
SSL VPN does not connect after upgrade to SFOS 18.0.3 MR-3

We upgraded one of our Firewalls to SFOS 18.0.3 MR-3 from 18.0.1 MR1 and our SSL VPN clients quit working.

We get the error:

the system tried to join a drive to a directory on a joined drive

Any thoughts on the cause?

  • Hello April,

    Thank you for contacting the Sophos Community!

    Please check if you don't have any DNAT rule with the service set as ANY.

    If you don't have any DNAT rule with service set as ANY, please share the logs from one of the clients and the /log/sslvpn.log

    Regards,

  • No DNAT:

    Server log

    Tue Nov 3 00:28:28 2020 [8020] TCP connection established with [AF_INET6]::ffff:107.6.183.162:34169
    Tue Nov 3 00:28:28 2020 [8020] ::ffff:107.6.183.162 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1572 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Tue Nov 3 00:28:28 2020 [8020] ::ffff:107.6.183.162 Connection reset, restarting [0]
    Tue Nov 3 00:28:28 2020 [8020] ::ffff:107.6.183.162 SIGUSR1[soft,connection-reset] received, client-instance restarting
    Tue Nov 3 00:28:28 2020 [8020] TCP connection established with [AF_INET6]::ffff:107.6.183.162:34660
    Tue Nov 3 00:28:28 2020 [8020] ::ffff:107.6.183.162 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1572 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Tue Nov 3 00:28:28 2020 [8020] ::ffff:107.6.183.162 Connection reset, restarting [0]
    Tue Nov 3 00:28:28 2020 [8020] ::ffff:107.6.183.162 SIGUSR1[soft,connection-reset] received, client-instance restarting
    Tue Nov 3 00:28:29 2020 [8020] TCP connection established with [AF_INET6]::ffff:107.6.183.162:35366
    Tue Nov 3 00:28:29 2020 [8020] ::ffff:107.6.183.162 WARNING: Bad encapsulated packet length from peer (21331), which must be > 0 and <= 1572 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Tue Nov 3 00:28:29 2020 [8020] ::ffff:107.6.183.162 Connection reset, restarting [0]
    Tue Nov 3 00:28:29 2020 [8020] ::ffff:107.6.183.162 SIGUSR1[soft,connection-reset] received, client-instance restarting
    Tue Nov 3 00:28:29 2020 [8020] TCP connection established with [AF_INET6]::ffff:107.6.183.162:36260
    Tue Nov 3 00:28:34 2020 [8020] ::ffff:107.6.183.162 Connection reset, restarting [0]
    Tue Nov 3 00:28:34 2020 [8020] ::ffff:107.6.183.162 SIGUSR1[soft,connection-reset] received, client-instance restarting
    Tue Nov 3 00:28:35 2020 [8020] TCP connection established with [AF_INET6]::ffff:107.6.183.162:44330
    Tue Nov 3 00:28:42 2020 [8020] CID is :3205
    Tue Nov 3 00:28:43 2020 [8020] ::ffff:107.6.183.162 Connection reset, restarting [0]
    Tue Nov 3 00:28:43 2020 [8020] ::ffff:107.6.183.162 SIGUSR1[soft,connection-reset] received, client-instance restarting
    Tue Nov 3 00:28:43 2020 [8020] TCP connection established with [AF_INET6]::ffff:107.6.183.162:57314
    Tue Nov 3 00:28:43 2020 [8020] ::ffff:107.6.183.162 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1572 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Tue Nov 3 00:28:43 2020 [8020] ::ffff:107.6.183.162 Connection reset, restarting [0]
    Tue Nov 3 00:28:43 2020 [8020] ::ffff:107.6.183.162 SIGUSR1[soft,connection-reset] received, client-instance restarting
    Tue Nov 3 00:28:44 2020 [8020] TCP connection established with [AF_INET6]::ffff:107.6.183.162:58512
    Tue Nov 3 00:28:44 2020 [8020] ::ffff:107.6.183.162 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1572 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Tue Nov 3 00:28:44 2020 [8020] ::ffff:107.6.183.162 Connection reset, restarting [0]
    Tue Nov 3 00:28:44 2020 [8020] ::ffff:107.6.183.162 SIGUSR1[soft,connection-reset] received, client-instance restarting
    Tue Nov 3 00:28:44 2020 [8020] TCP connection established with [AF_INET6]::ffff:107.6.183.162:60958
    Tue Nov 3 00:28:44 2020 [8020] ::ffff:107.6.183.162 WARNING: Bad encapsulated packet length from peer (32814), which must be > 0 and <= 1572 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Tue Nov 3 00:28:44 2020 [8020] ::ffff:107.6.183.162 Connection reset, restarting [0]
    Tue Nov 3 00:28:44 2020 [8020] ::ffff:107.6.183.162 SIGUSR1[soft,connection-reset] received, client-instance restarting
    Tue Nov 3 01:19:19 2020 [8020] TCP connection established with [AF_INET6]::ffff:128.14.134.170:47674
    Tue Nov 3 01:19:19 2020 [8020] ::ffff:128.14.134.170 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1572 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Tue Nov 3 01:19:19 2020 [8020] ::ffff:128.14.134.170 Connection reset, restarting [0]
    Tue Nov 3 01:19:19 2020 [8020] ::ffff:128.14.134.170 SIGUSR1[soft,connection-reset] received, client-instance restarting
    Tue Nov 3 04:44:34 2020 [8020] TCP connection established with [AF_INET6]::ffff:46.246.62.206:36474
    Tue Nov 3 04:44:34 2020 [8020] ::ffff:46.246.62.206 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1572 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Tue Nov 3 04:44:34 2020 [8020] ::ffff:46.246.62.206 Connection reset, restarting [0]
    Tue Nov 3 04:44:34 2020 [8020] ::ffff:46.246.62.206 SIGUSR1[soft,connection-reset] received, client-instance restarting
    Tue Nov 3 05:29:13 2020 [8020] TCP connection established with [AF_INET6]::ffff:182.124.56.252:47450
    Tue Nov 3 05:29:14 2020 [8020] ::ffff:182.124.56.252 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1572 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Tue Nov 3 05:29:14 2020 [8020] ::ffff:182.124.56.252 Connection reset, restarting [0]
    Tue Nov 3 05:29:14 2020 [8020] ::ffff:182.124.56.252 SIGUSR1[soft,connection-reset] received, client-instance restarting
    Tue Nov 3 05:48:26 2020 [8020] TCP connection established with [AF_INET6]::ffff:51.254.75.176:59938
    Tue Nov 3 05:48:26 2020 [8020] ::ffff:51.254.75.176 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1572 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Tue Nov 3 05:48:26 2020 [8020] ::ffff:51.254.75.176 Connection reset, restarting [0]
    Tue Nov 3 05:48:26 2020 [8020] ::ffff:51.254.75.176 SIGUSR1[soft,connection-reset] received, client-instance restarting
    Tue Nov 3 05:52:58 2020 [8020] TCP connection established with [AF_INET6]::ffff:138.68.26.56:57930
    Tue Nov 3 05:52:58 2020 [8020] ::ffff:138.68.26.56 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1572 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Tue Nov 3 05:52:58 2020 [8020] ::ffff:138.68.26.56 Connection reset, restarting [0]
    Tue Nov 3 05:52:58 2020 [8020] ::ffff:138.68.26.56 SIGUSR1[soft,connection-reset] received, client-instance restarting
    Tue Nov 3 05:55:36 2020 [8020] TCP connection established with [AF_INET6]::ffff:51.254.75.188:49788
    Tue Nov 3 05:55:36 2020 [8020] ::ffff:51.254.75.188 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1572 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Tue Nov 3 05:55:36 2020 [8020] ::ffff:51.254.75.188 Connection reset, restarting [0]
    Tue Nov 3 05:55:36 2020 [8020] ::ffff:51.254.75.188 SIGUSR1[soft,connection-reset] received, client-instance restarting
    Tue Nov 3 06:21:10 2020 [8020] TCP connection established with [AF_INET6]::ffff:216.218.206.66:35538
    Tue Nov 3 06:21:10 2020 [8020] ::ffff:216.218.206.66 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1572 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Tue Nov 3 06:21:10 2020 [8020] ::ffff:216.218.206.66 Connection reset, restarting [0]
    Tue Nov 3 06:21:10 2020 [8020] ::ffff:216.218.206.66 SIGUSR1[soft,connection-reset] received, client-instance restarting
    Tue Nov 3 06:23:09 2020 [8020] Closing TUN/TAP interface
    Tue Nov 3 06:23:09 2020 [8020] /bin/ip addr del dev tun0 10.255.255.1/24
    Tue Nov 3 06:23:10 2020 [8020] /bin/ip -6 addr del 2001:db8::1:0/64 dev tun0
    Tue Nov 3 06:23:10 2020 [8020] PLUGIN_CLOSE: /lib/openvpn-plugin-utm.so
    Tue Nov 3 06:23:10 2020 [8020] SIGTERM[hard,] received, process exiting
    Tue Nov 3 06:32:01 2020 [10749] OpenVPN 2.3.6 i486-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 8 2020
    Tue Nov 3 06:32:01 2020 [10749] library versions: OpenSSL 1.0.2r-fips 26 Feb 2019, LZO 2.09
    Tue Nov 3 06:32:01 2020 [10749] MANAGEMENT: client_uid=0
    Tue Nov 3 06:32:01 2020 [10749] MANAGEMENT: unix domain socket listening on /tmp/openvpn_mgmt
    Tue Nov 3 06:32:01 2020 [10749] cleanup success
    Tue Nov 3 06:32:01 2020 [10749] WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
    Tue Nov 3 06:32:01 2020 [10749] WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
    Tue Nov 3 06:32:01 2020 [10749] NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    grhandle=0x926b530
    Authentication server 127.0.0.1 gave login response code 2
    Tue Nov 3 06:32:01 2020 [10749] PLUGIN_INIT: POST /lib/openvpn-plugin-utm.so '[/lib/openvpn-plugin-utm.so]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY|PLUGIN_CLIENT_CONNECT|PLUGIN_CLIENT_DISCONNECT
    Tue Nov 3 06:32:01 2020 [10749] Diffie-Hellman initialized with 2048 bit key
    Tue Nov 3 06:32:01 2020 [10749] WARNING: file '/conf/certificate/private/ApplianceCertificate.key' is group or others accessible
    Tue Nov 3 06:32:01 2020 [10749] WARNING: experimental option --capath /conf/certificate/openvpn
    Tue Nov 3 06:32:01 2020 [10749] Socket Buffers: R=[87380->87380] S=[16384->16384]
    Tue Nov 3 06:32:01 2020 [10749] TUN/TAP device tun0 opened
    Tue Nov 3 06:32:01 2020 [10749] TUN/TAP TX queue length set to 1000
    Tue Nov 3 06:32:01 2020 [10749] do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
    Tue Nov 3 06:32:01 2020 [10749] /bin/ip link set dev tun0 up mtu 1500
    Tue Nov 3 06:32:01 2020 [10749] /bin/ip addr add dev tun0 10.255.255.1/24 broadcast 10.255.255.255
    Tue Nov 3 06:32:01 2020 [10749] /bin/ip -6 addr add 2001:db8::1:0/64 dev tun0
    Tue Nov 3 06:32:01 2020 [10749] CSC service status updated to RUNNING
    Tue Nov 3 06:32:01 2020 [10749] Listening for incoming TCP connection on [undef]
    Tue Nov 3 06:32:01 2020 [10749] TCPv6_SERVER link local (bound): [undef]
    Tue Nov 3 06:32:01 2020 [10749] TCPv6_SERVER link remote: [undef]
    Tue Nov 3 06:32:01 2020 [10749] MULTI: multi_init called, r=256 v=256
    Tue Nov 3 06:32:01 2020 [10749] IFCONFIG POOL IPv6: (IPv4) size=253, size_ipv6=65536, netbits=64, base_ipv6=2001:db8::1:1
    Tue Nov 3 06:32:01 2020 [10749] IFCONFIG POOL: base=10.255.255.2 size=253, ipv6=1
    Tue Nov 3 06:32:01 2020 [10749] IFCONFIG POOL LIST
    Tue Nov 3 06:32:01 2020 [10749] MULTI: TCP INIT maxclients=440 maxevents=444
    Tue Nov 3 06:32:01 2020 [10749] Initialization Sequence Completed
    Tue Nov 3 08:31:21 2020 [10749] MANAGEMENT: Client connected from /tmp/openvpn_mgmt
    Tue Nov 3 08:31:21 2020 [10749] MANAGEMENT: CMD 'status -1'
    Tue Nov 3 08:31:31 2020 [10749] MANAGEMENT: Client disconnected

    Client log

    Thu Nov 05 11:41:16 2020 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jul 3 2017
    Thu Nov 05 11:41:16 2020 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.09
    Enter Management Password:
    Thu Nov 05 11:41:16 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Thu Nov 05 11:41:16 2020 Need hold release from management interface, waiting...
    Thu Nov 05 11:41:17 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Thu Nov 05 11:41:17 2020 MANAGEMENT: CMD 'state on'
    Thu Nov 05 11:41:17 2020 MANAGEMENT: CMD 'log all on'
    Thu Nov 05 11:41:17 2020 MANAGEMENT: CMD 'hold off'
    Thu Nov 05 11:41:17 2020 MANAGEMENT: CMD 'hold release'
    Thu Nov 05 11:41:26 2020 MANAGEMENT: CMD 'username "Auth" "pompey"'
    Thu Nov 05 11:41:26 2020 MANAGEMENT: CMD 'password [...]'
    Thu Nov 05 11:41:26 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Thu Nov 05 11:41:26 2020 Attempting to establish TCP connection with [AF_INET]68.142.164.248:8443 [nonblock]
    Thu Nov 05 11:41:26 2020 MANAGEMENT: >STATE:1604594486,TCP_CONNECT,,,,,,
    Thu Nov 05 11:41:36 2020 TCP: connect to [AF_INET]68.142.164.248:8443 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
    Thu Nov 05 11:41:40 2020 SIGTERM[hard,init_instance] received, process exiting
    Thu Nov 05 11:41:40 2020 MANAGEMENT: >STATE:1604594500,EXITING,init_instance,,,,,

  • Looks like your MTU is too large with 1572.

    Do you have PPPoE dial-in on your XG WAN interface?

    I would check the setting of your WAN interface. Did the clients install new VPN configs after the upgrade, or do they have the same?

    For a workaround, try whether setting a fixed, smaller MTU on a client works.

    But I guess the bug is inside XG, not the VPN client.

  • Yes we have a PPPoE on our XG WAN interface.

    I have tried with old config and a new VPN config.

    I decreased the MTU from 1500 to 1000 and same error.

  • We are having the same issue.

    We reinstalled the VPN config.

    Thanks.

  • I did reinstall the VPN config on the client. It did not fix the issue.

  • Hi all. Just throwing my tuppence worth in.

    I'm on 18.0.1 MR1. I had this same problem, and although I have not found the easy fix, I feel the problem is something to do with the PCs.

    I'm also only experiencing this on Dell machines, and the fix for me was to reinstall Windows (wipe hard drive, fresh install) and the problem goes away. So, using the same SSL VPN installer and the same firewall (nothing has changed), I'd already tried to remove all recent Windows and Dell updates to no effect, but a full reinstall sorted it. (10 PCs / 1 laptop had the same issue.)

  • I am not wiping a couple dozen laptops. A rollback of the firewall firmware fixed the issue. I guess I will log a ticket and see if I can get any support for the issue. Now is not the time to break VPNs with all of the workforce having remote access because of COVID and working from home at least once a week.

  • From what I read about that "Bad encapsulated packet length from peer" followed by a strange packet size value, it may be related to the User Portal being available from the public internet on port 443 and the SSL VPN server listening on 443 as well.

    Sophos devices, UTM and XG, have always had problems with this configuration. Nevertheless, this is the default configuration of the machines.

    So my experience with this since UTM 8.x is to use a different port for the User Portal. This is also what support recently confirmed after the User Portal became inaccessible from one day to another without any change in V18 MR1.

    If you have time to test, disable the User Portal on the WAN and try again to connect a client, or change the port of the User Portal generally.

  • User portal is turned off on the WAN already.
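As an added example (not code from the thread or from Sophos), a small triage script for the server-side "Bad encapsulated packet length from peer" warnings in the posted sslvpn.log: OpenVPN in TCP mode reads a two-byte big-endian length prefix from every connection, so the value in parentheses is simply the first two bytes the peer wrote to the socket. Decoding those bytes separates other protocols' probes hitting the listener from a genuine --tun-mtu/--link-mtu mismatch; the sample lines are constructed in the posted log's format with documentation addresses, and the near-limit rule is a heuristic.

```python
import re

# Constructed sample lines in the format of the sslvpn.log posted in the thread;
# peer addresses use documentation ranges, length values are the posted ones
# plus one near-limit value (1600) for contrast.
SAMPLE_LOG = """\
Tue Nov 3 00:28:28 2020 [8020] TCP connection established with [AF_INET6]::ffff:203.0.113.10:34169
Tue Nov 3 00:28:28 2020 [8020] ::ffff:203.0.113.10 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1572 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- [Attempting restart...]
Tue Nov 3 00:28:28 2020 [8020] ::ffff:203.0.113.10 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1572 -- [Attempting restart...]
Tue Nov 3 00:28:29 2020 [8020] ::ffff:203.0.113.10 WARNING: Bad encapsulated packet length from peer (21331), which must be > 0 and <= 1572 -- [Attempting restart...]
Tue Nov 3 05:29:14 2020 [8020] ::ffff:198.51.100.7 WARNING: Bad encapsulated packet length from peer (1600), which must be > 0 and <= 1572 -- [Attempting restart...]
"""

WARN_RE = re.compile(
    r"::ffff:(?P<peer>[\d.]+) WARNING: Bad encapsulated packet length from peer "
    r"\((?P<len>\d+)\), which must be > 0 and <= (?P<max>\d+)"
)

def classify(length: int, max_len: int) -> str:
    """Decode the rejected length into the two bytes the peer actually sent.
    OpenVPN in TCP mode reads a 2-byte big-endian length prefix, so a bogus
    value is just the first two bytes of whatever the peer wrote."""
    if not 0 <= length <= 0xFFFF:
        return "invalid"
    prefix = length.to_bytes(2, "big")
    if prefix == b"\x16\x03":
        # 0x16 0x03 opens a TLS handshake record: something spoke raw TLS to
        # the port without OpenVPN framing (scanner, browser, misdirected client).
        return "tls-record-header"
    if prefix.isalpha():
        # Plain ASCII letters, e.g. "GE" from "GET /" or "SS" from "SSH-2.0".
        return "ascii-preamble:" + prefix.decode("ascii")
    if max_len < length <= max_len + 256:
        # Heuristic: a genuine --tun-mtu/--link-mtu mismatch yields lengths just
        # above the configured maximum, not arbitrary 16-bit values.
        return "possible-mtu-mismatch"
    return "unknown"

def triage(log_text: str) -> dict:
    """Map each peer address to the classification of its warning lines."""
    result: dict = {}
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m:
            result.setdefault(m["peer"], []).append(
                classify(int(m["len"]), int(m["max"])))
    return result
```

Running `triage(SAMPLE_LOG)` groups the warnings per peer, so a source whose values decode to TLS or ASCII preambles can be treated as port noise while only near-limit values point at an MTU problem on the VPN path.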