
SSL VPN issue after UTM upgrade to 9.404-5

Hello,

After the UTM upgrade from 9.403-4 to 9.404-5 the SSL VPN connection is no longer working. I changed nothing in the configuration.

Now I get the following error message:

...

2016:06:28-12:24:27 firewall openvpn[9229]: SENT CONTROL [firewall]: 'PUSH_REQUEST' (status=1)

2016:06:28-12:24:27 firewall openvpn[9229]: TCPv4_CLIENT WRITE [56] to [AF_INET]213.136.68.103:44344 (via [AF_INET]10.10.10.254:35371): P_CONTROL_V1 kid=0 [ ] pid=5 DATA len=42
2016:06:28-12:24:27 firewall openvpn[9229]: TCPv4_CLIENT READ [22] from [AF_INET]213.136.68.103:44344 (via [AF_INET]10.10.10.254:35371): P_ACK_V1 kid=0 [ 5 ]
2016:06:28-12:24:27 firewall openvpn[9229]: TCPv4_CLIENT READ [466] from [AF_INET]213.136.68.103:44344 (via [AF_INET]10.10.10.254:35371): P_CONTROL_V1 kid=0 [ ] pid=6 DATA len=452
2016:06:28-12:24:27 firewall openvpn[9229]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 192.168.55.1,route 192.168.54.0 255.255.255.0,route 192.168.55.0 255.255.255.0,setenv-safe remote_network_1 192.168.54.0/24,setenv-safe remote_network_2 192.168.55.0/24,setenv-safe local_network_1 192.168.5.0/24,setenv-safe local_network_2 192.168.111.0/24,setenv-safe local_network_3 192.168.250.0/24,setenv-safe local_network_4 192.168.110.0/24,ifconfig 192.168.54.6 192.168.54.5'
2016:06:28-12:24:27 firewall openvpn[9229]: OPTIONS IMPORT: --ifconfig/up options modified
2016:06:28-12:24:27 firewall openvpn[9229]: OPTIONS IMPORT: route options modified
2016:06:28-12:24:27 firewall openvpn[9229]: OPTIONS IMPORT: route-related options modified
2016:06:28-12:24:27 firewall openvpn[9229]: OPTIONS IMPORT: environment modified
2016:06:28-12:24:27 firewall openvpn[9229]: ROUTE_GATEWAY 10.10.10.1/255.255.255.0 IFACE=eth0.10 HWADDR=00:15:5d:6f:14:09
2016:06:28-12:24:27 firewall openvpn[9229]: TUN/TAP device tun1 opened
2016:06:28-12:24:27 firewall openvpn[9229]: TUN/TAP TX queue length set to 100
2016:06:28-12:24:27 firewall openvpn[9229]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2016:06:28-12:24:27 firewall openvpn[9229]: /bin/ip link set dev tun1 up mtu 1500
2016:06:28-12:24:27 firewall openvpn[9229]: /bin/ip addr add dev tun1 192.168.54.6/11 broadcast 255.255.255.254
2016:06:28-12:24:27 firewall openvpn[9229]: /bin/ip route change dev tun1 192.168.54.4/11 proto 41 src 192.168.54.6
2016:06:28-12:24:27 firewall openvpn[9229]: MANAGEMENT: Client disconnected
2016:06:28-12:24:27 firewall openvpn[9229]: Linux ip route change failed: external program exited with error status: 2
2016:06:28-12:24:27 firewall openvpn[9229]: Exiting due to fatal error
2016:06:28-12:24:35 firewall openvpn[6482]: MANAGEMENT: Client disconnected

Because tun1 is not available, I tried to run this command as a test on another interface and got the following error message:

firewall:/var/sec/chroot-openvpn/etc/openvpn/conf.d # /bin/ip route change dev tun0 192.168.54.4/11 proto 41 src 192.168.54.6
RTNETLINK answers: Invalid argument

I hope you can help me!

Many Thanks!

Regards

Simon
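The values in the log above can be reproduced with a short check. What follows is an added worked example for this thread, not code from the original post and not Sophos or OpenVPN code. Its reading of the log is an inference, not something the page states: under "topology subnet" the second argument of a pushed "ifconfig" is a netmask, so the point-to-point pair "ifconfig 192.168.54.6 192.168.54.5" makes the client treat 192.168.54.5 as a mask. Counting its set bits gives the odd prefix length 11, local OR NOT mask gives broadcast 255.255.255.254, local AND mask gives network 192.168.54.4, and 192.168.54.4/11 has host bits set, which the kernel rejects with EINVAL ("RTNETLINK answers: Invalid argument"). The script parses the pushed options, repeats that arithmetic, and flags a non-contiguous mask or a route the kernel will refuse; the function and option names are the example's own.

```python
"""Reproduce the address/route arithmetic behind the failing 'ip' commands
in the OpenVPN client log above.  Added example; not Sophos or OpenVPN code.

Assumption (inferred from the log, not stated on the page): with
'topology subnet' the second 'ifconfig' argument is used as a netmask, the
prefix length is the popcount of that mask, the broadcast is local | ~mask
and the route destination is local & mask.  A route whose destination has
bits set below the prefix is rejected by the Linux kernel with EINVAL.
"""
import ipaddress

# Constructed copy of the PUSH_REPLY options quoted in the post (setenv lines dropped).
PUSH_REPLY = (
    "PUSH_REPLY,topology subnet,route-gateway 192.168.55.1,"
    "route 192.168.54.0 255.255.255.0,route 192.168.55.0 255.255.255.0,"
    "ifconfig 192.168.54.6 192.168.54.5"
)


def parse_push_reply(msg):
    """Turn 'PUSH_REPLY,opt arg ...,opt arg ...' into {opt: [args]} (last repeat wins)."""
    opts = {}
    for item in msg.split(",")[1:]:
        if not item.strip():
            continue
        name, *args = item.split()
        opts[name] = args
    return opts


def ip2int(addr):
    return int(ipaddress.IPv4Address(addr))


def int2ip(n):
    return str(ipaddress.IPv4Address(n & 0xFFFFFFFF))


def is_contiguous_mask(mask):
    """True only for 1...10...0 masks: the inverted mask must be of the form 2^k - 1."""
    inv = ~ip2int(mask) & 0xFFFFFFFF
    return inv & (inv + 1) == 0


def host_bits_set(network, prefix):
    """The kernel refuses 'ip route add/change NET/PREFIX' if NET has bits below PREFIX."""
    return ip2int(network) & ((1 << (32 - prefix)) - 1) != 0


def diagnose(push_reply, dev="tun1"):
    """Derive what the client will hand to 'ip' and whether that can succeed."""
    opts = parse_push_reply(push_reply)
    topology = opts.get("topology", ["net30"])[0]
    local, second = opts["ifconfig"]
    if topology != "subnet":
        # Point-to-point topologies: the second argument is the peer, no mask arithmetic.
        return {"topology": topology, "ok": True,
                "addr_cmd": f"ip addr add dev {dev} local {local} peer {second}"}
    mask = second
    prefix = bin(ip2int(mask)).count("1")            # popcount of the "mask"
    network = int2ip(ip2int(local) & ip2int(mask))
    broadcast = int2ip(ip2int(local) | ~ip2int(mask))
    contiguous = is_contiguous_mask(mask)
    route_rejected = host_bits_set(network, prefix)
    return {
        "topology": topology,
        "mask": mask,
        "prefix": prefix,
        "network": network,
        "broadcast": broadcast,
        "contiguous": contiguous,
        "route_rejected": route_rejected,
        "ok": contiguous and not route_rejected,
        "addr_cmd": f"ip addr add dev {dev} {local}/{prefix} broadcast {broadcast}",
        "route_cmd": f"ip route change dev {dev} {network}/{prefix} src {local}",
    }


if __name__ == "__main__":
    samples = (
        PUSH_REPLY,                                                        # the failing push from the log
        "PUSH_REPLY,topology subnet,ifconfig 192.168.54.6 255.255.255.0",  # a consistent subnet push
        "PUSH_REPLY,topology p2p,ifconfig 192.168.54.6 192.168.54.5",      # the same pair as point-to-point
    )
    for line in samples:
        r = diagnose(line)
        print(("OK  " if r["ok"] else "BAD ") + r["addr_cmd"])
        if not r["ok"]:
            print("     contiguous mask:", r["contiguous"], " route rejected by kernel:", r["route_rejected"])
```

Run against the pushed options from the log, the script prints the same "192.168.54.6/11 broadcast 255.255.255.254" and "192.168.54.4/11" that appear in the log and marks the push as BAD; the two constructed variants (a real netmask, or the same address pair under a point-to-point topology) both pass, which is the distinction worth checking on a site-to-site tunnel with static tunnel IPs before blaming the interface or the kernel.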



  • Hi All,

    This is fixed in the next firmware release v9.4 MR4 (9.407).

    Thank you for your patience. 

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hi Sachin

    Thanks for your answer. And when will it be published?

    Regards Roman

    UTM Certified Architect

  • Released today:


    Up2Date 9.407003 package description:

    Remarks:
    System will be rebooted
    Configuration will be upgraded
    Connected REDs will perform firmware upgrade
    Connected Wifi APs will perform firmware upgrade

    News:
    Maintenance Release

    Bugfixes:
    Fix [NUTM-4079]: [AWS] DNS Resolver too slow for ELBs
    Fix [NUTM-3885]: [Access & Identity] [RED] RED50 reconnecting every 30 minutes
    Fix [NUTM-4502]: [Access & Identity] [RED] reactivating RED management causes problem with provisioning server
    Fix [NUTM-4749]: [Access & Identity] [RED] interface default routes are not written
    Fix [NUTM-4832]: [Access & Identity] 9.404 SSL site-to-site VPN client is not compatible with older UTM versions
    Fix [NUTM-4870]: [Access & Identity] STAS: Packetfilter rule is written too late when enabling the feature
    Fix [NUTM-4875]: [Access & Identity] 9.404 SSL site-to-site VPN doesn't work with static IP setting
    Fix [NUTM-4881]: [Access & Identity] IPsec remote access xauth fails with "could not find cache entry"
    Fix [NUTM-4918]: [Access & Identity] HTML5 VPN: Portuguese (Brazil) keyboard doesn't appear to support special characters
    Fix [NUTM-4974]: [Access & Identity] UTM unable to connect to support tunnel
    Fix [NUTM-4981]: [Access & Identity] [RED] RED management can't be reactivated after a Backup / Restore
    Fix [NUTM-4987]: [Access & Identity] 9.404 SSL site-to-site VPN client compatibility to older openvpn versions
    Fix [NUTM-5004]: [Access & Identity] [RED] misleading peer status send
    Fix [NUTM-4941]: [Basesystem] NTP Vulnerability
    Fix [NUTM-5132]: [Basesystem] Disable weak ciphers for webadmin
    Fix [NUTM-3180]: [Confd] IP Address change was not applied properly to the interface
    Fix [NUTM-4346]: [Documentation] Enhance documentation regarding unencrypted SSO AD password in printable configuration
    Fix [NUTM-3225]: [Email] JSON error when accessing Data Loss Prevention Tab and SMTP Profiles
    Fix [NUTM-3483]: [Email] Missing/incomplete logging for sandstorm in SMTP proxy
    Fix [NUTM-3505]: [Email] MIME type blacklist can be bypassed if an another file is whitelisted
    Fix [NUTM-3666]: [Email] Mail log in user portal is case-sensitive
    Fix [NUTM-3667]: [Email] RAR and XLSX files causing Scanner timeout or deadlock - moving to error queue
    Fix [NUTM-4331]: [Email] Implement more error handling in QMGR for error cases
    Fix [NUTM-4874]: [Email] SMTP proxy can't be disabled when upgrading from 9.31x
    Fix [NUTM-5228]: [Email] change LogLevel in httpd-spx-reply.conf to warn
    Fix [NUTM-5355]: [Email] Increase AV Scanner timeout to 60 seconds
    Fix [NUTM-2768]: [HA/Cluster] 36307: Postgres can't be started on Slave / rsync error: error in socket IO (code 10) at clientserver.c(122) [receiver=3.0.4]
    Fix [NUTM-4894]: [Logging] Fallback log on slave node is filling up the partition
    Fix [NUTM-1954]: [Network] 35457: Amazon vpc gets imported but quagga doesnt start
    Fix [NUTM-3092]: [Network] snmp does not work: because 10G modules query of link status timeout if no GBIC is plugged
    Fix [NUTM-3115]: [Network] AFC misclassifying HTTPS connections as 'OpenVPN'
    Fix [NUTM-3157]: [Network] [INFO-152] Network Monitor not running - restarted
    Fix [NUTM-3229]: [Network] IPv6 over transparent proxy
    Fix [NUTM-3247]: [Network] Spam Filter cannot query database servers from Slave if a block all AFC rule exists
    Fix [NUTM-4037]: [Network] Update kernel to 3.12.58
    Fix [NUTM-4992]: [Network] Unitymedia / KabelBW customer getting always the MTU 576
    Fix [NUTM-4885]: [Reporting] SSL VPN reporting shows no user with a "#" sign in the username
    Fix [NUTM-4593]: [Sandboxd] Constant error when inserting record into sandstorm transactionlog table
    Fix [NUTM-5128]: [Virtualization] Incorrect interface order on HyperV
    Fix [NUTM-4868]: [WAF] WAF service restart issue (segmentation fault in mod_avscan)
    Fix [NUTM-5266]: [WAF] Form auth default template login not possible with chrome and FF
    Fix [NUTM-4916]: [WebAdmin] User portal: add Windows 10 to list of supported OSs for SSL VPN
    Fix [NUTM-2447]: [Web] 36231: HTTP proxy policy matching with backend groups is sometimes not working
    Fix [NUTM-4525]: [Web] Handle ha zeroconf for sandbox_reportd
    Fix [NUTM-4806]: [Web] postgres[xxxxx]: [x-x] STATEMENT: INSERT INTO TransactionLog
    Fix [NUTM-4877]: [Web] segfault after installing ep-httpproxy-9.40-319.g32fa996.i686.rpm
    Fix [NUTM-4127]: [WiFi] MAC filter whitelist does not work after editing the MAC Address List
    Fix [NUTM-4451]: [WiFi] Mesh AP doesn't connect after deleting the AP from webadmin
    Fix [NUTM-4913]: [WiFi] Hotspot voucher QR code pointing to IP address instead of configured host name
    Fix [NUTM-5032]: [WiFi] 'STA WPA Failure' messages not appearing in wireless log

    RPM packages contained:
    firmwares-bamboo-9400-0.239798409.gadeedea.rb1.i586.rpm
    freerdp-1.0.2-5.g9ab7846.rb6.i686.rpm
    modavscan-9.40-88.g4be0a1f.rb3.i686.rpm
    perf-tools-3.12.58-0.238097715.g942ca6f.rb5.i686.rpm
    red-firmware2-5033-0.237486050.g1d6fa2f.rb1.noarch.rpm
    red15-firmware-5033-0.237486204.g88604a9.rb4.noarch.rpm
    uma-9.40-9.g4114428.rb3.i686.rpm
    ep-reporting-9.40-28.g366bbbd.rb8.i686.rpm
    ep-reporting-c-9.40-29.gdbdd0e5.rb7.i686.rpm
    ep-reporting-resources-9.40-28.g366bbbd.rb8.i686.rpm
    ep-aua-9.40-29.g044c154.rb4.i686.rpm
    ep-branding-ASG-afg-9.40-45.ga7a71f4.rb4.noarch.rpm
    ep-branding-ASG-ang-9.40-45.ga7a71f4.rb4.noarch.rpm
    ep-branding-ASG-asg-9.40-45.ga7a71f4.rb4.noarch.rpm
    ep-branding-ASG-atg-9.40-45.ga7a71f4.rb4.noarch.rpm
    ep-branding-ASG-aug-9.40-45.ga7a71f4.rb4.noarch.rpm
    ep-confd-9.40-758.g4ba8297.i686.rpm
    ep-confd-tools-9.40-699.g3e73a8d.rb11.i686.rpm
    ep-endpoint-0.5-0.238842559.g74c0041.rb3.i686.rpm
    ep-ha-aws-9.40-193.gbbbdb1f.rb1.noarch.rpm
    ep-libs-9.40-18.g98311c6.rb4.i686.rpm
    ep-mdw-9.40-473.gbb2acca.rb1.i686.rpm
    ep-migration-agent-9.40-0.238246977.g97d8100.rb2.i686.rpm
    ep-repctl-0.1-0.236091535.g244907c.rb4.i686.rpm
    ep-screenmgr-9.40-1.g05ac056.rb11.i686.rpm
    ep-utm-watchdog-9.40-9.gb87dc68.rb5.i686.rpm
    ep-webadmin-9.40-649.gcf9df68.rb15.i686.rpm
    ep-webadmin-contentmanager-9.40-48.g2579cc5.rb7.i686.rpm
    ep-chroot-dhcpc-9.40-7.g5875cb6.rb4.noarch.rpm
    ep-chroot-httpd-9.40-13.g05599fc.rb4.noarch.rpm
    ep-chroot-smtp-9.40-108.g7e71836.rb1.i686.rpm
    chroot-ntp-4.2.8p8-0.g2398560.rb7.i686.rpm
    chroot-openvpn-9.40-26.g733afa5.rb6.i686.rpm
    chroot-reverseproxy-2.4.10-242.g832ffb5.rb3.i686.rpm
    ep-httpproxy-9.40-351.gd42c00a.rb8.i686.rpm
    kernel-smp-3.12.58-0.238097715.g942ca6f.rb6.i686.rpm
    kernel-smp64-3.12.58-0.238097715.g942ca6f.rb6.x86_64.rpm
    ep-release-9.407-3.noarch.rpm

  • Heureka, it works. Updated from 9.403-4 to 9.407.
    SSL Site-to-Site 9.407 <-> 9.407 with static tunnel IP: works.
    SSL Site-to-Site 9.407 <-> 9.406 with static tunnel IP: doesn't work -> upgrade.
  • CONFIRMED

    Upgraded to version 9.407-3 and the Site2Site SSL VPN works again!

    Very happy with this, but it took way too long to fix, imho.