
Sophos XG85 rev3 SSL VPN user portal can't download client

Hello,

I just installed a new XG85 rev.3 Security Appliance. I wanted to activate SSL Remote Access and used this howto manual for configuring SSL Remote Access:

https://community.sophos.com/kb/en-us/122769

Now, at the last step, I logged in to the user portal to download the SSL VPN client and configuration for Windows. When I click on the Windows client and configuration, it should normally download the SSL VPN client, but nothing happens. After clicking the client download, I see that the browser tries to communicate with the Sophos XG IP, but after 3 seconds nothing happens.

When I navigate to "Client download" above and select one download package, it downloads normally, but not in the SSL VPN client section.

I tried 3 different browsers and it's always the same.

The installed firmware is: SFOS 17.0.4 MR-4

I saw there is a new firmware, MR-8.SF110. Should I install this version manually and hope that it will work after that?



  • I have seen a similar issue before. Most likely you have a blank Default CA. Try this:

    Go to Certificates -> Certificate Authorities -> Click on Default

    Make sure the Default CA has been created. If the information there is blank, fill in the details and save the changes. This is a self CA, so you can just use your organization name, email address, etc.

    Then log in to the SSL Portal and try to download the Client + Config again.

    PS: In Authentication -> Client Downloads, you will not be able to download the SSL VPN client; those are other clients related to internal authentication like SSO, Network Authentication Client, etc.

  • Cool, thank you, that was the problem. Now I can download and install the SSL VPN client.

    When I try to connect via the SSL VPN client I get this error message and I can't establish a VPN connection to the Sophos:

     

     MANAGEMENT: >STATE:1527159093,TCP_CONNECT,,,,,,
    Thu May 24 12:51:34 2018 TCP connection established with [AF_INET]192.xxxx:8443
    Thu May 24 12:51:34 2018 TCPv4_CLIENT link local: [undef]
    Thu May 24 12:51:34 2018 TCPv4_CLIENT link remote: [AF_INET]192.xxxx:8443
    Thu May 24 12:51:34 2018 MANAGEMENT: >STATE:1527159094,WAIT,,,,,,
    Thu May 24 12:51:34 2018 MANAGEMENT: >STATE:1527159094,AUTH,,,,,,
    Thu May 24 12:51:34 2018 TLS: Initial packet from [AF_INET]192.xxxx:8443, sid=cf33b9d2 0444e901
    Thu May 24 12:51:34 2018 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=CH, ST=xxxx, L=xxxx, O=xxx, OU=xxx, CN=xxxx, emailAddress=xxxx
    Thu May 24 12:51:34 2018 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    Thu May 24 12:51:34 2018 TLS Error: TLS object -> incoming plaintext read error
    Thu May 24 12:51:34 2018 TLS Error: TLS handshake failed
    Thu May 24 12:51:34 2018 Fatal TLS error (check_tls_errors_co), restarting
    Thu May 24 12:51:34 2018 SIGUSR1[soft,tls-error] received, process restarting
    Thu May 24 12:51:34 2018 MANAGEMENT: >STATE:1527159094,RECONNECTING,tls-error,,,,,
    Thu May 24 12:51:34 2018 Restart pause, 5 second(s)

     

    Looks like there's a problem with the new certificate. I edited the entries with "xxx" in this post. I filled in all lines correctly in the certificate.

    Do you know what the problem with the certificate is now?

  • Patrick Pulito said:

    Thu May 24 12:51:34 2018 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=CH, ST=xxxx, L=xxxx, O=xxx, OU=xxx, CN=xxxx, emailAddress=xxxx

    That is the problem - the certificate is not valid yet. Regenerate the Default CA and put in yesterday's date if possible. Then re-download the configuration and reconnect.

    If selecting yesterday's date is not possible, this will start working from tomorrow. It's something to do with device time, time zone (maybe try setting tomorrow's date on system time). Honestly, I am not sure why this happens; maybe someone else can shed some light regarding this behaviour.
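
Added example (not part of the thread, and not Sophos or OpenVPN code): a Python triage of the client log posted above that extracts each `VERIFY ERROR` line, maps `depth` to a position in the certificate chain, and separates validity-window errors (clock or certificate dates) from other verification failures. The names `triage`, `TIME_ERRORS` and the result fields are assumptions made for this illustration.

```python
import re
from datetime import datetime

# Log lines copied from the thread (the poster's "xxxx" redactions kept as-is).
SAMPLE_LOG = """\
Thu May 24 12:51:34 2018 TLS: Initial packet from [AF_INET]192.xxxx:8443, sid=cf33b9d2 0444e901
Thu May 24 12:51:34 2018 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=CH, ST=xxxx, L=xxxx, O=xxx, OU=xxx, CN=xxxx, emailAddress=xxxx
Thu May 24 12:51:34 2018 TLS Error: TLS handshake failed
"""

VERIFY_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) VERIFY ERROR: "
    r"depth=(?P<depth>\d+), error=(?P<error>[^:]+): (?P<subject>.*)$"
)

# Validity-window errors point at clocks or certificate dates, not at trust.
TIME_ERRORS = {
    "certificate is not yet valid": "notBefore is later than the client clock",
    "certificate has expired": "notAfter is earlier than the client clock",
}

def triage(log_text):
    """Return one finding per VERIFY ERROR line in an OpenVPN client log."""
    findings = []
    for line in log_text.splitlines():
        m = VERIFY_RE.match(line.strip())
        if not m:
            continue
        depth = int(m["depth"])
        error = m["error"].strip()
        findings.append({
            # Timestamp as written by the client, i.e. the clock used for the check
            "client_time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
            "depth": depth,
            # depth 0 is the server's own certificate; higher depths are its issuers
            "chain_position": "server certificate" if depth == 0 else "CA in the chain",
            "error": error,
            "time_related": error in TIME_ERRORS,
            "meaning": TIME_ERRORS.get(error, "not a validity-window error"),
            "subject": dict(kv.split("=", 1) for kv in m["subject"].split(", ")),
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

For the posted log this reports a time-related failure on the CA (depth 1) as seen by the client clock at 12:51:34 on 24 May 2018, which is the comparison to check against the regenerated Default CA's start date and the appliance's time and time zone.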