SSL VPN not connecting

Hello,

I have set up the SSL VPN but I cannot connect to it. When I try, the connection resets. Some logs that might perhaps help are below. Accessing the User Portal doesn't seem to be an issue, so I don't know what might be wrong.

Thanks in advance!

Side note: IPs and usernames have been removed and replaced with {}

On the UTM:


vpn-1 openvpn[9336]: {CLIENT IP ADDRESS}:24784 SIGUSR1[soft,connection-reset] received, client-instance restarting
vpn-1 openvpn[9336]: TCP connection established with [AF_INET]{ISP IP ADDRESS}:60864 (via [AF_INET]{SERVER IP ADDRESS}:443)
vpn-1 openvpn[9336]: {ISP IP ADDRESS}:60864 Non-OpenVPN client protocol detected
vpn-1 openvpn[9336]: {ISP IP ADDRESS}:60864 SIGTERM[soft,port-share-redirect] received, client-instance exiting
vpn-1 openvpn[9336]: TCP connection established with [AF_INET]{ISP ANOTHER IP ADDRESS}:50802 (via [AF_INET]{SERVER IP ADDRESS}:443)
vpn-1 openvpn[9336]: {ISP ANOTHER IP ADDRESS}:50802 Non-OpenVPN client protocol detected
vpn-1 openvpn[9336]: {ISP ANOTHER IP ADDRESS}:50802 SIGTERM[soft,port-share-redirect] received, client-instance exiting
vpn-1 openvpn[9336]: MANAGEMENT: Client connected from /var/run/openvpn_mgmt
vpn-1 openvpn[9336]: MANAGEMENT: CMD 'status -1'
vpn-1 openvpn[9336]: MANAGEMENT: Client disconnected
vpn-1 openvpn[9336]: TCP connection established with [AF_INET]{CLIENT IP ADDRESS}:28930 (via [AF_INET]{SERVER IP ADDRESS}:443)
vpn-1 openvpn[9336]: {CLIENT IP ADDRESS}:28930 TLS: Initial packet from [AF_INET]{CLIENT IP ADDRESS}:28930 (via [AF_INET]{SERVER IP ADDRESS}:443), sid=f09b225d 08e16e4c
vpn-1 openvpn[9336]: {CLIENT IP ADDRESS}:28930 Connection reset, restarting [-1]
vpn-1 openvpn[9336]: {CLIENT IP ADDRESS}:28930 SIGUSR1[soft,connection-reset] received, client-instance restarting

Client Side 1:


OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jun 25 2016
library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.09
Enter Management Password:
MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Need hold release from management interface, waiting...
MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
MANAGEMENT: CMD 'state on'
MANAGEMENT: CMD 'log all on'
MANAGEMENT: CMD 'hold off'
MANAGEMENT: CMD 'hold release'
MANAGEMENT: CMD 'username "Auth" "{USER}"'
MANAGEMENT: CMD 'password [...]'
Socket Buffers: R=[65536->65536] S=[65536->65536]
MANAGEMENT: >STATE:1482303961,RESOLVE,,,,,,
Attempting to establish TCP connection with [AF_INET]{SERVER IP ADDRESS}:443 [nonblock]
MANAGEMENT: >STATE:1482303961,TCP_CONNECT,,,,,,
TCP connection established with [AF_INET]{SERVER IP ADDRESS}:443
TCPv4_CLIENT link local: [undef]
TCPv4_CLIENT link remote: [AF_INET]{SERVER IP ADDRESS}:443
MANAGEMENT: >STATE:1482303962,WAIT,,,,,,
MANAGEMENT: >STATE:1482303962,AUTH,,,,,,
TLS: Initial packet from [AF_INET]{SERVER IP ADDRESS}:443, sid=280f400d fe17ec8c
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
Fatal TLS error (check_tls_errors_co), restarting
SIGUSR1[soft,tls-error] received, process restarting
MANAGEMENT: >STATE:1482303963,RECONNECTING,tls-error,,,,,
Restart pause, 5 second(s)
Socket Buffers: R=[65536->65536] S=[65536->65536]
MANAGEMENT: >STATE:1482303968,RESOLVE,,,,,,
Attempting to establish TCP connection with [AF_INET]{SERVER IP ADDRESS}:443 [nonblock]
MANAGEMENT: >STATE:1482303968,TCP_CONNECT,,,,,,
TCP connection established with [AF_INET]{SERVER IP ADDRESS}:443
TCPv4_CLIENT link local: [undef]
TCPv4_CLIENT link remote: [AF_INET]{SERVER IP ADDRESS}:443
MANAGEMENT: >STATE:1482303969,WAIT,,,,,,
MANAGEMENT: >STATE:1482303969,AUTH,,,,,,
TLS: Initial packet from [AF_INET]{SERVER IP ADDRESS}:443, sid=ecb6e4fa 5ea600ee
VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
Fatal TLS error (check_tls_errors_co), restarting
SIGUSR1[soft,tls-error] received, process restarting
MANAGEMENT: >STATE:1482303969,RECONNECTING,tls-error,,,,,
Restart pause, 5 second(s)
Socket Buffers: R=[65536->65536] S=[65536->65536]
MANAGEMENT: >STATE:1482303974,RESOLVE,,,,,,
Attempting to establish TCP connection with [AF_INET]{SERVER IP ADDRESS}:443 [nonblock]
MANAGEMENT: >STATE:1482303974,TCP_CONNECT,,,,,,
SIGTERM[hard,init_instance] received, process exiting
MANAGEMENT: >STATE:1482303975,EXITING,init_instance,,,,,

Client Side 2:


OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jun 25 2016
library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.09
Enter Management Password:
MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Need hold release from management interface, waiting...
MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
MANAGEMENT: CMD 'state on'
MANAGEMENT: CMD 'log all on'
MANAGEMENT: CMD 'hold off'
MANAGEMENT: CMD 'hold release'
MANAGEMENT: CMD 'username "Auth" "a-vasileiosg"'
MANAGEMENT: CMD 'password [...]'
Socket Buffers: R=[65536->65536] S=[65536->65536]
MANAGEMENT: >STATE:1482304343,RESOLVE,,,,,,
Attempting to establish TCP connection with [AF_INET]{SERVER IP ADDRESS}:443 [nonblock]
MANAGEMENT: >STATE:1482304343,TCP_CONNECT,,,,,,
TCP connection established with [AF_INET]{SERVER IP ADDRESS}:443
TCPv4_CLIENT link local: [undef]
TCPv4_CLIENT link remote: [AF_INET]{SERVER IP ADDRESS}:443
MANAGEMENT: >STATE:1482304344,WAIT,,,,,,
Connection reset, restarting [-1]
SIGUSR1[soft,connection-reset] received, process restarting
MANAGEMENT: >STATE:1482304345,RECONNECTING,connection-reset,,,,,
Restart pause, 5 second(s)
Socket Buffers: R=[65536->65536] S=[65536->65536]
MANAGEMENT: >STATE:1482304350,RESOLVE,,,,,,
Attempting to establish TCP connection with [AF_INET]{SERVER IP ADDRESS}:443 [nonblock]
MANAGEMENT: >STATE:1482304350,TCP_CONNECT,,,,,,
TCP connection established with [AF_INET]{SERVER IP ADDRESS}:443
TCPv4_CLIENT link local: [undef]
TCPv4_CLIENT link remote: [AF_INET]{SERVER IP ADDRESS}:443
MANAGEMENT: >STATE:1482304351,WAIT,,,,,,
SIGTERM[hard,] received, process exiting
MANAGEMENT: >STATE:1482304351,EXITING,SIGTERM,,,,,



  • So even though SSL VPN is running over port 443, clever firewalls can understand the application type and block it. Sophos is using OpenVPN for SSL VPN which may be blocked by clever Network and Security IT people.


    That was the issue and now it is solved.
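An added triage helper, not code from this thread or from Sophos: it runs signature matching over the log excerpts quoted above (the UTM log and the two client logs) and tells the two client failure modes apart. The first client log fails inside TLS with a certificate-chain verification error; the second never reaches TLS at all and is torn down by a bare TCP reset, which is the pattern that fits the application-aware firewall explanation given in the reply. The category names, verdict strings and excerpt constants are my own; the log lines are those from the thread, with the thread's {...} placeholders kept.

```python
import re
from collections import Counter

# Signatures of the OpenVPN log lines that appear in the thread above. Each
# regex is tried against a single line; the first match decides the category.
SIGNATURES = [
    ("cert_chain_verify_failed",
     re.compile(r"VERIFY ERROR: depth=(?P<depth>\d+), error=unable to get issuer certificate")),
    ("tls_handshake_failed", re.compile(r"TLS Error: TLS handshake failed")),
    ("tls_started", re.compile(r"TLS: Initial packet from")),
    ("connection_reset", re.compile(r"Connection reset, restarting")),
    # The UTM shares port 443 between OpenVPN and the User Portal; these two
    # lines are the port-share hand-off of non-OpenVPN traffic and are benign.
    ("port_share_redirect",
     re.compile(r"Non-OpenVPN client protocol detected|SIGTERM\[soft,port-share-redirect\]")),
]

# Verdict strings (my own naming) and what an admin should check for each.
EXPLANATIONS = {
    "CERT_CHAIN": "client cannot build the server certificate chain (issuer missing at the "
                  "reported depth); check the CA material shipped in the client config",
    "RESET_BEFORE_TLS": "TCP session reset before any TLS record was exchanged; consistent with "
                        "an application-aware firewall or proxy on the path identifying OpenVPN "
                        "on 443 and dropping it",
    "RESET_AFTER_TLS_START": "handshake began but the session was reset part-way; correlate with "
                             "the peer's log and with any middlebox on the path",
    "PORT_SHARE_ONLY": "only port-share redirects seen; these are non-OpenVPN clients (e.g. the "
                       "User Portal) and not a fault",
    "NO_KNOWN_SIGNATURE": "no signature from this table matched",
}


def classify_line(line):
    """Return (category, regex match) for a known signature, else (None, None)."""
    for name, rx in SIGNATURES:
        m = rx.search(line)
        if m:
            return name, m
    return None, None


def triage(log_text):
    """Count signature hits over a log excerpt and derive one verdict from them."""
    counts = Counter()
    depths = set()
    for line in log_text.splitlines():
        name, m = classify_line(line)
        if name is None:
            continue
        counts[name] += 1
        if name == "cert_chain_verify_failed":
            depths.add(int(m.group("depth")))
    if counts["cert_chain_verify_failed"]:
        verdict = "CERT_CHAIN"
    elif counts["connection_reset"] and not counts["tls_started"]:
        verdict = "RESET_BEFORE_TLS"
    elif counts["connection_reset"]:
        verdict = "RESET_AFTER_TLS_START"
    elif counts["port_share_redirect"]:
        verdict = "PORT_SHARE_ONLY"
    else:
        verdict = "NO_KNOWN_SIGNATURE"
    return {"verdict": verdict, "explanation": EXPLANATIONS[verdict],
            "counts": dict(counts), "depths": sorted(depths)}


# Excerpts copied from the thread above (placeholders as in the thread).
UTM_LOG = """\
vpn-1 openvpn[9336]: TCP connection established with [AF_INET]{ISP IP ADDRESS}:60864 (via [AF_INET]{SERVER IP ADDRESS}:443)
vpn-1 openvpn[9336]: {ISP IP ADDRESS}:60864 Non-OpenVPN client protocol detected
vpn-1 openvpn[9336]: {ISP IP ADDRESS}:60864 SIGTERM[soft,port-share-redirect] received, client-instance exiting
vpn-1 openvpn[9336]: {ISP ANOTHER IP ADDRESS}:50802 Non-OpenVPN client protocol detected
vpn-1 openvpn[9336]: {ISP ANOTHER IP ADDRESS}:50802 SIGTERM[soft,port-share-redirect] received, client-instance exiting
vpn-1 openvpn[9336]: {CLIENT IP ADDRESS}:28930 TLS: Initial packet from [AF_INET]{CLIENT IP ADDRESS}:28930 (via [AF_INET]{SERVER IP ADDRESS}:443), sid=f09b225d 08e16e4c
vpn-1 openvpn[9336]: {CLIENT IP ADDRESS}:28930 Connection reset, restarting [-1]
vpn-1 openvpn[9336]: {CLIENT IP ADDRESS}:28930 SIGUSR1[soft,connection-reset] received, client-instance restarting
"""

CLIENT_LOG_1 = """\
TLS: Initial packet from [AF_INET]{SERVER IP ADDRESS}:443, sid=280f400d fe17ec8c
VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting
"""

CLIENT_LOG_2 = """\
TCP connection established with [AF_INET]{SERVER IP ADDRESS}:443
MANAGEMENT: >STATE:1482304344,WAIT,,,,,,
Connection reset, restarting [-1]
SIGUSR1[soft,connection-reset] received, process restarting
"""

if __name__ == "__main__":
    for label, text in (("UTM", UTM_LOG), ("client 1", CLIENT_LOG_1), ("client 2", CLIENT_LOG_2)):
        r = triage(text)
        print(f"{label}: {r['verdict']} {r['counts']} -> {r['explanation']}")
```

The verdict order matters: a certificate-chain error is reported ahead of any reset because the reset that follows it in the first client log is only the client tearing down its own failed handshake, whereas a reset with no TLS record at all, as in the second client log, points at the path rather than at either endpoint's configuration.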