
SSL VPN Client Reconnecting Error

Hi,

 

I am setting up a new Sophos XG 330. I have set up VPN already and I have downloaded the config file and installer via the user portal. But once I connect to SSL VPN, the connection is looping / resetting. Please see screenshot below:

 

Do I need to unblock something?

 

Thanks.

 

Desmond



  • Desmond,

    Did you configure the override hostname on ssl vpn under vpn > vpn settings?

    It seems you are not using a public IP in the SSL VPN config.

    Thanks

  • Hey Luk,

     

    I filled out the override hostname but still the same loop:

     

     

    Here are the event logs:

     

    Sat Jul 08 22:44:55 2017 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jul 3 2017
    Sat Jul 08 22:44:55 2017 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.09
    Enter Management Password:
    Sat Jul 08 22:44:55 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Sat Jul 08 22:44:55 2017 Need hold release from management interface, waiting...
    Sat Jul 08 22:44:55 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Sat Jul 08 22:44:55 2017 MANAGEMENT: CMD 'state on'
    Sat Jul 08 22:44:55 2017 MANAGEMENT: CMD 'log all on'
    Sat Jul 08 22:44:55 2017 MANAGEMENT: CMD 'hold off'
    Sat Jul 08 22:44:55 2017 MANAGEMENT: CMD 'hold release'
    Sat Jul 08 22:45:01 2017 MANAGEMENT: CMD 'username "Auth" "d.besa_adm"'
    Sat Jul 08 22:45:01 2017 MANAGEMENT: CMD 'password [...]'
    Sat Jul 08 22:45:01 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Sat Jul 08 22:45:01 2017 Attempting to establish TCP connection with [AF_INET]45.125.171.16:8443 [nonblock]
    Sat Jul 08 22:45:01 2017 MANAGEMENT: >STATE:1499510701,TCP_CONNECT,,,,,,
    Sat Jul 08 22:45:02 2017 TCP connection established with [AF_INET]45.125.171.16:8443
    Sat Jul 08 22:45:02 2017 TCPv4_CLIENT link local: [undef]
    Sat Jul 08 22:45:02 2017 TCPv4_CLIENT link remote: [AF_INET]45.125.171.16:8443
    Sat Jul 08 22:45:02 2017 MANAGEMENT: >STATE:1499510702,WAIT,,,,,,
    Sat Jul 08 22:45:02 2017 MANAGEMENT: >STATE:1499510702,AUTH,,,,,,
    Sat Jul 08 22:45:02 2017 TLS: Initial packet from [AF_INET]45.125.171.16:8443, sid=50f53c5e 202b906f
    Sat Jul 08 22:45:02 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Sat Jul 08 22:45:03 2017 VERIFY OK: depth=1, C=GB, ST=Oxfordshire, L=Abingdon, O=Sophos, OU=OU, CN=Sophos_CA, emailAddress=support@sophos.com
    Sat Jul 08 22:45:03 2017 VERIFY X509NAME OK: C=NZ, ST=Auckland, L=Auckland, O=StretchSense, Ltd., OU=OU, CN=SophosApplianceCertificate_C31056MMF98W2D8, emailAddress=it@stretchsense.co.nz
    Sat Jul 08 22:45:03 2017 VERIFY OK: depth=0, C=NZ, ST=Auckland, L=Auckland, O=StretchSense, Ltd., OU=OU, CN=SophosApplianceCertificate_C31056MMF98W2D8, emailAddress=it@stretchsense.co.nz
    Sat Jul 08 22:45:03 2017 Connection reset, restarting [0]
    Sat Jul 08 22:45:03 2017 SIGUSR1[soft,connection-reset] received, process restarting
    Sat Jul 08 22:45:03 2017 MANAGEMENT: >STATE:1499510703,RECONNECTING,connection-reset,,,,,
    Sat Jul 08 22:45:03 2017 Restart pause, 5 second(s)
    Sat Jul 08 22:45:08 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Sat Jul 08 22:45:08 2017 Attempting to establish TCP connection with [AF_INET]10.255.0.1:8443 [nonblock]
    Sat Jul 08 22:45:08 2017 MANAGEMENT: >STATE:1499510708,TCP_CONNECT,,,,,,

     

     

    I never had this issue before in setting up VPN in the demo unit which is XG 135w. Is this caused by the new firmware and SSL VPN Client?

     

    Thanks.

     

    Desmond

  • Desmond,

    make sure to download the SSL vpn config again from user portal.

    Regards

  • I did. Still the same issue. I guess there's no problem with the AD authentication because I can log in to the User Portal using my AD credentials with no issues at all. Hmmm...

  • Hello Desmond,


    I am using UDP without problems for SSL VPN transmission on XG. Can you experiment with UDP?
    Second thing: do you have a VPN firewall rule for LAN / DMZ / etc. which has the VPN zone and the network ## ALL_SSLVPN_RW as source, e.g.?
    Also check the VPN client, eg a newer version of OpenVPN 2.4.2 x86_64-w64-mingw32.
    I assume you have configured "default" in Certificate Authorities.

    Regards
    Jan

  • Hi Jan,

     

    Thanks for replying. I will try UDP.

     

    Here are my FW Rules

     

    Yes I have configured default in Certificate Authorities.

     

    Thanks,

  • Hi, Desmond,

    I see that you have a fully open firewall. Probably for the test. The WANtoVPN rule is not needed. From the log that you presented earlier, I conclude that there is probably a problem with the certificates associated with the user. You should check them and maybe regenerate them. Below I present working definitions and logs from my XG. Maybe something will help you. If users are imported from Windows AD then you need to check whether they have permission to access the SSL VPN channel (user and group).

     SSL VPN Settings:

    VPN to LAN Rule:

    Working log:

    Sat Jul 08 20:44:25 2017 OpenVPN 2.4.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on May 11 2017
    Sat Jul 08 20:44:25 2017 Windows version 6.2 (Windows 8 or greater) 64bit
    Sat Jul 08 20:44:25 2017 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.10
    Enter Management Password:
    Sat Jul 08 20:44:25 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25345
    Sat Jul 08 20:44:25 2017 Need hold release from management interface, waiting...
    Sat Jul 08 20:44:25 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25345
    Sat Jul 08 20:44:25 2017 MANAGEMENT: CMD 'state on'
    Sat Jul 08 20:44:25 2017 MANAGEMENT: CMD 'log all on'
    Sat Jul 08 20:44:25 2017 MANAGEMENT: CMD 'echo all on'
    Sat Jul 08 20:44:25 2017 MANAGEMENT: CMD 'hold off'
    Sat Jul 08 20:44:25 2017 MANAGEMENT: CMD 'hold release'
    Sat Jul 08 20:44:31 2017 MANAGEMENT: CMD 'username "Auth" "jsa"'
    Sat Jul 08 20:44:31 2017 MANAGEMENT: CMD 'password [...]'
    Sat Jul 08 20:44:31 2017 WARNING: No server certificate verification method has been enabled.  See openvpn.net/howto.html for more info.
    Sat Jul 08 20:44:31 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:8443
    Sat Jul 08 20:44:31 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Sat Jul 08 20:44:31 2017 UDP link local: (not bound)
    Sat Jul 08 20:44:31 2017 UDP link remote: [AF_INET]x.x.x.x:8443
    Sat Jul 08 20:44:31 2017 MANAGEMENT: >STATE:1499539471,WAIT,,,,,,
    Sat Jul 08 20:44:32 2017 MANAGEMENT: >STATE:1499539472,AUTH,,,,,,
    Sat Jul 08 20:44:32 2017 TLS: Initial packet from [AF_INET]x.x.x.x:8443, sid=0b1ec8e4 336be055
    Sat Jul 08 20:44:32 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Sat Jul 08 20:44:32 2017 VERIFY OK: depth=1, C=GB, ST=Oxfordshire, L=Abingdon, O=Sophos, OU=OU, CN=Sophos_CA, emailAddress=support@sophos.com
    Sat Jul 08 20:44:32 2017 VERIFY OK: depth=0, C=GB, ST=Oxfordshire, L=Abingdon, O=Sophos, OU=OU, CN=SophosApplianceCertificate_C1503CD39MMMF00, emailAddress=support@sophos.com
    Sat Jul 08 20:44:33 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Sat Jul 08 20:44:33 2017 [SophosApplianceCertificate_C1503CD39MMMF00] Peer Connection Initiated with [AF_INET]x.x.x.x:8443
    Sat Jul 08 20:44:34 2017 MANAGEMENT: >STATE:1499539474,GET_CONFIG,,,,,,
    Sat Jul 08 20:44:34 2017 SENT CONTROL [SophosApplianceCertificate_C1503CD39MMMF00]: 'PUSH_REQUEST' (status=1)
    Sat Jul 08 20:44:39 2017 SENT CONTROL [SophosApplianceCertificate_C1503CD39MMMF00]: 'PUSH_REQUEST' (status=1)
    Sat Jul 08 20:44:39 2017 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.81.234.5,ping 45,ping-restart 180,route 192.168.10.0 255.255.255.0,route 192.168.10.110 255.255.255.255,route 192.168.10.101 255.255.255.255,route 192.168.10.70 255.255.255.255,route 192.168.10.71 255.255.255.255,route 192.168.10.5 255.255.255.255,topology subnet,route remote_host 255.255.255.255 net_gateway,inactive 1800 15360,ifconfig 10.81.234.6 255.255.255.0'
    Sat Jul 08 20:44:39 2017 OPTIONS IMPORT: timers and/or timeouts modified
    Sat Jul 08 20:44:39 2017 OPTIONS IMPORT: --ifconfig/up options modified
    Sat Jul 08 20:44:39 2017 OPTIONS IMPORT: route options modified
    Sat Jul 08 20:44:39 2017 OPTIONS IMPORT: route-related options modified
    Sat Jul 08 20:44:39 2017 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Sat Jul 08 20:44:39 2017 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Sat Jul 08 20:44:39 2017 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Sat Jul 08 20:44:39 2017 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Sat Jul 08 20:44:39 2017 interactive service msg_channel=592
    Sat Jul 08 20:44:39 2017 ROUTE_GATEWAY 192.168.130.1/255.255.255.0 I=20 HWADDR=24:77:03:43:73:84
    Sat Jul 08 20:44:39 2017 open_tun
    Sat Jul 08 20:44:39 2017 TAP-WIN32 device [Ethernet] opened: \\.\Global\{2DF0D577-3E66-4377-B801-8EFA6B9ADBF8}.tap
    Sat Jul 08 20:44:39 2017 TAP-Windows Driver Version 9.21
    Sat Jul 08 20:44:39 2017 Set TAP-Windows TUN subnet mode network/local/netmask = 10.81.234.0/10.81.234.6/255.255.255.0 [SUCCEEDED]
    Sat Jul 08 20:44:39 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.81.234.6/255.255.255.0 on interface {2DF0D577-3E66-4377-B801-8EFA6B9ADBF8} [DHCP-serv: 10.81.234.254, lease-time: 31536000]
    Sat Jul 08 20:44:39 2017 Successful ARP Flush on interface [7] {2DF0D577-3E66-4377-B801-8EFA6B9ADBF8}
    Sat Jul 08 20:44:39 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Sat Jul 08 20:44:39 2017 MANAGEMENT: >STATE:1499539479,ASSIGN_IP,,10.81.234.6,,,,
    Sat Jul 08 20:44:43 2017 TEST ROUTES: 7/7 succeeded len=7 ret=1 a=0 u/d=up
    Sat Jul 08 20:44:43 2017 MANAGEMENT: >STATE:1499539483,ADD_ROUTES,,,,,,
    Sat Jul 08 20:44:43 2017 C:\WINDOWS\system32\route.exe ADD 192.168.10.0 MASK 255.255.255.0 10.81.234.5
    Sat Jul 08 20:44:43 2017 Route addition via service succeeded
    ......

    Regards
    Jan
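
The two logs in this thread (Desmond's looping TCP session above and Jan's working UDP session here) differ in three places a reader can check mechanically: which remote the client dials, whether the server is presented as a private or public address, and whether the session gets past "VERIFY OK" to a "Control Channel:" line. The script below is an added example, not code from Sophos or from anyone in the thread; it parses trimmed excerpts of both logs (embedded as constructed sample input copied from the posts above) and reports those checks. The hostname/address classification relies on Python's ipaddress module; the "x.x.x.x" placeholder in the working log is treated as an unresolved name rather than an address.

```python
"""Analyse OpenVPN client log excerpts of the kind posted in this thread:
which remote the client dialled, how far the TLS handshake got, and what a
reset right after certificate verification points to."""
import ipaddress
import re
from dataclasses import dataclass, field

# Timestamp prefix as written by the Windows OpenVPN GUI, e.g. "Sat Jul 08 22:44:55 2017 ..."
LINE_RE = re.compile(r"^\w{3} \w{3} \d\d \d\d:\d\d:\d\d \d{4} (?P<msg>.*)$")
# Remote endpoint of a TCP connect attempt or of a UDP link
REMOTE_RE = re.compile(
    r"(?:TCP connection with|UDP link remote:) \[AF_INET\](?P<host>[^:\s\]]+):(?P<port>\d+)")


@dataclass
class Analysis:
    remotes: list = field(default_factory=list)  # (host, port, kind) in dial order
    server_cert_verified: bool = False           # "VERIFY OK: depth=0" seen this attempt
    tls_completed: bool = False                  # "Control Channel:" seen this attempt
    push_reply: bool = False                     # PUSH_REPLY received
    resets: int = 0                              # "Connection reset, restarting" lines
    reset_after_verify: bool = False             # reset between VERIFY OK and Control Channel
    findings: list = field(default_factory=list)


def classify_host(host):
    """'public', 'private' (RFC 1918 etc.), or 'name-or-redacted' (FQDN or x.x.x.x placeholder)."""
    try:
        return "private" if ipaddress.ip_address(host).is_private else "public"
    except ValueError:
        return "name-or-redacted"


def analyse(log_text):
    a = Analysis()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skips "Enter Management Password:" and the "......" ellipsis
        msg = m.group("msg")
        r = REMOTE_RE.search(msg)
        if r and (r.group("host"), r.group("port")) not in {(h, p) for h, p, _ in a.remotes}:
            a.remotes.append((r.group("host"), r.group("port"), classify_host(r.group("host"))))
        if msg.startswith("VERIFY OK: depth=0"):
            a.server_cert_verified = True
        elif msg.startswith("Control Channel:"):
            a.tls_completed = True
        elif "PUSH_REPLY" in msg:
            a.push_reply = True
        elif msg.startswith("Connection reset, restarting"):
            a.resets += 1
            if a.server_cert_verified and not a.tls_completed:
                a.reset_after_verify = True
        elif "process restarting" in msg:
            a.server_cert_verified = a.tls_completed = False  # new attempt starts over
    private = [h for h, _, k in a.remotes if k == "private"]
    if private:
        a.findings.append(f"client dials private address(es) {private}: the profile carries an "
                          "internal interface IP; set Override hostname and re-download the profile")
    if len({h for h, _, _ in a.remotes}) > 1:
        a.findings.append("profile cycles through several remote entries, so a reachable but wrong "
                          "remote keeps the loop going")
    if a.reset_after_verify:
        a.findings.append("server presented a valid chain, then reset before the control channel "
                          "came up: the firewall side rejected the session (user certificate or "
                          "SSL VPN permission); check the server-side SSL VPN log and regenerate")
    if a.tls_completed and a.push_reply and a.resets == 0:
        a.findings.append("healthy: TLS established and PUSH_REPLY received")
    return a


# Constructed sample input: trimmed copies of the two logs posted in this thread.
FAILING_LOG = """\
Sat Jul 08 22:44:55 2017 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jul 3 2017
Enter Management Password:
Sat Jul 08 22:45:01 2017 Attempting to establish TCP connection with [AF_INET]45.125.171.16:8443 [nonblock]
Sat Jul 08 22:45:02 2017 TCP connection established with [AF_INET]45.125.171.16:8443
Sat Jul 08 22:45:03 2017 VERIFY OK: depth=1, C=GB, ST=Oxfordshire, L=Abingdon, O=Sophos, OU=OU, CN=Sophos_CA
Sat Jul 08 22:45:03 2017 VERIFY OK: depth=0, C=NZ, ST=Auckland, O=StretchSense, Ltd., CN=SophosApplianceCertificate_C31056MMF98W2D8
Sat Jul 08 22:45:03 2017 Connection reset, restarting [0]
Sat Jul 08 22:45:03 2017 SIGUSR1[soft,connection-reset] received, process restarting
Sat Jul 08 22:45:03 2017 Restart pause, 5 second(s)
Sat Jul 08 22:45:08 2017 Attempting to establish TCP connection with [AF_INET]10.255.0.1:8443 [nonblock]
"""

WORKING_LOG = """\
Sat Jul 08 20:44:25 2017 OpenVPN 2.4.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on May 11 2017
Sat Jul 08 20:44:31 2017 UDP link remote: [AF_INET]x.x.x.x:8443
Sat Jul 08 20:44:32 2017 VERIFY OK: depth=1, C=GB, ST=Oxfordshire, L=Abingdon, O=Sophos, OU=OU, CN=Sophos_CA
Sat Jul 08 20:44:32 2017 VERIFY OK: depth=0, C=GB, ST=Oxfordshire, L=Abingdon, O=Sophos, OU=OU, CN=SophosApplianceCertificate_C1503CD39MMMF00
Sat Jul 08 20:44:33 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sat Jul 08 20:44:39 2017 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.81.234.5,ifconfig 10.81.234.6 255.255.255.0'
Sat Jul 08 20:44:43 2017 Route addition via service succeeded
......
"""

if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        result = analyse(log)
        print(name, result.remotes)
        for finding in result.findings:
            print("  -", finding)
```

On the failing excerpt the script reports a public first remote, a second private remote (10.255.0.1), and a reset that lands between the server certificate check and the control channel, which is the pattern Jan reads as a certificate problem on the user side rather than a transport problem; the working excerpt reports a single remote and a completed handshake.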

  • Hey Jan,

     

    Yah it is lol. It's just an initial setup. I'm still gonna do some tidying up to secure the firewall properly. Anyway, I think I was able to figure it out. You were right, it was about the Certificate Authorization. Thanks for the prompt reply. I really appreciate all the help and patience. Btw, do you recommend any Firewall Rules best practices for Sophos?

     

    Thanks.

  • I encountered this issue several times. Certificate generation does not work. I guess it is a bug under certain circumstances.

    For the vpn, create a vpn to LAN rule where you allow the protocols you need towards the internal services.

    Keep in mind that you must be restrictive. The more restrictive you are, the safer you are.

    Thanks

  • Yah. I am still doing sweeps on the rules. Thanks for everything. 

     

    D