Sophos XG Firewall: SSL VPN user unable access LAN

Issue:

SSL VPN users are not able to access the LAN network.

This article covers the troubleshooting steps to perform when the SSL VPN connection succeeds but users are still unable to reach the internal network.

Resolution-1:

User A can connect to the LAN network, but User B, connecting from the same network, cannot reach the LAN resources.

  1. Open User B's SSL VPN client and confirm a successful connection.
  2. Once connected, right-click on the profile and select View Log.
  3. Search for a log entry similar to the following:
    • ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.   [status=5 if_index=3]
  4. If you see a similar entry, the issue may be that the computer is not allowing the current user to add the VPN route to the local routing table.
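To make step 3 repeatable, here is an added example (not from the original article or from Sophos) that scans the client's View Log output for the route-addition failure above and flags the Access is denied case; the log lines it runs on are constructed, and the function and variable names are this example's own.

```python
import re

# Constructed sample of a Windows SSL VPN client log (View Log output); not a real capture.
SAMPLE_LOG = """\
Mon Jan 01 09:00:01 2024 TCP connection established with [AF_INET]203.0.113.10:8443
Mon Jan 01 09:00:03 2024 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.   [status=5 if_index=3]
Mon Jan 01 09:00:03 2024 ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.   [status=5010 if_index=3]
Mon Jan 01 09:00:04 2024 Initialization Sequence Completed
"""

# Win32 ERROR_ACCESS_DENIED; the only status this article ties to the permission problem.
ERROR_ACCESS_DENIED = 5

# Matches the client's route failure line and pulls out API, message, status and interface index.
ROUTE_FAILURE = re.compile(
    r"ROUTE: route addition failed using (?P<api>\w+): (?P<message>.+?)\s*"
    r"\[status=(?P<status>\d+) if_index=(?P<if_index>\d+)\]"
)


def find_route_failures(log_text):
    """Return one dict per 'route addition failed' line: api, message, status, if_index."""
    failures = []
    for line in log_text.splitlines():
        m = ROUTE_FAILURE.search(line)
        if m:
            failures.append({
                "api": m.group("api"),
                "message": m.group("message"),
                "status": int(m.group("status")),
                "if_index": int(m.group("if_index")),
            })
    return failures


def needs_elevation(log_text):
    """True when at least one route failed with Access is denied (status=5)."""
    return any(f["status"] == ERROR_ACCESS_DENIED for f in find_route_failures(log_text))


def summarize(log_text):
    """One triage line per failure; only the status=5 case points at the elevation fix."""
    lines = []
    for f in find_route_failures(log_text):
        hint = "run the client elevated" if f["status"] == ERROR_ACCESS_DENIED else "not the permission issue"
        lines.append(f"{f['api']} status={f['status']} if_index={f['if_index']}: {f['message']} -> {hint}")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
    print("elevation required:", needs_elevation(SAMPLE_LOG))
```

Other status values (such as the constructed 5010 line) are listed but not treated as the permission problem, so a log with only those should send you to Resolution-2 rather than to the compatibility setting.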

To fix this issue:

  1. Open Windows Explorer.
  2. Search for SSL VPN.
  3. Right-click and open the file location.
  4. Open the Compatibility tab.
  5. Check Run this program as an administrator.
  6. Select Apply and OK.

(Screenshot: SSL VPN properties)

Note: This is a security measure imposed by Microsoft, not by OpenVPN.

Resolution-2:

When you update Permitted networks or Idle time-out in SSL VPN policies, the changes are not pushed to VPN clients when they connect after the change was applied.

For Permitted networks, clients will be able to connect again but they will not be able to reach the newly added network. Permitted network removal is not affected by this issue.

There are two workarounds available before the affected endpoint computer tries to connect again:

  • If you have both site-to-site and remote access SSL VPN configurations, go to VPN settings > SSL VPN, change any value (for example, Disconnect idle peer after) and save the configuration. Changing the value and applying the SSL VPN settings restarts the VPN service without the need to go to the CLI. Note that it also disrupts established tunnels.
  • If you only have remote access SSL VPN configurations, on the command-line console go to Device management > Advanced shell and enter the following command to delete the existing configuration file:
    rm -rf /tmp/openvpn/conf.d/*

Hope this article helps you.