IBM Cloud Docs
Why am I able to log in to the SSL VPN, but not able to access any devices?

The SSL VPN shows as connected, but you have no access to your device.

The SSL VPN shows as connected; however, you cannot ping, RDP, SSH, open a KVM console, or telnet to the internal IP address of a device in your IBM Cloud infrastructure.

Possible causes include, but are not limited to, the following:

  1. The SSL VPN subnet is incorrectly selected.
  2. The user doesn't have proper permissions to a specific device or subnet.
  3. More than 64 subnets exist on the account and the user's SSL subnet is set to 'auto'.
  4. The user might be connected to another VPN, causing a local routing issue.
  5. The software was not run by an "administrator" level user and routes were not added to the system's routing table.
  6. Outbound connections are allowing the connection.
  7. Older versions of SSL VPN software are known to cause routing problems on both Windows and Mac.

To resolve this issue, follow these steps:

  1. Ensure that you are disconnected from all other VPNs before connecting to the SSL VPN.

  2. Attempt to ping 10.0.80.11 while logged into the SSL VPN. If the ping is successful, this means that you have access to the internal network, but most likely do not have permission to access your devices.

  3. Ensure that your user is given the correct and necessary permissions through the IBM Cloud console to access the device/subnet that you are attempting to access. To do this, an account admin must follow these steps:

    • Log in to your IBM Cloud account.

    • Select Manage > Access (IAM), then click Users.

    • Click the user name, then click the Classic infrastructure tab.

    • From the Devices and VPN subnets views, you can provide the user with VPN access to all the needed devices or subnets.

      If you have more than 64 subnets on an account, you will not be able to access your device/subnet. When your SSL VPN subnet assignment is set to Automatic, it provides access to only the first 64 subnets on the account; the other subnets aren't included. To fix this issue, set your SSL VPN subnet assignment to Manual and manually select the devices/subnets that your user needs to access.

      To check the number of subnets on your account, go to the Subnets page, then locate the number before the word “Items” at the end of the page. This is the number of subnets that you have on the account.

  4. If you were not able to ping the DNS server in step 2, log out of the VPN and toggle your SSL VPN access from on to off, then off to on. For more information, see Activating or deactivating SSL VPN access for a user.

  5. If you have exhausted all the above steps and are still running into the issue, create an IBM Support case.
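
The checks above can be combined with a look at the local routing table. The following is an added example, not IBM's code: it maps the step 2 ping result and the routes on the client to the causes and steps listed on this page. It assumes the VPN client installs one route per granted subnet (including the one that holds 10.0.80.11); the interface names, sample prefixes and function names are constructed for illustration.

```python
import ipaddress

DNS_PROBE = "10.0.80.11"  # address the page says to ping in step 2


def best_route(routes, target):
    """Longest-prefix match over (prefix, interface) pairs; the default route is ignored."""
    ip = ipaddress.ip_address(target)
    hits = [(ipaddress.ip_network(p), ifc) for p, ifc in routes]
    hits = [(n, ifc) for n, ifc in hits if n.prefixlen > 0 and ip in n]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)


def triage(routes, vpn_ifc, device_ip, dns_ping_ok):
    """Map the routing table and the step 2 ping result to the page's causes and steps."""
    probe = best_route(routes, DNS_PROBE)
    device = best_route(routes, device_ip)
    # A more specific route on a different interface wins over the SSL VPN route.
    for hit in (probe, device):
        if hit and hit[1] != vpn_ifc:
            return f"cause 4: {hit[0]} is routed via {hit[1]}, not the SSL VPN"
    if not dns_ping_ok:
        if probe is None:
            return "cause 5: no VPN routes installed; run the client as administrator"
        return "step 4: toggle SSL VPN access off and on for the user"
    if device is None:
        return "causes 1/3: device subnet is not in the user's SSL VPN subnet assignment"
    return "step 3: route exists; check device/subnet permissions in IAM"


# Constructed sample tables: (prefix, interface) pairs as read from
# `netstat -rn` (Mac) or `route print` (Windows). utun3 stands for the SSL VPN.
VPN_OK = [("0.0.0.0/0", "en0"), ("10.0.80.0/24", "utun3"), ("10.120.4.0/26", "utun3")]
OVERLAP = VPN_OK + [("10.120.4.0/28", "utun5")]  # second VPN with a more specific route

if __name__ == "__main__":
    print(triage(VPN_OK, "utun3", "10.120.4.10", dns_ping_ok=True))
    print(triage(OVERLAP, "utun3", "10.120.4.10", dns_ping_ok=True))
```
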