topic Re: SSL VPN client ports in General Topics

SSL VPN client ports

cityofkingsland — Wed, 23 Mar 2011 14:26:45 GMT

We have a few officers that connect from a remote location with a firewall of its own. They are all using the SSL VPN client to connect back to home. I can pull up the https://external-ip and login, but when the connection starts up i get a Disconnected; unable to connect to remote client.

I need to know what ports the SSL VPN client uses to connect back to our firewall so I can tell the IT guy what ports to open.

Thanks in advance!

Re: SSL VPN client ports

cityofkingsland — Wed, 23 Mar 2011 18:33:21 GMT

Also high priority, the people using this VPN can't do their reports unless they have the VPN connection.

Re: SSL VPN client ports

nrice — Wed, 23 Mar 2011 23:31:58 GMT

If you do not have IPsec enabled, SSL VPN will use TCP 443. If IPSec is enabled. TCP 443 will be used for authentication and the traffic will use UDP port 500.

Re: SSL VPN client ports

kbrazil — Thu, 24 Mar 2011 04:23:37 GMT

I believe UDP port 4501 is used for the UDP encapsulated ESP (IPSEC) transit channel.

Cheers,

Kelly

Re: SSL VPN client ports

cityofkingsland — Wed, 06 Apr 2011 17:45:01 GMT

We disabled IPsec on our PA500. Tried reconnecting the SSL Client but still getting the same error. I can see the clients attempting to connect but are never assigned an IP address from my SSL pool; but other clients are getting IP addresses. Is it possible that 443 is used for authentication and another port is used for data ?

Is there a debug command i can use to view authentications and data coming into the firewall?

Re: SSL VPN client ports

nrice — Wed, 06 Apr 2011 19:12:56 GMT

Kelly is correct, IPSEC uses 4501. With IPSEC disabled the traffic does use 443 and is identified as web-browsing. A couple of commands to look at authentication and traffic are:

>show ssl-vpn current-user - to show who is logged in. You can also type portal <name> after the command to see who is logged in by portal.

>show log system subtype equal sslvpn - to show all ssl vpn authentication and connection requests.

You may want to disable antivirus or the firewall on the clients with the problem. If you are unable to resolve, please contact your support provider to troubleshoot.