SSL-VPN Tunnel not Establishing

5 out Of 5 Stars

1 rating

5 Stars		100%
4 Stars		0%
3 Stars		0%
2 Stars		0%
1 Stars		0%

Verify if the time is in sync on both network appliance endpoints of the tunnel.
Check if the IP addresses used are part of spoof addresses when DDOS is enabled on the WAN Interface
- This use case is when the network appliance WANs are on a private address space of IP address and not directly facing the Internet. If so, navigate to the Security->DDOS page and remove the private address range from spoof address list.
Check the Remote IP addresses are reachable.
- Use the ping option on the Utility page to verify the same
Check the ports used for the Tunnel creation are opened.
- In a use-case where there is a router in front of the network appliance, a port forward configuration should be enabled on that router to direct the ports to the respective WAN on the network appliance. The firewall configuration on that router should also open up the ports.
SSL VPN Server side (DC) should have x509 Server certificate and the Branch side (BR) should have x509 client certificate
Make sure the certificates have not expired
- Verify the Status by navigating to the Security->x509 page for the respective certificates used.
If using custom HOST certificates, make sure the CA certificate who has issued the HOST certificates is imported on both ends.
Encryption and Compression option should match on both endpoints.

Check the logs for certificate verification failure under syslog and respective tunnel from director UI.

EC-System-Logs-SYSLOG-SSLVPN
    Mar  1 05:06:07 KETTOPESK VPN00_L2L[11965]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=US, ST=Georgia, L=Norcross, O=Amzetta Technologies LLC, OU=CPE Unit, CN=server01, [email protected]
    Mar  1 05:06:07 KETTOPESK VPN00_L2L[11965]: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
    Mar  1 05:06:07 KETTOPESK VPN00_L2L[11965]: TLS_ERROR: BIO read tls_read_plaintext error
    Mar  1 05:06:07 KETTOPESK VPN00_L2L[11965]: TLS Error: TLS object -> incoming plaintext read error
    Mar  1 05:06:07 KETTOPESK VPN00_L2L[11965]: TLS Error: TLS handshake failed

Verify if all LAN subnets are reachable from the network appliance.

Was this article helpful?

5 out Of 5 Stars

1 rating

5 Stars		100%
4 Stars		0%
3 Stars		0%
2 Stars		0%
1 Stars		0%

Solutions by Service chevron

Solutions by Industry chevron

Digital Workspaces chevron View All Products

zWAN

Deployment

Getting Started

Introduction

Configuration

Installation Guides

POC Evaluation

Support

Administration

Device Management

Analytics

Features

System

Analytics

User Management

Configuration

Network Appliances

z25

Troubleshooting

Troubleshooting

Frequently Asked Questions

zTC

Linux v1.1

Windows v1.1

StorTrends

Best Practice Guides

Configuration Guides

zPortal

Maintenance

Monitoring

Desktops

Client Assignment Operations

Desktop Details Dialog

Desktop Pool Related Operations

Power Operations On Desktops

UI Operations in Desktops VMs Tab

Viewing Desktop Information

Endpoints

Actions

Sessions

Prepare to Install

Quick Configuration

Workspace

Applications

Manage Applications

Publish Applications

Connection Profiles

Desktop Pools

Add Desktop Pool

Delete Desktop Pool

Desktop Pool Categorization

Desktop Pools Page

Edit Desktop Pool

Organizations

zPortal Installation

zGateway

Administration

Deployment

Installation

Clustering

Quick Configuration

SSL-VPN Tunnel not Establishing

5 out Of 5 Stars

5 out Of 5 Stars

How can we improve this article?

Please submit the reason for your vote so that we can improve the article.

Solutions by Service

Solutions by Industry

Digital Workspaces View All Products