VPN SSL cannot download
Hello,
A curious thing happens to me with an SSL VPN. I remotely manage a firewall via SSL VPN, and everything is OK, I can monitor everything. The VPN is set to "force all traffic through tunnel", but if I try to download a file, the download starts and then suddenly crashes, and WSM also disconnects. If I try to ping Google's 8.8.8.8 it doesn't respond, but the VPN is always active. Any ideas?
Comments
Check your Dynamic NAT settings.
Make sure you have an entry which includes the SSLVPN subnet.
Also check Traffic Monitor to see if anything obvious is there.
Bruce, any example?
Any example of what?
You can turn on Logging on your Allow SSLVPN-Users policy to see packets allowed by it in Traffic Monitor.
You see a src_ip_nat section in log entries, which indicates that you do have a Dynamic NAT entry which includes the IP addr for the SSLVPN connection.
Example:
2020-11-22 15:11:15 Allow 192.168.222.2 72.26.124.44 https/tcp 53977 443 0-SSL-VPN External Allowed 52 127 (HTTPS-Bruce-VPN-test-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="xxx.xxx.58.46" tcp_info="offset 8 S 3130143562 win 61690" src_user="BruceVPN@Firebox-DB" geo_dst="USA" Traffic
It seems so; here's what I see:
2020-11-23 16:49:05 Allow 192.168.1.58 3.214.160.200 https/tcp 51934 443 INTERNAL WAN Application identified 40 128 (DPI HTTPS-proxy-00) proc_id="firewall" rc="100" msg_id="3000-0149" src_ip_nat="xxx.xx.141.2" tcp_info="offset 5 AF 4231312110 win 258" app_id="185" app_name="SSL/TLS" app_cat_id="20" app_cat_name="Network protocols" app_beh_id="6" app_beh_name="Access" geo_dst="USA" Traffic
One does not see a src_ip_nat section in HTTPS proxy log entries - no idea why.
Thus your posted log entry does not prove or disprove that you do have a Dynamic NAT entry which includes the SSLVPN subnet - Any-external
I had disabled the logs; look now:
2020-11-23 18:14:51 Allow 192.168.113.2 104.19.147.8 https/tcp 63340 443 0-SSL-VPN WAN Application identified 40 64 (DPI HTTPS-proxy-00) proc_id="firewall" rc="100" msg_id="3000-0149" src_ip_nat="172.16.141.2" tcp_info="offset 5 AF 2319411342 win 24065" app_id="94" app_name="HTTP Protocol over TLS SSL" app_cat_id="19" app_cat_name="Network protocols" app_beh_id="6" app_beh_name="Access" src_user="vpncris@Firebox-DB" geo_dst="USA" Traffic
That does prove that you do have a Dynamic NAT entry for the SSLVPN subnet.
Re: your file download issue when connected via SSLVPN:
Could be an MTU issue. With most VPN connections the data portion of the packet is reduced due to the addition of encryption info.
You can use Alan's old PMTU script to change Windows so that it automatically identifies the correct MTU to use for a session.
I have listed that script in this topic:
IKEV2 sound
https://community.watchguard.com/watchguard-community/discussion/comment/5280#Comment_5280
I have no problem pinging 8.8.8.8 when connected to SSLVPN:
2020-11-23 13:59:04 Allow 192.168.222.2 8.8.8.8 icmp 0-SSL-VPN External Allowed 60 127 (Ping-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="xxx.xxx.58.46" src_user="BruceVPN@Firebox-DB" geo_dst="USA" Traffic
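An added example, not code from the thread or from WatchGuard, that automates the check Bruce describes: it parses Traffic Monitor lines in the layout quoted above and reports, for allowed flows sourced from the SSLVPN subnet, whether the entry carries src_ip_nat. The sample lines, subnet, users and NAT address are constructed; treating proxy-policy entries without src_ip_nat as inconclusive (rather than as missing NAT) is an assumption taken from the remark earlier in the thread.

```python
import ipaddress
import re

# Constructed sample Traffic Monitor lines laid out like the entries quoted
# in this thread; addresses, users and the NAT address are made up.
SAMPLE_LOG = """\
2020-11-22 15:11:15 Allow 192.168.222.2 72.26.124.44 https/tcp 53977 443 0-SSL-VPN External Allowed 52 127 (HTTPS-VPN-test-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="203.0.113.46" src_user="vpn1@Firebox-DB" geo_dst="USA" Traffic
2020-11-23 18:14:51 Allow 192.168.222.3 104.19.147.8 https/tcp 63340 443 0-SSL-VPN WAN Application identified 40 64 (DPI HTTPS-proxy-00) proc_id="firewall" rc="100" msg_id="3000-0149" src_user="vpn2@Firebox-DB" geo_dst="USA" Traffic
2020-11-23 14:00:00 Allow 192.168.222.4 8.8.8.8 icmp 0-SSL-VPN External Allowed 60 127 (Ping-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_user="vpn3@Firebox-DB" geo_dst="USA" Traffic
2020-11-23 13:59:04 Allow 192.168.1.58 8.8.8.8 icmp INTERNAL External Allowed 60 127 (Ping-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="203.0.113.46" geo_dst="USA" Traffic
"""

# Positional header: timestamp, disposition, src, dst, proto, optional ports (absent for icmp), in/out interface.
HEADER_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<disp>\w+) (?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+) '
    r'(?:(?P<sport>\d+) (?P<dport>\d+) )?(?P<in_if>\S+) (?P<out_if>\S+) '
)
POLICY_RE = re.compile(r'\(([^)]+)\)')   # policy name in parentheses
KV_RE = re.compile(r'(\w+)="([^"]*)"')   # key="value" pairs such as src_ip_nat


def parse_line(line):
    """Return header fields, the policy name and all key="value" pairs, or None."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {k: v for k, v in m.groupdict().items() if v is not None}
    pol = POLICY_RE.search(line)
    rec["policy"] = pol.group(1) if pol else ""
    rec.update(KV_RE.findall(line))
    return rec


def check_sslvpn_nat(log_text, sslvpn_subnet):
    """Bucket allowed flows from the SSLVPN subnet by what the entry says about NAT.
    Proxy-policy entries may omit src_ip_nat, so they are 'inconclusive'; packet-filter entries without it are 'no_nat'."""
    net = ipaddress.ip_network(sslvpn_subnet)
    buckets = {"nat_ok": [], "inconclusive": [], "no_nat": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["disp"] != "Allow" or ipaddress.ip_address(rec["src"]) not in net:
            continue
        flow = f'{rec["src"]}->{rec["dst"]} ({rec["policy"]})'
        if "src_ip_nat" in rec:
            buckets["nat_ok"].append(flow)
        elif "proxy" in rec["policy"].lower():
            buckets["inconclusive"].append(flow)
        else:
            buckets["no_nat"].append(flow)
    return buckets
```

Run check_sslvpn_nat on a Traffic Monitor export with your own SSLVPN subnet; any flow in no_nat is one the Dynamic NAT rules did not translate.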
thanks Bruce