
SSL VPN issue after UTM upgrade to 9.404-5

Hello,

After the UTM upgrade from 9.403-4 to 9.404-5, the SSL VPN connection is no longer working. I changed nothing in the configuration.

Now I get the following error message:

...

2016:06:28-12:24:27 firewall openvpn[9229]: SENT CONTROL [firewall]: 'PUSH_REQUEST' (status=1)

2016:06:28-12:24:27 firewall openvpn[9229]: TCPv4_CLIENT WRITE [56] to [AF_INET]213.136.68.103:44344 (via [AF_INET]10.10.10.254:35371): P_CONTROL_V1 kid=0 [ ] pid=5 DATA len=42
2016:06:28-12:24:27 firewall openvpn[9229]: TCPv4_CLIENT READ [22] from [AF_INET]213.136.68.103:44344 (via [AF_INET]10.10.10.254:35371): P_ACK_V1 kid=0 [ 5 ]
2016:06:28-12:24:27 firewall openvpn[9229]: TCPv4_CLIENT READ [466] from [AF_INET]213.136.68.103:44344 (via [AF_INET]10.10.10.254:35371): P_CONTROL_V1 kid=0 [ ] pid=6 DATA len=452
2016:06:28-12:24:27 firewall openvpn[9229]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 192.168.55.1,route 192.168.54.0 255.255.255.0,route 192.168.55.0 255.255.255.0,setenv-safe remote_network_1 192.168.54.0/24,setenv-safe remote_network_2 192.168.55.0/24,setenv-safe local_network_1 192.168.5.0/24,setenv-safe local_network_2 192.168.111.0/24,setenv-safe local_network_3 192.168.250.0/24,setenv-safe local_network_4 192.168.110.0/24,ifconfig 192.168.54.6 192.168.54.5'
2016:06:28-12:24:27 firewall openvpn[9229]: OPTIONS IMPORT: --ifconfig/up options modified
2016:06:28-12:24:27 firewall openvpn[9229]: OPTIONS IMPORT: route options modified
2016:06:28-12:24:27 firewall openvpn[9229]: OPTIONS IMPORT: route-related options modified
2016:06:28-12:24:27 firewall openvpn[9229]: OPTIONS IMPORT: environment modified
2016:06:28-12:24:27 firewall openvpn[9229]: ROUTE_GATEWAY 10.10.10.1/255.255.255.0 IFACE=eth0.10 HWADDR=00:15:5d:6f:14:09
2016:06:28-12:24:27 firewall openvpn[9229]: TUN/TAP device tun1 opened
2016:06:28-12:24:27 firewall openvpn[9229]: TUN/TAP TX queue length set to 100
2016:06:28-12:24:27 firewall openvpn[9229]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2016:06:28-12:24:27 firewall openvpn[9229]: /bin/ip link set dev tun1 up mtu 1500
2016:06:28-12:24:27 firewall openvpn[9229]: /bin/ip addr add dev tun1 192.168.54.6/11 broadcast 255.255.255.254
2016:06:28-12:24:27 firewall openvpn[9229]: /bin/ip route change dev tun1 192.168.54.4/11 proto 41 src 192.168.54.6
2016:06:28-12:24:27 firewall openvpn[9229]: MANAGEMENT: Client disconnected
2016:06:28-12:24:27 firewall openvpn[9229]: Linux ip route change failed: external program exited with error status: 2
2016:06:28-12:24:27 firewall openvpn[9229]: Exiting due to fatal error
2016:06:28-12:24:35 firewall openvpn[6482]: MANAGEMENT: Client disconnected

Because tun1 is not available, I tried to execute this command for a test on another interface and then I got the following error message:

firewall:/var/sec/chroot-openvpn/etc/openvpn/conf.d # /bin/ip route change dev tun0 192.168.54.4/11 proto 41 src 192.168.54.6
RTNETLINK answers: Invalid argument

I hope you can help me!

Many Thanks!

Regards

Simon
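As an added diagnostic (not code from the post, from Simon, or from Sophos), the script below takes the PUSH_REPLY line quoted above and reproduces the three values seen in the log (192.168.54.6/11, broadcast 255.255.255.254, route 192.168.54.4/11), then flags why the kernel rejects the route. It assumes the client derived the prefix length by counting the set bits of the second ifconfig argument, which is the only reading consistent with all three logged values; only the Python standard library is used.

```python
import ipaddress

# Constructed from the PUSH_REPLY line and the failing /bin/ip commands quoted in the post above.
PUSH_REPLY = ("PUSH_REPLY,topology subnet,route-gateway 192.168.55.1,"
              "route 192.168.54.0 255.255.255.0,ifconfig 192.168.54.6 192.168.54.5")

def parse_push(reply):
    """Map each pushed option name to its argument string (last occurrence wins)."""
    opts = {}
    for item in reply.split(",")[1:]:
        key, _, val = item.partition(" ")
        opts[key] = val
    return opts

def is_netmask(s):
    """True only for a contiguous mask such as 255.255.255.0; 192.168.54.5 is not one."""
    m = int(ipaddress.IPv4Address(s))
    bits = bin(m).count("1")
    return m == (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF

def derive_ifconfig(opts):
    """Reproduce the arguments the client passed to /bin/ip under 'topology subnet'.
    Assumption (matches all three values in the log): prefix length = number of set
    bits in the second ifconfig argument, broadcast = local | ~mask, route = local & mask."""
    local, mask = opts["ifconfig"].split()
    l, m = int(ipaddress.IPv4Address(local)), int(ipaddress.IPv4Address(mask))
    bits = bin(m).count("1")
    return {
        "addr": f"{local}/{bits}",
        "broadcast": str(ipaddress.IPv4Address(l | (~m & 0xFFFFFFFF))),
        "route": f"{ipaddress.IPv4Address(l & m)}/{bits}",
    }

def route_has_host_bits(prefix):
    """The kernel answers EINVAL ('RTNETLINK answers: Invalid argument') for a route whose
    destination has bits set beyond its prefix length, e.g. 192.168.54.4/11."""
    try:
        ipaddress.IPv4Network(prefix)  # strict by default: raises on host bits
        return False
    except ValueError:
        return True

def diagnose(reply):
    """Findings for one PUSH_REPLY line; an empty list means the push is self-consistent."""
    opts = parse_push(reply)
    findings = []
    if opts.get("topology") == "subnet" and "ifconfig" in opts:
        second = opts["ifconfig"].split()[1]
        if not is_netmask(second):
            findings.append(f"topology subnet, but ifconfig's second argument {second} "
                            f"is not a contiguous netmask")
        route = derive_ifconfig(opts)["route"]
        if route_has_host_bits(route):
            findings.append(f"derived route {route} has host bits set; 'ip route change' will fail")
    return findings
```

Running `diagnose(PUSH_REPLY)` on the quoted line yields both findings, while a push of the form `ifconfig 192.168.54.6 255.255.255.0` yields none.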



  • Hi All,

    The engineering team is working on a fix for this issue. Unfortunately the fix was not ready in time to make it into the 9.405 maintenance release; the issue will be resolved with the next maintenance update.

    Jan

  • Hi Jan

    When will the fix be published? We have been waiting a long time for this.

    Regards Roman

    UTM Certified Architect

  • Hi All,

    This is fixed in the next firmware release v9.4 MR4 (9.407).

    Thank you for your patience. 

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hi Sachin

    Thanks for your answer. And when will it be published?

    Regards Roman

    UTM Certified Architect

  • Released today:

    Up2Date 9.407003 package description:

    Remarks:
    System will be rebooted
    Configuration will be upgraded
    Connected REDs will perform firmware upgrade
    Connected Wifi APs will perform firmware upgrade

    News:
    Maintenance Release

    Bugfixes:
    Fix [NUTM-4079]: [AWS] DNS Resolver too slow for ELBs
    Fix [NUTM-3885]: [Access & Identity] [RED] RED50 reconnecting every 30 minutes
    Fix [NUTM-4502]: [Access & Identity] [RED] reactivating RED management causes problem with provisioning server
    Fix [NUTM-4749]: [Access & Identity] [RED] interface default routes are not written
    Fix [NUTM-4832]: [Access & Identity] 9.404 SSL site-to-site VPN client is not compatibal with older UTM versions
    Fix [NUTM-4870]: [Access & Identity] STAS: Packetfilter rule is written too late when enabling the feature
    Fix [NUTM-4875]: [Access & Identity] 9.404 SSL site-to-site VPN doesn't work with static IP setting
    Fix [NUTM-4881]: [Access & Identity] IPsec remote access xauth fails with "could not find cache entry"
    Fix [NUTM-4918]: [Access & Identity] HTML5 VPN: Portuguese (Brazil) keyboard doesn't appear to support special characters
    Fix [NUTM-4974]: [Access & Identity] UTM unable to connect to support tunnel
    Fix [NUTM-4981]: [Access & Identity] [RED] RED management can't be reactivated after a Backup / Restore
    Fix [NUTM-4987]: [Access & Identity] 9.404 SSL site-to-site VPN client compatibility to older openvpn versions
    Fix [NUTM-5004]: [Access & Identity] [RED] misleading peer status send
    Fix [NUTM-4941]: [Basesystem] NTP Vulnerability
    Fix [NUTM-5132]: [Basesystem] Disable weak ciphers for webadmin
    Fix [NUTM-3180]: [Confd] IP Address change was not applied properly to the interface
    Fix [NUTM-4346]: [Documentation] Enhance documentation regarding unencrypted SSO AD password in printable configuration
    Fix [NUTM-3225]: [Email] JSON error when accessing Data Loss Prevention Tab and SMTP Profiles
    Fix [NUTM-3483]: [Email] Missing/incomplete logging for sandstorm in SMTP proxy
    Fix [NUTM-3505]: [Email] MIME type blacklist can be bypassed if an another file is whitelisted
    Fix [NUTM-3666]: [Email] Mail log in user portal is case-sensitive
    Fix [NUTM-3667]: [Email] RAR and XLSX files causing Scanner timeout or deadlock - moving to error queue
    Fix [NUTM-4331]: [Email] Implement more error handling in QMGR for error cases
    Fix [NUTM-4874]: [Email] SMTP proxy can't be disabled when upgrading from 9.31x
    Fix [NUTM-5228]: [Email] change LogLevel in httpd-spx-reply.conf to warn
    Fix [NUTM-5355]: [Email] Increase AV Scanner timeout to 60 seconds
    Fix [NUTM-2768]: [HA/Cluster] 36307: Postgres can't be started on Slave / rsync error: error in socket IO (code 10) at clientserver.c(122) [receiver=3.0.4]
    Fix [NUTM-4894]: [Logging] Fallback log on slave node is filling up the partition
    Fix [NUTM-1954]: [Network] 35457: Amazon vpc gets imported but quagga doesnt start
    Fix [NUTM-3092]: [Network] snmp does not work: because 10G modules query of link status timeout if no GBIC is plugged
    Fix [NUTM-3115]: [Network] AFC misclassifying HTTPS connections as 'OpenVPN'
    Fix [NUTM-3157]: [Network] [INFO-152] Network Monitor not running - restarted
    Fix [NUTM-3229]: [Network] IPv6 over transparent proxy
    Fix [NUTM-3247]: [Network] Spam Filter cannot query database servers from Slave if a block all AFC rule exists
    Fix [NUTM-4037]: [Network] Update kernel to 3.12.58
    Fix [NUTM-4992]: [Network] Unitymedia / KabelBW customer getting always the MTU 576
    Fix [NUTM-4885]: [Reporting] SSL VPN reporting shows no user with a "#" sign in the username
    Fix [NUTM-4593]: [Sandboxd] Constant error when inserting record into sandstorm transactionlog table
    Fix [NUTM-5128]: [Virtualization] Incorrect interface order on HyperV
    Fix [NUTM-4868]: [WAF] WAF service restart issue (segmentation fault in mod_avscan)
    Fix [NUTM-5266]: [WAF] Form auth default template login not possible with chrome and FF
    Fix [NUTM-4916]: [WebAdmin] User portal: add Windows 10 to list of supported OSs for SSL VPN
    Fix [NUTM-2447]: [Web] 36231: HTTP proxy policy matching with backend groups is sometimes not working
    Fix [NUTM-4525]: [Web] Handle ha zeroconf for sandbox_reportd
    Fix [NUTM-4806]: [Web] postgres[xxxxx]: [x-x] STATEMENT: INSERT INTO TransactionLog
    Fix [NUTM-4877]: [Web] segfault after installing ep-httpproxy-9.40-319.g32fa996.i686.rpm
    Fix [NUTM-4127]: [WiFi] MAC filter whitelist does not work after editing the MAC Address List
    Fix [NUTM-4451]: [WiFi] Mesh AP doesn't connect after deleting the AP from webadmin
    Fix [NUTM-4913]: [WiFi] Hotspot voucher QR code pointing to IP address instead of configured host name
    Fix [NUTM-5032]: [WiFi] 'STA WPA Failure' messages not appearing in wireless log

    RPM packages contained:

  • Heureka, it works.
    Updated from 9.4034 to 9.407.
    9.407 SSL Site to Site 9.407, static Tunnel IP: works.
    9.407 SSL Site to Site 9.406, static Tunnel IP: doesn't work -> upgrade.
  • CONFIRMED

    Upgraded to version 9.407-3 and the Site2Site SSL VPN works again!

    Very happy with this, but it took way too long to fix, imho.
