Guest User!

You are not Sophos Staff.

Thread Info
  • Replies 12 replies
  • Subscribers 37 subscribers
  • Views 20099 views
  • Users 0 members are here
Options
Suggested

Sophos Firewall: Troubleshooting 0 Byte SSL VPN File

FloSupport

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Hi Community,

In certain user situations, the SSL VPN Client download may incorrectly be presented as a 0 byte download from the User Portal.

This Community post outlines several troubleshooting suggestions.

Ensure the default / custom CA details are properly configured

  • Is a custom CA being used?
    • If so, does the issue occur if the default self-signed certificate is used instead?

If using the default self-signed certificate resolves the issue, please verify the custom CA is properly assembled (proper signing CA, etc.)

User Certificate Generation is failing

To regenerate an individual user's SSL VPN certificate, you will have to navigate on the XG GUI and delete their user certificate (Certificates > Certificates)

    • Their user certificate will then be regenerated the next time the user signs into the XG User Portal and downloads their SSL VPN Configuration.

If you are still experiencing issues, you can regenerate the Default CA by navigating to Certificates > Certificate Authorities
This will force the regeneration of all SSL VPN user certificates and will also restart the SSL VPN service.

Note: that if any of these actions are performed, affected users will have to re-download their SSL VPN installation file to utilize the new certificate.

Check the /tmp partition on device

Navigate to the /tmp partition and investigate if the following SSL VPN files are present

  • # cd tmp
  • # cd /content/sslvpn
  • # ls
    • Confirm if the following SSL VPN files are present in /content/sslvpn:
    • rw-rr- 1 1000 100 413 Apr 24 2015 client-config-template.ovpn
    • rw-rr- 1 1000 100 111.1K Jun 17 19:35 ssl-vpn-config-installer.exe
    • rw-rr- 1 1000 100 1.4M Jun 17 19:35 ssl-vpn-client-installer.exe
    • rw-rr- 1 1000 100 72 Jun 17 19:49 U2DVERSION

If files are not present, try to manually update patterns for SSL VPN Module

  • If patterns fail to update, please contact Sophos Support

Check if the /tmp partition is full

  • # df –h
    • If full, please content Sophos Support for further assistance

Update the device’s patterns

 

Regards,



Edited TAGs for test
[edited by: emmosophos at 9:50 PM (GMT -7) on 13 Sep 2024]

  • Hello,

    the /content/sslvpn is not at /tmp you can find it at / (/content/sslvpn).

    On one of our Sophos XG the symlink was pointing to /content/sslvpn_1.01/0 and the directory "0" was not present" 

  • Hello,

    Thank you for the guide. It pointed me good direction. In my case, the problem was, that the symbolic link /content/sslvpn was broken. It was pointing to not existing directory /content/sslvpn_1.01/0 and it was supposed to point to /content/sslvpn_1.01/1.0.008/

    Commands to check the symbolic link and fix the issue in Advanced shell:

    Directories with installed Patterns:

    SG310_WP01_SFOS 17.5.14 MR-14-1# ls -ald /content/sslvpn_*/*
drwxr-xr-x    2 root     0             1024 Jan  2  2020 /content/sslvpn_1.00/1.0.007
drwxr-xr-x    2 root     0             1024 Nov 26 10:27 /content/sslvpn_1.01/1.0.008

    Get where symbolic is pointing if it exists. It should point to one of the directories with installed Patterns, so:

    SG310_WP01_SFOS 17.5.14 MR-14-1# ls -altr /content/sslvpn
lrwxrwxrwx    1 root     0               29 Nov 26 10:27 /content/sslvpn -> /content/sslvpn_1.01/1.0.008/

    In my case, the symbolic link existed, but was not correct:

    SG310_WP01_SFOS 17.5.14 MR-14-1# ls -altr /content/sslvpn
lrwxrwxrwx    1 root     0               22 Sep 10 20:48 sslvpn -> /content/sslvpn_1.01/0

    To fix this situation, I deleted old symbolic link and created new one:

    SG310_WP01_SFOS 17.5.14 MR-14-1# cd /content/
SG310_WP01_SFOS 17.5.14 MR-14-1# rm sslvpn
SG310_WP01_SFOS 17.5.14 MR-14-1# ln -s /content/sslvpn_1.01/1.0.008/ sslvpn

    BTW: The problem with 0Byte SSL VPN File was noticed after switching Cluster from Primary to Auxiliary appliance. The symbolic link was broken just on the appliance that was Auxiliary during Pattern update.     

    I hope this will help to someone.

  • in reply to Lukas Kacer

    Thank you!  Almost had Support getting us to regen CA and purge files etc ..

  • in reply to Lukas Kacer

    Thank very much, its worked fine for me.
    I did have same problem, in upgrade XG 17.5 MR5 to 17.5 MR15.
    Regards;

  • Doesnt work. We have this error while generating Config:

    2021-09-19 15:25:49,927:ERROR:CSC - Exception in getStatusFromResponse() :java.lang.NumberFormatException: For input string: ""java.lang.NumberFormatException: For input string: ""
    at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
    at java.lang.Integer.parseInt(Integer.java:592)
    at java.lang.Integer.parseInt(Integer.java:615)
    at cyberoam.corporate.csc.client.CSCClient.getStatusFromResponse(CSCClient.java:623)
    at cyberoam.corporate.csc.client.CSCClient.sendUDP(CSCClient.java:459)
    at cyberoam.corporate.csc.client.CSCClient._send(CSCClient.java:402)
    at cyberoam.corporate.csc.client.CSCClient.send(CSCClient.java:147)
    at cyberoam.corporate.csc.client.CSCClient.sendWizardEvent(CSCClient.java:1097)
    at cyberoam.corporate.csc.client.CSCClient.sendWizardEvent(CSCClient.java:949)
    at org.apache.jsp.webpages.sslvpnuserportal.clientdownload_jsp._jspService(clientdownload_jsp.java:301)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:873)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1623)
    at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:214)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
    at cyberoam.utilities.csrf.CSRFCheckFilter.doFilter(CSRFCheckFilter.java:171)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
    at cyberoam.sessionmanagement.SessionCheckHelper.filter(SessionCheckHelper.java:109)
    at cyberoam.sessionmanagement.SessionCheckFilter.doFilter(SessionCheckFilter.java:64)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1602)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1701)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1668)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:220)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.Server.handle(Server.java:502)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
    at java.lang.Thread.run(Thread.java:748)

    2021-09-19 15:25:49,928:ERROR:SSL VPN - Exception while preparing download of SSLVPN/auth clients: java.lang.StringIndexOutOfBoundsException: String index out of range: -1
    at java.lang.String.substring(String.java:1960)
    at org.apache.jsp.webpages.sslvpnuserportal.clientdownload_jsp._jspService(clientdownload_jsp.java:307)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:873)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1623)
    at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:214)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
    at cyberoam.utilities.csrf.CSRFCheckFilter.doFilter(CSRFCheckFilter.java:171)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
    at cyberoam.sessionmanagement.SessionCheckHelper.filter(SessionCheckHelper.java:109)
    at cyberoam.sessionmanagement.SessionCheckFilter.doFilter(SessionCheckFilter.java:64)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1602)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1701)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1668)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:220)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.Server.handle(Server.java:502)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
    at java.lang.Thread.run(Thread.java:748)

  • in reply to Yunus Tuncer

    Hello Yunus Tuncer,

    Thank you for reaching out to the Sophos Community. 

    Is it possible for you to confirm which version of XG device you are using, as well as the firmware? 

    Thank you,
    Kushal Lakhan
    Global Community Support Engineer | Global Community Team
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link. 

    Kushal Lakhan
    Global Community Support Engineer
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Unfiltered HTML