Troubleshooting
This chapter covers some of the issues that occur most frequently when using the Stormshield SSL VPN client. If the issue you encounter cannot be found in this chapter, we recommend that you refer to the Stormshield knowledge base.
The tunnel won’t set up and the message "The connection was denied as the user or workstation used does not comply with the policy defined on the firewall" appears.
- Situation: During the attempt to connect to the SSL VPN, the tunnel won’t set up and the message "The connection was denied as the user or workstation used does not comply with the policy defined on the firewall" appears.
- Cause: The client workstation that was used does not comply with all the criteria defined in the policy verifying the compliance of client workstations and users (ZTNA).
- Solutions:
  - Check which criteria have not been met by referring to the section Displaying VPN logs (SSL and IPsec) and identifying the verification criteria that have not been met on a client workstation, then rectify the configuration of the client workstation in question.
  - Check the configuration of the policy verifying the compliance of client workstations by referring to the section Configuring the policy verifying the compliance of client workstations (in ZTNA).
The tunnel won’t set up and the message "Could not connect to firewall: Failed to resolve UTM name" appears.
- Situation: During the attempt to connect to the SSL VPN, the tunnel won’t set up and the message "Could not connect to firewall: Failed to resolve UTM name" appears.
- Cause: The address entered is incorrect or unreachable.
- Solution: Check that the firewall address entered is correct.
The tunnel won’t set up and the message "Login or password incorrect" appears.
- Situation: During the attempt to connect to the SSL VPN, the tunnel won’t set up and the message "Login or password incorrect" appears.
- Cause: Either the user's password is incorrect or the user does not have sufficient privileges to authenticate on the SSL VPN.
- Solutions:
  - Check that the login and password are correct.
  - On the SNS firewall, check that the SSL VPN policy has been set to Allow in Configuration > Users > Access privileges, Default access tab, and that the user or user group in question is allowed to set up SSL VPN tunnels in Configuration > Users > Access privileges, Detailed access tab.
The tunnel won’t set up and the message "Error while connecting to the service: Connection refused" appears.
- Situation: During the attempt to connect to the SSL VPN, the tunnel won’t set up and the message "Error while connecting to the service: Connection refused" appears.
- Cause: The Stormshield SSL OpenVPN Service and Stormshield SSL VPN Service services are not running or are not working.
- Solution: Ensure that the Windows services have been started up on the workstation, or try to restart them.
The tunnel won’t set up and logs contain the message "Route: Waiting for TUN/TAP interface to come up...".
- Situation: During the attempt to connect to the SSL VPN, the tunnel won’t set up and the message "Route: Waiting for TUN/TAP interface to come up..." appears in the logs.
- Cause: An issue with the TAP-Windows Adapter interface prevents the VPN tunnel from setting up.
- Solution: In the Windows Network and Sharing Center, click on Change adapter settings, right-click on the TAP-Windows Adapter interface and click on Diagnose.
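The two workstation-side checks above (client services and TAP-Windows Adapter) can also be read from a PowerShell console. This is an added example, not part of the Stormshield documentation: it assumes the service names given above are the Windows display names and that the adapter description starts with "TAP-Windows Adapter", and the function name Test-SslVpnClientHealth is made up for the example.

```powershell
# Added example, not Stormshield code. Run in a Windows PowerShell console.
function Test-SslVpnClientHealth {
    [CmdletBinding()]
    param(
        # Also start services found stopped (requires an elevated console).
        [switch]$StartStopped
    )

    # Names as written on this page; assumed to be the Windows display names.
    $serviceNames = 'Stormshield SSL OpenVPN Service', 'Stormshield SSL VPN Service'

    foreach ($name in $serviceNames) {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            [pscustomobject]@{ Check = 'Service'; Name = $name; State = 'NotFound'; Detail = '' }
            continue
        }
        if ($StartStopped -and $svc.Status -ne 'Running') {
            # Fails with an error if the service is disabled or the console is not elevated.
            Start-Service -InputObject $svc
            $svc = Get-Service -DisplayName $name
        }
        [pscustomobject]@{
            Check  = 'Service'
            Name   = $svc.DisplayName
            State  = $svc.Status
            Detail = "StartType: $($svc.StartType)"
        }
    }

    # 'Disconnected' is normal for the TAP adapter while no tunnel is up;
    # 'Disabled' or a missing adapter would keep the interface from coming up.
    $taps = @(Get-NetAdapter -InterfaceDescription 'TAP-Windows Adapter*' -ErrorAction SilentlyContinue)
    if ($taps.Count -eq 0) {
        [pscustomobject]@{ Check = 'Adapter'; Name = 'TAP-Windows Adapter'; State = 'NotFound'; Detail = '' }
    }
    foreach ($tap in $taps) {
        [pscustomobject]@{
            Check  = 'Adapter'
            Name   = $tap.Name
            State  = $tap.Status
            Detail = $tap.InterfaceDescription
        }
    }
}

Test-SslVpnClientHealth | Format-Table -AutoSize
```

Without -StartStopped the function only reports state and changes nothing on the workstation.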
A corporate resource cannot be accessed over the VPN tunnel
- Situation: The tunnel has been set up, but a corporate resource cannot be accessed.
- Cause: Either the firewall’s filter policy is blocking access to this resource or the resource is no longer accessible. There may also be other causes for this situation.
- Solutions:
  - On the SNS firewall, temporarily enable Advanced logging in the rule regarding the traffic in question to collect logs (in Configuration > Security policy > Filter - NAT > Filtering), then in the logs, check whether the rule applies to the traffic (in Monitoring > Logs - Audit logs > Filtering).
  - Ensure that the requested resource is in fact physically available.
  - Clear the workstation's ARP cache by running the command arp -d * in a console.
The VPN tunnel shuts down whenever very large files are sent
- Situation: Whenever a large file is sent, the VPN tunnel shuts down.
- Cause: The file sent is too large.
- Solution: Send the file over a protocol, such as FTP, that uses smaller blocks, or set up the tunnel over UDP.