Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 10 replies
  • Subscribers 1 subscriber
  • Views 3912 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Cannot enable Cisco VPN Remote Access

lawler
I cannot seem to enable the Cisco VPN Client option on my UTM. When I go to Remote Access > Cisco VPN Client everything is grey-ed out because it's disabled. However, when I attempt to enable Cisco VPN remote access, an information box pops up with the following message:  "No users have Cisco VPN client remote access". I click ok and it remains disabled.

I'm running version 9.309-3 and nothing is showing up under the IPsec VPN logs. I restarted the UTM, but that didn't fix the problem.

I had this feature enabled in the past and it worked fine. About a month ago I disabled it and deleted the user accounts associated with it. I assume I wouldn't have to remove the users from the Cisco VPN User and Groups list before deleting them from the UTM.

I can enable and disable every other remote access category. I'm currently using IPsec with the Sophos IPsec Client and it's working fine.

Any suggestions to fix this?


This thread was automatically locked due to age.
  • 0
    It sounds like you've uncovered a bug.  If this is not a home-use license, please have your reseller open a ticket with Sophos Support.

    We can repair your config at the command line, but we first need to know what's in it.  To get the REF of the Cisco profile, as root:

    cc
    remote_access
    cisco$
    exit


    Highlight the REF, type "cc get_object " without the quotes, right-click to copy the REF to the command line and hit [enter].  Can you confirm that the field 'aaa' is empty?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Hello! I have the same issue with my config.

    Here is the output : 

    sophos:/root # cc get_object REF_IpsRoaForTestToInter

    {

              'autoname' => 1,

              'class' => 'ipsec_connection',

              'data' => {

                          'aaa' => [],

                          'auto_pf_in' => '',

                          'auto_pf_out' => '',

                          'auto_pfrule' => 1,

                          'certificate' => 'REF_gzjPwSXtVfsa',

                          'comment' => '',

                          'interface' => 'REF_IntPppExternaWan',

                          'ip_assignment_pool' => 'REF_DefaultCiscoRWPool',

                          'iphone_connection_name' => 'Home (IPsec)',

                          'iphone_hostname' => '',

                          'iphone_ondemand_domains' => [],

                          'iphone_ondemand_enabled' => 0,

                          'iphone_ondemand_type' => 'OnDemandMatchDomainsOnRetry',

                          'iphone_status' => 1,

                          'name' => 'to Internal (Network)',

                          'networks' => [

                                          'REF_DefaultInternalNetwork'

                                        ],

                          'status' => 0

                        },

              'hidden' => 0,

              'lock' => '',

              'nodel' => '',

              'ref' => 'REF_IpsRoaForTestToInter',

              'type' => 'roadwarrior_cisco'

            }






    It sounds like you've uncovered a bug.  If this is not a home-use license, please have your reseller open a ticket with Sophos Support.

    We can repair your config at the command line, but we first need to know what's in it.  To get the REF of the Cisco profile, as root:

    cc
    remote_access
    cisco$
    exit


    Highlight the REF, type "cc get_object " without the quotes, right-click to copy the REF to the command line and hit [enter].  Can you confirm that the field 'aaa' is empty?

    Cheers - Bob
  • 0
    Hi, and welcome to the User BB!.

    Now that we've confirmed that the field is empty, let'e get the ref for your user name:

    cc get_object_by_name 'aaa' 'user' 'li442il'


    With that, we find the ref we needed: 'REF_AaaUseli442il'.  Now that we know the ref, we can add it to 'aaa' in the Cisco profile:

    cc change_object REF_IpsRoaForTestToInter aaa 'REF_AaaUseli442il'


    Let's check our work:

    cc get_object REF_IpsRoaForTestToInter


    Did that work for you?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Here is the output for the 1st command : 

    sophos:/root # cc get_object_by_name 'aaa' 'user' 'li442il'

    {

              'autoname' => 0,

              'class' => 'aaa',

              'data' => {

                          'acc_managed' => 0,

                          'allowed_networks' => [

                                                  'REF_NetworkAny'

                                                ],

                          'authentication' => 'local',

                          'backend_update' => 0,

                          'clearpass' => '',

                          'comment' => '',

                          'email_primary' => 'email@email.com',

                          'email_secondary' => [],

                          'enabled' => 1,

                          'lastauth_backend' => 'local',

                          'lastauth_facility' => 'portal',

                          'lastauth_time' => '1427576067',

                          'loc' => 'english',

                          'md4hash' => 'ba......,

                          'name' => 'li442il',

                          'network' => 'REF_NetAaaLi442UserNetwo',

                          'pop3_accounts' => [],

                          'ras_ip' => '0.0.0.0',

                          'ras_online' => 0,

                          'realname' => 'li442il',

                          'sender_blacklist' => [],

                          'sender_whitelist' => [],

                          'status' => 1,

                          'use_ras_ip' => 0,

                          'user_preferences' => '',

                          'x509_cert' => 'REF_IpsX502',

                          'x509_cert_gost' => ''

                        },

              'hidden' => 0,

              'lock' => '',

              'nodel' => '',

              'ref' => 'REF_AaaUseLi442il',

              'type' => 'user'

            }


    Here is the output for the 2nd : 

    sophos:/root # cc change_object REF_IpsRoaForTestToInter aaa 'REF_AaaUseli442il'

    0

    {

              'Aattrs' => [

                            'class',

                            'type',

                            'attr'

                          ],

              'Cattrs' => [

                            'goodclass'

                          ],

              'Oattrs' => [

                            'class',

                            'type'

                          ],

              'attr' => 'aaa',

              'attrs' => [],

              'badref' => 'REF_AaaUseli442il',

              'check' => 'input',

              'class' => 'ipsec_connection',

              'fatal' => 0,

              'format' => 'The %_O object needs %_C objects for the %_A attribute.',

              'goodclass' => 'aaa',

              'msgtype' => 'OBJECT_OBJECT_BADREF',

              'name' => 'The Cisco VPN client connection object needs user and group objects for the allowed user and group list attribute.',

              'never_hide' => 0,

              'ref' => 'REF_IpsRoaForTestToInter',

              'type' => 'roadwarrior_cisco'

            }

    {

              'attr' => 'aaa',

              'attrs' => [

                           'number',

                           'remove'

                         ],

              'check' => 'input',

              'class' => 'ipsec_connection',

              'fatal' => undef,

              'format' => 'Removing %d invalid element(s) \'%s\' from the list.',

              'msgtype' => 'DATATYPE_ARRAY_ELEMENT',

              'name' => 'Removing 1 invalid element(s) \'REF_AaaUseli442il\' from the list.',

              'never_fatal' => 1,

              'never_hide' => 0,

              'number' => 1,

              'ref' => 'REF_IpsRoaForTestToInter',

              'remove' => 'REF_AaaUseli442il',

              'type' => 'roadwarrior_cisco'

            }

    ¸

    3rd command : 

    sophos:/root # cc get_object REF_IpsRoaForTestToInter

    {

              'autoname' => 1,

              'class' => 'ipsec_connection',

              'data' => {

                          'aaa' => [],

                          'auto_pf_in' => '',

                          'auto_pf_out' => '',

                          'auto_pfrule' => 1,

                          'certificate' => 'REF_gzjPwSXtVfsa',

                          'comment' => '',

                          'interface' => 'REF_IntPppExternaWan',

                          'ip_assignment_pool' => 'REF_DefaultCiscoRWPool',

                          'iphone_connection_name' => 'Home (IPsec)',

                          'iphone_hostname' => '',

                          'iphone_ondemand_domains' => [],

                          'iphone_ondemand_enabled' => 0,

                          'iphone_ondemand_type' => 'OnDemandMatchDomainsOnRetry',

                          'iphone_status' => 1,

                          'name' => 'to Internal (Network)',

                          'networks' => [

                                          'REF_DefaultInternalNetwork'

                                        ],

                          'status' => 0

                        },

              'hidden' => 0,

              'lock' => '',

              'nodel' => '',

              'ref' => 'REF_IpsRoaForTestToInter',

              'type' => 'roadwarrior_cisco'

            }


    It's not working, I have the same error message :

    "No users have Cisco VPN client remote access"
  • 0
    That works fine here.  Was Cisco Remote Access activated prior to this and did you then delete the user object(s) in 'Users and Groups'?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    The Cisco client was never turn on.

    First time I try to use it.
  • 0
    What happens if you try

    cc change_object REF_IpsRoaForTestToInter status 1


    ?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    Here is the result : 

    sophos:/root # cc change_object REF_IpsRoaForTestToInter status 1

    0

    {

              'attr' => 'aaa',

              'attrs' => [],

              'class' => 'ipsec_connection',

              'format' => 'No users have Cisco VPN client remote access.

    Continuing will disable Cisco VPN client remote access.',

              'msgtype' => 'IPSEC_RW_CISCO_USER',

              'name' => 'No users have Cisco VPN client remote access.

    Continuing will disable Cisco VPN client remote access.',

              'never_hide' => 0,

              'type' => 'roadwarrior_cisco'

            }


    Same error when trying to enable the cisco VPN client
  • 0
    I too have just discovered this today.

    No users / groups in the field.

    I've tried all these commands, and on the 2nd / 3rd commands I just get 0 returned.

    Is this a new bug with the latest release ?
Unfiltered HTML