Troubleshooting
This chapter covers some of the issues that occur most frequently when using the Stormshield SSL VPN client. If the issue you encounter cannot be found in this chapter, we recommend that you refer to the Stormshield knowledge base.
A proxy configuration has been defined on the workstation and the Stormshield SSL VPN client is unable to reach the SNS firewall
- Situation: During an attempt to connect to the SSL VPN from a workstation that has a proxy connection, the tunnel failed to set up.
- Cause: Direct HTTPS access is not allowed without using the proxy on the workstation. By default, HTTPS requests to the SNS firewall, notably to download the VPN configuration, are submitted directly by the Stormshield SSL VPN client without going through the proxy.
  NOTE
  Up until version 4.0.9, version 4.0 of the Stormshield SSL VPN client used the proxy configuration defined on the workstation to contact SNS firewalls over HTTPS. This behavior was changed in version 4.0.10.
- Solution: Change the http_use_default_proxy value to 1 in the registry under the key:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StormshieldSSLVPNService\Parameters
When the SSL VPN tunnel is being set up for the first time, users have to approve the certificate presented by the SNS firewall
- Situation: When the SSL VPN tunnel is being set up for the first time, users have to approve the certificate presented by the SNS firewall, even though the certificate was issued by a certification authority found in the users' certificate store.
- Cause: The root certification authority is found only in the users' certificate store, and not in the certificate store of the workstation. By default, the Stormshield SSL VPN client uses the workstation's certificate store when it verifies the certificate.
- Solution: Change the http_request_as_user value to 1 in the registry under the key:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StormshieldSSLVPNService\Parameters
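The proxy and certificate cases above change two values under the same registry key. The PowerShell helper below is an added example, not Stormshield's own tooling: it sets either value, reads it back to verify, and optionally restarts the client service. It assumes the values are REG_DWORD and that the service is named StormshieldSSLVPNService after its registry key (neither is stated on this page); run it from an elevated session.

```powershell
# Added example (not part of the Stormshield SSL VPN client). Sets one of the two
# client parameters discussed on this page and verifies the change.
$KeyPath     = 'HKLM:\SYSTEM\CurrentControlSet\Services\StormshieldSSLVPNService\Parameters'
$ServiceName = 'StormshieldSSLVPNService'   # assumed: service name taken from the key name

function Set-SslVpnClientParameter {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('http_use_default_proxy', 'http_request_as_user')]
        [string]$Name,
        [ValidateSet(0, 1)]
        [int]$Value = 1,
        [switch]$RestartService
    )
    if (-not (Test-Path -Path $KeyPath)) {
        throw "Registry key not found: $KeyPath (is the Stormshield SSL VPN client installed?)"
    }
    # Record the current value so the change can be reverted later if needed.
    $before = (Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($PSCmdlet.ShouldProcess("$KeyPath\$Name", "Set to $Value")) {
        # Assumed REG_DWORD: the page only gives the value, not its type.
        Set-ItemProperty -Path $KeyPath -Name $Name -Value $Value -Type DWord
        $after = (Get-ItemProperty -Path $KeyPath -Name $Name).$Name
        if ($after -ne $Value) {
            throw "Verification failed: $Name reads back as '$after', expected $Value"
        }
        # Assumed: the service reads its parameters at start, so restart it to apply the change.
        if ($RestartService) { Restart-Service -Name $ServiceName -Force }
        [pscustomobject]@{ Name = $Name; Before = $before; After = $after }
    }
}

# Proxy case: make the client honour the workstation's proxy for HTTPS to the firewall.
Set-SslVpnClientParameter -Name http_use_default_proxy -Value 1 -RestartService
# Certificate case: verify the firewall certificate against the user's certificate store.
# Set-SslVpnClientParameter -Name http_request_as_user -Value 1 -RestartService
```

Use -WhatIf to preview the change without writing to the registry.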
The tunnel would not set up and the message "The connection was denied as the user or workstation used does not comply with the policy defined on the firewall" appears.
- Situation: During the attempt to connect to the SSL VPN, the tunnel would not set up and the message "The connection was denied as the user or workstation used does not comply with the policy defined on the firewall" appears.
- Cause: The client workstation that was used does not comply with all the criteria defined in the policy verifying the compliance of client workstations and users (ZTNA).
- Solutions:
  - Check which criteria have not been met by referring to the section Displaying VPN logs (SSL and IPsec) and identifying the verification criteria that have not been met on a client workstation, then rectify the configuration of the client workstation in question.
  - Check the configuration of the policy verifying the compliance of client workstations by referring to the section Configuring the policy verifying the compliance of client workstations (in ZTNA).
The tunnel won’t set up and the message "Could not connect to firewall: Failed to resolve UTM name" appears.
- Situation: During the attempt to connect to the SSL VPN, the tunnel will not set up and the message "Could not connect to firewall: Failed to resolve UTM name" appears.
- Cause: The address entered is incorrect or unreachable.
- Solution: Check that the firewall address entered is correct and can be reached.
The tunnel won’t set up and the message "Login or password incorrect" appears.
- Situation: During the attempt to connect to the SSL VPN, the tunnel won’t set up and the message "Login or password incorrect" appears.
- Cause: Either the user's password is incorrect or the user does not have sufficient privileges to authenticate on the SSL VPN.
- Solutions:
  - Check that the login and password are correct.
  - On the SNS firewall, check that the SSL VPN policy has been set to Allow in Configuration > Users > Access privileges, Default access tab, and that the user or user group in question is allowed to set up SSL VPN tunnels in Configuration > Users > Access privileges, Detailed access tab.
The tunnel won’t set up and the message "Error while connecting to the service: Connection refused" appears.
- Situation: During the attempt to connect to the SSL VPN, the tunnel won’t set up and the message "Error while connecting to the service: Connection refused" appears.
- Cause: The Stormshield SSL OpenVPN Service and Stormshield SSL VPN Service services are not running or are not working.
- Solution: Ensure that the Windows services have been started on the workstation, or try to restart them.
The tunnel won’t set up and logs contain the message "Route: Waiting for TUN/TAP interface to come up...".
- Situation: During the attempt to connect to the SSL VPN, the tunnel won’t set up and the logs contain the message "Route: Waiting for TUN/TAP interface to come up...".
- Cause: An issue with the TAP-Windows Adapter interface prevents the VPN tunnel from setting up.
- Solution: In the Windows Network and Sharing Center, click on Change adapter settings, right-click on the TAP-Windows Adapter interface and click on Diagnose.
A corporate resource cannot be accessed over the VPN tunnel
- Situation: The tunnel has been set up, but a corporate resource cannot be accessed.
- Cause: Either the firewall’s filter policy is blocking access to this resource or the resource is no longer accessible. There may also be other causes for this situation.
- Solutions:
  - On the SNS firewall, temporarily enable Advanced logging in the rule regarding the traffic in question to collect logs (in Configuration > Security policy > Filter - NAT > Filtering), then in the logs, check whether the rule applies to the traffic (in Monitoring > Logs - Audit logs > Filtering).
  - Ensure that the requested resource is in fact physically available.
  - Clear the workstation's ARP cache by running the command arp -d * in a console.
The VPN tunnel shuts down whenever very large files are sent
- Situation: Whenever a large file is sent, the VPN tunnel shuts down.
- Cause: The file sent is too large.
- Solution: Send the file over a protocol, such as FTP, that uses smaller blocks, or set up the tunnel over UDP.