SSL VPN issue after UTM upgrade to 9.404-5

Hello,

After the UTM upgrade from 9.403-4 to 9.404-5 the SSL VPN connection is no longer working. I changed nothing in the configuration.

Now I get the following error message:

...

2016:06:28-12:24:27 firewall openvpn[9229]: SENT CONTROL [firewall]: 'PUSH_REQUEST' (status=1)

2016:06:28-12:24:27 firewall openvpn[9229]: TCPv4_CLIENT WRITE [56] to [AF_INET]213.136.68.103:44344 (via [AF_INET]10.10.10.254:35371): P_CONTROL_V1 kid=0 [ ] pid=5 DATA len=42
2016:06:28-12:24:27 firewall openvpn[9229]: TCPv4_CLIENT READ [22] from [AF_INET]213.136.68.103:44344 (via [AF_INET]10.10.10.254:35371): P_ACK_V1 kid=0 [ 5 ]
2016:06:28-12:24:27 firewall openvpn[9229]: TCPv4_CLIENT READ [466] from [AF_INET]213.136.68.103:44344 (via [AF_INET]10.10.10.254:35371): P_CONTROL_V1 kid=0 [ ] pid=6 DATA len=452
2016:06:28-12:24:27 firewall openvpn[9229]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 192.168.55.1,route 192.168.54.0 255.255.255.0,route 192.168.55.0 255.255.255.0,setenv-safe remote_network_1 192.168.54.0/24,setenv-safe remote_network_2 192.168.55.0/24,setenv-safe local_network_1 192.168.5.0/24,setenv-safe local_network_2 192.168.111.0/24,setenv-safe local_network_3 192.168.250.0/24,setenv-safe local_network_4 192.168.110.0/24,ifconfig 192.168.54.6 192.168.54.5'
2016:06:28-12:24:27 firewall openvpn[9229]: OPTIONS IMPORT: --ifconfig/up options modified
2016:06:28-12:24:27 firewall openvpn[9229]: OPTIONS IMPORT: route options modified
2016:06:28-12:24:27 firewall openvpn[9229]: OPTIONS IMPORT: route-related options modified
2016:06:28-12:24:27 firewall openvpn[9229]: OPTIONS IMPORT: environment modified
2016:06:28-12:24:27 firewall openvpn[9229]: ROUTE_GATEWAY 10.10.10.1/255.255.255.0 IFACE=eth0.10 HWADDR=00:15:5d:6f:14:09
2016:06:28-12:24:27 firewall openvpn[9229]: TUN/TAP device tun1 opened
2016:06:28-12:24:27 firewall openvpn[9229]: TUN/TAP TX queue length set to 100
2016:06:28-12:24:27 firewall openvpn[9229]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2016:06:28-12:24:27 firewall openvpn[9229]: /bin/ip link set dev tun1 up mtu 1500
2016:06:28-12:24:27 firewall openvpn[9229]: /bin/ip addr add dev tun1 192.168.54.6/11 broadcast 255.255.255.254
2016:06:28-12:24:27 firewall openvpn[9229]: /bin/ip route change dev tun1 192.168.54.4/11 proto 41 src 192.168.54.6
2016:06:28-12:24:27 firewall openvpn[9229]: MANAGEMENT: Client disconnected
2016:06:28-12:24:27 firewall openvpn[9229]: Linux ip route change failed: external program exited with error status: 2
2016:06:28-12:24:27 firewall openvpn[9229]: Exiting due to fatal error
2016:06:28-12:24:35 firewall openvpn[6482]: MANAGEMENT: Client disconnected

Because tun1 is not available I tried to execute this command as a test on another interface, and then I got the following error message:

firewall:/var/sec/chroot-openvpn/etc/openvpn/conf.d # /bin/ip route change dev tun0 192.168.54.4/11 proto 41 src 192.168.54.6
RTNETLINK answers: Invalid argument

I hope you can help me!

Many Thanks!

Regards

Simon
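A worked check of the numbers in the log above (and of the route change that a later reply in this thread singles out). This is an added example, not code from any post here, from Sophos UTM or from OpenVPN. Its one assumption, labelled in the docstring, is how a client in "topology subnet" mode turns the second `ifconfig` argument into a prefix length, broadcast address and route destination; note that the push says `topology subnet` but hands the client a peer-style pair, `ifconfig 192.168.54.6 192.168.54.5`. Under that assumption the script reproduces the `/11`, the `broadcast 255.255.255.254` and the `192.168.54.4/11` destination seen in the log, and flags why the kernel accepts the `ip addr add` but answers "Invalid argument" to the `ip route change`. The "sane" push is a hypothetical one for contrast.

```python
"""Address arithmetic behind the failing ip commands in the log.

Added diagnostic example; not code from this thread, from Sophos UTM or
from OpenVPN.  Assumption (labelled as such): under 'topology subnet' the
client treats the second 'ifconfig' argument as a netmask, takes the prefix
length as the number of set bits in it, the broadcast as local | ~mask and
the route destination as local & mask.  Fed the pair pushed in the log,
this reproduces /11, broadcast 255.255.255.254 and 192.168.54.4/11.
"""
import ipaddress
from dataclasses import dataclass

# Constructed from the PUSH_REPLY in the log above (trimmed, not a live capture).
LOGGED_PUSH = ("PUSH_REPLY,topology subnet,route-gateway 192.168.55.1,"
               "ifconfig 192.168.54.6 192.168.54.5")
# Hypothetical push a subnet-topology server would normally send, for contrast.
SANE_PUSH = "PUSH_REPLY,topology subnet,ifconfig 192.168.54.6 255.255.255.0"

ALL_ONES = 0xFFFFFFFF


@dataclass
class TunConfig:
    local: str
    prefixlen: int       # bits the client hands to 'ip addr add' and 'ip route'
    broadcast: str
    network: str         # destination the client hands to 'ip route change'
    valid_netmask: bool  # second ifconfig argument is a contiguous netmask
    canonical: bool      # network has no bits set past prefixlen


def parse_push_reply(push_reply: str) -> dict:
    """Extract 'topology' and 'ifconfig' from a PUSH_REPLY control message."""
    opts = {}
    for item in push_reply.split(","):
        words = item.strip().split()
        if words and words[0] in ("topology", "ifconfig"):
            opts[words[0]] = words[1:]
    return opts


def _addr(value: int) -> str:
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def derive_tun_config(local: str, second_arg: str) -> TunConfig:
    """What a subnet-topology client derives from 'ifconfig <local> <arg>'."""
    local_i = int(ipaddress.IPv4Address(local))
    mask_i = int(ipaddress.IPv4Address(second_arg))
    try:
        ipaddress.IPv4Network(f"0.0.0.0/{second_arg}")
        valid_netmask = True
    except ValueError:            # non-contiguous mask, e.g. a peer address
        valid_netmask = False
    prefixlen = bin(mask_i).count("1")      # popcount, no contiguity check
    network_i = local_i & mask_i
    # The kernel FIB rejects a route destination with bits set beyond the
    # prefix length with EINVAL, which iproute2 prints as "RTNETLINK answers:
    # Invalid argument".  'ip addr add' tolerates such an address; 'ip route'
    # does not tolerate such a destination.
    canonical = ((network_i << prefixlen) & ALL_ONES) == 0
    return TunConfig(local=local, prefixlen=prefixlen,
                     broadcast=_addr(local_i | ~mask_i),
                     network=_addr(network_i),
                     valid_netmask=valid_netmask, canonical=canonical)


def derive_from_push(push_reply: str) -> TunConfig:
    opts = parse_push_reply(push_reply)
    if opts.get("topology") != ["subnet"]:
        raise ValueError("this model only covers 'topology subnet'")
    local, second_arg = opts["ifconfig"]
    return derive_tun_config(local, second_arg)


def ip_commands(cfg: TunConfig, dev: str = "tun1") -> list:
    """The two commands in the shape the log shows, for side-by-side comparison."""
    return [
        f"/bin/ip addr add dev {dev} {cfg.local}/{cfg.prefixlen} broadcast {cfg.broadcast}",
        f"/bin/ip route change dev {dev} {cfg.network}/{cfg.prefixlen} proto 41 src {cfg.local}",
    ]


if __name__ == "__main__":
    for label, push in (("logged", LOGGED_PUSH), ("sane", SANE_PUSH)):
        cfg = derive_from_push(push)
        print(label, cfg)
        for cmd in ip_commands(cfg):
            print("   ", cmd)
```

Run it and compare the printed commands with the two log lines. `canonical=False` on the logged push is the property that makes `ip route change` fail, and it does not depend on the interface name, which matches the manual test on tun0 further up giving the same "Invalid argument".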

  • I'm also having this exact issue. Hoping for a hotfix soon!

  • 016:06:29-08:05:39 zeus openvpn[7700]: REF_LtGyVxezOr/189.114.142.152:32992 MULTI ERROR: primary virtual IP for REF_LtGyVxezOr/189.114.142.152:32992 (192.168.50.1) violates tunnel network/netmask constraint (192.168.10.0/255.255.255.0)

    2016:06:29-08:05:40 astaro openvpn[6784]: MANAGEMENT: Client disconnected

    So, the UTM is the server?  That's the closest I've seen here to a successful connection.  Can you show us a log where this worked before?  Preferably from both sides, but just the UTM side would be interesting.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Guys, neither Sophos nor Astaro has marketed the SSL VPN as something that can be used with OpenVPN.  The same is true of the OpenVPN-based RED.  Unless a very large customer complains about this, or the fix is easy and extremely obvious, my guess is that it will be a long time before Sophos invests time in figuring this out.

    If you need the connection with a different OpenVPN variant, my guess is that your best bet at this point in time is to re-install with a 9.4 ISO and stop upgrading at 9.403.  I suspect that 9.356 had the same fixes as 9.404 - if someone tries to fix this by re-installing from a 9.35 ISO, please let us know if that worked.

    Cheers - Bob

  • Nice try

    Sophos SSL VPN is not only based on OpenVPN, no, IT IS OpenVPN. Sophos takes the OpenVPN packages into their system. Until now, connections to OpenVPN systems worked correctly.

    Here are the RPMs for the Sophos SSL VPN that cause the problems with the latest release:

    client-openvpn-9.40-11.g434309f.rb2.noarch.rpm
    chroot-openvpn-9.40-25.g2316a39.rb4.i686.rpm

    Now Sophos has changed something and broke these connections. This is still a Sophos problem.

    2016:06:28-12:24:27 firewall openvpn[9229]: /bin/ip route change dev tun1 192.168.54.4/11 proto 41 src 192.168.54.6
    2016:06:28-12:24:27 firewall openvpn[9229]: MANAGEMENT: Client disconnected
    2016:06:28-12:24:27 firewall openvpn[9229]: Linux ip route change failed: external program exited with error status: 2

    It is a simple and correct route change after the connection is established. So a standard action no longer works correctly.

  • Hello Bob,

    I've reinstalled from an ISO to version 9.355-1 and it works.

    Greetings

  • Hi folks,

    I've got news from support (in German):

    "That is a known bug in 9.404. So it is best to use IPsec site-to-site or wait until 9.405 is out; it should be fixed with that."

    Which means we should wait for 9.405.

    Greetings.

  • Hi Christian,

    Whenever a case is delayed or doesn't get updated within a day, please drop a tweet tagging @sophossupport. We can help you get the case escalated and get an instant follow-up.

    Please DM me the support# so that I can get an update on this issue.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Nearly one month since the "buggy" release and still no solution!?

  • Up2Date 9.405005 package out now, no solution, same error.
    (Site2Site SSL from UTM to UTM)

    Site2site SSL Live log, just open it, no connection active:
    2016:08:02-09:15:03 UTM_MPCA_DEMO openvpn[7305]: MANAGEMENT: Client disconnected
    2016:08:02-09:15:03 UTM_MPCA_DEMO openvpn[7305]: Linux ip route change failed: external program exited with error status: 2
    2016:08:02-09:15:03 UTM_MPCA_DEMO openvpn[7305]: Exiting due to fatal error

    Interface tun0 is totally missing.

    By the way, how do I install 9.403 if only the ISO for 9.404-5.1 is available, and that one is buggy?

    Hitting the update button kills the UTM. A backup file from 9.4 cannot be imported into 9.3, which is the only working ISO image available for that case.

    Does anyone have the ISO of the 9.403-4?

    Regards

  • Hi All,

    the engineering team is working on a fix for this issue. Unfortunately the fix was not ready in time to make it into the 9.405 maintenance release; the issue will be resolved with the next maintenance update.

    Jan