Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=remote-access-SSL-VPN-troubleshoot-tunnel-routing

Reply traffic isn't routed to SSL VPN tunnel

If the endpoint request reaches the permitted resource but reply traffic from the resource doesn't reach the endpoint, check the following settings.

  • Scenario: Routes

    • Routes on the endpoint: SSL VPN policy
    • Default gateway for the permitted resource: SNAT rule
    • Alternative routes: Route precedence

To troubleshoot issues with endpoint traffic reaching the resource, see Network behind firewall is unreachable.

Remote access SSL VPN flow diagram.

Reply from resource to firewall

Make sure the route table in the permitted resource has the firewall as a gateway.

Reply from firewall to endpoint

If reply traffic reaches the firewall but doesn't enter the SSL VPN tunnel, check the route precedence.

Route precedence

See the route precedence on Routing > SD-WAN routes.

If precedence is set to SD-WAN before static routes, traffic is sent through an SD-WAN route with the following settings:

  • Source networks: Permitted network resources or Any
  • Destination networks and services: Any
  • Services: Any

To resolve the issue, change at least one of the following in the SD-WAN route:

  • Destination networks and services: Change it to exclude the SSL VPN lease range.
  • Services: Change it to exclude the SSL VPN port and protocol.

Note

Alternatively, you can change the route precedence, but this global setting can affect other traffic. See Route precedence and VPN traffic.