SSL VPN issue after UTM upgrade to 9.404-5

Hello,

After the UTM upgrade from 9.403-4 to 9.404-5, the SSL VPN connection is no longer working. I changed nothing in the configuration.

Now I get the following error message:

...

2016:06:28-12:24:27 firewall openvpn[9229]: SENT CONTROL [firewall]: 'PUSH_REQUEST' (status=1)

2016:06:28-12:24:27 firewall openvpn[9229]: TCPv4_CLIENT WRITE [56] to [AF_INET]213.136.68.103:44344 (via [AF_INET]10.10.10.254:35371): P_CONTROL_V1 kid=0 [ ] pid=5 DATA len=42
2016:06:28-12:24:27 firewall openvpn[9229]: TCPv4_CLIENT READ [22] from [AF_INET]213.136.68.103:44344 (via [AF_INET]10.10.10.254:35371): P_ACK_V1 kid=0 [ 5 ]
2016:06:28-12:24:27 firewall openvpn[9229]: TCPv4_CLIENT READ [466] from [AF_INET]213.136.68.103:44344 (via [AF_INET]10.10.10.254:35371): P_CONTROL_V1 kid=0 [ ] pid=6 DATA len=452
2016:06:28-12:24:27 firewall openvpn[9229]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 192.168.55.1,route 192.168.54.0 255.255.255.0,route 192.168.55.0 255.255.255.0,setenv-safe remote_network_1 192.168.54.0/24,setenv-safe remote_network_2 192.168.55.0/24,setenv-safe local_network_1 192.168.5.0/24,setenv-safe local_network_2 192.168.111.0/24,setenv-safe local_network_3 192.168.250.0/24,setenv-safe local_network_4 192.168.110.0/24,ifconfig 192.168.54.6 192.168.54.5'
2016:06:28-12:24:27 firewall openvpn[9229]: OPTIONS IMPORT: --ifconfig/up options modified
2016:06:28-12:24:27 firewall openvpn[9229]: OPTIONS IMPORT: route options modified
2016:06:28-12:24:27 firewall openvpn[9229]: OPTIONS IMPORT: route-related options modified
2016:06:28-12:24:27 firewall openvpn[9229]: OPTIONS IMPORT: environment modified
2016:06:28-12:24:27 firewall openvpn[9229]: ROUTE_GATEWAY 10.10.10.1/255.255.255.0 IFACE=eth0.10 HWADDR=00:15:5d:6f:14:09
2016:06:28-12:24:27 firewall openvpn[9229]: TUN/TAP device tun1 opened
2016:06:28-12:24:27 firewall openvpn[9229]: TUN/TAP TX queue length set to 100
2016:06:28-12:24:27 firewall openvpn[9229]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2016:06:28-12:24:27 firewall openvpn[9229]: /bin/ip link set dev tun1 up mtu 1500
2016:06:28-12:24:27 firewall openvpn[9229]: /bin/ip addr add dev tun1 192.168.54.6/11 broadcast 255.255.255.254
2016:06:28-12:24:27 firewall openvpn[9229]: /bin/ip route change dev tun1 192.168.54.4/11 proto 41 src 192.168.54.6
2016:06:28-12:24:27 firewall openvpn[9229]: MANAGEMENT: Client disconnected
2016:06:28-12:24:27 firewall openvpn[9229]: Linux ip route change failed: external program exited with error status: 2
2016:06:28-12:24:27 firewall openvpn[9229]: Exiting due to fatal error
2016:06:28-12:24:35 firewall openvpn[6482]: MANAGEMENT: Client disconnected

Because tun1 is not available, I tried to execute this command as a test on another interface, and then I got the following error message:

firewall:/var/sec/chroot-openvpn/etc/openvpn/conf.d # /bin/ip route change dev tun0 192.168.54.4/11 proto 41 src 192.168.54.6
RTNETLINK answers: Invalid argument

I hope you can help me!

Many thanks!

Regards

Simon

  • Hi All,

    The engineering team is working on a fix for this issue. Unfortunately, the fix was not ready in time to make it into the 9.405 maintenance release; the issue will be resolved with the next maintenance update.

    Jan

  • Groundhog Day:

    9.406003 released... the engineering team seems to be on holiday; the problem has persisted since 24 May.

    Great Job Sophos!

  • Above answer is not working.

    Same thing here. The problem has existed since upgrading from 9.355-1 to 9.405-5.

    We fixed it by changing the openvpn binary back to 9.355-1 - this seems to work! But it is a bad solution, because it breaks the idea of having an appliance. This might also void the warranty - but when dealing with critical VPN connections being broken, what do you do.... right?

    Premium 24/7 support - no solution by Sophos - they say "wait for the next update", but no date is given. So the answer from Sophos seems to be "Wait for the next update".

    For reference, this is where it breaks on ours:

    The problem seems to be when the ip route script is called. The route it adds is a /10 that seems wrong to us. I've debugged what happens and this is the moment openvpn crashes with an error but Sophos seems to be unable to find the bug. A change in arguments in openvpn maybe?

    Version 9.405-5 (broken)

    2016:09:01-14:16:09 redacted openvpn[26247]: /bin/ip link set dev tun0 up mtu 1500 
    2016:09:01-14:16:09 redacted openvpn[26247]: /bin/ip addr add dev tun0 local 10.242.2.6 peer 10.242.2.5
    2016:09:01-14:16:09 redacted openvpn[26247]: /bin/ip route change dev tun0 10.242.2.4/10 proto 41 src 10.242.2.6   <<< error here!!!

    Version 9.355-1, before upgrade (working) (2 weeks ago).

    2016:08:11-06:02:43 redacted openvpn[28719]: /bin/ip link set dev tun0 up mtu 1500
    2016:08:11-06:02:43 redacted openvpn[28719]: /bin/ip addr add dev tun0 local 10.242.2.6 peer 10.242.2.5
    2016:08:11-06:02:43 redacted openvpn[28719]: PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_UP status=0
    2016:08:11-06:02:43 redacted openvpn[28719]: /bin/ip route add xxx.xx.0.0/16 proto 41 dev tun0 via 10.242.2.5

    Dear Sophos: Get your stuff together.
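Both broken excerpts in this thread (the 9.404-5 tun1 log in the first post and the 9.405-5 tun0 log above) show the same shape of failure: the route OpenVPN installs for the tunnel carries a prefix (/11, /10) that does not match the /30 pair of tunnel endpoints, and the destination address has bits set beyond that prefix, which the Linux kernel rejects with "Invalid argument". As an added example (not from the thread and not Sophos or OpenVPN code), the Python script below parses such log lines, flags each route command the kernel would reject, and reports the prefix the pushed endpoints imply; the sample log is constructed from the lines quoted in the thread plus one working-style "route add" line modelled on the 9.355-1 excerpt.

```python
import re
import ipaddress

# Constructed sample from the log excerpts quoted in this thread (9.404-5 tun1 lines,
# 9.405-5 tun0 lines) plus one working-style 'route add' modelled on the 9.355-1 log.
SAMPLE_LOG = """\
openvpn[9229]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,ifconfig 192.168.54.6 192.168.54.5'
openvpn[9229]: /bin/ip route change dev tun1 192.168.54.4/11 proto 41 src 192.168.54.6
openvpn[26247]: /bin/ip addr add dev tun0 local 10.242.2.6 peer 10.242.2.5
openvpn[26247]: /bin/ip route change dev tun0 10.242.2.4/10 proto 41 src 10.242.2.6
openvpn[28719]: /bin/ip route add 192.168.5.0/24 proto 41 dev tun1 via 192.168.54.5
"""

IFCONFIG_RE = re.compile(r"ifconfig (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
PEER_RE = re.compile(r"/bin/ip addr add dev \S+ local (\S+) peer (\S+)")
ROUTE_RE = re.compile(r"/bin/ip route (?:change|add) (.*)$")

def has_host_bits(cidr):
    """True when bits are set beyond the prefix length (e.g. 192.168.54.4/11);
    the kernel rejects such a route with EINVAL, i.e. 'RTNETLINK answers: Invalid argument'."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return False
    except ValueError:
        return True

def smallest_common_network(a, b):
    """Smallest prefix holding both tunnel endpoints: a /30 for a net30-style pair."""
    for plen in range(32, -1, -1):
        net = ipaddress.ip_network(f"{a}/{plen}", strict=False)
        if ipaddress.ip_address(b) in net:
            return net

def check_routes(log_text):
    """One finding per 'ip route' command; ok=False means the kernel would reject it."""
    local = peer = None
    findings = []
    for line in log_text.splitlines():
        m = IFCONFIG_RE.search(line) or PEER_RE.search(line)
        if m:  # remember the pushed tunnel endpoints for the next route line
            local, peer = m.group(1), m.group(2)
        m = ROUTE_RE.search(line)
        if m:
            tokens = m.group(1).split()
            dev, cidr = tokens[tokens.index("dev") + 1], next(t for t in tokens if "/" in t)
            expected = str(smallest_common_network(local, peer)) if local and peer else ""
            findings.append({"dev": dev, "route": cidr, "ok": not has_host_bits(cidr), "expected": expected})
            local = peer = None  # endpoints apply to the route that follows them only
    return findings
```

Calling check_routes(SAMPLE_LOG) marks both "route change" lines as rejected and reports 192.168.54.4/30 and 10.242.2.4/30 as the prefixes the endpoint pairs imply, while the /24 "route add" passes.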
