Use this topic to understand likely SSL VPN connectivity and data path issues and how to resolve them.

Problem

Common problems associated with SSL VPN connectivity and data path are as follows:
  • SSL VPN-Plus client is unable to connect to the SSL VPN server.
  • SSL VPN-Plus client is installed, but the SSL VPN-Plus services are not running.
  • Maximum count of logged-in users is reached. The SSL VPN web portal or the SSL VPN-Plus client displays the following message:

    Maximum users reached/Maximum count of logged in user reached as per SSL VPN license. Please try after some time or SSL read has failed.

  • SSL VPN services are running, but the data path is not working.
  • SSL VPN connection is established, but applications in the private network are not accessible.

Solution

  1. If the SSL VPN-Plus client is unable to connect to the SSL VPN server, do the following:
    • Make sure that the SSL VPN user is logging in with the correct user name and password.
    • Check whether the SSL VPN user is valid.
    • Verify whether the SSL VPN user can reach the SSL VPN server by using the web portal.
  2. On the NSX Edge, do the following steps to verify whether the SSL VPN process is running.
    1. Log in to the NSX Edge from the CLI. For more information about logging in to the Edge CLI, see the NSX Command Line Interface Reference.
    2. Run the show process monitor command, and locate the sslvpn process.
    3. Run the show service network-connections command, and check if the sslvpn process is listed on port 443.
      Note: By default, your system uses port 443 for SSL traffic. However, if you have configured a different TCP port for SSL traffic, make sure that the sslvpn process is listed on that TCP port number.
  3. On the SSL VPN-Plus client, verify whether the SSL VPN-Plus services are running.
    Operating System   Description
    Windows            Open the Task Manager, and check whether the SSL VPN-Plus Client service is started.
    Mac                • Make sure that the naclientd process is started for the daemon.
                       • Make sure that the naclient process is started for the GUI.
                       To check whether the processes are running, run the ps -ef | grep "naclient" command.
    Linux              • Make sure that the naclientd and naclient_poll processes are started.
                       • To check whether the processes are running, run the ps -ef | grep "naclient" command.

    If the services are not running, run the following commands to start the services.

    Operating System   Command
    Mac                Run the sudo launchctl load -w /Library/LaunchDaemons/com.vmware.naclientd.plist command.
    Linux              Run the sudo service naclient start command.
  4. If the maximum count of logged-in SSL VPN users is reached, increase the number of concurrent users (CCU) by increasing the NSX Edge form factor.
    For more information, see the NSX Administration Guide. Note that the connected users get disconnected from VPN when you perform this operation.
  5. If the SSL VPN services are running, but the data path is not working, do the following steps:
    1. Check whether a virtual IP is assigned after a successful connection.
    2. Verify whether the routes are added.
  6. When applications in the private (back-end) network are not accessible, do the following steps to resolve the issue:
    1. Make sure that the private network and IP pool are not in the same subnet.
    2. If the administrator has not defined an IP pool, or if the IP pool is exhausted, do these steps.
      1. Log in to the vSphere Web Client.
      2. Click Networking & Security, and then click NSX Edges.
      3. Double-click an NSX Edge, and then click the SSL VPN-Plus tab.
      4. Add a static IP pool as explained in the Add an IP Pool topic in the NSX Administration Guide. Make sure that you add the IP address in the Gateway text box. The gateway IP address is assigned to the na0 interface. All non-TCP traffic flows through the virtual adapter named na0. You can create multiple IP pools with different gateway IP addresses, all assigned to the same na0 interface.
      5. Use the show interface na0 command to verify the provided IP addresses, and check whether all the IP pools are assigned to the same na0 interface.
      6. Log in to the client machine, go to the SSL VPN-Plus Client - Statistics screen and verify the assigned virtual IP address.
    3. Log in to the NSX Edge Command Line Interface (CLI), and take a packet capture on the na0 interface by running the debug packet capture interface na0 command. You can also capture packets by using the Packet Capture tool. For details, see the NSX Administration Guide.
      Note: Packet capture continues to run in the background until you stop the capture by running the no debug packet capture interface na0 command.
    4. If TCP Optimization is not enabled, verify firewall rules.
    5. For non-TCP traffic, make sure that the back-end network has the default gateway set as an internal interface of the Edge.
    6. For Mac and Linux clients, log in to the system on which the SSL VPN client is installed, and take a packet capture on the tap0 interface (the virtual adapter) by running the tcpdump -i tap0 -s 1500 -w filepath command. On Windows clients, use a packet analyzer tool, such as Wireshark, and capture packets on the SSL VPN-Plus Client adapter.
  7. If all the above steps do not resolve the issue, use the following NSX Edge CLI commands to troubleshoot further.
    Purpose                                 Command
    Check the SSL VPN status.               show service sslvpn-plus
    Check the SSL VPN statistics.           show service sslvpn-plus stats
    Check VPN clients that are connected.   show service sslvpn-plus tunnels
    Check SSL VPN-Plus sessions.            show service sslvpn-plus sessions
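The two pool conditions from step 6 (the pool must not share a subnet with the private network, and the gateway that lands on na0 must sit in the same subnet as the pool range) can be checked before the pool is added. The following is an added example, not VMware's code; the pool values and private networks are constructed samples, and the check for the client's virtual IP corresponds to the Statistics screen in step 6.2.6.

```python
import ipaddress

# Constructed sample values. In a real deployment these come from the
# SSL VPN-Plus tab (IP pool) and from the Edge internal interfaces.
SAMPLE_POOL = {"start": "10.10.10.10", "end": "10.10.10.100",
               "gateway": "10.10.10.1", "netmask": "255.255.255.0"}
# The second private network deliberately overlaps the pool subnet.
SAMPLE_PRIVATE_NETWORKS = ["192.168.100.0/24", "10.10.10.0/24"]


def check_ip_pool(pool, private_networks):
    """Return a list of findings; an empty list means the pool passes both checks.

    Check 1 (step 6.1): the pool subnet must not overlap any private network.
    Check 2 (step 6.2.4): range start and end must lie in the gateway's subnet,
    because the gateway address is the one the Edge assigns to na0.
    """
    findings = []
    gateway = ipaddress.ip_address(pool["gateway"])
    # Dotted netmask form is accepted by ip_network; strict=False keeps host bits.
    pool_net = ipaddress.ip_network(f'{gateway}/{pool["netmask"]}', strict=False)
    start = ipaddress.ip_address(pool["start"])
    end = ipaddress.ip_address(pool["end"])
    if end < start:
        findings.append(f"pool range {start}-{end} is reversed")
    for label, addr in (("start", start), ("end", end)):
        if addr not in pool_net:
            findings.append(f"pool {label} {addr} is outside gateway subnet {pool_net}")
    for net in private_networks:
        priv = ipaddress.ip_network(net, strict=False)
        if pool_net.overlaps(priv):
            findings.append(f"pool subnet {pool_net} overlaps private network {priv}")
    return findings


def virtual_ip_in_pool(virtual_ip, pool):
    """True if the virtual IP shown on the client's Statistics screen falls
    inside the configured pool range."""
    ip = ipaddress.ip_address(virtual_ip)
    return ipaddress.ip_address(pool["start"]) <= ip <= ipaddress.ip_address(pool["end"])


if __name__ == "__main__":
    for finding in check_ip_pool(SAMPLE_POOL, SAMPLE_PRIVATE_NETWORKS) or ["pool OK"]:
        print(finding)
    print("10.10.10.42 assigned from pool:", virtual_ip_in_pool("10.10.10.42", SAMPLE_POOL))
```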