All users can't establish tunnels

If no user can establish remote access SSL VPN tunnels, check the following settings.

SSL VPN global settings

Go to Remote access VPN > SSL VPN > SSL VPN global settings.

Change in global settings

Override hostname

Static public IP addresses

• Single IP address: You can leave Override hostname empty if the firewall has a single static IP address.
• Multiple IP addresses: You can enter the domain name or leave the field empty. The firewall will list all the WAN addresses in the .ovpn file.

Perform the following checks in both scenarios:

1. Open the .ovpn file in a text editor.

2. Check if it contains the domain name or public IP addresses.

   • If it doesn't, download the .ovpn file again and check.
   • Go to Network > Interfaces, and check your WAN interface settings.
   • If you entered the domain name, check its DNS resolution.

Private or dynamic public IP addresses

Choose one of the following options:

• Upstream router: If the firewall has an upstream router, check the following configurations:

  1. Enter the router's public IP address or the domain name in Override hostname.

  2. Configure the router to port-forward SSL VPN traffic to the firewall.

     See How to configure SSL VPN remote access when Sophos Firewall is behind a NAT device.

• Dynamic IP address: To resolve the firewall's dynamic public IP addresses, do as follows:

  1. Go to Network > DDNS and configure the settings. See Add a dynamic DNS provider.
  2. Under Override hostname, enter the DDNS Hostname. It's an FQDN.

SSL server certificate

• Certificate source:

  • ApplianceCertificate or another locally-signed certificate: If you change the Default CA settings, users must download and import the .ovpn file to the VPN client again.
  • External certificate: Upload the certificate, its private key, the intermediate certificate, if any, and the root CA. See SSL VPN global settings.

• If you change the server certificate, users must download and import the .ovpn file to the VPN client again.

• Characters: Don't use UTF-8 encoded characters in certificate and CA settings. See SSL VPN connection error "certificate verify failed".

WAN access

Go to Administration > Device access and select the zones for the following services:

1. SSL VPN: WAN
2. User portal: WAN, LAN
3. (Optional) Ping/Ping6: VPN

DNAT rule

If a DNAT rule with the following settings exists, the firewall matches it first and sends traffic to the permitted network resource instead of establishing the tunnel.

1. Original source: Any
2. Original destination: Any
3. Services: Any or the SSL VPN port and protocol.

Change the DNAT rule's services to exclude the remote access SSL VPN's port-protocol combination. You'll find these on SSL VPN global settings.

SSL VPN service

Check if SSL VPN service is running in the firewall as follows:

1. Sign in to the CLI and enter 5 for Device management and 3 for Advanced shell.

2. Enter the following command:

   service -S | grep sslvpn
   

   • It should show the Running status as follows:

     

   • If it shows UNREGISTERED status, make sure at least one SSL VPN policy exists.

DoS settings

1. Go to Intrusion prevention > DoS & spoof protection.

2. Under DoS settings, check if you selected the flags for UDP, TCP, and ICMP/ICMPv6 flood.

   The firewall drops SSL VPN traffic and ping requests when they cross the corresponding limits.

To prevent this, under DoS bypass rules, add an inbound rule as follows: