SSL VPN Configuration - HELP!

Hi All,

I have been struggling to set up the SSL VPN on v3.1.3.

I have managed to get the login page to appear.

I have managed to log in.

I have been able to download the client and get it to connect,

but for some odd reason it will not communicate with the network!!!

I have followed the article on the VPN connection on this site. I have also checked the logs with a deny rule at the end of my policy to see if anything is being denied which does not hit a rule, and added a rule according to what I have seen in the logs, but still nothing.

Would someone who has got this running be able to post a quick pictorial and suggestions?

Many Thanks

Marc

Hello Marct,

If you are already able to get the client to connect and get an IP, then the issue probably has to do with policy or routing.

Can you verify the following:


Make sure that the zone of the tunnel interface for the SSL VPN has policies/rules allowing the traffic to the other desired zones.

Make sure that the SSL VPN tunnel interface is attached to a virtual router (this virtual router should also have interfaces facing the other subnets that you want the SSL VPN users to be able to connect to).

Make sure that the IP range or the subnet that you have assigned to the SSL VPN users is not the same as any of the other subnets in your network.

thanks,

Stephen Whyte

Hi Stephen,

I have a similar problem configuring SSL VPN on the PA. My network is:

Eth1/5 l3-untrust 10.0.0.0/8 network

Eth1/6 l3-trust 192.168.4.0/24 network

Tunnel l3-trust

Those three interfaces are under the same virtual router with the routing below:

default-route 0.0.0.0/0 int eth1/5 next_hop 10.1.1.254

tunnel traffic to corp 172.16.1.0/24 int tunnel

172.16.4.0/24 is an SSL VPN portal client IP pool

Anything I missed? Thanks!

Johnny

If you have already verified all of my previous suggestions, then you may want to start looking into other factors like the following:

Make sure that the device you are trying to reach does not have a firewall that is on or limiting connections to it.

Make sure that the device you are trying to reach is routing back to the PAN device when trying to get back to the SSL VPN users. In other words, when your device tries to reach this network (172.16.1.0/24), it should be routed back to the PAN device.

thanks,

Stephen
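The pool-overlap and return-route checks from the two checklists above, as an added example that is not part of the original posts. The addresses are constructed sample values modelled on the thread; the host routing tables, the 192.168.4.1 gateway and the use of 192.168.4.51 as the firewall's trust-side address are assumptions.

```python
import ipaddress

def overlapping(pool, subnets):
    """Return the existing subnets that overlap the VPN client pool."""
    pool = ipaddress.ip_network(pool)
    return [s for s in subnets if pool.overlaps(ipaddress.ip_network(s))]

def return_path_ok(routes, pool, firewall_ip):
    """True if a host's routes send the whole pool back via firewall_ip.

    routes is a list of (prefix, next_hop) pairs; the host is assumed to
    pick the longest matching prefix.
    """
    pool = ipaddress.ip_network(pool)
    parsed = [(ipaddress.ip_network(p), hop) for p, hop in routes]
    # A more specific route inside the pool that points elsewhere
    # diverts part of the reply traffic away from the firewall.
    for net, hop in parsed:
        if net != pool and net.subnet_of(pool) and hop != firewall_ip:
            return False
    covering = [(net, hop) for net, hop in parsed if pool.subnet_of(net)]
    if not covering:
        return False  # no route covers the pool: replies cannot be sent
    best = max(covering, key=lambda r: r[0].prefixlen)
    return best[1] == firewall_ip

# Constructed sample values (assumptions, see lead-in).
POOL = "172.16.4.0/24"                      # SSL VPN client pool
SUBNETS = ["10.0.0.0/8", "192.168.4.0/24"]  # networks behind the firewall
FIREWALL = "192.168.4.51"                   # assumed trust-side firewall IP
# Internal host whose default gateway is some other router (hypothetical).
HOST_BEFORE = [("0.0.0.0/0", "192.168.4.1")]
# Same host after adding a route for the pool via the firewall.
HOST_AFTER = HOST_BEFORE + [(POOL, FIREWALL)]

if __name__ == "__main__":
    print("pool overlaps:", overlapping(POOL, SUBNETS) or "none")
    print("return path before:", return_path_ok(HOST_BEFORE, POOL, FIREWALL))
    print("return path after: ", return_path_ok(HOST_AFTER, POOL, FIREWALL))
```
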

Did you mean that the device I want to reach has to add a routing table for the SSLVPN pool (172.16.1.0/24) via 192.168.4.51? Will the source of the packet use the 172.16.1.x info?

BTW, I tested this before, but it seems it cannot be done. I already added the routing table 172.16.1.0 to the device I want to go to, which is 192.168.4.61.

thanks,

Johnny
