
Can't access intranet after login SSLVPN

Publication Date: 2018-01-31
Issue Description

We configured SSL VPN by following the product documentation, but after logging in through SecoClient the client cannot access the intranet.

Handling Process

The configuration itself is not wrong; the behaviour changed in V500R001C30SPC300. When Network Extension is enabled, the firewall performs a reverse-route lookup when it forwards SSL VPN packets, and after V500R001C30SPC300 this reverse-route mechanism was changed: the firewall determines the source zone from the public IP address of the SSL VPN client PC, not from the client's private (virtual) IP address.
The firewall configuration contains two equal-cost default routes, so the reverse-route lookup for the client's public IP address may resolve to either of two outbound interfaces, and those interfaces belong to two different zones (Untrust1 and untrust). The security policy must therefore list both Untrust1 and untrust as source zones.

ip route-static 0.0.0.0 0.0.0.0 x.x.x.x
ip route-static 0.0.0.0 0.0.0.0 y.y.y.y
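The zone ambiguity described above can be checked offline before touching the policy. The following script is an added example, not part of the original article or of any Huawei tool: it performs a longest-prefix reverse-route lookup that treats all equal-cost best matches as candidates (ECMP), maps the candidate outbound interfaces to their zones, and reports which of those zones a security-policy rule fails to list. Interface names, next hops, the zone mapping and the client address are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str      # informational only; zone comes from the interface
    interface: str


def reverse_route_zones(src_ip, routes, iface_zone):
    """Zones the firewall may assign to src_ip on a reverse-route lookup.

    Longest prefix wins; every route with that same prefix length is an
    equal-cost candidate, so its interface zone is a possible source zone.
    """
    ip = ipaddress.ip_address(src_ip)
    matches = [r for r in routes if ip in r.prefix]
    if not matches:
        return set()
    best = max(r.prefix.prefixlen for r in matches)
    return {iface_zone[r.interface] for r in matches if r.prefix.prefixlen == best}


def missing_source_zones(src_ip, routes, iface_zone, policy_source_zones):
    """Zones the reverse-route lookup can pick that the rule does not permit."""
    return reverse_route_zones(src_ip, routes, iface_zone) - set(policy_source_zones)


# Constructed routing table: two equal-cost default routes via interfaces in
# different zones (the situation in the article) plus one internal route.
ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1", "GigabitEthernet1/0/1"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "198.51.100.1", "GigabitEthernet1/0/2"),
    Route(ipaddress.ip_network("10.0.0.0/8"), "10.0.0.1", "GigabitEthernet1/0/3"),
]
IFACE_ZONE = {  # constructed interface-to-zone mapping
    "GigabitEthernet1/0/1": "Untrust1",
    "GigabitEthernet1/0/2": "untrust",
    "GigabitEthernet1/0/3": "trust",
}
CLIENT_PUBLIC_IP = "192.0.2.10"  # constructed public address of the SecoClient PC

if __name__ == "__main__":
    print("possible source zones:", reverse_route_zones(CLIENT_PUBLIC_IP, ROUTES, IFACE_ZONE))
    print("missing from rule:", missing_source_zones(CLIENT_PUBLIC_IP, ROUTES, IFACE_ZONE, ["untrust"]))
```

A rule that lists only one of the two zones leaves the other reported as missing, which is exactly the case where SSL VPN traffic is intermittently dropped depending on which default route the lookup selects.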

Root Cause

The firewall derives the source zone from the route to the SSL VPN client PC's public IP address, not from the client's private IP address.

Solution

Configure the zones of both outbound interfaces as source zones in the security policy.

system-view
 security-policy
  rule name SSLVPN
   source-zone Untrust1
   source-zone untrust
   destination-zone trust
   action permit
