Mobile Connect always gives Access denied - please contact your administrator

JohnCHarris Newbie ✭

I'm doing some testing to get a working VPN on Android. I was hoping to use L2TP but I can't get that working.


Now I'm trying to use the Mobile Connect, but I always get the error "Access denied - please contact your administrator". I set up an additional test user, but I get the same error.


This is on a TZ 270.

Category: SSL VPN

Best Answer

  • MustafaA SonicWall Employee

    You can test this with "Source NATing". Add the following NAT policy and see if that helps.

    Source: SSLVPN IP Pool

    Source Translation: X3 Interface IP

    Destination: 192.168.10.7

    Destination Translation: Original

Answers

  • A_Elliott Enthusiast ✭✭

    Mobile Connect...


    Do you have the SSL-VPN setup on the firewall? Do you have a proper certificate? Do you have the user you're trying to connect with in the SSLVPN group?

  • MustafaA SonicWall Employee

    Are you able to make the connection and access the resource from a Windows computer with the same user creds?

  • JohnCHarris Newbie ✭

    @A_Elliott I think it is just a self-signed cert.

    @MustafaA I can connect with the Global VPN client with those credentials.

  • JohnCHarris Newbie ✭

    I did a factory reset and reconfigured it with the same result.

    I have a control zone with static IPs. The router is 192.168.10.1

    I created an IP Pool

    Setup the VPN Server:

    The policy was set automatically.

    Setup a user

    I am connecting to the VPN server on 192.168.39.148.

  • MustafaA SonicWall Employee

    You need to enable SSLVPN on the WAN zone. Make sure you have the Client Routes configured as well as the VPN Access for the user or group.

  • JohnCHarris Newbie ✭

    I enabled the WAN Zone. Now the VPN status is stuck at connecting on my phone.





  • JohnCHarris Newbie ✭

    @MustafaA I factory reset the router and ran through the setup again. Now I can connect with my phone, but I can't access an internal website hosted on my control network. The IP I'm trying to connect to is 192.168.10.7. If I connect my laptop directly into that network I can access it.

    Thank you for your help so far.


    John Harris




  • MustafaA SonicWall Employee

    Can you do packet capture based on the source IP (given from the SSLVPN IP Pool)?

    Check if the packets are forwarded egress on the correct interface which 192.168.10.7 is part of.

  • JohnCHarris Newbie ✭

    I found that the user did not have access to the correct subnet. Here is my packet monitor after fixing that.



  • MustafaA SonicWall Employee

    It goes out (egress) on the correct interface X3, but looks like there is no response coming back from 192.168.10.7. There could be two reasons I can logically think of.

    1. 192.168.10.7 does not have a default gateway configured.
    2. 192.168.10.7 does have endpoint protection (e.g. Windows Firewall) which blocks the communication coming from a different subnet.

  • JohnCHarris Newbie ✭

    That is an industrial network with statically assigned IP addresses. None of the devices have a gateway assigned. Is it possible to connect without a gateway? I could assign an address range on the control network if that would allow communication.

  • A_Elliott Enthusiast ✭✭

    A device has to have a gateway for layer-3 connections.


    You might be able to do some funky ARP bridging or something, but that's not how I'd do it.
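
The following model is an added example, not posted by any participant in the thread and not SonicWall code. It shows why a device with no default gateway drops its reply to an SSL VPN client, and why the source NAT policy from the best answer gets the reply back. The /24 masks, the pool range 192.168.50.0/24, the client address, and the use of 192.168.10.1 as the X3 interface IP are assumptions.

```python
import ipaddress

# Constructed values: the /24 masks, pool range and client IP are assumptions;
# 192.168.10.7 and 192.168.10.1 are the addresses mentioned in the thread.
CONTROL_NET = ipaddress.ip_network("192.168.10.0/24")
DEVICE_IP = ipaddress.ip_address("192.168.10.7")
X3_IP = ipaddress.ip_address("192.168.10.1")            # assumed X3 interface IP
SSLVPN_POOL = ipaddress.ip_network("192.168.50.0/24")   # hypothetical pool
CLIENT_IP = ipaddress.ip_address("192.168.50.10")       # hypothetical client


def next_hop(local_net, gateway, dst):
    """Route lookup on the device: connected subnet first, then default gateway."""
    if dst in local_net:
        return dst      # on-link, resolved with ARP
    return gateway      # None means no route, so the reply is never sent


class Firewall:
    """Minimal model of the source NAT policy from the best answer."""

    def __init__(self, snat_enabled):
        self.snat_enabled = snat_enabled
        self.sessions = {}  # (translated_src, dst) -> original client IP

    def forward(self, src, dst):
        if self.snat_enabled and src in SSLVPN_POOL and dst == DEVICE_IP:
            self.sessions[(X3_IP, dst)] = src
            return X3_IP, dst
        return src, dst

    def reverse(self, reply_src, reply_dst):
        """Map a reply arriving at the firewall back to the VPN client."""
        return self.sessions.get((reply_dst, reply_src), reply_dst)


def round_trip(snat_enabled, device_gateway=None):
    fw = Firewall(snat_enabled)
    seen_src, dst = fw.forward(CLIENT_IP, DEVICE_IP)
    hop = next_hop(CONTROL_NET, device_gateway, seen_src)
    if hop is None:
        return {"seen_src": seen_src, "delivered_to": None}
    return {"seen_src": seen_src, "delivered_to": fw.reverse(dst, seen_src)}


if __name__ == "__main__":
    for snat in (False, True):
        print("source NAT" if snat else "no NAT", round_trip(snat))
```

With the policy in place the device sees every SSL VPN session as coming from the X3 address, so per-user attribution has to come from the firewall's logs rather than the device's.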
