Sophos Firewall - Unable to Download SSL VPN Client/Config via User Portal

Hi Patrick Thomas1

Please share the status of the firmware shown on GUI under  System-->Admininstration --->Backup and Firmware -->Firmware and Default CA under System-->Admininstration-->Certificate-->Certificate Authorities  Go to System -->Administration -->Time 

Thanks and Regards

Hi Bharat,

So we're experiencing this on a couple of devices running 18.5.2 MR-2-Build380.

The time on these devices are correct.

Im not sure what information you need for the 'Default' CA, however the information within does not reflect our circumstances, i.e. the Country Name is not the one they reside in. As a note though, we do not use the 'Default' certificate in Configure > VPN > Show VPN Settings (both appliances affected use custom, valid, certificates, and have done so far without issue in this regard).

ptho said:

Country Name is not the one they reside in.

Please share the snapshot  'Default' CA, which country it is showing by default now ?

If the information on Default CA is not proper try to update Default CA as per the below link and check if you are able to download the client from the user portal or not : 

https://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/tasks/DefaultCertificateAuthorityEdit.html 

Share the output, might you have to regenerate Appliance certificate as well to in case of not working after checking with Default CA 

https://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/tasks/RegeneratingCertificateAuthority.html 

I would suggest you check the issue with the latest firmware version refer to the link for the same  : 

https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-firewall-v19-mr1-re_2d00_release-build-365-is-now-available 

Thanks and Regards

please show a screenshot of backup+firmare/pattern updates

looking for status of SSLVPN Clients component

this link helps you to find out, if the files do even exist on your XG firewall:

community.sophos.com/.../ssl-vpn-client-downloads-are-not-being-generated

Above is the screenshot of the Pattern Updates pane. I'll check the link sent to see if I can determine the issue.

Hi Bharat,

Just a couple of questions here though. As before, the download works fine on a macOS device running in the same environment/Time/Zone as the Windows device. So changing the CA on the appliance wouldn't logically make a difference? And with  a custom certificate being used, how does this affect the Default CA?

I'm hesitant to make any changes to the Certificates as this may affect the many existing SSL VPN users whose service remains unaffected at present. And as with the above clarification, the downloads do appear to work on a different OS.

I've personally tried to replicate this as myself. On a Windows device it did not work, but on the macOS device it did. This was actioned within moments of the other.

Many Thanks

Yes, if any of these actions are performed which I mentioned, affected users will have to re-download their SSL VPN installation file to utilize the new certificate.

Take backup before making any changes.

How many users are connecting with a remote VPN? you can check the current status where the configuration is broken as per the steps : 

Check the /tmp partition on device

• Reference this KBA to access the device’s advanced shell:
  • Sophos XG Firewall: How to SSH to the firewall using PuTTY utility

  • Navigate to the /tmp partition and investigate if the following SSL VPN files are present

    • # cd tmp
    • # cd /content/sslvpn
    • # ls
      • Confirm if the following SSL VPN files are present in /content/sslvpn:
      • rw-rr- 1 1000 100 client-config-template.ovpn
      • rw-rr- 1 1000 100 111.1K  ssl-vpn-config-installer.exe
      • rw-rr- 1 1000 100 1.4M  ssl-vpn-client-installer.exe
      • rw-rr- 1 1000 100  U2DVERSION

SFVUNL_SO01_SFOS 19.0.# ls -larth

Check if the /tmp partition is full

• # df –h     

If files are not present, 

• Try performing a manual pattern update
• Backup & firmware > Pattern Updates > “Update Pattern” Click on update pattern now 

Share the status and output 

Regards

Yes, if any of these actions are performed which I mentioned, affected users will have to re-download their SSL VPN installation file to utilize the new certificate.

Take backup before making any changes.

How many users are connecting with a remote VPN? you can check the current status where the configuration is broken as per the steps : 

Check the /tmp partition on device

• Reference this KBA to access the device’s advanced shell:
  • Sophos XG Firewall: How to SSH to the firewall using PuTTY utility

  • Navigate to the /tmp partition and investigate if the following SSL VPN files are present

    • # cd tmp
    • # cd /content/sslvpn
    • # ls
      • Confirm if the following SSL VPN files are present in /content/sslvpn:
      • rw-rr- 1 1000 100 client-config-template.ovpn
      • rw-rr- 1 1000 100 111.1K  ssl-vpn-config-installer.exe
      • rw-rr- 1 1000 100 1.4M  ssl-vpn-client-installer.exe
      • rw-rr- 1 1000 100  U2DVERSION

SFVUNL_SO01_SFOS 19.0.# ls -larth

Check if the /tmp partition is full

• # df –h     

If files are not present, 

• Try performing a manual pattern update
• Backup & firmware > Pattern Updates > “Update Pattern” Click on update pattern now 

Share the status and output 

Regards

Hi Bharat,

We want to avoid having to have our users re download the client. Currently they're all working, and we can still have some users download the exe/config without issue. So as I say, it's sporadic and doesn't utilise the default CA as far as I understand, as the customer Certificate is in use.

I've SSH'd onto the XG appliance and there are all four files present as you mention. The permissions are slightly different, -rwxr-xr-x for the executables, but otherwise the same.

/tmp is showing as only 1% in use / 93.3M of 11.7G.

To reiterate, if an affected user tries another device, they can download the client. It would appear to be something to do with which client they are attempting to download from.

Hello ptho,

You can refer the following KBA below:
1.) Unable to download SSLVPN config from user portal: https://support.sophos.com/support/s/article/KB-000042043?language=en_US

download on such a client where it is not working with firefox and press F12 before to start the developer tools

Does it even load the js script to get the files? To me it looks like your client or browser does not like js from the userportal.

You wrote:

To reiterate, if an affected user tries another device, they can download the client. It would appear to be something to do with which client they are attempting to download from.

I would think this is no certificate issue on the FW. More an issue with AV software installed or strict script execution denial by the browser.