Troubleshooting SSL VPN-Plus for VMware NSX for vSphere 6.x

Article ID: 321413

Products

VMware NSX

Issue/Introduction

This article provides information on troubleshooting SSL VPN-Plus issues in NSX for vSphere 6.x.

For more information, see the SSL VPN-Plus section in the NSX Administration Guide.

Symptoms:

  • SSL VPN-Plus authentication fails
  • Installing the SSL VPN-Plus Client fails
  • You see one of these errors:
    • Windows network property windows is open !! To proceed with installation please close windows network property
    • Driver installation failed for reason E000024B: please try rebooting the machine
    • The installation failed. The installer encountered an error that cause the installation to fail. Contact the software manufacturer for assistance.

Environment

VMware NSX for vSphere 6.4.x
VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.1.x
VMware NSX for vSphere 6.0.x

Resolution

Validate that each troubleshooting step below applies to your environment. Each step provides instructions, or a link to a document, to eliminate possible causes and take corrective action where necessary. The steps are ordered in the sequence most likely to isolate the issue and identify the proper resolution. Do not skip a step.
 
Notes:
  • Check the release notes for current releases to see if the problem is resolved in a bug fix. For more information, see the VMware NSX for vSphere Documentation.
  • The SSL VPN-Plus gateway listens on TCP port 443, which must be reachable from the external networks that clients connect from; the SSL VPN-Plus Client must be able to reach the NSX Edge gateway IP address on port 443 from the client system.

SSL VPN-Plus Client Installation issues:

  • Ensure that your client operating system(s) are supported.

    For more information, see the SSL VPN-Plus section of the NSX Administration Guide.
     
    • Windows 8.1 - The automatically downloaded installer is blocked by default. Save the installer, unblock it, and then run it.
    • SSL VPN Client - Install it on the end user's machine. Installation requires administrator rights.
    • SSL VPN portal - Must be accessible from any browser with cookies and JavaScript enabled.
    • From NSX 6.4.0, the SSL VPN-Plus Client is supported on a Windows guest OS with Secure Boot turned on.

Authentication issues:

  • Ensure that the external authentication server is reachable from the NSX Edge.
  • Check the external authentication server configuration with a tool such as an LDAP browser and confirm that the same bind DN, base DN, and search filter work outside NSX.
  • If a local authentication server is configured as part of the authentication process, ensure that it is set to the lowest priority.
  • If using Active Directory (AD), temporarily set the authentication server to no-ssl mode and take a packet capture on the relevant interface so that the LDAP exchange can be read. In no-ssl mode the bind credentials cross the network in clear text, so do this only for the duration of the test on a controlled network segment and re-enable SSL afterwards.
  • If authentication is successful, the syslog server shows a message similar to:

    Log Output - SVP_LOG_NOTICE, 10-28-2013,09:28:39,Authentication,a,-,-,10.112.243.61,-,PHAT,,SUCCESS,,,10-28-2013,09:28:39,-,-,,,,,,,,,,-,,-,
  • If authentication fails, the syslog server shows a message similar to:

    Log Output - SVP_LOG_NOTICE, 10-28-2013,09:28:39,Authentication,a,-,-,10.112.243.61,-,PHAT,,FAILURE,,,10-28-2013,09:28:39,-,-,,,,,,,,,,-,,-,-


    Notes:
    • The preceding log excerpts are only examples. The date, time, and environment-specific values vary depending on your environment.
    • Data path traffic is also logged with similar messages on the syslog server.
    • If you log in using Web access mode, the log message shows WAT instead of PHAT.
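The SUCCESS and FAILURE records above are comma-separated and easy to mine once they reach the syslog server. The following script is an added example, not VMware code: it parses records of that shape, counts failures per client address, and flags a source that fails for several different user names (a crude password-spray indicator). The field positions (category at index 3, user at 4, client address at 7, access mode at 9, result at 11) are inferred from the two sample records in this article and are an assumption to re-check against your own syslog output; the sample log lines are constructed for the example.

```python
"""Parse SSL VPN-Plus gateway syslog records (added example, not VMware code).

Field positions are inferred from the two sample records in the article:
index 3 is the event category, 4 the user name, 7 the client source
address, 9 the access mode (PHAT = full-network client, WAT = web access)
and 11 the result. Treat those positions as an assumption and verify them
against real syslog output before relying on the alerts.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log lines modelled on the article's examples.
SAMPLE_LOG = """\
SVP_LOG_NOTICE, 10-28-2013,09:28:39,Authentication,a,-,-,10.112.243.61,-,PHAT,,SUCCESS,,,10-28-2013,09:28:39,-,-,,,,,,,,,,-,,-,
SVP_LOG_NOTICE, 10-28-2013,09:28:41,Authentication,a,-,-,10.112.243.61,-,PHAT,,FAILURE,,,10-28-2013,09:28:41,-,-,,,,,,,,,,-,,-,-
SVP_LOG_NOTICE, 10-28-2013,09:28:43,Authentication,admin,-,-,203.0.113.7,-,WAT,,FAILURE,,,10-28-2013,09:28:43,-,-,,,,,,,,,,-,,-,-
SVP_LOG_NOTICE, 10-28-2013,09:28:44,Authentication,root,-,-,203.0.113.7,-,WAT,,FAILURE,,,10-28-2013,09:28:44,-,-,,,,,,,,,,-,,-,-
SVP_LOG_NOTICE, 10-28-2013,09:28:45,Authentication,guest,-,-,203.0.113.7,-,WAT,,FAILURE,,,10-28-2013,09:28:45,-,-,,,,,,,,,,-,,-,-
some unrelated syslog line that is not an SVP record
"""


@dataclass
class AuthEvent:
    date: str
    time: str
    user: str
    client_ip: str
    mode: str      # PHAT (full-network client) or WAT (web access)
    result: str    # SUCCESS or FAILURE


def parse_line(line: str) -> Optional[AuthEvent]:
    """Return an AuthEvent for an Authentication record, otherwise None."""
    if not line.startswith("SVP_LOG_NOTICE"):
        return None
    # The gateway emits a space after the first comma; strip every field.
    fields = [f.strip() for f in line.split(",")]
    if len(fields) < 12 or fields[3] != "Authentication":
        return None
    return AuthEvent(date=fields[1], time=fields[2], user=fields[4],
                     client_ip=fields[7], mode=fields[9], result=fields[11])


def parse_log(text: str) -> List[AuthEvent]:
    """Parse every Authentication record in a block of syslog text."""
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def failures_by_source(events: List[AuthEvent]) -> Dict[str, int]:
    """Count FAILURE results per client address."""
    return Counter(ev.client_ip for ev in events if ev.result == "FAILURE")


def password_spray_sources(events: List[AuthEvent],
                           min_distinct_users: int = 3) -> List[str]:
    """Client addresses whose failures span at least min_distinct_users
    different user names: one host trying many accounts."""
    users = defaultdict(set)
    for ev in events:
        if ev.result == "FAILURE":
            users[ev.client_ip].add(ev.user)
    return sorted(ip for ip, u in users.items() if len(u) >= min_distinct_users)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("failures per source:", dict(failures_by_source(evs)))
    print("possible password spray from:", password_spray_sources(evs))
```

Feed the script the raw syslog text exported from your collector; records that are not Authentication events (for example the data path messages mentioned above) are ignored rather than mis-parsed.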

Communication issues:

  • Verify that the SSL VPN process is running:
     
    1. Log in to the NSX Edge appliance CLI. For more information, see the NSX Command Line Interface Reference.
    2. Run the show process monitor command and locate the sslvpn process.
    3. Run the show service network-connections command and confirm that the sslvpn process is listed as listening on port 443.
  • The SSL VPN portal or SSL VPN-Plus Client displays Maximum users reached.

    To resolve this issue, increase the concurrent user (CCU) limit by converting the NSX Edge to a larger form factor (for example, from compact to large).

    Note: Connected users are disconnected from the VPN while this operation runs.
     
  • Back-end applications are not accessible.

    To resolve this issue:
     
    1. Log in to the NSX Edge Command Line Interface (CLI) and start a packet capture on the na0 interface by running this command:

      debug packet capture interface na0

      Note: The packet capture continues to run in the background until you stop it by running this command:

      no debug packet capture interface na0
       
    2. Log in to the client and capture on the tap0 interface (the virtual adapter) by running this command:

      tcpdump -i tap0 -s 1500 -w filepath
       
    3. Analyze both captures to confirm that ARP requests for the back-end hosts are answered and that data traffic flows in both directions.
  • The SSL VPN portal page does not render properly.

    If the language is not set to English, set it to English and check whether the issue persists.

    Check whether an AES cipher is selected on the SSL VPN server. Some browsers, such as IE8, do not support AES. Prefer updating the client browser over removing AES from the server cipher list, because the alternatives are older, weaker cipher suites.
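Step 3 of the back-end connectivity procedure above asks you to confirm from the captures that ARP is resolved. The script below is an added example, not VMware code or part of the NSX CLI: it reads a capture saved by tcpdump -w (classic libpcap format, Ethernet link type; pcapng is not handled), pairs ARP requests with replies by the address being asked for, and reports which targets never answered. The capture it runs on is constructed in memory so the script works offline; in practice point analyze_file() at the file taken on tap0 or exported from the Edge.

```python
"""Check whether ARP resolved in a tap0 / na0 capture (added example, not VMware code).

Minimal reader for the classic libpcap file format as written by tcpdump -w,
Ethernet link type only. Each ARP request (opcode 1) records the target
protocol address; each ARP reply (opcode 2) records the sender protocol
address. A target that was asked for but never appears as a reply sender
is reported as unresolved.
"""
import struct
from typing import Dict, Iterator, List

ETHERTYPE_ARP = 0x0806
LINKTYPE_ETHERNET = 1


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def iter_pcap(data: bytes) -> Iterator[bytes]:
    """Yield raw frames from classic pcap data, handling both byte orders."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not supported)")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24  # global header is 24 bytes
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def analyze_arp(data: bytes) -> Dict[str, List[str]]:
    """Return which target IPs received an ARP reply and which never did."""
    asked, answered = set(), set()
    for frame in iter_pcap(data):
        # 14-byte Ethernet header + 28-byte IPv4-over-Ethernet ARP packet
        if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
            continue
        arp = frame[14:42]
        htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", arp[:8])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            continue
        spa, tpa = _ip(arp[14:18]), _ip(arp[24:28])
        if oper == 1:
            asked.add(tpa)
        elif oper == 2:
            answered.add(spa)
    return {"resolved": sorted(asked & answered),
            "unresolved": sorted(asked - answered)}


def analyze_file(path: str) -> Dict[str, List[str]]:
    with open(path, "rb") as fh:
        return analyze_arp(fh.read())


# ---- constructed sample capture (not real traffic) -------------------------
def _arp(oper: int, sha: bytes, spa: str, tha: bytes, tpa: str) -> bytes:
    dst = b"\xff" * 6 if oper == 1 else tha  # requests are broadcast
    eth = dst + sha + struct.pack("!H", ETHERTYPE_ARP)
    body = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + sha + bytes(map(int, spa.split(".")))
            + tha + bytes(map(int, tpa.split("."))))
    return eth + body


def build_sample_pcap() -> bytes:
    client_mac = bytes.fromhex("02aa000000a1")
    server_mac = bytes.fromhex("02bb000000b1")
    zero = b"\x00" * 6
    frames = [
        _arp(1, client_mac, "10.10.10.5", zero, "10.10.10.20"),        # who-has 10.10.10.20
        _arp(2, server_mac, "10.10.10.20", client_mac, "10.10.10.5"),  # 10.10.10.20 is-at
        _arp(1, client_mac, "10.10.10.5", zero, "10.10.10.99"),        # never answered
        server_mac + client_mac + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 27,  # non-ARP frame
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    print(analyze_arp(build_sample_pcap()))
```

An address that shows up under unresolved in the tap0 capture but resolved in the na0 capture points at the tunnel path between the client and the Edge rather than at the back-end network.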

SSL VPN-Plus Logs

 
SSL VPN-Plus gateway logs are sent to the syslog server configured on the NSX Edge appliance. On a Windows client, the svp_client.log file is stored at:

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\VMware\VPN\

Note: If your problem still exists after trying the steps in this article, see:

  • Gather the VMware Support Script Data.
  • File a support request with VMware Support and note this KB Article ID ( 2126671) in the problem description.

Enhanced Operational Manageability in NSX for vSphere 6.4.0

Starting with NSX for vSphere 6.4.0, the SSL VPN-Plus Client on Windows Guest OS with Secure Boot turned ON is now supported.

Enhanced Operational Manageability in NSX for vSphere 6.2.4

Prior to NSX 6.2.4, SSL VPN logging was disabled by default.

To enable the logging:
  1. Navigate to SSL VPN-Plus > Server Settings > Logging Policy.
  2. Click Change.
  3. Select Enable logging.
  4. Select the required log level.

Customers were asked to enable this logging only after an issue had occurred. Some issues are not reproducible, so logging enabled after the fact captures nothing useful for troubleshooting them.

Starting with NSX for vSphere 6.2.4, SSL VPN logging is enabled by default at the NOTICE level. This ensures that SSL VPN issues are logged from the moment they occur, which greatly improves troubleshooting.

 

Additional Information

Useful troubleshooting commands for communication issues:

  • To check the status of SSL VPN, run this command:

    show service sslvpn-plus
     
  • To check various stats for SSL VPN, run this command:

    show service sslvpn-plus stats
     
  • To check VPN Clients that are connected, run this command:

    show service sslvpn-plus tunnels
     
  • To check sessions, run this command:

    show service sslvpn-plus sessions