Ewon failing VPN connection

@anonfsutvmpw
Hello Eric,

Maribel asked me to reach out to you regarding your Ewon not passing the VPN connection test. Based on the screenshot shared, it looks like it is failing the last step of the wizard, with the real-time logs showing a SIGTERM hard error message. This typically indicates that the Ewon's VPN is getting blocked by the company's firewall.

You will need to reach out to the IT department in charge of the firewall and ask them to unblock OpenVPN connections through the firewall so the Ewon can establish a VPN connection to our servers.

Let me know if you have any questions.

Deryck

Yes, but I have done this. I lifted a ticket to solve this issue, but it's not working. What more can I do?

Could you review the firewall request attached to the email? Was it OK or not? Is something wrong?

And without force TCP

With TCP force option, I get the following error: “FAILED: VPN connection timeout”

What is your time zone?

Hello Derick and Maribel,

Could you please help me with the correct destination IPs?

My IT guys are telling me the following:

Hi,

The issue is that you have the wrong/missing destination IPs in the FWRR, please confirm the destination IPs with the vendor and update the FWRR accordingly.

Regards,

Florent

Hello Florent,

When we see only the VPN failing, it is the step in the test where the VPN connection is opened, after we have tested whether you can reach the VPN server. This typically means the firewall is detecting a VPN connection and killing the internet connection for the device. In the previous HTTP direct connection test we are checking if the IP addresses can be reached. If you can get me a backup with support files, I can check the log to see if this might be the case.

What I suspect is happening is there is a process on the firewall looking for VPN traffic and preventing it. This is different than opening a port.

You can check out the following post for more info on the hostnames for our servers along with the IP addresses they resolve to. Talk2M Server Addresses & Hostnames

Deryck

Hello Maribel and Derick, please help!

The following message was the latest answer from my IT guys. Could you please review it and tell me what's wrong?

My previous answer still stands:

“The issue is that you have the wrong/missing destination IPs in the FWRR, please confirm the destination IPs with the vendor and update the FWRR accordingly.”

Not sure what you are waiting from me, the requirements need to be confirmed by you, not me, then update the missing IPs in the FWRR as said earlier.

NB: “What I suspect is happening is there is a process on the firewall looking for VPN traffic and preventing it. This is different than opening a port.”

→ This is wrong

NB2: 92.52.111.210 as.pro.talk2m.com seems to use udp-1194, not only HTTPS.

If you require more assistance for troubleshooting you need to open a SNOW ticket with the service desk.

Regards,

Hello,

I am double-checking the ports used for the access server, 92.52.111.210 as.pro.talk2m.com. The Ewon should only be connecting on 443, but 1194 is the UDP port that we use to connect to the VPN server. Would the IT team have issues opening 1194 to that device too?

One thing you could try is running the VPN setup wizard, where you can force it to connect using TCP. To do this, on the second step of the VPN wizard check the box to view advanced parameters and then check the force TCP option. This should have the device use only a TCP connection over 443.

Best regards,
Deryck

Hello HMS team, please help!

Good morning,

Unfortunately I have tried this: forcing TCP doesn't work, as you can see in the attached image.

Hello,

I have verified that the Talk2M ports and addresses document is missing that as.pro.talk2m.com makes a connection over port 1194. I recommend having them add 1194 to this hostname/IP. Forcing TCP should be skipping this test. Based on this image, we can see the UDP test is being skipped and only the VPN test is failing.

When it tests the VPN connection, it is using the previously tested connection but now opening a VPN tunnel. If you are failing at this step, VPN traffic is getting blocked by the IT department. They might have a particular process in place blocking traffic that looks like a VPN connection. You need them to verify that they are not blocking OpenVPN traffic. I have seen this before with SonicWall firewalls, where the ports are open but other settings are blocking the OpenVPN traffic.

Deryck
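
An added example, not part of the original thread and not HMS code: a small check that a firewall rule request lists the two flows named above for 92.52.111.210 (TCP 443 and UDP 1194). The rule-line format, the sample rows and the function names are assumptions made for illustration; a clean result only shows the request covers the ports, and does not rule out the traffic-inspection blocking described in the last reply.

```python
import ipaddress

# Flows named in the thread for the Talk2M access server (as.pro.talk2m.com).
REQUIRED = [
    ("92.52.111.210", "tcp", 443),
    ("92.52.111.210", "udp", 1194),
]

# Assumed line format: "action proto destination port-or-range".
SAMPLE_FWRR = """
# constructed sample rows, not the real request from the thread
allow tcp 92.52.111.210/32 443
allow tcp 92.52.111.0/24 80-443
allow udp 10.0.0.0/8 1194
"""

def parse_rules(text):
    """Parse rule lines into dicts, skipping blanks and '#' comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, dest, ports = line.split()
        lo, _, hi = ports.partition("-")
        rules.append({
            "action": action.lower(),
            "proto": proto.lower(),
            "net": ipaddress.ip_network(dest, strict=False),
            "ports": (int(lo), int(hi or lo)),
        })
    return rules

def covers(rule, ip, proto, port):
    """True if an allow rule matches protocol, destination and port."""
    lo, hi = rule["ports"]
    return (rule["action"] == "allow" and rule["proto"] == proto
            and ipaddress.ip_address(ip) in rule["net"] and lo <= port <= hi)

def missing_flows(rules, required=REQUIRED):
    """Return the required (ip, proto, port) flows no rule allows."""
    return [flow for flow in required
            if not any(covers(r, *flow) for r in rules)]

if __name__ == "__main__":
    for ip, proto, port in missing_flows(parse_rules(SAMPLE_FWRR)):
        print(f"not covered by FWRR: {proto}/{port} -> {ip}")
```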