
SSL VPN Connection Failure

Latest reply: Jul 1, 2020 23:05:40

Hello everyone,

Today I will share a case about troubleshooting an SSL VPN connection failure on a USG6650.

Issue Description

When the SSL VPN of the USG6650 uses port 5000, the login page cannot be opened.

Software version: V500R001C60SPC500

Key configurations:

#
 v-gateway gateway 220.80.XX.219 port 5000 private
#
 nat server 1 protocol tcp global 220.80.XX.219 8080 inside 172.16.10.60 www
#
nat address-group shangwang 0
 mode no-pat global
 section 0 220.80.XX.219 220.80.XX.219
#
#****BEGIN***gateway**1****#
v-gateway gateway
 basic
  dns-server 202.102.192.68
  ssl version tlsv10 tlsv11 tlsv12
  ssl timeout 5
  ssl lifecycle 1440
  ssl ciphersuit custom aes256-sha des-cbc3-sha aes128-sha
 service
  port-forwarding enable
  network-extension enable
  network-extension keep-alive enable
  network-extension keep-alive interval 120
  network-extension netpool 10.10.10.3 10.10.10.50 255.255.255.0
  netpool 10.10.10.3 default
  network-extension mode manual
  network-extension manual-route 10.10.10.0 255.255.255.0
 security
  policy-default-action permit vt-src-ip
  certification cert-anonymous cert-field user-filter subject cn group-filter subject cn
  certification cert-anonymous filter-policy permit-all
  certification cert-challenge cert-field user-filter subject cn
  certification user-cert-filter key-usage any
  public-user enable
  public-user default-login-number 50
 hostchecker
 cachecleaner
 role
 role default
  role default condition all
  role sslvpn network-extension enable
#****END****#
#
security-policy
 rule name policy_1
  source-zone trust
  destination-zone untrust
  action permit
 rule name policy_2
  source-zone untrust
  destination-zone trust
  action permit
 rule name policy_3
  source-zone trust
  destination-zone local
  action permit
 rule name policy_4
  source-zone local
  destination-zone untrust
  action permit
 rule name ssl_vpn
  source-zone untrust
  destination-zone local
  action permit
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  egress-interface GigabitEthernet1/0/0
  action nat address-group shangwang
#

Handling Process

1. The security policy permits the traffic. When an Internet address connects to the SSL VPN, check the sessions on the firewall: the destination address is being translated into a private network address, so the traffic is forwarded to the trust zone instead of terminating on the firewall.

<USG6600> display firewall session table verbose destination global 220.80.XX.219 destination-port global 5000
 Current Total Sessions : 12
 tcp  VPN: public --> public  ID: a48f5af3589a097e75ac20054
 Zone: untrust --> trust  TTL: 00:00:10  Left: 00:00:06
 Recv Interface: GigabitEthernet1/0/0
 Interface: GigabitEthernet1/0/8  NextHop: 10.10.10.2  MAC: 60de-f340-4903
 <--packets: 1 bytes: 40 --> packets: 1 bytes: 52
 36.60.XX.201:23442 --> 220.80.XX.219:5000[172.16.10.60:5000] PolicyName: policy_2
 TCP State: close
 tcp  VPN: public --> public  ID: a58f5af6bf7381147f5ac20054
 Zone: untrust --> trust  TTL: 00:00:10  Left: 00:00:06
 Recv Interface: GigabitEthernet1/0/0
 Interface: GigabitEthernet1/0/8  NextHop: 10.10.10.2  MAC: 60de-f340-4903
 <--packets: 1 bytes: 40 --> packets: 1 bytes: 52
 36.60.XX.201:23438 --> 220.80.XX.219:5000[172.16.10.60:5000] PolicyName: policy_2
 TCP State: close
 tcp  VPN: public --> public  ID: a58f5af1dd0e0606b05ac20054
 Zone: untrust --> trust  TTL: 00:00:10  Left: 00:00:06
 Recv Interface: GigabitEthernet1/0/0
 Interface: GigabitEthernet1/0/8  NextHop: 10.10.10.2  MAC: 60de-f340-4903
 <--packets: 1 bytes: 40 --> packets: 1 bytes: 52
 36.60.XX.201:23440 --> 220.80.XX.219:5000[172.16.10.60:5000] PolicyName: policy_2
 TCP State: close

2. Clear the session, reconnect to the SSL VPN, and check the session again: the destination address is still translated. Check the server-map table.

<USG6600> display firewall server-map ip 172.16.10.60
 Current Total Server-map: 2
 Type: No-Pat Reverse, ANY -> 202.80.XX.219[172.16.10.60], Zone:---
 Protocol: ANY, TTL:---, Left-Time:---, Pool: 0, Section: 0
 Vpn: public
 Type: No-Pat  172.16.10.60[202.80.XX.219] -> ANY, Zone:---
 Protocol: ANY, TTL:360, Left-Time:360, Pool: 0, Section: 0
 Vpn: public

3. A reverse server-map entry of type No-PAT exists. When the NAT address pool is configured in No-PAT mode, the device maps private IP addresses to public IP addresses one-to-one and does not translate ports, so every port of the private IP address is mapped to the same port of the public address. The reverse entry therefore lets Internet users initiate connections to any port of the intranet host, including port 5000 that the SSL VPN gateway listens on.

#
nat address-group shangwang 0
 mode no-pat global
 section 0 220.80.XX.219 220.80.XX.219
#

4. Change the address pool to PAT mode, clear the session and server-map tables, and reconnect to the SSL VPN. The issue is resolved.

[USG6600] nat address-group shangwang 0
[USG6600-address-group-shangwang] mode pat global
[USG6600-address-group-shangwang] quit
[USG6600] diagnose
[USG6600-diagnose] reset firewall server-map 172.16.10.60

Root Cause

When the address pool works in No-PAT mode, every port of the private IP address is mapped to the same port of the public address, so the No-PAT reverse server-map entry applies destination NAT to traffic that is destined for the SSL VPN port as well. The firewall forwards that traffic to the intranet host instead of terminating it on the virtual gateway, which is why the login page cannot be opened.
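The two checks the handling process performs by eye (a translated destination on the v-gateway port in the session table, and a No-PAT reverse server-map entry that covers the v-gateway address) can be scripted. The following Python is an added example, not part of the post; it assumes the output formats quoted above and runs over constructed samples built from them (the server-map sample is written with the v-gateway address 220.80.XX.219 so the two outputs line up).

```python
import re
# Constructed sample: two port-5000 sessions from the post's session table plus one
# line for the explicit 'nat server' 8080 -> 80 mapping, which must not be flagged.
SESSION_OUTPUT = """\
 36.60.XX.201:23442 --> 220.80.XX.219:5000[172.16.10.60:5000] PolicyName: policy_2
 36.60.XX.201:23438 --> 220.80.XX.219:5000[172.16.10.60:5000] PolicyName: policy_2
 36.60.XX.201:23450 --> 220.80.XX.219:8080[172.16.10.60:80] PolicyName: policy_2
"""
# Constructed sample in 'display firewall server-map' format, using the v-gateway address.
SERVER_MAP_OUTPUT = """\
 Type: No-Pat Reverse, ANY -> 220.80.XX.219[172.16.10.60], Zone:---
 Protocol: ANY, TTL:---, Left-Time:---, Pool: 0, Section: 0
 Type: No-Pat  172.16.10.60[220.80.XX.219] -> ANY, Zone:---
 Protocol: ANY, TTL:360, Left-Time:360, Pool: 0, Section: 0
"""
SESSION_RE = re.compile(r"^\s*([\w.]+):(\d+) --> ([\w.]+):(\d+)(?:\[([\w.]+):(\d+)\])?")
TYPE_RE = re.compile(r"^\s*Type:\s*(.*?),?\s+(\S+)\s*->\s*(\S+),\s*Zone")
PROTO_RE = re.compile(r"^\s*Protocol:\s*(\S+),")
MAPPED_RE = re.compile(r"^([\w.]+)\[([\w.]+)\]$")

def find_hijacked_vpn_sessions(text, vgw_ip, vgw_port):
    """Sessions to the v-gateway ip:port that carry a '[private:port]' rewrite.
    SSL VPN flows should terminate on the firewall itself (zone local), so a
    destination translation on them means NAT stole the flow from the gateway."""
    hits = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m and m.group(5) and m.group(3) == vgw_ip and int(m.group(4)) == vgw_port:
            hits.append({"src": f"{m.group(1)}:{m.group(2)}",
                         "translated_to": f"{m.group(5)}:{m.group(6)}"})
    return hits

def find_shadowing_server_maps(text, vgw_ip):
    """Reverse server-map entries that send every port of vgw_ip to an inside host.
    A no-pat address pool creates exactly such a 'No-Pat Reverse' entry with
    Protocol ANY; it shadows every service the firewall offers on vgw_ip."""
    entries, hits = [], []
    for line in text.splitlines():
        t = TYPE_RE.match(line)
        if t:
            entries.append({"type": t.group(1), "dst": t.group(3), "proto": None})
        p = PROTO_RE.match(line)
        if p and entries:
            entries[-1]["proto"] = p.group(1)
    for e in entries:
        m = MAPPED_RE.match(e["dst"])
        if "Reverse" in e["type"] and e["proto"] == "ANY" and m and m.group(1) == vgw_ip:
            hits.append({"type": e["type"], "public": m.group(1), "private": m.group(2)})
    return hits
```

Running both functions against fresh `display` output after the fix in step 4 should return empty lists; the 8080 session is deliberately not reported because it is the intended `nat server` mapping, not the v-gateway port.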

That is all I want to share with you! Thank you!

Created Jun 30, 2020 22:11:05 Helpful(1)
thanks for sharing!

Created Jun 30, 2020 22:11:14 Helpful(1)
excellent

Created Jul 1, 2020 23:05:32 Helpful(2)
think it's great

Created Jul 1, 2020 23:05:40 Helpful(2)
well explained