/sslvpn.log

The SSL site-to-site VPN between two Sophos Firewalls uses a client-server model. When
troubleshooting issues, it is important to review the log file from both sides of the connection.

The log file is /log/sslvpn.log.


SSL VPN Cannot Connect 1

We will look at two issues that can cause the SSL VPN not to be able to connect. Here you can see the
connection status from the client’s side.


SSL VPN Cannot Connect 2

Wed Jul 22 05:44:49 2020 [20188] OpenVPN 2.3.6 i486-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Feb 15 2020
Wed Jul 22 05:44:49 2020 [20188] library versions: OpenSSL 1.0.2r-fips 26 Feb 2019, LZO 2.09
Wed Jul 22 05:44:49 2020 [20188] MANAGEMENT: client_uid=0
Wed Jul 22 05:44:49 2020 [20188] MANAGEMENT: unix domain socket listening on /tmp/openvpn_mgmt_London grhandle=0x8181ab0
Wed Jul 22 05:44:49 2020 [20188] PLUGIN_INIT: POST /lib/openvpn-plugin-utm.so '[/lib/openvpn-plugin-utm.so] [London]' intercepted=PLUGIN_ROUTE_UP|PLUGIN_ROUTE_PREDOWN
Wed Jul 22 05:44:49 2020 [20188] Socket Buffers: R=[87380->131072] S=[16384->131072]
Wed Jul 22 05:44:49 2020 [20188] RESOLVE: Cannot resolve host address: lon-gw1.sophos.local: Name or service not known
Wed Jul 22 05:44:49 2020 [20209] RESOLVE: Cannot resolve host address: lon-gw1.sophos.local: Name or service not known
Wed Jul 22 05:44:50 2020 [20209] MANAGEMENT: Client connected from /tmp/openvpn_mgmt_London
Wed Jul 22 05:44:50 2020 [20209] MANAGEMENT: CMD 'status'

Starting with the site-to-site VPN, we can check the sslvpn.log and see that the host address cannot be
resolved.

There are two causes for this:

1. The host address has been misconfigured
2. The host address is correct but cannot be resolved

In this case we can easily see that the host address is incorrect because it is using the .local domain. If
the address is correct, the next step in troubleshooting would be to verify the DNS configuration.


SSL VPN Cannot Connect 2

The hostname can be corrected or overridden in the VPN settings.


SSL VPN Cannot Connect 2

It is also possible to override the peer hostname for the site-to-site VPN. If DNS resolution was an
issue, you could override this with an IP address.


SSL VPN Cannot Connect 3

With the host address either corrected or overridden, the VPN will be able to connect.


SSL VPN Cannot Connect 1

The next issue we are going to look at presents in the same way but is caused by a different problem.


SSL VPN Cannot Connect 2

Wed Jul 22 08:02:36 2020 [46625] OpenVPN 2.3.6 i486-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Feb 15 2020
Wed Jul 22 08:02:36 2020 [46625] library versions: OpenSSL 1.0.2r-fips 26 Feb 2019, LZO 2.09
Wed Jul 22 08:02:36 2020 [46625] MANAGEMENT: client_uid=0
Wed Jul 22 08:02:36 2020 [46625] MANAGEMENT: unix domain socket listening on /tmp/openvpn_mgmt_London grhandle=0x992ca90
Wed Jul 22 08:02:36 2020 [46625] PLUGIN_INIT: POST /lib/openvpn-plugin-utm.so '[/lib/openvpn-plugin-utm.so] [London]' intercepted=PLUGIN_ROUTE_UP|PLUGIN_ROUTE_PREDOWN
Wed Jul 22 08:02:36 2020 [46625] Socket Buffers: R=[87380->131072] S=[16384->131072]
Wed Jul 22 08:02:36 2020 [46645] Attempting to establish TCP connection with [AF_INET]10.1.1.100:8443 [nonblock]
Wed Jul 22 08:02:39 2020 [46645] MANAGEMENT: Client connected from /tmp/openvpn_mgmt_London
Wed Jul 22 08:02:39 2020 [46645] MANAGEMENT: CMD 'status'
Wed Jul 22 08:02:46 2020 [46645] TCP: connect to [AF_INET]10.1.1.100:8443 failed, will try again in 5 seconds: Connection timed out

Here we can see a site-to-site VPN failing to connect to the server.


SSL VPN Cannot Connect 2

The first step in troubleshooting this issue is to determine if the traffic is reaching the Sophos Firewall,
and if so, what is happening to it.

Checking the log viewer and applying a filter for the destination port 8443, the default port for SSL
VPN on Sophos Firewall, allows us to see what is happening. You can see that the Appliance Access is
denied. We should go and look at the device access configuration.
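As an added example, not Sophos code and not part of this course, the following Python script applies the two cases from this chapter to sslvpn.log text taken from the client side: it picks out the OpenVPN RESOLVE errors from the first case and the TCP connect timeouts from the second, and maps each to the next check the chapter recommends (correct or override the peer hostname, verify DNS, check device access on port 8443, then trace the route). The embedded log excerpts are constructed from the lines shown above with wrapped lines rejoined; the regular expressions, the function names and the ".local means misconfigured" rule of thumb are the example's own assumptions.

```python
import re

# Sample sslvpn.log excerpts, constructed from the two cases in this chapter
# (wrapped lines rejoined). Hostnames, PIDs and addresses are the course's own
# example values.
DNS_FAILURE_LOG = """\
Wed Jul 22 05:44:49 2020 [20188] Socket Buffers: R=[87380->131072] S=[16384->131072]
Wed Jul 22 05:44:49 2020 [20188] RESOLVE: Cannot resolve host address: lon-gw1.sophos.local: Name or service not known
Wed Jul 22 05:44:49 2020 [20209] RESOLVE: Cannot resolve host address: lon-gw1.sophos.local: Name or service not known
Wed Jul 22 05:44:50 2020 [20209] MANAGEMENT: CMD 'status'
"""

TCP_TIMEOUT_LOG = """\
Wed Jul 22 08:02:36 2020 [46645] Attempting to establish TCP connection with [AF_INET]10.1.1.100:8443 [nonblock]
Wed Jul 22 08:02:39 2020 [46645] MANAGEMENT: CMD 'status'
Wed Jul 22 08:02:46 2020 [46645] TCP: connect to [AF_INET]10.1.1.100:8443 failed, will try again in 5 seconds: Connection timed out
"""

# OpenVPN client-side messages that identify the two failure modes covered here
# (assumed patterns, matched against the log format shown in the chapter).
RESOLVE_RE = re.compile(r"RESOLVE: Cannot resolve host address: (?P<host>\S+?): (?P<reason>.+)$")
TCP_FAIL_RE = re.compile(
    r"TCP: connect to \[AF_INET\](?P<ip>[\d.]+):(?P<port>\d+) failed.*?: (?P<reason>.+)$"
)


def hostname_next_check(host):
    """Apply the chapter's rule of thumb: a peer name in the .local domain is
    almost certainly a misconfigured address; otherwise suspect DNS."""
    if host.lower().endswith(".local"):
        return ("peer hostname looks misconfigured (.local domain): correct it, "
                "or override it with an IP address in the VPN settings")
    return ("hostname may be correct but is not resolving: verify the DNS "
            "configuration on the client firewall, or override with an IP address")


def classify_sslvpn_log(text):
    """Scan sslvpn.log text and return one finding per distinct failure.

    Each finding is a dict with 'cause' ('dns' or 'tcp'), the 'target' that
    failed, the logged 'reason', and the 'next_check' the chapter recommends.
    """
    findings = []
    seen = set()
    for line in text.splitlines():
        m = RESOLVE_RE.search(line)
        if m:
            host = m.group("host")
            if ("dns", host) in seen:
                continue  # OpenVPN retries, so the same error repeats
            seen.add(("dns", host))
            findings.append({
                "cause": "dns",
                "target": host,
                "reason": m.group("reason"),
                "next_check": hostname_next_check(host),
            })
            continue
        m = TCP_FAIL_RE.search(line)
        if m:
            target = f"{m.group('ip')}:{m.group('port')}"
            if ("tcp", target) in seen:
                continue
            seen.add(("tcp", target))
            findings.append({
                "cause": "tcp",
                "target": target,
                "reason": m.group("reason"),
                "next_check": (
                    f"on the server firewall, filter the log viewer on destination "
                    f"port {m.group('port')} and check device access (SSL VPN enabled "
                    f"for the zone, no local ACL exception denying it); if it still "
                    f"fails, trace the route and look for a device blocking the port"
                ),
            })
    return findings


if __name__ == "__main__":
    for label, log in (("DNS case", DNS_FAILURE_LOG), ("TCP case", TCP_TIMEOUT_LOG)):
        for f in classify_sslvpn_log(log):
            print(f"{label}: {f['cause']} failure for {f['target']} ({f['reason']})")
            print(f"  next check: {f['next_check']}")
```

Run it against a copy of /log/sslvpn.log from the client firewall; because the OpenVPN client retries every few seconds, the script reports each distinct target once rather than once per retry.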


SSL VPN Cannot Connect 2

Here we can see that the SSL VPN is not enabled for the WAN zone. Remember to check the local ACL
exception rules as well; even if the SSL VPN is enabled for the WAN zone, there could be an exception
rule denying access.

In this example enabling the SSL VPN would resolve the problem.


SSL VPN Cannot Connect 2

C:\Users\Administrator.SOPHOS>tracert lon-gw1.sophos.www

Tracing route to lon-gw1.sophos.www [10.1.1.100]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  ny-gw.sophos.local [192.168.16.16]
  2     1 ms    <1 ms     1 ms  internet.www [10.2.2.250]
  3     1 ms     1 ms     1 ms  lon-gw1.sophos.www [10.1.1.100]

Trace complete.

C:\Users\Administrator.SOPHOS>

If the problem was not resolved by enabling SSL VPN for the WAN zone in the device access settings,
the next step would be to determine the route the traffic is taking to the Sophos Firewall. You should
then check the configuration of the devices on the route to ensure the port is not being blocked.
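As an added example, not part of the course material, the following Python parses tracert output like the one above into hops, lists every device before the destination as a place to check for port blocking, and offers a plain TCP probe of the SSL VPN port from the client side. The sample output is constructed from the trace shown above; the function names and the reading of a timeout versus a refusal are the example's own assumptions.

```python
import re
import socket

# tracert output constructed from the example in this chapter.
TRACERT_OUTPUT = """\
Tracing route to lon-gw1.sophos.www [10.1.1.100]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  ny-gw.sophos.local [192.168.16.16]
  2     1 ms    <1 ms     1 ms  internet.www [10.2.2.250]
  3     1 ms     1 ms     1 ms  lon-gw1.sophos.www [10.1.1.100]

Trace complete.
"""

SSLVPN_PORT = 8443  # Sophos Firewall default SSL VPN port

HOP_LINE_RE = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<rest>.*)$")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_tracert(text):
    """Parse Windows tracert output into a list of hops.

    Each hop is {'hop': n, 'name': str or None, 'ip': str or None}; a hop that
    only printed '* * *' (request timed out) is kept with ip None so the gap
    in the path stays visible.
    """
    hops = []
    for line in text.splitlines():
        m = HOP_LINE_RE.match(line)
        if not m:
            continue  # header, blank and "Trace complete." lines
        rest = m.group("rest")
        ip_m = IPV4_RE.search(rest)  # RTT columns like "<1 ms" never match this
        ip = ip_m.group(1) if ip_m else None
        name = None
        if ip:
            name_m = re.search(r"(\S+)\s+\[" + re.escape(ip) + r"\]", rest)
            name = name_m.group(1) if name_m else None
        hops.append({"hop": int(m.group("hop")), "name": name, "ip": ip})
    return hops


def devices_to_check(hops, destination_ip):
    """Every hop before the destination is a device that could be blocking the
    SSL VPN port; returned in path order."""
    return [h for h in hops if h["ip"] != destination_ip]


def tcp_probe(host, port=SSLVPN_PORT, timeout=3.0):
    """Attempt a plain TCP handshake to the SSL VPN port; returns (ok, detail).

    A timeout usually means a device on the path (or device access on the
    firewall itself) is dropping the port; an immediate refusal means the host
    is reachable but nothing is listening on that port.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "TCP connection established"
    except socket.timeout:
        return False, "timed out: port filtered on the path or by device access"
    except ConnectionRefusedError:
        return False, "connection refused: host reachable, port not listening"
    except OSError as exc:
        return False, f"error: {exc}"


if __name__ == "__main__":
    hops = parse_tracert(TRACERT_OUTPUT)
    dest = hops[-1]["ip"]
    print("path to", dest)
    for h in devices_to_check(hops, dest):
        print(f"  hop {h['hop']}: {h['name'] or '?'} [{h['ip'] or '*'}] "
              f"- confirm TCP/{SSLVPN_PORT} is allowed through this device")
    ok, detail = tcp_probe(dest)
    print("probe result:", detail)
```

Paste the real tracert output in place of the constructed sample; the hop list then gives you the devices to review in order, and the probe tells you whether the port is being silently dropped (timeout) or reaches a host that is not listening (refused).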


SSL VPN Cannot Connect 2

If the port is being blocked by a device outside of your control and you need to change the port, it can
be done in the SSL VPN settings; however, this requires you to download and install the updated
configuration.


SSL VPN Cannot Connect 3

In this example enabling the SSL VPN for the WAN zone resolved the issue.


Chapter Review

Here are the three main things you learned in this chapter.

The log file for SSL VPNs is /log/sslvpn.log. When troubleshooting SSL VPN issues, you should review the
logs from both sides of the connection.

By default, the SSL VPN port on Sophos Firewall is 8443. This can be changed in the SSL VPN settings.

You need to enable SSL VPN in device access for the zones in which you want to use it.
