Troubleshooting remote access SSL VPN

Troubleshooting

Traffic doesn't flow through remote access SSL VPN connections after migrating to version 19.0

Cause

In version 19.0 and later, on SSL VPN global settings, for Assign IPv4 addresses, you enter a network IP address and subnet rather than an IP range.

Here's an example:

[Image: Subnet to assign IP addresses to remote access SSL VPN users]

The firewall leases IP addresses to remote access SSL VPN users from the network you configure.

When you migrate to 19.0 and later, the firewall converts the IP range and subnet mask configured in 18.5.x and earlier versions to the subnet value.

However, if you've added a custom IP host for the lease range to the corresponding firewall rules, the host's lease range may not match the migrated subnet. So, traffic may not flow through the remote access SSL VPN connections after you migrate.

Remedy

For the source and destination networks in the corresponding firewall rules, select the system hosts ##ALL_SSLVPN_RW and ##ALL_SSLVPN_RW6. See Configure remote access SSL VPN with Sophos Connect client.

The firewall automatically applies the conversion from IP range to network for these system hosts because it dynamically adds the leased IP addresses to these system hosts when remote users establish connections.

FAQs

Why can't I add subnets smaller than /24 in SSL VPN global settings?

The firewall runs SSL VPN tunnels in multiple instances, depending on the number of CPUs in the model. Each instance creates a tun0 interface, which requires an independent subnet for routing and internal traffic distribution.

The firewall automatically slices the configured network address and subnet into smaller subnets and assigns one to each tun0 interface. Subnets smaller than /24 (that is, /25 and longer prefixes) leave fewer IP addresses available for lease.

For example, a 192.168.0.0/27 network in a firewall with eight concurrent instances has a single leasable IP address after assigning the subnets to the eight tun0 interfaces.
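The following script is an added example, not Sophos code. It covers both sections above: it audits the host objects referenced in a firewall rule against the migrated SSL VPN subnet, flagging custom lease-range hosts that fall outside it (the migration problem described under Cause), and it shows how a configured subnet is sliced across SSL VPN instances (the FAQ). The host names, ranges and subnets are constructed sample values, and the equal-slice-per-instance rule is an assumption, not documented firewall behaviour.

```python
# Added example (not Sophos code): audit firewall-rule hosts against the migrated
# SSL VPN subnet, and slice a subnet across SSL VPN instances.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# System hosts the firewall populates dynamically with leased addresses.
SYSTEM_HOSTS = {"##ALL_SSLVPN_RW", "##ALL_SSLVPN_RW6"}


@dataclass
class IPHost:
    """A custom IP host of type range, as created on 18.5.x for the lease range."""
    name: str
    first: str
    last: str


def range_inside_subnet(host: IPHost, subnet: str) -> bool:
    """True if the host's whole range lies inside the migrated subnet."""
    net = ipaddress.ip_network(subnet, strict=False)
    return (ipaddress.ip_address(host.first) in net
            and ipaddress.ip_address(host.last) in net)


def audit_rule_hosts(rule_hosts: List[str], custom: Dict[str, IPHost],
                     subnet: str) -> List[str]:
    """Return one finding per host in a rule that can break SSL VPN traffic."""
    findings = []
    for name in rule_hosts:
        if name in SYSTEM_HOSTS:
            continue  # converted automatically by the firewall; nothing to check
        host = custom.get(name)
        if host is None:
            findings.append(f"{name}: unknown host object")
        elif not range_inside_subnet(host, subnet):
            findings.append(f"{name}: {host.first}-{host.last} is outside "
                            f"{subnet}; use ##ALL_SSLVPN_RW instead")
    return findings


def instance_slices(subnet: str, instances: int) -> List[ipaddress.IPv4Network]:
    """Slice the configured subnet into one equal subnet per SSL VPN instance.

    Assumption (not documented behaviour): the instance count is a power of
    two and every instance receives an equally sized slice.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    extra_bits = (instances - 1).bit_length()
    return list(net.subnets(new_prefix=net.prefixlen + extra_bits))
```

With the constructed values in the test, a rule that still references a pre-migration range host outside the new subnet is reported, while a rule using ##ALL_SSLVPN_RW produces no finding.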