Unable to connect with Sophos VPN SSL client

While connecting SSL VPN using Sophos Connect Client, the VPN client throws a policy mismatch error: import new policy for this connection.

I've tried several times for different clients using SSL VPN Client; it is working fine as expected.

Following are the logs for reference.

Mon Dec  6 12:45:27 2021 OpenVPN 2.5.0 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr  6 2020
Mon Dec  6 12:45:27 2021 Windows version 6.2 (Windows 8 or greater) 64bit
Mon Dec  6 12:45:27 2021 library versions: OpenSSL 1.1.1e  17 Mar 2020, LZO 2.10
Enter Management Password:
Mon Dec  6 12:45:27 2021 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Dec  6 12:45:27 2021 Need hold release from management interface, waiting...
Mon Dec  6 12:45:27 2021 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Mon Dec  6 12:45:27 2021 MANAGEMENT: CMD 'state on'
Mon Dec  6 12:45:27 2021 MANAGEMENT: CMD 'log all on'
Mon Dec  6 12:45:27 2021 MANAGEMENT: CMD 'echo all on'
Mon Dec  6 12:45:27 2021 MANAGEMENT: CMD 'bytecount 5'
Mon Dec  6 12:45:27 2021 MANAGEMENT: CMD 'hold off'
Mon Dec  6 12:45:27 2021 MANAGEMENT: CMD 'hold release'
Mon Dec  6 12:45:27 2021 MANAGEMENT: CMD 'username "Auth" FCAHelpDesk'
Mon Dec  6 12:45:27 2021 MANAGEMENT: CMD 'password [...]'
Mon Dec  6 12:45:27 2021 MANAGEMENT: >STATE:1638774927,RESOLVE,,,,,,
Mon Dec  6 12:45:27 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]41.193.254.55:8443
Mon Dec  6 12:45:27 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Dec  6 12:45:27 2021 Attempting to establish TCP connection with [AF_INET]41.193.254.55:8443 [nonblock]
Mon Dec  6 12:45:27 2021 MANAGEMENT: >STATE:1638774927,TCP_CONNECT,,,,,,
Mon Dec  6 12:45:47 2021 TCP: connect to [AF_INET]41.193.254.55:8443 failed: Unknown error
Mon Dec  6 12:45:47 2021 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Mon Dec  6 12:45:47 2021 MANAGEMENT: >STATE:1638774947,RECONNECTING,init_instance,,,,,
Mon Dec  6 12:45:47 2021 Restart pause, 5 second(s)
Mon Dec  6 12:45:52 2021 MANAGEMENT: >STATE:1638774952,RESOLVE,,,,,,
Mon Dec  6 12:45:52 2021 RESOLVE: Cannot resolve host address: SMDYasat.ddns.cyberoam.com:8443 (No such host is known. )
Mon Dec  6 12:45:52 2021 MANAGEMENT: >STATE:1638774952,RESOLVE,,,,,,
Mon Dec  6 12:45:52 2021 RESOLVE: Cannot resolve host address: SMDYasat.ddns.cyberoam.com:8443 (No such host is known. )
Mon Dec  6 12:45:52 2021 Could not determine IPv4/IPv6 protocol
Mon Dec  6 12:45:52 2021 SIGUSR1[soft,init_instance] received, process restarting
Mon Dec  6 12:45:52 2021 MANAGEMENT: >STATE:1638774952,RECONNECTING,init_instance,,,,,
Mon Dec  6 12:45:52 2021 Restart pause, 5 second(s)
Mon Dec  6 12:45:57 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]197.155.206.82:8443
Mon Dec  6 12:45:57 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Dec  6 12:45:57 2021 Attempting to establish TCP connection with [AF_INET]197.155.206.82:8443 [nonblock]
Mon Dec  6 12:45:57 2021 MANAGEMENT: >STATE:1638774957,TCP_CONNECT,,,,,,
Mon Dec  6 12:45:58 2021 TCP connection established with [AF_INET]197.155.206.82:8443
Mon Dec  6 12:45:58 2021 TCP_CLIENT link local: (not bound)
Mon Dec  6 12:45:58 2021 TCP_CLIENT link remote: [AF_INET]197.155.206.82:8443
Mon Dec  6 12:45:58 2021 MANAGEMENT: >STATE:1638774958,WAIT,,,,,,
Mon Dec  6 12:45:58 2021 MANAGEMENT: >STATE:1638774958,AUTH,,,,,,
Mon Dec  6 12:45:58 2021 TLS: Initial packet from [AF_INET]197.155.206.82:8443, sid=273e9868 a87deaf6
Mon Dec  6 12:45:58 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Dec  6 12:46:05 2021 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=ZA, ST=NA, L=NA, O=Armourteq, OU=OU, CN=Sophos_CA_C1403A44K3YYHC3, emailAddress=dave@firstconsulting.co.za
Mon Dec  6 12:46:05 2021 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Mon Dec  6 12:46:05 2021 TLS_ERROR: BIO read tls_read_plaintext error
Mon Dec  6 12:46:05 2021 TLS Error: TLS object -> incoming plaintext read error
Mon Dec  6 12:46:05 2021 TLS Error: TLS handshake failed
Mon Dec  6 12:46:05 2021 Fatal TLS error (check_tls_errors_co), restarting
Mon Dec  6 12:46:05 2021 SIGUSR1[soft,tls-error] received, process restarting
Mon Dec  6 12:46:05 2021 MANAGEMENT: >STATE:1638774965,RECONNECTING,tls-error,,,,,
Mon Dec  6 12:46:05 2021 Restart pause, 5 second(s)
Mon Dec  6 12:46:06 2021 SIGTERM[hard,init_instance] received, process exiting
Mon Dec  6 12:46:06 2021 MANAGEMENT: >STATE:1638774966,EXITING,init_instance,,,,,


  • Hi: Thank you for reaching out to the Sophos community team. It seems the issue is related to "server_certificate: certificate verify failed". Please check that the default CA details are filled in properly on XG to complete the cert verification.

    If possible, you may try regenerating the default CA (by editing and saving it with details), but that will result in the regeneration of all your certificates, will restart the SSL VPN service, and may require re-importing the SSL VPN configuration file on the end-user machine to connect over SSL VPN. Please make sure to do this activity in odd hours with proper downtime to be on the safe side, so that if anything is impacted you can restore the backup.

    Note: Before proceeding with default CA regeneration, you may take a backup of the current configuration for safety measures. 

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Hello

    Thanks for the swift response.

    Let me try to regenerate the certificate and verify the status.

    -----------------------

    Thanks & Regards,

    Nilesh Mojidra


  • Hi Vishal,

    I have the same issue. I already tried to regenerate the certificate and reimport it on the client, but the same problem still persists:

    Sun Feb  6 12:39:43 2022 library versions: OpenSSL 1.1.1e  17 Mar 2020, LZO 2.10
    Enter Management Password:
    Sun Feb  6 12:39:43 2022 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Sun Feb  6 12:39:43 2022 Need hold release from management interface, waiting...
    Sun Feb  6 12:39:43 2022 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Sun Feb  6 12:39:43 2022 MANAGEMENT: CMD 'state on'
    Sun Feb  6 12:39:43 2022 MANAGEMENT: CMD 'log all on'
    Sun Feb  6 12:39:43 2022 MANAGEMENT: CMD 'echo all on'
    Sun Feb  6 12:39:43 2022 MANAGEMENT: CMD 'bytecount 5'
    Sun Feb  6 12:39:43 2022 MANAGEMENT: CMD 'hold off'
    Sun Feb  6 12:39:43 2022 MANAGEMENT: CMD 'hold release'
    Sun Feb  6 12:39:43 2022 MANAGEMENT: CMD 'username "Auth" ivan'
    Sun Feb  6 12:39:43 2022 MANAGEMENT: CMD 'password [...]'
    Sun Feb  6 12:39:43 2022 MANAGEMENT: >STATE:1644151183,RESOLVE,,,,,,
    Sun Feb  6 12:39:43 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]88.157.97.97:8443
    Sun Feb  6 12:39:43 2022 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Sun Feb  6 12:39:43 2022 Attempting to establish TCP connection with [AF_INET]88.157.97.97:8443 [nonblock]
    Sun Feb  6 12:39:43 2022 MANAGEMENT: >STATE:1644151183,TCP_CONNECT,,,,,,
    Sun Feb  6 12:40:03 2022 TCP: connect to [AF_INET]88.157.97.97:8443 failed: Unknown error
    Sun Feb  6 12:40:03 2022 SIGUSR1[connection failed(soft),init_instance] received, process restarting
    Sun Feb  6 12:40:03 2022 MANAGEMENT: >STATE:1644151203,RECONNECTING,init_instance,,,,,
    Sun Feb  6 12:40:03 2022 Restart pause, 5 second(s)
    Sun Feb  6 12:40:08 2022 MANAGEMENT: Client disconnected
    Sun Feb  6 12:40:08 2022 All connections have been connect-retry-max (1) times unsuccessful, exiting
    Sun Feb  6 12:40:08 2022 Exiting due to fatal error
    Sun Feb  6 12:40:40 2022 OpenVPN 2.5.0 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr  6 2020
    Sun Feb  6 12:40:40 2022 Windows version 6.2 (Windows 8 or greater) 64bit
    Sun Feb  6 12:40:40 2022 library versions: OpenSSL 1.1.1e  17 Mar 2020, LZO 2.10
    Enter Management Password:
    Sun Feb  6 12:40:40 2022 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Sun Feb  6 12:40:40 2022 Need hold release from management interface, waiting...
    Sun Feb  6 12:40:40 2022 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Sun Feb  6 12:40:40 2022 MANAGEMENT: CMD 'state on'
    Sun Feb  6 12:40:40 2022 MANAGEMENT: CMD 'log all on'
    Sun Feb  6 12:40:40 2022 MANAGEMENT: CMD 'echo all on'
    Sun Feb  6 12:40:40 2022 MANAGEMENT: CMD 'bytecount 5'
    Sun Feb  6 12:40:40 2022 MANAGEMENT: CMD 'hold off'
    Sun Feb  6 12:40:40 2022 MANAGEMENT: CMD 'hold release'
    Sun Feb  6 12:40:40 2022 MANAGEMENT: CMD 'username "Auth" ivan'
    Sun Feb  6 12:40:40 2022 MANAGEMENT: CMD 'password [...]'
    Sun Feb  6 12:40:40 2022 MANAGEMENT: >STATE:1644151240,RESOLVE,,,,,,
    Sun Feb  6 12:40:40 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]88.157.97.97:8443
    Sun Feb  6 12:40:40 2022 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Sun Feb  6 12:40:40 2022 Attempting to establish TCP connection with [AF_INET]88.157.97.97:8443 [nonblock]
    Sun Feb  6 12:40:40 2022 MANAGEMENT: >STATE:1644151240,TCP_CONNECT,,,,,,
    Sun Feb  6 12:41:01 2022 TCP: connect to [AF_INET]88.157.97.97:8443 failed: Unknown error
    Sun Feb  6 12:41:01 2022 SIGUSR1[connection failed(soft),init_instance] received, process restarting
    Sun Feb  6 12:41:01 2022 MANAGEMENT: >STATE:1644151261,RECONNECTING,init_instance,,,,,
    Sun Feb  6 12:41:01 2022 Restart pause, 5 second(s)
    Sun Feb  6 12:41:06 2022 MANAGEMENT: Client disconnected
    Sun Feb  6 12:41:06 2022 All connections have been connect-retry-max (1) times unsuccessful, exiting
    Sun Feb  6 12:41:06 2022 Exiting due to fatal error
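
Added example (not part of the original thread and not Sophos code): a small Python triage script that sorts the failure lines in OpenVPN client logs like those posted above by the layer at which the attempt stopped (DNS resolution, TCP connect, certificate verification), since each layer calls for a different fix. The function names and the sample log, which uses documentation addresses and a made-up CA subject, are constructed for illustration.

```python
import re
from collections import Counter

# OpenVPN client log prefix, e.g. "Mon Dec  6 12:45:47 2021 <message>"
LINE = re.compile(r"^\s*(\w{3} \w{3} +\d+ [\d:]{8} \d{4}) (.*)$")

# Failure signatures that appear in the logs on this page, keyed by the
# layer at which the connection attempt stopped.
RULES = [
    ("dns", re.compile(r"RESOLVE: Cannot resolve host address: (?P<target>\S+)")),
    ("tcp", re.compile(r"TCP: connect to \[AF_INET\](?P<target>\S+) failed")),
    ("cert", re.compile(r"VERIFY ERROR: depth=(?P<depth>\d+), "
                        r"error=(?P<reason>[^:]+): (?P<target>.*)")),
]

def triage(log_text):
    """Return one finding dict per failure line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # prompts such as "Enter Management Password:"
        when, message = m.groups()
        for layer, rule in RULES:
            hit = rule.search(message)
            if hit:
                findings.append({"when": when, "layer": layer, **hit.groupdict()})
                break
    return findings

def summary(log_text):
    """Count distinct failing targets per layer (repeated lines count once)."""
    seen = {(f["layer"], f["target"]) for f in triage(log_text)}
    return Counter(layer for layer, _ in seen)

# Constructed sample modeled on the log lines above (documentation addresses).
SAMPLE = """\
Mon Dec  6 12:45:47 2021 TCP: connect to [AF_INET]192.0.2.10:8443 failed: Unknown error
Mon Dec  6 12:45:52 2021 RESOLVE: Cannot resolve host address: vpn.example.test:8443 (No such host is known. )
Mon Dec  6 12:45:52 2021 RESOLVE: Cannot resolve host address: vpn.example.test:8443 (No such host is known. )
Enter Management Password:
Mon Dec  6 12:45:58 2021 TCP connection established with [AF_INET]192.0.2.20:8443
Mon Dec  6 12:46:05 2021 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=ZA, O=Example, CN=Example_CA
Mon Dec  6 12:46:05 2021 TLS Error: TLS handshake failed
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
    print(dict(summary(SAMPLE)))
```

A `cert` finding at `depth=1` means the client rejected the issuing CA rather than the server's own certificate, so the CA bundled in the imported client configuration is the thing to compare against the CA the firewall currently presents; `tcp` and `dns` findings are reachability problems that certificate changes do not affect.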