
Some users can't establish tunnels

If some users can't establish remote access SSL VPN tunnels, check the following settings.

  • Scenario


    • User's internet and endpoint permissions
    • Username and domain name in the firewall
    • Android devices using OpenVPN clients

Check the configurations

In the endpoint

  1. User's internet:

    • Make sure the user's internet connection is working.
    • Users can also restart their router and try again.
  2. Check permissions, such as those in the endpoint OS, firewall, and antivirus.

In the firewall

The combined length of username and domain name must not exceed 51 characters. See Unable to connect SSL VPN.

Test the connectivity

In the firewall

To check connectivity on the SSL VPN port, do as follows in the firewall:

  1. While you make a connection attempt from the endpoint, do as follows:

    1. Go to Diagnostics > Packet capture.
    2. Turn on Packet capture, and click Configure.
    3. Enter the following under BPF string: port <SSL VPN port number>

      Example screenshot: Packet capture for traffic on SSL VPN port from endpoint.

    4. To verify the endpoint details, click the Details button in the Sophos Connect client.

      Example screenshot: IP addresses in the Sophos Connect client.

    Alternatively, you can do a tcpdump in Advanced shell using the following command:

    tcpdump "port <SSL VPN port number>"

  2. If the endpoint traffic doesn't reach the firewall, the user's ISP may have blocked the SSL VPN port-protocol combination. Try using a combination they allow, for example, TCP 443 in SSL VPN global settings.

    Requirement

    If you change the SSL VPN port or protocol, all users must download and import the .ovpn file to the VPN client again.
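The check in steps 1 and 2, as an added example that is not part of the original Sophos documentation: a shell function that reads saved tcpdump text output and reports whether the affected endpoint's packets reached the firewall on the SSL VPN port. It assumes the capture was taken with tcpdump's `-n` option (numeric addresses and ports) and uses the default one-line-per-packet format; the function name, result labels, addresses, and port 8443 are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify saved `tcpdump -n "port <SSL VPN port number>"` output.
# Usage: classify_capture <endpoint public IP> <SSL VPN port> < capture.txt
classify_capture() {
  awk -v ep="$1" -v port="$2" '
    # Assumed line format: "<time> IP <src>.<sport> > <dst>.<dport>: ..."
    $2 == "IP" && $4 == ">" {
      src = $3; dst = $5; sub(/:$/, "", dst)
      # Split "a.b.c.d.port" at the last dot into address and port.
      sport = src; sub(/^.*\./, "", sport); saddr = src; sub(/\.[0-9]+$/, "", saddr)
      dport = dst; sub(/^.*\./, "", dport); daddr = dst; sub(/\.[0-9]+$/, "", daddr)
      if (saddr == ep && dport == port) inbound++    # endpoint -> firewall
      if (daddr == ep && sport == port) outbound++   # firewall -> endpoint
    }
    END {
      if (!inbound)       print "no-traffic-from-endpoint"
      else if (!outbound) print "inbound-only"
      else                print "bidirectional"
    }'
}

# Constructed sample captures (documentation addresses, port 8443 assumed).
SAMPLE_OK='12:00:01.000001 IP 203.0.113.10.51234 > 198.51.100.5.8443: Flags [S], seq 1, win 64240, length 0
12:00:01.000150 IP 198.51.100.5.8443 > 203.0.113.10.51234: Flags [S.], seq 9, ack 2, win 65160, length 0'
SAMPLE_INBOUND_ONLY='12:00:01.000001 IP 203.0.113.10.51234 > 198.51.100.5.8443: Flags [S], seq 1, win 64240, length 0
12:00:02.000001 IP 203.0.113.10.51234 > 198.51.100.5.8443: Flags [S], seq 1, win 64240, length 0'
# Only a different endpoint appears; the affected user (203.0.113.10) does not.
SAMPLE_MISSING='12:00:01.000001 IP 192.0.2.77.40000 > 198.51.100.5.8443: UDP, length 42
12:00:01.000150 IP 198.51.100.5.8443 > 192.0.2.77.40000: UDP, length 54'

for s in "$SAMPLE_OK" "$SAMPLE_INBOUND_ONLY" "$SAMPLE_MISSING"; do
  printf '%s\n' "$s" | classify_capture 203.0.113.10 8443
done
```

A result of `no-traffic-from-endpoint` during a connection attempt is the case step 2 describes, where the endpoint traffic doesn't reach the firewall. Use the endpoint IP address as the firewall sees it, which may differ from the address shown on the endpoint if the user is behind NAT.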
