Some users can't establish tunnels
If some users can't establish remote access SSL VPN tunnels, check the following settings.
Scenario
- User's internet and endpoint permissions
- Username and domain name in the firewall
- Android devices using OpenVPN clients
Check the configurations
In the endpoint
- User's internet:
  - Make sure users' internet is working.
  - Users can also restart their router and try again.
- Check permissions, such as those in the endpoint OS, firewall, and antivirus.
In the firewall
The combined length of username and domain name must not exceed 51 characters. See Unable to connect SSL VPN.
Test the connectivity
In the firewall
To see the SSL VPN port connectivity, do as follows in the firewall:
- While you make a connection attempt from the endpoint, do as follows:
  - Go to Diagnostics > Packet capture.
  - Turn on Packet capture, and click Configure.
  - Enter the following under BPF string:
    port <SSL VPN port number>
- To verify the endpoint details, click the Details button in the Sophos Connect client.
Alternatively, you can do a tcpdump in Advanced shell using the following command:
    tcpdump "port <SSL VPN port number>"
- If the endpoint traffic doesn't reach the firewall, the user's ISP may have blocked the SSL VPN port-protocol combination. Try using a combination they allow, for example, TCP 443 on SSL VPN global settings.
Requirement
If you change the SSL VPN port or protocol, all users must download and import the .ovpn file to the VPN client again.
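As an added example (not part of the original page or of Sophos tooling), the shell function below reads saved text output of the tcpdump command above and reports whether the endpoint's packets reached the SSL VPN port. It goes a step beyond the page by also reporting whether the firewall replied. The function name, the sample addresses and port 8443 are assumptions, as are IPv4 and tcpdump's default one-line output format.

```shell
#!/bin/sh
# Added example: classify saved `tcpdump "port <SSL VPN port number>"` text output.
# Assumes IPv4 and the default line format: <time> IP <src.port> > <dst.port>: ...

classify_capture() {
    # $1 = endpoint's public IP, $2 = SSL VPN port; capture text is read from stdin.
    awk -v ep="$1" -v port="$2" '
        function ends_with(s, suf) {
            return substr(s, length(s) - length(suf) + 1) == suf
        }
        $2 == "IP" && $4 == ">" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            # Packet from the endpoint to the SSL VPN port on the firewall.
            if (index(src, ep ".") == 1 && ends_with(dst, "." port)) inbound++
            # Packet from the SSL VPN port on the firewall back to the endpoint.
            if (index(dst, ep ".") == 1 && ends_with(src, "." port)) outbound++
        }
        END {
            if (!inbound)       print "no-traffic"     # endpoint traffic did not reach the firewall
            else if (!outbound) print "inbound-only"   # reached the firewall, no reply captured
            else                print "bidirectional"  # traffic seen in both directions
        }'
}

# Constructed sample captures (documentation address ranges, illustrative port 8443).
# SAMPLE_BLOCKED contains only another host's traffic, none from 203.0.113.10.
SAMPLE_BLOCKED='12:00:01.000001 IP 203.0.113.77.40000 > 198.51.100.1.8443: Flags [S], seq 1, win 64240, length 0'
SAMPLE_OK='12:00:02.000001 IP 203.0.113.10.51234 > 198.51.100.1.8443: Flags [S], seq 10, win 64240, length 0
12:00:02.000150 IP 198.51.100.1.8443 > 203.0.113.10.51234: Flags [S.], seq 20, ack 11, win 65535, length 0'

printf '%s\n' "$SAMPLE_BLOCKED" | classify_capture 203.0.113.10 8443   # no-traffic
printf '%s\n' "$SAMPLE_OK"      | classify_capture 203.0.113.10 8443   # bidirectional
```

A `no-traffic` result for the endpoint's IP during a connection attempt corresponds to the case above where the endpoint traffic doesn't reach the firewall.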
Android devices using OpenVPN clients
An OpenVPN version has compatibility issues with SSL VPN compression. See Temporary Fix OpenVPN (3.4.0) No Compression (Android Devices).