This topic discusses several SSL VPN-Plus issues and how to resolve them.

Problem

  • SSL VPN-Plus authentication fails.

  • Installing the SSL VPN-Plus Client fails.

  • You see one of these errors:

    • Windows network property windows is open !! To proceed with installation please close windows network property.

    • Driver installation failed for reason E000024B: please try rebooting the machine.

    • The installation failed. The installer encountered an error that cause the installation to fail. Contact the software manufacturer for assistance.

The cause can be an installation issue, an authentication issue, or a communication issue. Each step provides instructions or an appropriate reference to eliminate possible causes and take corrective action as necessary. The steps are ordered in the most appropriate sequence to isolate the issue and identify the proper resolution.

Procedure

  1. SSL VPN-Plus Client installation issues: Ensure that the operating system of the SSL VPN client is supported. For more information, see the SSL VPN-Plus section of the NSX Administration Guide.
    1. For Windows 8.1 - The auto-downloaded installer is blocked by default. Save the installer, unblock it, and then run it.
    2. For SSL VPN Client - Install the SSL VPN client on the end user's machine. Installation requires administrator rights.
    3. For SSL VPN Portal - You should be able to access the portal from any browser with cookies and JavaScript enabled.
  2. Authentication issues: Verify the following settings:
    1. Ensure that the external authentication server is reachable from the NSX Edge. From the NSX Edge, ping the authentication server and verify if the server is reachable.
    2. Check the external authentication server configuration using tools such as the LDAP browser and see if the configuration works. Only LDAP and AD authentication servers can be checked using the LDAP browser.
    3. Ensure that the local authentication server is set to the lowest priority if it is configured in the authentication process.
    4. If using Active Directory (AD), set it to no-ssl mode and take a packet capture on the interface from which the AD server is reachable, so that the exchange with the AD server is readable in the capture.
    5. If authentication is successful, the syslog server shows a message similar to:
      Log Output - SVP_LOG_NOTICE, 10-28-2013,09:28:39,Authentication,a,-,-,10.112.243.61,-,PHAT,,SUCCESS,,,10-28-2013,09:28:39,-,-,,,,,,,,,,-,,-,
    6. If authentication fails, the syslog server shows a message similar to:
      Log Output - SVP_LOG_NOTICE, 10-28-2013,09:28:39,Authentication,a,-,-,10.112.243.61,-,PHAT,,FAILURE,,,10-28-2013,09:28:39,-,-,,,,,,,,,,-,,-,
  3. Communication issues:
    • Verify if the SSL VPN process is running:

    1. Log in to the Edge appliance from the CLI. For more information, see the NSX Command Line Interface Reference.
    2. Run the show process monitor command, and locate the sslvpn process.
    3. Run the show service network-connections command, and see if the sslvpn process is listed on port 443.
    • The SSL VPN Portal/SSL VPN-Plus Client displays Maximum users reached/Maximum count of logged in user reached as per SSL VPN license. Please try after some time or SSL read has failed.

    1. To resolve this issue, increase the number of concurrent users (CCU) by converting the NSX Edge form factor from lower to higher (change from compact to large). For more information, see the NSX Administration Guide. Note that connected users are disconnected from the VPN when you perform this operation.
    • Back end applications are not accessible.

    1. The back end (Private Network) and IP Pool should not be in the same subnet.
    2. Log in to the Edge Command Line Interface (CLI), and take a packet capture on the na0 interface by running the debug packet capture interface na0 command.
      Note:

      Packet capture continues to run in the background until you stop the capture by running the no debug packet capture interface na0 command.

    3. If TCP Optimization is not enabled, verify firewall rules.
    4. For non-TCP traffic, make sure the back-end network has its default gateway set to the internal interface of the edge.
    5. For a Linux client, log in to the Linux system on which the SSL VPN client is installed and take a packet capture on the tap0 interface or virtual adapter by running the tcpdump -i tap0 -s 1500 -w filepath command.
    • SSL VPN portal page is not rendering properly.

    1. If the language is not set to English, set the language to English and see if the issue persists.
    2. Check if an AES cipher is selected on the SSL VPN server. Some browsers, such as Internet Explorer 8, do not support AES encryption.
    • Useful troubleshooting commands for communication issues:

      • To check the status of SSL VPN, run the show service sslvpn-plus command.

      • To check statistics for SSL VPN, run the show service sslvpn-plus stats command.

      • To check VPN clients that are connected, run the show service sslvpn-plus tunnels command.

      • To check sessions, run the show service sslvpn-plus sessions command.
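
The following Python is an added example, not part of the original documentation or VMware's code: it parses syslog messages in the format quoted in the authentication step and counts FAILURE results per address, which helps separate one mistyped password from repeated failures from a single source. The field positions (user in field 4, address in field 7, result in field 11) are inferred from the two sample messages and are an assumption, as are the function names and the constructed sample lines.

```python
from collections import Counter

# Constructed sample input in the format of the messages quoted in the
# authentication step. Hosts, users and the syslog prefix are made up.
SAMPLE_LOG = """\
SVP_LOG_NOTICE, 10-28-2013,09:28:39,Authentication,a,-,-,10.112.243.61,-,PHAT,,SUCCESS,,,10-28-2013,09:28:39,-,-,,,,,,,,,,-,,-,
Oct 28 09:29:02 edge-01 sslvpn: SVP_LOG_NOTICE, 10-28-2013,09:29:02,Authentication,b,-,-,192.0.2.10,-,PHAT,,FAILURE,,,10-28-2013,09:29:02,-,-,,,,,,,,,,-,,-,
Oct 28 09:29:05 edge-01 sslvpn: SVP_LOG_NOTICE, 10-28-2013,09:29:05,Authentication,b,-,-,192.0.2.10,-,PHAT,,FAILURE,,,10-28-2013,09:29:05,-,-,,,,,,,,,,-,,-,
Oct 28 09:29:09 edge-01 sslvpn: SVP_LOG_NOTICE, 10-28-2013,09:29:09,Authentication,c,-,-,192.0.2.10,-,PHAT,,FAILURE,,,10-28-2013,09:29:09,-,-,,,,,,,,,,-,,-,
Oct 28 09:30:00 edge-01 kernel: unrelated line that must be skipped
"""

# Field positions inferred from the two sample messages; an assumption,
# not a documented schema. Verify against your own Edge logs.
F_DATE, F_TIME, F_EVENT, F_USER, F_ADDR, F_RESULT = 1, 2, 3, 4, 7, 11


def parse_auth_events(text):
    """Return one dict per SSL VPN-Plus authentication message in text."""
    events = []
    for line in text.splitlines():
        start = line.find("SVP_LOG_NOTICE")
        if start < 0:
            continue  # not an SSL VPN-Plus notice
        fields = [f.strip() for f in line[start:].split(",")]
        if len(fields) <= F_RESULT or fields[F_EVENT] != "Authentication":
            continue  # truncated line or a different event type
        if fields[F_RESULT] not in ("SUCCESS", "FAILURE"):
            continue  # result value not seen in the sample messages
        events.append({
            "when": fields[F_DATE] + " " + fields[F_TIME],
            "user": fields[F_USER],
            "addr": fields[F_ADDR],
            "result": fields[F_RESULT],
        })
    return events


def failures_by_source(events, threshold=3):
    """Map address -> failure count for addresses at or above threshold."""
    counts = Counter(e["addr"] for e in events if e["result"] == "FAILURE")
    return {addr: n for addr, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    parsed = parse_auth_events(SAMPLE_LOG)
    for event in parsed:
        print(event["when"], event["addr"], event["user"], event["result"])
    print("repeated failures:", failures_by_source(parsed))
```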