This topic discusses several SSL VPN-Plus issues and how to resolve them.

Procedure

  1. SSL VPN-Plus Client Installation issues: Ensure that the operating system of SSL VPN client is supported. For more information, see the SSL VPN-Plus section of the NSX Administration Guide.
    1. For Windows 8.1 - Auto downloaded installer is blocked by default. Save the installer, unblock the installer, and then execute.
    2. For SSL VPN Client - Install the SSL VPN client on the end user's machine. Installation requires administrator rights.
    3. For SSL VPN Portal - You should be able to access the portal from any browser with cookies and JavaScript enabled.
  2. Authentication issues: Verify the following settings:
    1. Ensure that the external authentication server is reachable from the NSX Edge. From the NSX Edge, ping the authentication server and verify if the server is reachable.
    2. Check the external authentication server configuration using tools such as the LDAP browser and see if the configuration works. Only LDAP and AD authentication servers can be checked using the LDAP browser.
    3. If a local authentication server is configured in the authentication process, ensure that it is set to the lowest priority.
    4. If using Active Directory (AD), set it to no-ssl mode so that the authentication traffic is readable, and take a packet capture on the interface from which the AD server is reachable.
    5. If authentication succeeds, the syslog server shows a message similar to: Log Output - SVP_LOG_NOTICE, 10-28-2013,09:28:39,Authentication,a,-,-,10.112.243.61,-,PHAT,,SUCCESS,,,10-28-2013,09:28:39,-,-,,,,,,,,,,-,,-,
    6. If authentication fails, the syslog server shows a message similar to: Log Output - SVP_LOG_NOTICE, 10-28-2013,09:28:39,Authentication,a,-,-,10.112.243.61,-,PHAT,,FAILURE,,,10-28-2013,09:28:39,-,-,,,,,,,,,,-,,-,
  3. Communication issues:
    • Verify if the SSL VPN process is running:

    1. Log in to the Edge appliance from the CLI. For more information, see the NSX Command Line Interface Reference.
    2. Run the show process monitor command, and locate the sslvpn process.
    3. Run the show service network-connections command, and see if the sslvpn process is listed on port 443.
    • The SSL VPN Portal/SSL VPN-Plus Client displays "Maximum users reached/Maximum count of logged in user reached as per SSL VPN license. Please try after some time" or "SSL read has failed".

    1. To resolve this issue, increase the concurrent users (CCU) further by converting the NSX Edge form factor from lower to higher (change from compact to large). For more information, see the NSX Administration Guide. Note that the connected users get disconnected from VPN when you perform this operation.
    • Back end applications are not accessible.

    1. The back end (Private Network) and the IP Pool should not be in the same subnet.
    2. Log in to the Edge Command Line Interface (CLI), and take a packet capture on the na0 interface by running the debug packet capture interface na0 command.
      Note:

      Packet capture continues to run in the background until you stop the capture by running the no debug packet capture interface na0 command.

    3. If TCP Optimization is not enabled, verify the firewall rules.
    4. For non-TCP traffic, make sure that the back end network has its default gateway set to the internal interface of the Edge.
    5. For a Linux client, log in to the Linux system on which the SSL VPN client is installed and take a packet capture on the tap0 interface or virtual adapter by running the tcpdump -i tap0 -s 1500 -w filepath command.
    • SSL VPN portal page is not rendering properly.

    1. If the language is not set to English, set the language to English and see if the issue persists.
    2. Check if the AES cipher is selected on the SSL VPN server. Some browsers, such as Internet Explorer 8, do not support AES encryption.
    • Useful troubleshooting commands for communication issues:

      • To check status of SSL VPN, run the show service sslvpn-plus command.

      • To check statistics for SSL VPN, run the show service sslvpn-plus stats command.

      • To check VPN clients that are connected, run the show service sslvpn-plus tunnels command.

      • To check sessions, run the show service sslvpn-plus sessions command.
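
The authentication messages shown in step 2 can be checked in bulk once they reach the syslog server. The following is an added example, not part of the original procedure or of NSX: it parses SVP_LOG_NOTICE Authentication records and reports source addresses with repeated consecutive failures, including whether a success followed them. The field positions are assumptions read off the sample message, and the names parse_auth and flag_sources, the syslog prefix and the sample events are constructed for illustration.

```python
from collections import defaultdict

# Field positions are assumptions read off the sample message in step 2
# (not a documented schema): date, time, event, user, source IP, result.
F_DATE, F_TIME, F_EVENT, F_USER, F_SRC, F_RESULT = 1, 2, 3, 4, 7, 11

TEMPLATE = ("SVP_LOG_NOTICE, 10-28-2013,{t},Authentication,{u},-,-,{ip},-,PHAT,,"
            "{r},,,10-28-2013,{t},-,-,,,,,,,,,,-,,-,")
# Constructed sample input: users, addresses, times and syslog prefix are made up.
EVENTS = [("09:28:39", "a", "10.112.243.61", "SUCCESS"),
          ("09:30:01", "bob", "192.0.2.10", "FAILURE"),
          ("09:30:03", "bob", "192.0.2.10", "FAILURE"),
          ("09:30:05", "carol", "192.0.2.10", "FAILURE"),
          ("09:30:09", "carol", "192.0.2.10", "SUCCESS"),
          ("09:31:00", "a", "10.112.243.61", "FAILURE")]
SAMPLE_LINES = ["Oct 28 09:00:00 edge-1 unrelated message"] + [
    "Oct 28 " + t + " edge-1 " + TEMPLATE.format(t=t, u=u, ip=ip, r=r)
    for t, u, ip, r in EVENTS]

def parse_auth(line):
    """Return a dict for an Authentication record, or None for any other line."""
    start = line.find("SVP_LOG_NOTICE")  # skip any syslog prefix before the marker
    if start < 0:
        return None
    f = [x.strip() for x in line[start:].split(",")]
    if len(f) <= F_RESULT or f[F_EVENT] != "Authentication":
        return None
    if f[F_RESULT] not in ("SUCCESS", "FAILURE"):
        return None
    return {"when": f[F_DATE] + " " + f[F_TIME], "user": f[F_USER],
            "src": f[F_SRC], "ok": f[F_RESULT] == "SUCCESS"}

def flag_sources(lines, threshold=3):
    """Report sources with >= threshold consecutive failures, in log order."""
    streak, users, report = defaultdict(int), defaultdict(set), {}
    for rec in filter(None, map(parse_auth, lines)):
        src = rec["src"]
        if rec["ok"]:
            if streak[src] >= threshold:  # success right after a failure streak
                report[src]["success_after_streak"] = True
            streak[src] = 0
            continue
        streak[src] += 1
        users[src].add(rec["user"])
        if streak[src] >= threshold:
            entry = report.setdefault(src, {"max_streak": 0, "success_after_streak": False})
            entry["max_streak"] = max(entry["max_streak"], streak[src])
            entry["failed_users"] = sorted(users[src])
    return report

if __name__ == "__main__":
    for src, info in flag_sources(SAMPLE_LINES).items():
        print(src, info)
```
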