Traffic initiated from internal host towards SSL VPN client is dropped with "Unauthorized SSL VPN traffic" log
Symptoms
  • In the Mobile Access policy, a native application with direction "Server to Client" is configured; however, traffic initiated from the internal host towards the Office Mode IP of an SSL VPN client (SNX) fails.

  • The internal host is in the encryption domain of a peer gateway, reachable from the Mobile Access gateway over a site-to-site VPN.
    Topology: internal host==>GW==(site to site VPN)==>MAB GW==(SSL VPN)==>SNX client.

  • SmartView Tracker shows that the VPN Security Gateway drops the traffic from the SSL VPN client on an implied rule:
    Unauthorized SSL VPN traffic

  • Kernel debug ('fw ctl debug -m fw + conn vm') only shows that the traffic was dropped by the rulebase
    (Note: 'rule N' does not exist in the rulebase, i.e., it is an implied rule):
    ;fw_handle_first_packet: Rulebase returned DROP;
    ;fw_log_drop: Packet proto=Protocol_Number Source_IP:Source_Port -> Dest_IP:Dest_Port  dropped by fw_handle_first_packet Reason: Rulebase drop - rule N;
    ;fw_filter_chain: handle_first_packet returned action DROP for new conn;
    ;fw_filter_chain: Final switch, action=DROP;
    ;After VM: < Source_IP:Source_Port -> Dest_IP:Dest_Port  IPP Protocol_Number >
    ;VM Final action=DROP;
    
  • In the same scenario, but with an IPSec client instead of SNX, the connection works fine.
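Added example, not part of the SecureKnowledge article and not Check Point code: a small triage script that reads the kind of kernel debug output quoted above, pulls every "Rulebase drop" line into a record, and tells implied-rule drops apart from drops by an explicit rule. A rule number that is not in the installed rulebase is treated as an implied rule, and if one endpoint of such a drop is an Office Mode address the drop is consistent with the implied "Unauthorized SSL VPN traffic" cleanup rule, so the MAB policy checklist in the Cause section is the next thing to verify. The sample debug text, the rulebase rule numbers and the Office Mode pool are all constructed assumptions; replace them with the real policy and pool.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of 'fw ctl debug -m fw + conn vm' output. Addresses,
# ports and rule numbers are made up; the line layout follows the lines
# quoted in the Symptoms section of the article.
SAMPLE_DEBUG = """\
;fw_handle_first_packet: Rulebase returned DROP;
;fw_log_drop: Packet proto=6 10.10.5.20:51234 -> 192.168.250.7:3389  dropped by fw_handle_first_packet Reason: Rulebase drop - rule 47;
;fw_filter_chain: handle_first_packet returned action DROP for new conn;
;fw_filter_chain: Final switch, action=DROP;
;After VM: < 10.10.5.20:51234 -> 192.168.250.7:3389  IPP 6 >
;VM Final action=DROP;
;fw_log_drop: Packet proto=17 10.10.5.21:40000 -> 203.0.113.9:53  dropped by fw_handle_first_packet Reason: Rulebase drop - rule 3;
"""

# Assumed: numbers of the explicit rules in the installed rulebase
# (constructed; take them from the installed policy in practice).
RULEBASE_RULES = set(range(1, 13))

# Assumed: Office Mode pool handed out to SSL VPN (SNX) clients (constructed).
OFFICE_MODE_POOL = ipaddress.ip_network("192.168.250.0/24")

# Matches the fw_log_drop line shape shown in the article, with the
# placeholders (Protocol_Number, Source_IP, ...) replaced by capture groups.
DROP_RE = re.compile(
    r";fw_log_drop: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"dropped by (?P<func>\w+) Reason: Rulebase drop - rule (?P<rule>\d+);"
)


@dataclass(frozen=True)
class RulebaseDrop:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    func: str
    rule: int


def parse_drops(debug_text: str) -> list[RulebaseDrop]:
    """Extract every 'Rulebase drop' line from the kernel debug output."""
    drops = []
    for line in debug_text.splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            drops.append(RulebaseDrop(
                proto=int(m["proto"]), src=m["src"], sport=int(m["sport"]),
                dst=m["dst"], dport=int(m["dport"]),
                func=m["func"], rule=int(m["rule"]),
            ))
    return drops


def classify_drop(drop: RulebaseDrop, rulebase_rules: set[int],
                  office_mode_pool: ipaddress.IPv4Network) -> str:
    """Label a drop by what its rule number and endpoints suggest.

    'explicit'      - the rule number exists in the rulebase: inspect that rule.
    'implied-snx'   - the rule number is not in the rulebase and one endpoint
                      is an Office Mode address: consistent with the implied
                      "Unauthorized SSL VPN traffic" cleanup rule, so check
                      the Mobile Access policy against the article's checklist.
    'implied-other' - the rule number is not in the rulebase and no SSL VPN
                      endpoint is involved: some other implied rule.
    """
    if drop.rule in rulebase_rules:
        return "explicit"
    src = ipaddress.ip_address(drop.src)
    dst = ipaddress.ip_address(drop.dst)
    if src in office_mode_pool or dst in office_mode_pool:
        return "implied-snx"
    return "implied-other"


def triage(debug_text: str, rulebase_rules: set[int] = RULEBASE_RULES,
           office_mode_pool: ipaddress.IPv4Network = OFFICE_MODE_POOL
           ) -> dict[str, list[RulebaseDrop]]:
    """Group all drops in the debug output by classification."""
    groups: dict[str, list[RulebaseDrop]] = {
        "explicit": [], "implied-snx": [], "implied-other": []}
    for drop in parse_drops(debug_text):
        groups[classify_drop(drop, rulebase_rules, office_mode_pool)].append(drop)
    return groups


if __name__ == "__main__":
    for label, drops in triage(SAMPLE_DEBUG).items():
        for d in drops:
            print(f"{label:14} proto={d.proto} {d.src}:{d.sport} -> "
                  f"{d.dst}:{d.dport} rule={d.rule}")
```

In the constructed sample, the RDP connection towards the Office Mode address is dropped by rule 47, which is not in the rulebase, so it is reported as "implied-snx"; the DNS drop by rule 3 is an ordinary explicit-rule drop. Run the script against a saved debug file by passing its contents to triage() instead of SAMPLE_DEBUG.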
Cause

"Unauthorized SSL VPN traffic" is an implied "cleanup" rule of the Mobile Access policy. If traffic is to or from an SSL VPN client but does not match any rule in the MAB policy, it is dropped by this rule.

In the specific scenario described, no rule is matched because a "Server to Client" application rule is limited to hosts behind the MAB gateway, whereas the internal host is in a remote encryption domain.


Important Note: Make sure that this specific scenario applies. In most cases, the "Unauthorized SSL VPN traffic" log is due to a misconfiguration (no rule in the MAB policy matches the traffic).

Therefore, before requesting a hotfix, please make sure that the following applies:

1. A Native Application is created with the relevant Host/Destination IP address as its Authorized Location.

2. The Native Application is used in an appropriate rule in the Mobile Access policy for the relevant users. Make sure the users are matched by the user groups in that rule.

3. If a Protection Level is used, make sure the users are able to pass its check.

4. Check that the user is allowed to access the resource in its Allowed Location properties (User Properties -> Location).

5. The resource must be part of the Gateway's encryption domain (topology) for the traffic to work.


Solution