VPN SSL cannot download

A curious thing happens to me with an SSL VPN. Remotely I control a firewall via SSL VPN; everything is OK and I can monitor everything. The VPN is set to "force all traffic through tunnel", but if I try to download a file, the download starts and then suddenly it crashes and the WSM also disconnects. If I try to ping from Google it doesn't respond, but the VPN is always active. Any ideas?



    Check your Dynamic NAT settings.
    Make sure you have an entry which includes the SSLVPN subnet.

    Also check Traffic Monitor to see if anything obvious is there.


    Bruce, any example?


    Any example of what?


    You can turn on Logging on your Allow SSLVPN-Users policy to see packets allowed by it in Traffic Monitor.

    You see a src_ip_nat section in log entries, which indicates that you do have a Dynamic NAT entry which includes the IP addr for the SSLVPN connection.

    2020-11-22 15:11:15 Allow https/tcp 53977 443 0-SSL-VPN External Allowed 52 127 (HTTPS-Bruce-VPN-test-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="xxx.xxx.58.46" tcp_info="offset 8 S 3130143562 win 61690" src_user="BruceVPN@Firebox-DB" geo_dst="USA" Traffic
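As an added example (not part of this thread and not WatchGuard code), here is a small parser for Traffic Monitor lines of the kind quoted above. It splits the positional fields and the `key="value"` pairs, then reports, for every connection whose source interface is the SSL-VPN interface, whether `src_ip_nat` carries a value, is present but empty, or is absent. The first two sample lines are the ones posted in this thread; the last two are constructed for the example (one with no `src_ip_nat` field, one from a Trusted interface that the audit should skip). The interface name `0-SSL-VPN` is taken from the thread; policy names in the constructed lines are made up.

```python
import re
from typing import Dict, List

# Added example, not from the thread: parse WatchGuard Traffic Monitor lines and
# check whether connections entering from the SSL-VPN interface carry a
# src_ip_nat value (the sign that a Dynamic NAT entry is applied to them).

KV_RE = re.compile(r'(\w+)="([^"]*)"')      # key="value" pairs
POLICY_RE = re.compile(r'\(([^)]*)\)')      # policy name in parentheses


def parse_traffic_line(line: str) -> Dict[str, str]:
    """Split one Traffic Monitor line into positional fields plus key="value" pairs."""
    tokens = line.split()
    fields: Dict[str, str] = dict(KV_RE.findall(line))
    fields["timestamp"] = f"{tokens[0]} {tokens[1]}"
    fields["action"] = tokens[2]          # Allow / Deny
    fields["proto"] = tokens[3]           # e.g. https/tcp, icmp
    i = 4
    if "/" in fields["proto"]:            # tcp/udp lines carry src and dst ports; icmp lines do not
        fields["src_port"], fields["dst_port"] = tokens[4], tokens[5]
        i = 6
    fields["src_iface"], fields["dst_iface"] = tokens[i], tokens[i + 1]
    m = POLICY_RE.search(line)
    if m:
        fields["policy"] = m.group(1)
    return fields


def nat_status(fields: Dict[str, str]) -> str:
    """'natted' when src_ip_nat has a value, 'empty' when present but blank, 'absent' otherwise."""
    if "src_ip_nat" not in fields:
        return "absent"
    return "natted" if fields["src_ip_nat"] else "empty"


def audit_sslvpn_nat(lines: List[str], vpn_iface: str = "0-SSL-VPN") -> List[Dict[str, str]]:
    """Return one record per line whose source interface is the SSL-VPN interface."""
    records = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_traffic_line(line)
        if f["src_iface"] != vpn_iface:
            continue
        records.append({
            "timestamp": f["timestamp"],
            "proto": f["proto"],
            "policy": f.get("policy", ""),
            "nat": nat_status(f),
        })
    return records


# Sample input: the first two lines are the ones posted in this thread; the last
# two are constructed for this example (one without any src_ip_nat field, one
# from a Trusted interface that the audit must ignore).
SAMPLE_LINES = [
    '2020-11-22 15:11:15 Allow https/tcp 53977 443 0-SSL-VPN External Allowed 52 127 '
    '(HTTPS-Bruce-VPN-test-00) proc_id="firewall" rc="100" msg_id="3000-0148" '
    'src_ip_nat="xxx.xxx.58.46" tcp_info="offset 8 S 3130143562 win 61690" '
    'src_user="BruceVPN@Firebox-DB" geo_dst="USA" Traffic',
    '2020-11-23 13:59:04 Allow icmp 0-SSL-VPN External Allowed 60 127 (Ping-00) '
    'proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="xxx.xxx.58.46" '
    'src_user="BruceVPN@Firebox-DB" geo_dst="USA" Traffic',
    '2020-11-23 19:02:10 Allow https/tcp 50001 443 0-SSL-VPN External Allowed 52 127 '
    '(Allow-SSLVPN-Users-00) proc_id="firewall" rc="100" msg_id="3000-0148" '
    'tcp_info="offset 8 S 1 win 64240" src_user="test@Firebox-DB" geo_dst="USA" Traffic',
    '2020-11-23 19:03:00 Allow https/tcp 50002 443 1-Trusted External Allowed 52 127 '
    '(HTTPS-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="xxx.xxx.58.46" Traffic',
]

if __name__ == "__main__":
    for record in audit_sslvpn_nat(SAMPLE_LINES):
        print(record)
```

Run it over an export from Traffic Monitor (one line per entry) and look for `absent` or `empty` records on the SSL-VPN interface; the parser stops at the interface pair, so the extra tokens that proxy entries add after it ("Application identified", `app_name`, and so on) do not break it.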


    It seems so, here's what I see:

    2020-11-23 16:49:05 Allow https/tcp 51934 443 INTERNAL WAN Application identified 40 128 (DPI HTTPS-proxy-00) proc_id="firewall" rc="100" msg_id="3000-0149" src_ip_nat="xxx.xx.141.2" tcp_info="offset 5 AF 4231312110 win 258" app_id="185" app_name="SSL/TLS" app_cat_id="20" app_cat_name="Network protocols" app_beh_id="6" app_beh_name="Access" geo_dst="USA" Traffic


    One does not see a src_ip_nat section in HTTPS proxy log entries - no idea why.
    Thus your posted log entry does not prove or disprove that you do have a Dynamic NAT entry which includes the SSLVPN subnet - Any-external


    I had disabled the logs, look now:

    2020-11-23 18:14:51 Allow https/tcp 63340 443 0-SSL-VPN WAN Application identified 40 64 (DPI HTTPS-proxy-00) proc_id="firewall" rc="100" msg_id="3000-0149" src_ip_nat="" tcp_info="offset 5 AF 2319411342 win 24065" app_id="94" app_name="HTTP Protocol over TLS SSL" app_cat_id="19" app_cat_name="Network protocols" app_beh_id="6" app_beh_name="Access" src_user="vpncris@Firebox-DB" geo_dst="USA" Traffic


    That does prove that you do have a Dynamic NAT entry for the SSLVPN subnet.

    re. your file download issue when connected via SSLVPN:
    Could be an MTU issue. With most VPN connections the data portion of the packet is reduced due to the addition of encryption info.

    You can use Alan's old PMTU script to change Windows so that it automatically identifies the correct MTU to use for a session.
    I have listed that script in this topic:

    IKEV2 sound
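To show what a PMTU script of the kind mentioned above has to do, here is an added example (my own, not Alan's script and not from this thread). It binary-searches the largest packet that a path accepts with Don't Fragment set, and converts that to the ping data size, since an IPv4 echo request adds 20 bytes of IP header and 8 bytes of ICMP header. The path itself is simulated: the 1500-byte link MTU and the 100-byte tunnel overhead are assumptions chosen for the example, not measured values for any SSL VPN. On a real Windows client the probe would be `ping -f -l <size> <host>` (`-f` sets Don't Fragment, `-l` sets the data size) and the result goes into the adapter's MTU.

```python
from typing import Callable, Optional

# Added example, not the script referenced in the thread. Binary-search path MTU
# discovery against a probe function, plus a simulated SSL VPN path.

IP_HEADER = 20      # IPv4 header without options
ICMP_HEADER = 8     # ICMP echo header


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> Optional[int]:
    """Largest total IP packet size in [lo, hi] that probe() delivers unfragmented.

    probe(size) must return True when a Don't-Fragment packet of `size` bytes
    gets through. Returns None if even the smallest size fails.
    """
    if not probe(lo):
        return None
    if probe(hi):
        return hi
    while lo < hi:
        mid = (lo + hi + 1) // 2       # bias upward so the loop always makes progress
        if probe(mid):
            lo = mid                   # mid fits: the answer is at least mid
        else:
            hi = mid - 1               # mid is too big
    return lo


def ping_payload_for(mtu: int) -> int:
    """Ping data size that produces an IP packet of exactly `mtu` bytes."""
    return mtu - IP_HEADER - ICMP_HEADER


def make_tunnel_probe(link_mtu: int = 1500, tunnel_overhead: int = 100) -> Callable[[int], bool]:
    """Simulated VPN path: the inner packet plus tunnel overhead must fit the link MTU.

    Both defaults are assumptions for the example; a real tunnel's overhead depends
    on the encapsulation and cipher in use.
    """
    def probe(size: int) -> bool:
        return size + tunnel_overhead <= link_mtu
    return probe


if __name__ == "__main__":
    mtu = find_path_mtu(make_tunnel_probe())
    print(f"path MTU through simulated tunnel: {mtu}")
    if mtu is not None:
        print(f"largest non-fragmenting ping data size: {ping_payload_for(mtu)}")
```

The point of the search is that a tunnel can pass small packets (pings, the start of a download) while silently dropping full-size ones when ICMP "fragmentation needed" messages do not make it back, which is exactly the pattern of a download that starts and then stalls. Measuring the real value and lowering the client's MTU to it avoids relying on that ICMP feedback.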


    I have no problem pinging when connected to SSLVPN:

    2020-11-23 13:59:04 Allow icmp 0-SSL-VPN External Allowed 60 127 (Ping-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="xxx.xxx.58.46" src_user="BruceVPN@Firebox-DB" geo_dst="USA" Traffic


    Thanks, Bruce.
