Troubleshooting

This section lists several issues that are frequently encountered when the SSL VPN is used. If the issue you encounter cannot be found in this chapter, we recommend that you refer to the Stormshield knowledge base (authentication required).

A user is unable to log in and the message "Client workstation compliance verification failed" appears

  • Situation: When a user attempts to connect, the SSL VPN tunnel fails to set up and the message "Client workstation compliance verification failed" appears on the user's Stormshield SSL VPN client.

  • Cause: The client workstation that was used does not comply with all the criteria defined in the client workstation verification policy (ZTNA).

  • Solutions:

An internal resource cannot be accessed over the SSL VPN tunnel

  • Situation: The SSL VPN tunnel has been set up, but an internal resource cannot be accessed.

  • Cause: Either the firewall’s filter policy is blocking access to this resource or the resource is no longer accessible. There may also be other causes for this situation.

  • Solutions:

    • On the SNS firewall, temporarily enable Advanced logging in the rule that concerns the traffic in question (in Configuration > Security policy > Filter - NAT > Filtering) to collect logs, then check in the logs whether the rule applies to the traffic (in Monitoring > Logs - Audit logs > Filtering).

    • Ensure that the requested resource is in fact physically available.

    • Clear the workstation's ARP cache by running the command arp -d * in a console.

A warning message indicates that LZ4 compression is obsolete

  • Situation: In the web administration interface of an SNS firewall in version 4.8.5 or higher, if the LZ4 compression feature is enabled, a warning message automatically appears in the SSL VPN module.

  • Cause: The LZ4 compression feature is obsolete, and we recommend disabling it.

  • Solution: In the warning window, accept the suggestion to disable the feature. If you have ignored this warning, a message will continue to be displayed until this feature is disabled. To disable it, use the following CLI serverd commands:

    CONFIG OPENVPN UPDATE compress=0
    CONFIG OPENVPN ACTIVATE