SSL VPN - Connection Issues
Hi there, we are having trouble with both Netextender and Mobile Connect, they connect to our SSL VPN once, then subsequent attempts to re-connect (after disconnecting) fail. Netextender with the error Verifying user…authentication failed! and Mobile Connect with the error Failed to fetch the domain list from server. It doesn't seem to have any real repeatable behavior and because it connects and operates fine once, it seems like some sort of timeout/refresh issue in the Sonicwall rather than a configuration issue?
We are using a TZ300 router on FW 6.5.4.5-53n.
Due to the Covid crisis we have been trying to connect users to our network from their home PC's which aren't joined to our domain. I'm thinking that possibly changing User Authentication Method from LDAP + Local Users to Local Users only may help? Any other ideas to make it a little more reliable, please?
Answers
Hello @kab343,
Can you please help me with the below:
Thanks
Knowledge Management Senior Analyst at SonicWall.
The previous version of firmware was 6.5.4.4-44n. We did not seem to have the same issues connecting to the the VPN. But I from what I understand we can't 'rollback' to older firmware.
We are using VLAN on the WAN interface (X3). X3 WAN is 0.0.0.0, the X3:V10 interface has an IP address. We also have WAN on X1, that has an IP address also.
I logged out of a successful Netextender VPN session at 10:57:42, then tried to login again. All logins failed until I reset my NIC, then it successfully connected at 11:05:20. I've attached two screenshots of the logs. I can send full logs to you privately if required.
Hi @KaranM, and ideas on what else I could try? I have a support case logged with Sonicwall also, Case 43357852.
Hello @kab343,
Hope you had an awesome Weekend!
Thanks for providing the information, I am glad that you were able to get in contact with the support team and they will be more than happy to assist you. Having said that I would request you to try the following and test
Thanks
Knowledge Management Senior Analyst at SonicWall.
Dear all
I have the exact same problem with the exact same error message. Even the firmware is absolutely identical. Could you maybe indicate what support told you to do and how you fixed the issue?
Thank you and best regards.
Hi @VOGELARCHITEKTEN,
Hope you are safe and well.
Could you please help me with answers to below questions in-order to understand the issue behavior?
Also, please help me with below debug files to narrow down the issue.
To download the firewall logs,
Navigate to Investigate | Logs | Event Logs, set the Show field to "All Entries" and click txt or csv button located next to Log Events Since drop down menu.
Regards,
Saravanan V
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Dear Saravanan
Thank you for your help. Regarding your questions, let me answer them below:
You do have the screenshot above from user kab343. It's the same issue.
Hi @VogelArchitekten,
The only thing that fixed it for me was downgrading to 6.5.4.4-44n.
I spent a while with support trying to fix it, but nothing they tried worked. The last I heard they suspected a bug in the code, but I've never heard if it got resolved.
I'll warn you that it was not easy to downgrade at all, but since then we have had no issues connecting to the VPN.
Hello VOGELARCHITEKTEN,
Thank you so much for your answers.
I took sometime to research on this matter and came to know that, the issue is specific to firmware version 6.5.4.5 in which a bug is already filed with our Engineering team where patched firmware's are available for different SonicWall models to address the issue.
There is also a probable workaround for this scenario.
Please ensure to take SonicWall configuration / settings backup and try this out. Please follow instructions from below web-link to save a copy of the SonicWall configuration.
Workaround:
Assign a dummy IP address on the X1 WAN interface if its left unassigned. The authentication should start working.
If you are looking for the patched firmware for your SonicWall model, then please file a support case with our technical support team and contact for assistance on the same.
Please feel free to let me know if any questions or clarification.
Regards
Saravanan V
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Dear Saravanan, dear kab343
Thank you for your feedback.
I suspect that I know what the issue is and Saravanan you seem to be correct with the dummy IP address on the X1 interface. Although I'm a bit worried to change the parent interface from unassigned to static because there are several virtual interfaces connected to this parent interface - including the local LAN zone. I worry that I will shut down access to the admin-portal by changing this.
So the simpler solution would be to install the patched firmware and check if it's fixed. The device is under support so that shouldn't be a problem.
Thank you again for your support guys and have a good day.
Hello @VOGELARCHITEKTEN,
You are Most Welcome.
I'm glad to hear that you are all set after applying the firmware patch. Good that you could get the firmware patch from our Support Team.
Thank you for Choosing SonicWall Communities.
Have a good one!!!
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Hi Saravanan
I'd like to add a correction: Support would not send me the patch. But the helped me sorting the issue:
By setting a dummy IP to the parent interface SSL VPN connections started to work again! So you were right. Also by changing the parent interface no settings regarding the virtual interface were affected.
For anyone finding this issue: The parent interface needs to have a static IP set and can not be in "unassigned" mode. Please find further informations in attached screenshot.
Thanks again everyone and best regards.
Hi @VOGELARCHITEKTEN,
Thanks for correcting my previous comment and for the feedback in detail.
This post will definitely give some insights to people experiencing similar issues.
Stay Safe. Thanks again and have a good one!!!
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
This was an interesting read. I wasn't sure that the interface has to absolutely be assigned even if it's a dummy address.
Thanks @VogelArchitekten
Shipra Sahu
Technical Support Advisor, Premier Services
Thanks @VogelArchitekten for the intresting information!!
Nevyaditha P
Technical Support Advisor, Premier Services
I have what I think is a similar issue:
Using X16 for WAN
I setup a dummy connection on X1 (the original WAN port for my device)
Mac clients using 365Connect are able to connect
Sonicwall 240 are able to connect over Internet
Windows 10 NX/MC client (a new deployment) can't connect using Windows VPN or Sonicwall Clients
User: User Settings
This represents a domain user
Name: AAA.BBB@XXX.com
Domain: XXX.com
One-time password method: Disabled
Account lifetime: Never expires
SSL VPN Settings:
SSL VPN Port:4443
Certificate Selection: Use Selfsigned Certificate
User Domain: XXX.com
Enable Web Management over SSL VPN: Enabled
Enable SSH Management over SSL VPN: Disabled
Enable Compression Control Protocol(CCP) for SSL VPN Connections:mEnabled
Netextender Settings:
Server: X16 adress:4443
Username: AAA.BBB@XXX.com
Password: (same as Local User)
Domain: XXX.com
This results in Perparing/Verifying User/...authentication failed!
Windows VPN using Sonicwall Mobile Connect
Server Name X16 address:4443
This results in "The network connection could not be found."
What am I doing wrong?
@MWATech
Check the user has enabled the SSL VPN service as well as the Zones-WAN- Make sure the enabled the "Enable SSL VPN Access".