SSL VPN Errors in Astaro Security Gateway

  • Article ID: 115119
  • Updated: 31 May 2012

Known to apply to the following Sophos product(s) and version(s)
UTM Gateway

Operating systems
v7 + v8

Symptom:

After creating an SSL VPN in WebAdmin and downloading the SSL client from the End User Portal, the SSL client will not connect. To find the cause, review the connection log on the client side for errors.

Cause:

DNS resolution of ASG hostname

The client will not connect, and the View log option on your SSL client shows the line:

Thu Feb 15 23:45:12 2007 RESOLVE: Cannot resolve host address: HOST.DOMAIN.COM: [HOST_NOT_FOUND]. The specified host is unknown.

This error indicates that the system is trying to resolve the hostname HOST.DOMAIN.COM of the ASG device. The ASG name may not be resolvable through public DNS because it is not a public DNS name.

1. To correct this, go to Remote Access
2. Select the Advanced tab
3. Under Hostname, change the Override hostname to a publicly resolvable DNS name or IP address.
4. Once complete, you will need to download the updated SSL client configuration from the End User Portal
5. Go to the End User Portal
6. Select Remote Access -> SSL-VPN
7. Select "Click here to download an installation file which updates all keys and configuration on your system, without re-installing the client software (Windows 2000/XP)"
8. Open the file and run setup

After logging into the End User Portal and selecting download of the SSL client, a brief popup appears and then disappears.

Resolution:

The download window does not appear because of the IE7 security setting "Automatic prompting for file downloads", which needs to be changed as follows:

In IE7:

Go to Tools -> Internet Options
> Security Tab
> Custom Level
> Under Downloads, select Enable for Automatic prompting for file downloads

SSL client connects but no traffic routes / Windows Vista error

After connecting with the SSL client, the connection status shows green. However, traffic does not appear to flow. This is because the route commands do not have administrative privileges on Windows systems such as Windows Vista or XP when run as a limited user account.
In the Astaro SSL client log the following error regarding routes will be shown:

STEP ONE
In Wordpad, open the following file:
c:\Program Files\Astaro\Astaro SSL VPN Client\config\fw.misti.com.username.opvn (this may show as fw.misti.com.username)
Then go to the bottom of the file and add the following lines:
route-method exe
route-delay 2

STEP TWO
Next, change the Astaro VPN client to always run as an administrator. Go to this location with Windows Explorer:
c:\Program Files\Astaro\Astaro SSL VPN Client\bin\
Highlight the file openvpn-gui.exe and then right-click. Choose Properties. Click the "Compatibility" tab, check the checkbox "Run this program as an administrator" and click OK.

STEP THREE
We now need to remove the Astaro VPN Client from startup, otherwise it will be blocked by Windows Vista because of "Administrative Behavior".
1. Click START -> RUN, type msconfig and then click OPEN
2. Click the STARTUP tab and uncheck Open-VPn-GUI
3. When you restart your PC, it will ask if you want to run msconfig again; just check the appropriate checkboxes so it will not do that in the future.

STEP FOUR
Click START -> ALL PROGRAMS -> ASTARO SSL VPN -> ASTARO VPN. Right-click the traffic light and choose Connect. After authenticating, you should be able to access network resources.

Standard Workaround for Various Issues

Support has found that when DNS is not working properly or routing is not stable over the tunnel, adding the following to the default config works to fix most issues.  Note: Commands are given for convenience.  Please proceed with caution as these changes may not be supported if Astaro Support is contacted. If you have any questions, please contact Astaro Support.

1. Open the default client configuration file for your version:
V7:
vim /var/openvpn/client/client.ovpn-default
V8:
vim /var/confd/res/openvpn/client.ovpn-default
2. Put vim in edit mode by pressing the "insert" key (or "a" key)
3. Add the following lines to the end of the file (DNS and routing workarounds):
route-method exe
route-delay 2
4. Save the file. With vim, press "escape" to take the editor out of edit mode. To save (write) the file and quit, type ":wq" and press enter
5. Redownload the configuration from the End User Portal for any affected users.

Starting a batch file after the connection is established.
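
The template edit from steps 1 to 4 of the Standard Workaround above can also be scripted so that it is repeatable and leaves a backup. This is an added example, not Astaro or Sophos code; the function name apply_route_workaround and the .bak backup suffix are assumptions, and the file paths are the V7/V8 paths given above.

```shell
#!/bin/sh
# Added example: apply the article's route workaround to an ASG OpenVPN client
# template without opening vim. Safe to re-run; keeps a .bak copy of the file.

# apply_route_workaround FILE   (hypothetical helper name)
#   prints "updated" or "unchanged" and returns 0; returns 2 on error.
apply_route_workaround() {
    cfg=$1
    [ -f "$cfg" ] || { echo "not a regular file: $cfg" >&2; return 2; }
    tmp="$cfg.new.$$"

    # Build the wanted file: every existing line except active route-method /
    # route-delay settings (commented-out ones are kept), then the two
    # directives from the article at the end.
    {
        awk '!/^[ \t]*route-(method|delay)([ \t]|$)/' "$cfg" &&
        printf '%s\n' 'route-method exe' 'route-delay 2'
    } > "$tmp" || { rm -f "$tmp"; return 2; }

    # Nothing to do when the template already ends with exactly these settings.
    if cmp -s "$cfg" "$tmp"; then
        rm -f "$tmp"
        echo unchanged
        return 0
    fi

    cp -p "$cfg" "$cfg.bak" || { rm -f "$tmp"; return 2; }
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$cfg" || { rm -f "$tmp"; return 2; }
    rm -f "$tmp"
    echo updated
}

# Usage: sh script.sh /var/confd/res/openvpn/client.ovpn-default   (V8 path)
if [ "$#" -gt 0 ]; then
    apply_route_workaround "$1"
fi
```

Affected users still need to redownload their configuration from the End User Portal afterwards, as in step 5.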

 
If you need more information or guidance, then please contact technical support.
