Problem with the SSL VPN server

[Peter]

Hello.

We have received several customer reports today who report that the SSL-VPN (OneConnect) is not working. The symptom is that customers are unable to connect with the VPN client nor reach the SSL-VPN portal (to download the client / configuration file). The Firewall drops the traffic due to "Default_Rule", meaning that the "SSL VPN Before Rule" does not trigger correctly. In the CLI we can see that the listening connection for the SSL VPN server is gone.

The listening connection should look something like this:

VSG-24:/> connections -show -srciface=core -destport=443 -verbose
State    Proto   Source                      Destination                 Tmout
-------- ------- --------------------------- --------------------------- ------
TCP_NEW  TCP     core:0.0.0.0:0              core:192.168.98.25:443          42
        ...term: none

A workaround to the problem is to use another port for the SSL VPN server other than 443.

An engineering case has been created about the problem (COP-22232) and it is currently being investigated. I will update this thread when there is an update or when we have found the problem.

Best regards
/Peter

[Peter]

Update: It has been confirmed that this workaround did not solve the problem. Initially it seemed to to work but....

Original post:
A second workaround to the problem has been discovered.

1. Disable the checkbox for "SSL VPN Before Rules" (Network->SSL->Advanced Settings).
2. Create a normal IP policy rule to allow SSL VPN traffic to the Firewall, it should look something like this:

Allow Wan all-nets Core IP_wan service=Port_443

The workaround is to enable "SYN flood protection (SYN Relay)" on the (Port_443) service. Once the problem has been fixed, this workaround can be reverted.

Best regards
/Peter

[ra@srt-systems.fr]

Hi Peter,

I tried yesterday the same workaround and no success unfortunately.

The SSL IP server is published on interface WAN and I put the following policy.

Allow Wan all-nets Wan IP_wan_SSL_VPN service=Port_443

The rule is triggered but the VPN SSL still not working.

Thx.
/Rachid (SRT)

[Peter]

Thank you for the update. We have received feedback from other customers as well saying that the SYN relay workaround, while initially seemed to work, does not solve the problem. I have updated my previous post.

The best workarounds so far is to either:

1. Change port to something other than 443.
2. Remove the "SSL VPN Before Rules" rule and create a IP policy rule that only allows SSL to connect from specific IP's or network.

A little more details about the problem / official statement:

Introduction

A resource exhaustion issue is causing an unauthenticated denial of service that prevents users from connecting to the SSL VPN server or accessing the web page of the SSL VPN interface on the firewall.

Affected Versions

The following products are affected by this vulnerability:

• All versions of Clavister NetWall.

Security Patches

• A patch is being prepared and will be made available as soon as the proper tests are done.

Best regards
/Peter

[Peter]

Hello.

Update: A TP version (Technical preview / beta) with a preliminary fix for the problem is now available for customers interested in testing.

Important: Please note that a TP version contains fairly untested changes, only minor tests and verifications has been done so there may be unexpected behavior by using it until it has gone through proper QA testing and verification.

If you are interested in gaining access to the TP version, please register a ticket using the Clavister support system:

https://my.clavister.com/help-desk/regi ... rt-ticket/

Best regards
/Peter

[Peter]

Hello.

A new version is now released that contains a fix for the SSL VPN problem. The new version is 12.00.21 and is available for download on www.clavister.com (requires login).

Best regards
/Peter