You experience SSL VPN-Plus communication problems.
Client machine shows error after logging in.
Connectivity to client machine is limited.
The SSL VPN-Plus Client - Statistics screen on client machine shows virtual IP address as Not yet assigned.
No routes added to client machine.
- Verify if the SSL VPN process is running.
- Log in to the Edge appliance from the CLI. For more information, see the NSX Command Line Interface Reference.
- Run the show process monitor command, and locate the sslvpn process.
- Run the show service network-connections command, and see if the sslvpn process is listed on port 443.
- The SSL VPN Portal/SSL VPN-Plus Client displays Maximum users reached/Maximum count of logged in user reached as per SSL VPN license. Please try after some time or SSL read has failed.
- To resolve this issue, increase the concurrent users (CCU) further by increasing the NSX Edge form factor. For more information, see the NSX Administration Guide. Note that the connected users get disconnected from VPN when you perform this operation.
- Back end applications are not accessible.
- The back end (Private Network) and IP Pool should not be in same subnet.
- IP pool is not defined by the administrator or IP pool gets exhausted.
Log in to the vSphere Web Client.
Click Networking & Security, and then click NSX Edges.
Double-click an NSX Edge, and then click SSL VPN-Plus tab.
Add an static IP pool as explained in Add an IP Pool topic in the NSX Administration Guide. Make sure you add the IP address in the Gateway field. The gateway IP address is assigned to na0 interface. All non-TCP traffic flows through virtual adapter named as na0 interface. You can create multiple IP pools with different gateway IP addresses assigned to same na0 interface.
Use the ifconfig command to verify the provided IP address and see if all IP pools are assigned to the same na0 interface.
Log in to the client machine, go to theSSL VPN-Plus Client - Statistics screen and verify the assigned virtual IP address.
- Log in to the Edge Command Line Interface (CLI), and take a packet capture on na0 interface by running the debug packet capture interface na0 command.
Packet capture continues to run in the background until you stop the capture by running the no debug packet capture interface na0 command.
- If TCP Optimization is not enabled, verify firewall rules.
- For non-TCP traffic, make sure back end network has default gateway set as internal interface of the edge.
- For Linux client, log in to the Linux system on which SSL VPN client is installed and take packet capture on tap0 interface or virtual adapter by running the tcpdump -i tap0 -s 1500 -w filepath command.
- SSL VPN portal page is not rendering properly.
- If language is not set to English, set the language to English and see if issue persists.
- Check if AES cipher is selected on SSL VPN server. Some browsers like Internet Explorer 8 do not support AES encryption.
- If the above steps do not resolve the issue, use the following commands to troubleshoot further.
To check status of SSL VPN, run the show service sslvpn-plus command.
To check statistics for SSL VPN, run the show service sslvpn-plus stats command.
To check VPN clients that are connected, run the show service sslvpn-plus tunnels command.
To check sessions, run the show service sslvpn-plus sessions command.