We have a case open for this with support, but we're wondering if anyone else can shed any light, as progress seems to have stalled.
We have a customer with a long AD domain name (e.g. companydomain.companywebsite.co.uk) and have just installed an XG230 + SSL VPN using Sophos Connect 2.0.
We have found that some users cannot connect via the SSL VPN (which uses AD integration for authentication).
The logs seem to indicate TLS negotiation errors for the affected users, while others can connect fine.
During our testing, we have come to believe the domain length may be causing the issue.
On the client, when they try to connect, they get a 'Policy Mismatch Error' or a generic 'connection failed' error.
The user can access the user portal fine, but both the SSL VPN client and the Sophos Connect 2.0 client fail to connect with the same behaviour.
In the VPN client log, we have seen messages like the below:
Sat Oct 3 16:25:42 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct 3 16:25:42 2020 TLS Error: TLS handshake failed
We've also seen errors like the below in the firewall log, which we feel may highlight the actual issue as being to do with the username, or at least the length of the string.
CN=firstname.surname@companydomain.companywebsite.co.uk_173E6175DDF, emailAddress=thexg@companydomain.co.uk') -- note that the username length is limited to 64 characters
Now, the user's actual logon name is well under 64 characters, but when you take the domain name into account and include the suffix appended at the end by the client/firewall, it is actually 64 characters long, which seems to break something so the connection fails.
During testing for the customer, I found that if the CN was 63 or 64 characters long, it seemed to break the setup and the VPN wouldn't connect.
We've seen that for most of the affected users this CN string is around 63-65 characters long, whereas the usernames themselves are 14-15 characters long.
I've not got another device to test on a lab domain with a similar length (37 chars for the AD domain name) to verify this on a clean setup, but we're running out of ideas.
It could be a red herring, but the fact is that if I shorten the username by one character, it works. Note that there are no spaces, special characters or umlauts in the usernames.
Ideally, we don't want to rename the domain, as the knock-on effect is huge, but I'm not sure what else we can do at this point.
Any ideas?
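A quick way to check the hypothesis in the post before touching the domain is to reproduce the CN the way the log line shows it (UPN followed by an appended suffix) and measure it against the X.509 commonName upper bound, which RFC 5280 Appendix A sets at 64 characters (ub-common-name). The script below is an added example, not the poster's or Sophos's code: it extracts the CN from a firewall log line of the shape quoted above, audits a constructed list of logon names against a constructed domain, and reports the longest logon name that stays under the failure length the poster observed. The suffix "_173E6175DDF", the 63-character failure threshold and the sample users and domain are all assumptions taken from or modelled on the post, not values from the customer's environment.

```python
import re
from typing import List, Optional, Tuple

# RFC 5280 Appendix A: ub-common-name INTEGER ::= 64
CN_MAX_LEN = 64
# Length at which the poster reports connections start failing (63 or 64 chars).
# This is the thread's observation, not a documented limit.
OBSERVED_FAIL_LEN = 63

# Constructed suffix with the same shape and length as the "_173E6175DDF"
# in the post's log line. The real value is generated by the firewall/client
# and is an assumption here.
SAMPLE_SUFFIX = "_173E6175DDF"

# Constructed sample data (not from the customer's environment).
SAMPLE_DOMAIN = "companydomain.companywebsite.co.uk"
SAMPLE_USERS = ["john.smith", "christopher.jones", "alexandra.thompson"]
SAMPLE_LOG_LINE = (
    "CN=firstname.surname@companydomain.companywebsite.co.uk_173E6175DDF, "
    "emailAddress=thexg@companydomain.co.uk"
)


def extract_cn(log_line: str) -> Optional[str]:
    """Pull the CN value out of a log line that contains an X.509 subject."""
    match = re.search(r"\bCN=([^,]+)", log_line)
    return match.group(1).strip() if match else None


def build_cn(username: str, domain: str, suffix: str = SAMPLE_SUFFIX) -> str:
    """Reconstruct the subject CN as the post describes it: UPN plus suffix."""
    return f"{username}@{domain}{suffix}"


def classify_cn(cn: str) -> str:
    """Compare a CN's length against the RFC bound and the observed threshold."""
    n = len(cn)
    if n > CN_MAX_LEN:
        return "exceeds RFC 5280 ub-common-name (64)"
    if n >= OBSERVED_FAIL_LEN:
        return "at observed failure length (>= 63)"
    return "ok"


def max_safe_username_len(domain: str, suffix: str = SAMPLE_SUFFIX) -> int:
    """Longest logon name that keeps the CN below the observed failure length.

    CN = username + "@" + domain + suffix, so the username gets whatever is
    left after the "@", the domain and the suffix are subtracted from 62.
    """
    return (OBSERVED_FAIL_LEN - 1) - len("@") - len(domain) - len(suffix)


def audit_users(usernames: List[str], domain: str,
                suffix: str = SAMPLE_SUFFIX) -> List[Tuple[str, int, str]]:
    """Return (username, cn_length, verdict) for each logon name."""
    rows = []
    for user in usernames:
        cn = build_cn(user, domain, suffix)
        rows.append((user, len(cn), classify_cn(cn)))
    return rows


if __name__ == "__main__":
    cn = extract_cn(SAMPLE_LOG_LINE)
    print(f"CN from log: {cn} ({len(cn)} chars) -> {classify_cn(cn)}")
    print(f"Longest safe logon name for {SAMPLE_DOMAIN}: "
          f"{max_safe_username_len(SAMPLE_DOMAIN)} chars")
    for user, length, verdict in audit_users(SAMPLE_USERS, SAMPLE_DOMAIN):
        print(f"{user:22} {length:3}  {verdict}")
```

Run against an export of the real logon names and domain, the audit gives a list of the accounts that will land at 63 characters or more, which can be compared directly with the list of users who cannot connect; if the two lists match, the length hypothesis holds and the fix can be scoped to those accounts rather than to the domain name.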