Hello everyone,
Today I will share one case about dealing with an SSL VPN connection failure on the USG6650.
Issue Description
When the SSL VPN of the USG6650 uses port 5000, the login page cannot be opened.
Software version: V500R001C60SPC500
Key configurations:
#
v-gateway gateway 220.80.XX.219 port 5000 private
#
nat server 1 protocol tcp global 220.80.XX.219 8080 inside 172.16.10.60 www
#
nat address-group shangwang 0
mode no-pat global
section 0 220.80.XX.219 220.80.XX.219
#
#****BEGIN***gateway**1****#
v-gateway gateway
basic
dns-server 202.102.192.68
ssl version tlsv10 tlsv11 tlsv12
ssl timeout 5
ssl lifecycle 1440
ssl ciphersuit custom aes256-sha des-cbc3-sha aes128-sha
service
port-forwarding enable
network-extension enable
network-extension keep-alive enable
network-extension keep-alive interval 120
network-extension netpool 10.10.10.3 10.10.10.50 255.255.255.0
netpool 10.10.10.3 default
network-extension mode manual
network-extension manual-route 10.10.10.0 255.255.255.0
security
policy-default-action permit vt-src-ip
certification cert-anonymous cert-field user-filter subject cn group-filter subject cn
certification cert-anonymous filter-policy permit-all
certification cert-challenge cert-field user-filter subject cn
certification user-cert-filter key-usage any
public-user enable
public-user default-login-number 50
hostchecker
cachecleaner
role
role default
role default condition all
role sslvpn network-extension enable
#****END****#
#
security-policy
rule name policy_1
source-zone trust
destination-zone untrust
action permit
rule name policy_2
source-zone untrust
destination-zone trust
action permit
rule name policy_3
source-zone trust
destination-zone local
action permit
rule name policy_4
source-zone local
destination-zone untrust
action permit
rule name ssl_vpn
source-zone untrust
destination-zone local
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
egress-interface GigabitEthernet1/0/0
action nat address-group shangwang
#
Handling Process
1. The security policy permits the traffic (rule ssl_vpn permits untrust -> local). When an Internet host connects to the SSL VPN, check the sessions on the firewall. The destination address 220.80.XX.219:5000 is found to be translated to the private address 172.16.10.60:5000, and the session matches policy_2 (untrust -> trust) rather than ssl_vpn (untrust -> local), which means the packets are being forwarded to the intranet host instead of being delivered to the firewall's own SSL VPN service.
<USG6600> display firewall session table verbose destination global 220.80.XX.219 destination-port global 5000
Current Total Sessions : 12
tcp VPN: public --> public ID: a48f5af3589a097e75ac20054
Zone: untrust --> trust TTL: 00:00:10 Left: 00:00:06
Recv Interface: GigabitEthernet1/0/0
Interface: GigabitEthernet1/0/8 NextHop: 10.10.10.2 MAC: 60de-f340-4903
<--packets: 1 bytes: 40 --> packets: 1 bytes: 52
36.60.XX.201:23442 --> 220.80.XX.219:5000[172.16.10.60:5000] PolicyName: policy_2
TCP State: close
tcp VPN: public --> public ID: a58f5af6bf7381147f5ac20054
Zone: untrust --> trust TTL: 00:00:10 Left: 00:00:06
Recv Interface: GigabitEthernet1/0/0
Interface: GigabitEthernet1/0/8 NextHop: 10.10.10.2 MAC: 60de-f340-4903
<--packets: 1 bytes: 40 --> packets: 1 bytes: 52
36.60.XX.201:23438 --> 220.80.XX.219:5000[172.16.10.60:5000] PolicyName: policy_2
TCP State: close
tcp VPN: public --> public ID: a58f5af1dd0e0606b05ac20054
Zone: untrust --> trust TTL: 00:00:10 Left: 00:00:06
Recv Interface: GigabitEthernet1/0/0
Interface: GigabitEthernet1/0/8 NextHop: 10.10.10.2 MAC: 60de-f340-4903
<--packets: 1 bytes: 40 --> packets: 1 bytes: 52
36.60.XX.201:23440 --> 220.80.XX.219:5000[172.16.10.60:5000] PolicyName: policy_2
TCP State: close
2. After the session table is cleared, reconnect to the SSL VPN and check the session again. The destination address is translated again, so the translation is not a stale session but comes from a NAT mapping on the device. Check the server-map table for the private address.
<USG6600> display firewall server-map ip 172.16.10.60
Current Total Server-map: 2
Type: No-Pat Reverse, ANY -> 202.80.XX.219[172.16.10.60], Zone:---
Protocol: ANY, TTL:---, Left-Time:---, Pool: 0, Section: 0
Vpn: public
Type: No-Pat 172.16.10.60[202.80.XX.219] -> ANY, Zone:---
Protocol: ANY, TTL:360, Left-Time:360, Pool: 0, Section: 0
Vpn: public
3. A server-map entry of type No-Pat Reverse exists for the public address. When an address pool is configured in No-PAT mode, the device maps private addresses to public addresses one-to-one without translating ports, and it creates a reverse server-map entry for each mapping. Through that reverse entry, every port of the public address maps back to the same port of the private host, so an Internet host can initiate a connection to any port of the intranet host (subject to the security policy, which here permits untrust -> trust without restriction). Because the pool uses the same address 220.80.XX.219 on which the v-gateway listens, inbound connections to port 5000 match the reverse entry before they reach the SSL VPN service and are destination-translated to 172.16.10.60:5000.
#
nat address-group shangwang 0
mode no-pat global
section 0 220.80.XX.219 220.80.XX.219
#
4. Change the address pool to PAT mode, clear the session table and the server-map table, and reconnect to the SSL VPN. The issue is resolved: in PAT mode the device translates ports as well as addresses and does not generate reverse server-map entries for the pool, so unsolicited inbound traffic to the public address is no longer mapped to the intranet host.
[USG6600] nat address-group shangwang 0
[USG6600-address-group-shangwang] mode pat global
[USG6600-address-group-shangwang] quit
[USG6600] diagnose
[USG6600-diagnose] reset firewall server-map 172.16.10.60
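To make the checks in steps 1 to 3 repeatable, the following Python script (an added example, not part of the original post or of Huawei's tooling) parses the output of display firewall session table verbose and display firewall server-map in the layout shown above and flags two things: sessions destined to the SSL VPN gateway address and port whose destination has been rewritten to a private host, and No-Pat Reverse server-map entries whose public address is the one the v-gateway listens on. The sample outputs embedded in it are constructed from the post's output, with the masked addresses replaced by documentation-range stand-ins (203.0.113.219 for 220.80.XX.219, 198.51.100.0/24 for the clients); the regular expressions assume the field layout shown in the post and may need adjusting for other software versions.

```python
"""Flag SSL VPN traffic hijacked by a No-PAT reverse server-map on a Huawei USG.

Added example, not from the original post. Addresses are constructed stand-ins
(203.0.113.219 for the masked gateway/NAT-pool address, 198.51.100.x for clients).
The regexes assume the line layouts shown in the post.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

GATEWAY_IP = "203.0.113.219"   # assumed: address the v-gateway listens on
GATEWAY_PORT = 5000            # from the post: v-gateway ... port 5000

# "src:port --> dst:port[xlated:port]  PolicyName: name"; bracket part present only when NAT applied
SESSION_RE = re.compile(
    r"^\s*(?P<src>[\d.]+):(?P<sport>\d+)\s+-->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:\[(?P<xdst>[\d.]+):(?P<xdport>\d+)\])?\s+PolicyName:\s*(?P<policy>\S+)"
)
# "Type: <kind>,  <lhs> -> <rhs>,  Zone:..."; one side is ANY, the other is outer[inner]
SERVERMAP_RE = re.compile(
    r"^\s*Type:\s*(?P<kind>[^,]+),\s*(?P<lhs>[^\s,]+)\s*->\s*(?P<rhs>[^\s,]+),"
)
ADDR_PAIR_RE = re.compile(r"^([\d.]+)(?::\d+)?\[([\d.]+)(?::\d+)?\]$")

# Constructed sample: one hijacked VPN session, one legitimate nat server hit, one clean VPN session
SESSION_OUTPUT = """\
Current Total Sessions : 3
 tcp  VPN: public --> public  ID: a48f5af3589a097e75ac20054
 Zone: untrust --> trust  TTL: 00:00:10  Left: 00:00:06
 <--packets: 1 bytes: 40 --> packets: 1 bytes: 52
 198.51.100.201:23442 --> 203.0.113.219:5000[172.16.10.60:5000]  PolicyName: policy_2
 TCP State: close
 tcp  VPN: public --> public  ID: b58f5af6bf7381147f5ac20054
 Zone: untrust --> trust  TTL: 00:00:10  Left: 00:00:06
 198.51.100.77:40001 --> 203.0.113.219:8080[172.16.10.60:80]  PolicyName: policy_2
 tcp  VPN: public --> public  ID: c58f5af1dd0e0606b05ac20054
 Zone: untrust --> local  TTL: 00:00:10  Left: 00:00:06
 198.51.100.201:23500 --> 203.0.113.219:5000  PolicyName: ssl_vpn
"""
# Constructed sample: the No-PAT pair from the post plus the nat server entry for port 8080
SERVERMAP_OUTPUT = """\
Current Total Server-map : 3
 Type: No-Pat Reverse,  ANY -> 203.0.113.219[172.16.10.60],  Zone:---
 Protocol: ANY, TTL:---, Left-Time:---, Pool: 0, Section: 0
 Type: No-Pat,  172.16.10.60[203.0.113.219] -> ANY,  Zone:---
 Protocol: ANY, TTL:360, Left-Time:360, Pool: 0, Section: 0
 Type: Nat Server,  ANY -> 203.0.113.219:8080[172.16.10.60:80],  Zone:---
 Protocol: tcp, TTL:---, Left-Time:---, Addr-Pool: ---
"""


@dataclass
class Session:
    src: str
    sport: int
    dst: str
    dport: int
    xdst: Optional[str]
    xdport: Optional[int]
    policy: str

    @property
    def dnat_applied(self) -> bool:
        """True when the bracketed (post-NAT) destination differs from the original."""
        return self.xdst is not None and (self.xdst, self.xdport) != (self.dst, self.dport)


@dataclass
class ServerMap:
    kind: str
    public: str
    private: str


def parse_sessions(text: str) -> List[Session]:
    out = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            out.append(Session(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                               m["xdst"], int(m["xdport"]) if m["xdport"] else None, m["policy"]))
    return out


def parse_server_maps(text: str) -> List[ServerMap]:
    out = []
    for line in text.splitlines():
        m = SERVERMAP_RE.match(line)
        if not m:
            continue
        # Reverse/nat-server entries read "ANY -> public[private]"; forward entries "private[public] -> ANY"
        reverse = m["lhs"] == "ANY"
        pair = ADDR_PAIR_RE.match(m["rhs"] if reverse else m["lhs"])
        if not pair:
            continue
        outer, inner = pair.group(1), pair.group(2)
        out.append(ServerMap(m["kind"].strip(), public=outer if reverse else inner,
                             private=inner if reverse else outer))
    return out


def hijacked_vpn_sessions(sessions: List[Session], gw_ip: str, gw_port: int) -> List[Session]:
    """Sessions aimed at the v-gateway whose destination was rewritten to a private host."""
    return [s for s in sessions if s.dst == gw_ip and s.dport == gw_port and s.dnat_applied
            and ipaddress.ip_address(s.xdst).is_private]


def colliding_reverse_maps(maps: List[ServerMap], gw_ip: str) -> List[ServerMap]:
    """No-PAT reverse entries that claim every port of the address the v-gateway listens on."""
    return [m for m in maps if m.kind == "No-Pat Reverse" and m.public == gw_ip]


if __name__ == "__main__":
    for s in hijacked_vpn_sessions(parse_sessions(SESSION_OUTPUT), GATEWAY_IP, GATEWAY_PORT):
        print(f"VPN session {s.src}:{s.sport} DNAT'd to {s.xdst}:{s.xdport} via {s.policy}")
    for m in colliding_reverse_maps(parse_server_maps(SERVERMAP_OUTPUT), GATEWAY_IP):
        print(f"{m.kind} entry maps all ports of {m.public} to {m.private}; check the NAT pool mode")
```

Paste the real device output into SESSION_OUTPUT and SERVERMAP_OUTPUT (or read it from a file) and set GATEWAY_IP to the v-gateway address. The nat server entry for port 8080 is deliberately left unflagged: a port-specific nat server on the same public address is expected, whereas a No-Pat Reverse entry covering every port is what steals the SSL VPN port.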
Root Cause
When the address pool uses No-PAT mode, the device generates a reverse server-map entry that maps every port of the public address back to the private address. Because the public address in the pool is the same address the SSL VPN gateway listens on, traffic destined to the SSL VPN port matches the reverse entry and undergoes destination NAT to the intranet host, so it never reaches the firewall's own SSL VPN service.
Note that the same reverse entry, combined with policy_2 (untrust -> trust, permit, no source, destination or service restriction as configured here), exposes every port of 172.16.10.60 to the Internet, not only port 5000. If No-PAT mode is really required, use a pool address that is different from the one the v-gateway and the nat server use, and restrict the untrust -> trust policy to the services that are meant to be reachable.
That is all I want to share with you! Thank you!


