
17.5 Broke SSL VPN.

After upgrading to 17.5, SSL VPN authentication is no longer working.


Authentication fails with log entry: 2019-01-15 22:45:09 Authenticationmessageid="17711" log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Failed" user="xxx@xxx" user_group="" client_used="N/A" auth_mechanism="Local,AD" reason="" src_ip="192.168.2.221" message="User xxx@xxx.com failed to login to SSLVPN through Local,AD authentication mechanism because of " name="" src_mac="" 


User portal access works for the same user, with or without OTP.

No changes other than the upgrade have been made.
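As an added example (not code from the thread or from Sophos), a small Python parser for the key="value" XG event line format quoted above that pulls out failed SSL VPN authentications and flags the ones with an empty reason field, the symptom reported here. The first sample line mirrors the entry in the post; the other lines, and the user names and addresses in them, are constructed.

```python
import re
from typing import Dict, List

# key="value" pairs as they appear in the XG event log line quoted in the post.
_KV_RE = re.compile(r'(\w+)="([^"]*)"')
_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def parse_xg_event(line: str) -> Dict[str, str]:
    """Parse one XG event log line into a dict of its key="value" fields plus the timestamp."""
    fields = dict(_KV_RE.findall(line))
    m = _TS_RE.match(line)
    if m:
        fields["timestamp"] = m.group(1)
    return fields


def sslvpn_auth_failures(lines: List[str]) -> List[Dict[str, object]]:
    """Return failed SSL VPN authentications, marking those logged with no reason at all."""
    out: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_xg_event(line)
        if ev.get("log_component") != "SSL VPN Authentication" or ev.get("status") != "Failed":
            continue
        out.append({
            "timestamp": ev.get("timestamp", ""),
            "user": ev.get("user", ""),
            "src_ip": ev.get("src_ip", ""),
            "auth_mechanism": ev.get("auth_mechanism", ""),
            # reason="" (and a message ending in "because of ") is what the post shows;
            # a failure with no stated reason is worth alerting on separately from bad credentials.
            "empty_reason": ev.get("reason", "") == "",
        })
    return out


# Constructed sample log: line 1 reproduces the post's entry, lines 2 and 3 are made up.
SAMPLE_LOG = [
    '2019-01-15 22:45:09 Authentication messageid="17711" log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Failed" user="xxx@xxx" user_group="" client_used="N/A" auth_mechanism="Local,AD" reason="" src_ip="192.168.2.221" message="User xxx@xxx.com failed to login to SSLVPN through Local,AD authentication mechanism because of " name="" src_mac=""',
    '2019-01-15 22:46:10 Authentication log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Successful" user="bob@example.test" auth_mechanism="AD" reason="" src_ip="192.168.2.50"',
    '2019-01-15 22:47:30 Authentication messageid="17711" log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Failed" user="carol@example.test" auth_mechanism="AD" reason="wrong credentials" src_ip="192.168.2.77"',
]

if __name__ == "__main__":
    for failure in sslvpn_auth_failures(SAMPLE_LOG):
        print(failure)
```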



  • Hi Kimmo,

    I had a single user report this today; nothing made sense, as the User portal was fine etc., and the access_server.log in the CLI in debug mode simply said Auth Failed due to username and password error. Checked in AD and there were no auth requests there (which is odd).

    So I deleted the user from the XG Auth interface, re-logged them into the user portal, re-downloaded the SSL VPN config (which will have changed when you deleted and re-made the user after logging in) and they were able to connect.

    I have not heard of or seen this on any of our other v17.5 customers on SSL VPN, but your description and log line are exactly what I had today and that's how I fixed it.

    Hope that helps,

    Emile

  • Need to test that then. Luckily this was in a LAB setup. Asking 100's of users to redownload their profile is nothing I would like to perform after major updates.

  • As I said, this only happened to one user out of all of the users running SSL VPN on the XG. I would not expect the entire userbase to be affected, but if it was not mission critical I would have done more diagnostics. What I would recommend doing is actually raising a case with Sophos and getting this deep dived, because that could be an issue they'd like to be aware of.

    Emile

  • Seems AD integration is more or less broken.


    Cannot remove problematic user as I get error "User could not be deleted. A firewall rule, VPN connection or web policy rule exists for this user."


    OK, so I removed the user from the ACL_VPN_Access security group that is being used to give access to VPN and is also used in the FW rule. Same error.


    Moved user to different OU than one being synced to XG and used purge AD users option on XG. User still remains in the system and cannot be removed.

  • Hi Kimmo,

    AD Integration is not broken, you have assigned the user manually to either a FW rule, Web policy element or directly to the SSL VPN policy. You need to remove the user from either of those areas before you can delete them. For users, the XG does not do a regressive delete and does not remove them from anywhere they have been manually assigned.

    Can you find the above and try and delete again?

    Emile

  • Hi,

    I only use groups as assigning anything directly is not practical.

    Also double-checked that this is not the case.

  • Hi Kimmo,

    Unfortunately, the only reason why a user cannot be deleted is because it is being used somewhere in a manual assignment. This needs to be found and removed before it can be deleted.

    Emile

  • As I said this is not the case. This is a week old installation without any policies assigned to users directly.

    AD integration is broken, as it has also been reported to be broken in the 17.1 versions, so most likely the same codebase is being used for 17.5.

  • Hi Kimmo,

    If the user is corrupt then you need to speak to support to help them diagnose the issue, as apart from the reasons I have mentioned, there should be very little reason you cannot delete a user from the XG.

    It is not just policies, it is any subsystem you can add a user to. That includes Sophos Connect, SSL VPN, Web Policy assignment etc.

    I am not aware of any AD integration issues, other than configuration issues, on any of the installs i have done in the past 6 months.

    Emile

  • There were some posts on forums regarding AD groups integration.

    Seems that this problematic user is not being removed from the ACL_VPN_Access group.

    If I create a new user and add it to the same group and later remove the user from the group, then the user gets removed from the group on the XG side also.

  • Hello Kimmo,

    Thank you for the update. Could you please confirm whether you have removed MAC Binding for this user?
