SonicPlatform is the cybersecurity platform purpose-built for MSPs, making managing complex security environments among multiple tenants easy and streamlined.
Depletion of the SSL VPN IP pool, leading to connectivity issues for SSL VPN users. The pool runs out even when it is configured with a sufficient number of addresses and only a few users are actually connected. This article explains the symptoms, the cause and the fix for this issue.
On the SSLVPN > Status page, entries appear for users that were never authenticated: they show a Login Pending message and a login time of 0 minutes.
NOTE: These entries display N/A for the Inactivity Time and 0 mins for the Login Time, so they are not real authenticated users. It is these pending, unauthenticated entries that consume the SSL VPN IP pool, which is why the pool is exhausted while only a few genuine users are connected.
Resolution
SonicWall engineering has identified and fixed the SSL VPN IP pool exhaustion issue. A hotfix labelled "GEN6-2333" has been released to resolve it.
[Screenshot: SSLVPN > Status page showing the Login Pending entries]
To obtain the hotfix, open a support ticket that describes the SSL VPN IP pool exhaustion issue and references hotfix "GEN6-2333".
SonicWall Support will assist you in obtaining and applying the hotfix firmware.
After applying the hotfix firmware, follow the steps below to further harden the SSL VPN service:
Enable Stealth Mode:
Navigate to Manage | Firewall Settings | Advanced Settings and enable the Stealth Mode checkbox. In stealth mode the firewall silently drops packets to ports it does not serve instead of answering them, so port scans of the WAN interface learn less about the appliance.
Implement user account/IP lockout:
Navigate to Manage | Appliance | Base Settings, enable the lockout option, and set:
- Local administrator account lockout: leave this off, which means the firewall blocks the attempting IP address instead of locking the account (locking the account would let an attacker lock out legitimate users by guessing their names).
- Failed login attempts: set according to your situation, around 10 per minute.
- Lockout period: the maximum value is 60 minutes; use as long a period as you can.
Restrict SSL VPN access by Geo-IP:
Geo-IP can be used to allow only the countries where your legitimate users are located and block all others. Apply it on the SSL VPN access rule rather than globally:
- Navigate to Manage | Rules | Access Rules and locate the rule WAN to WAN, Source: Any, Destination: WAN interface IP (or WAN IP), Service: SSLVPN services.
- Edit this rule, enable Geo-IP, choose a custom selection of countries to allow or block, and save.
- This applies Geo-IP only to the SSLVPN rule and not to any other rules.
Enable login uniqueness:
Navigate to Manage | Users | Settings | Authentication and enable the Login uniqueness checkbox, so that each user account can be logged in from only one location at a time.
Change the SSL VPN default port:
In the SSLVPN server settings, change the SSLVPN port from the default, 4433, to a different port. Along with the port, consider changing the User Domain name: clients must supply it to authenticate, so it acts as an extra shared value and should be hard to guess.
Users must be given the new port and domain name, or their authentication will fail.
Use the Botnet Filter to block unknown sources:
- Enable the Botnet Filter under its Settings page with Custom List and Logging enabled.
- The custom list requires manual work: copy the source IPs of unknown SSLVPN connections or authentication attempts from the logs and create address objects for them in the WAN zone.
- Group those objects and add the group to the Botnet custom list.
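The custom-list step above is manual work, so here is an added example that automates collecting the IPs. It is written for this article and is not SonicWall's own tooling: it parses SonicWall-style key=value syslog lines for failed SSL VPN logins, applies the same kind of failures-per-minute threshold used for the lockout setting, skips networks you allowlist (your own offices), and emits one "name,ip" row per offending source for creating the WAN address objects. The log lines, the message text "SSL VPN login failed", the field layout and all addresses are constructed assumptions; adjust LINE_RE and FAILED_MSG to the messages your appliance actually logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed SonicWall-style syslog lines in key=value form. The message text,
# field layout and addresses are assumptions made for this example; check them
# against what your own appliance logs before trusting the regex below.
SAMPLE_LOG = """\
id=firewall time="2024-05-01 10:00:01" pri=1 msg="SSL VPN login failed" usr="admin" src=198.51.100.7:51022:X1 dst=203.0.113.10:4433:X1
id=firewall time="2024-05-01 10:00:04" pri=1 msg="SSL VPN login failed" usr="test" src=198.51.100.7:51030:X1 dst=203.0.113.10:4433:X1
id=firewall time="2024-05-01 10:00:09" pri=1 msg="SSL VPN login failed" usr="guest" src=198.51.100.7:51041:X1 dst=203.0.113.10:4433:X1
id=firewall time="2024-05-01 10:00:15" pri=6 msg="SSL VPN zone remote user login allowed" usr="alice" src=192.0.2.25:44120:X1 dst=203.0.113.10:4433:X1
id=firewall time="2024-05-01 10:01:02" pri=1 msg="SSL VPN login failed" usr="alice" src=192.0.2.25:44130:X1 dst=203.0.113.10:4433:X1
id=firewall time="2024-05-01 10:02:30" pri=1 msg="SSL VPN login failed" usr="admin" src=198.51.100.9:40001:X1 dst=203.0.113.10:4433:X1
id=firewall time="2024-05-01 10:02:31" pri=1 msg="SSL VPN login failed" usr="root" src=198.51.100.9:40002:X1 dst=203.0.113.10:4433:X1
id=firewall time="2024-05-01 10:02:33" pri=1 msg="SSL VPN login failed" usr="user" src=198.51.100.9:40003:X1 dst=203.0.113.10:4433:X1
id=firewall time="2024-05-01 10:45:00" pri=1 msg="SSL VPN login failed" usr="admin" src=198.51.100.9:40100:X1 dst=203.0.113.10:4433:X1
"""

FAILED_MSG = "SSL VPN login failed"  # assumed wording of the failed-login event

LINE_RE = re.compile(
    r'time="(?P<time>[^"]+)".*?msg="(?P<msg>[^"]+)".*?'
    r'src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})'  # IPv4 part of src=ip:port:iface
)


def parse_failed_logins(log_text):
    """Return a list of (timestamp, source IP) for every failed SSL VPN login."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("msg") != FAILED_MSG:
            continue
        ts = datetime.strptime(m.group("time"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, ip_address(m.group("src"))))
    return events


def find_offenders(events, threshold=10, window_seconds=60, allowlist=()):
    """Map source IP (as a string) -> total failures, for every source that
    produced at least `threshold` failures inside any `window_seconds` span.
    Sources inside an allowlisted network (your own offices, for example) are
    skipped so a mistyped password there never lands in the block list."""
    nets = [ip_network(n) for n in allowlist]
    by_src = defaultdict(list)
    for ts, src in sorted(events):
        by_src[src].append(ts)

    offenders = {}
    for src, times in by_src.items():
        if any(src in n for n in nets):
            continue
        recent = deque()  # timestamps inside the current sliding window
        for ts in times:
            recent.append(ts)
            while (ts - recent[0]).total_seconds() > window_seconds:
                recent.popleft()
            if len(recent) >= threshold:
                offenders[str(src)] = len(times)
                break
    return offenders


def botnet_custom_list(offenders):
    """One 'name,ip' row per offender: the address objects to create in the WAN
    zone, group, and attach to the Botnet Filter custom list."""
    rows = []
    for ip in sorted(offenders, key=ip_address):
        rows.append(f"sslvpn-bruteforce-{ip.replace('.', '-')},{ip}")
    return rows


if __name__ == "__main__":
    failures = parse_failed_logins(SAMPLE_LOG)
    hits = find_offenders(failures, threshold=3, allowlist=("192.0.2.0/24",))
    for row in botnet_custom_list(hits):
        print(row)
```

Run it against an exported log file instead of SAMPLE_LOG and feed the rows into the address-object creation; keep the allowlist current so a user who fat-fingers a password from a branch office is never blocked, and review the hits before applying them, since the Botnet custom list drops all traffic from those sources, not just SSL VPN.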
As an additional precaution, if you are not using Virtual Office, navigate to Manage | SSL VPN | Portal Settings and enable the checkbox "Disable Virtual Office on Non-LAN interfaces".
We also recommend disabling SSH management on every firewall interface where it is not actively used.
If the issue persists after the hotfix upgrade and the steps above, contact SonicWall Support.