VMware NSX

  • 1.  SSL VPN Plus unable to connect to gateway

    Posted Aug 15, 2021 11:29 AM

    If this is not the proper board for this question, I apologize in advance.

    I am trying to set up SSL VPN Plus to connect from Ubuntu 18.04 client to Ubuntu 18.04 VM. I have set up the VM side, generated the installation package, downloaded through https://MYIP and installed on the client without errors. I have also checked that naclient and naclient_poll are running on the client, and that ssl-vpnplus is listening on the NSX Edge. However, the client gives Error: Unable to connect to gateway. I have the latest versions of TCL, TX, and NSS on the client (although it is possible that different versions are needed?) I have attached the auth.log and syslog entries from the client (log.zip).

    When I log on to the NSX Edge, there is nothing in show log about any attempts to connect or any errors.

    On my VM, none of the rsyslogs contain any information about the attempts, although any invalid suffixes to https://MYIP do show up in the nginx.log as reported by ssl-vpnplus.

    Any pointers would be welcome, since I am really stuck on this. Tech support from the provider has checked the IP configuration on Edge (NAT and firewall) and say that everything there is ok. Thank you for your attention.

    Attachment(s): log.zip (1 KB)


  • 2.  RE: SSL VPN Plus unable to connect to gateway

    Posted Aug 16, 2021 06:30 AM

    Do you have SELinux or iptables enabled on the Ubuntu VM?

    Try pinging the edge and check if you have ICMP connectivity.
    If that is okay, try doing a telnet to port 443 on the edge to check if the ports are open.



  • 3.  RE: SSL VPN Plus unable to connect to gateway

    Posted Aug 16, 2021 07:18 AM

    Thank you. I have iptables enabled and it currently has an empty rules table. SELinux is not enabled.

    I can ping the edge and SSH into it from the VM, but not from the outside.

    Also I am suspecting that tech support, even though they claim to have checked the IPs on the FW and NAT, did not. So my problem may be there, but I am stuck as to how to track it down.



  • 4.  RE: SSL VPN Plus unable to connect to gateway

    Posted Aug 16, 2021 09:21 AM

    Hi Jenya, can you please try to accept the VPN SSL certificate before trying to establish a connection.

    Install SSL VPN-Plus Client on a Remote Linux Site (vmware.com)

    Just browse to the NSX edge with firefox and add the certificate to a trusted store.




  • 5.  RE: SSL VPN Plus unable to connect to gateway

    Posted Aug 16, 2021 12:39 PM

    Thank you. Unfortunately the Edge is not available from the browser, only from inside Cloud Director. The only thing that I have been able to reach from outside is the URL for downloading the SSL VPN Plus installation package.

    The configuration problem is the following:

    My external IP address is 89.something. Edge is on 10.something. Of course 10.something is only available from inside, so from the VM itself I can SSH in and use the ESX commands (e.g., show log reverse). Tech support told me that I can open my VM to SSH from outside if I set up SSL VPN Plus. So I was able to get it to show up from https://89.something:port and download the installation package. And it was there in Firefox that I accepted the certificate.

    The thing that really bewilders me is that the automatically-generated rules for sslvpn do not reference 89.something at all. For example, FW has

    sslvpn source:any dest:10.something service:tcp:port:any accept

    and NAT has

    sslvpn DNAT original:10.something:port translated:10.something:port

    Maybe this is correct behavior, that sslvpn uses Edge mapped to 89.something and all of my other rules need to be 89.something mapped to 192.something for my VM. But to be honest, I have lost all faith in the tech support people, who claim to have checked this... so for this reason I am grateful to be getting intelligent questions and suggestions from you.



  • 6.  RE: SSL VPN Plus unable to connect to gateway

    Posted Aug 24, 2021 06:59 AM

    Hey, hope you are doing fine.

    I'm not sure I'm understanding properly, so I did a doodle of what you are trying to accomplish:

    [attached diagram: nachogonzalez_0-1629788038236.png]



    You are trying to log in from the Linux client machine (left) to the Ubuntu VM with an IP in the 10.X.X.X range on the right, over the NSX Edge SSL VPN client.
    Is this right?

    In case it is:

    - If you open the NSX Edge public IP (89.X.X.X) in a browser on the Ubuntu client VM (left), are you able to see the SSL VPN client webpage? Are you able to download the client?
    - If you try to ping the NSX Edge IP, are you able to reach it?
    - If you try a telnet / curl to port 443, does it establish a connection?
    - Do you have the firewall enabled on the NSX Edge?
    - Do you have management of the NSX Edge? If so, can you please share the SSL VPN configuration details, NAT and interface details (of course, blurring the sensitive data).
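
    The reachability checks suggested in the replies above (TCP connect to the SSL VPN port, then the TLS handshake and the certificate to trust), as an added example that is not part of the thread or of VMware's client: a small Python probe run from the client side. The host/port arguments are assumptions (in this thread they would be the Edge's public 89.x.x.x address and the SSL VPN port); ICMP is left to plain ping since it needs raw sockets.

    ```python
    """Probe an SSL VPN-Plus gateway the way the replies suggest: TCP, then TLS.

    Added example (not from the thread or from VMware). Host and port are
    assumptions; the thread's case would be the Edge public IP and SSL VPN port.
    """
    import hashlib
    import socket
    import ssl


    def unused_local_port() -> int:
        """Return a loopback port nothing listens on (for offline self-test only)."""
        with socket.socket() as s:
            s.bind(("127.0.0.1", 0))
            return s.getsockname()[1]


    def check_gateway(host: str, port: int = 443, timeout: float = 5.0) -> dict:
        """TCP connect, then a TLS handshake with verification disabled so the
        gateway certificate can be fingerprinted before it is in the trust store."""
        result = {"tcp": None, "tls": None, "sha256": None}
        try:
            sock = socket.create_connection((host, port), timeout=timeout)
        except ConnectionRefusedError:
            result["tcp"] = "refused"      # a host answers, but nothing listens here
            return result
        except OSError:
            result["tcp"] = "unreachable"  # silently dropped, timed out or no route
            return result
        result["tcp"] = "open"
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE    # inspect only; do not trust yet
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["tls"] = tls.version()
                der = tls.getpeercert(binary_form=True)
                result["sha256"] = hashlib.sha256(der).hexdigest()
        except ssl.SSLError as exc:
            result["tls"] = f"failed: {exc.reason}"
        return result


    def next_step(result: dict) -> str:
        """Map the probe outcome onto the troubleshooting branches in the thread."""
        if result["tcp"] != "open":
            return "fix NAT/firewall: the SSL VPN port is not reachable from the client"
        if result["sha256"] is None:
            return "TLS handshake failed: check the SSL VPN-Plus server certificate"
        return f"import certificate {result['sha256'][:16]}... into the trusted store"
    ```

    Comparing the printed SHA-256 with the certificate shown in Firefox confirms the probe reached the same gateway before the fingerprint is trusted.
    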




  • 7.  RE: SSL VPN Plus unable to connect to gateway

    Posted Aug 16, 2021 07:08 AM

    At the very least I would be grateful for a detailed list of the error codes from SSL VPN Plus and what exactly causes them. I have seen 35 and 36 so far as I tweak various entries in the NAT and FW.