SSL VPN IP Pool Exhaustion Issue on SonicWall GEN6 Firewalls
Description
Depletion of the SSL VPN IP pool, leading to connectivity issues for SSL VPN users. Even if the IP pool is configured with a sufficient number of addresses, customers may encounter problems when only a few users are connected. This article explains the symptoms, causes and fix for this issue.
On the SSLVPN > Status page, there are indications of unauthenticated users showing up with a login pending message with 0 minutes of login time.
NOTE: The users display N/A for the Inactivity Time and 0 mins for the Login Time. So they are not the actual authenticated users.
Resolution
SonicWall engineering team has successfully identified and addressed the SSL VPN IP pool exhaustion issue. A hotfix labeled "GEN6-2333" has been released to resolve this problem.
Please create a web ticket for the Issue How to submit a support case online at MySonicWall.com | SonicWall with the following details:
- A screenshot of the UI (showing the login pending).
- Include the details of the SSL VPN IP pool exhaustion issue and mention the hotfix "GEN6-2333" in your support ticket request.
- SonicWall support will assist you further in obtaining and applying the necessary hotfix to resolve the issue.
After applying the HotFix firmware, follow the below steps to secure the SSL VPN connections further:
-
Enable Stealth Mode:
Navigate to Manage | Firewall Settings | Advanced Settings
Enable the Checkbox for Stealth Mode
More about Stealth mode here
-
Implement User account/IP lockout :
Navigate to Manage | Appliance | Base Settings
Check the box for "
- Local administrator account lockout – off means blocking the attempting IP instead of the account
- Failed Login attempts – Set according to your situation, 10/min or so
- Lockout period – The maximum value is 60min (should be larger)
- Geo-IP can be implemented to allow only countries where your legitimate users are located. Other countries can be blocked. You can do this firewall rule based by enabling Geo-IP.
- Navigate to Manage | Rules | Access Rules : WAN to WAN, Source: Any, Destination: WAN interface IP or WAN IP, Services: SSLVPN services rule. Edit this rule > Enable Geo-IP. Put a custom selection to allow, block countries, and save it.
-This will apply Geo-IP only on the SSLVPN rule and not on other rules.
If you wish to enable on all rules, then select "All connections" in Geo-IP settings in Security services.
KB article is Using Geo-IP filtering to block connections coming to or from a geographic location -
Enable Login uniqueness
Navigate to Manage | Users | Settings > Authentication
Enable the check box for Login uniqueness
-
Change SSL VPN default port
In SSLVPN server settings, secure the SSLVPN authentication more by changing the SSLVPN port to something different than the default SSLVPN port which is 4433. Along with the port, please consider changing the User Domain name. This is just a passphrase so you can keep something tough.
Users must have the correct port and domain name for authentication. - Utilize the Botnet filter to block the unknown connections.
- Enable the Botnet filter under Settings with Custom list and Logging enabled
- Custom List requires manual work where you can copy the IPs of unknown SSLVPN connections/auth attempts and create objects in the WAN zone.
- Then group them and create a Botnet custom list.
- Also as additional precaution, if you are not using virtual office then please navigate to Manage | SSL VPN -> Portal settings and Enable the check box for "Disable Virtual office on Non-LAN interfaces"
- Also we would recommend to disable SSH management on all the interfaces of the firewall if it is not being utilized or extensively used.
If the issue persists after hotfix upgrade and the steps mentioned above, please contact support.