
SSL VPN Client not working after Update to 9.404-5SSL

Hello Guys,

Unfortunately I am not able to use the SSL VPN on Windows & iOS devices anymore.

The VPN connection is successfully established, but it looks like nothing arrives at the gateway; the Live Log stays empty.

The local routes are set correctly by the client.

I didn't change any firewall rule. I simply do not know why; I have tried creating a new local user / new SSL VPN profile, but nothing helped.

Does any of you have a solution? I've read about site-to-site issues as well.



  • Please post logs from the client.


    I have also updated to 9.404-5 and have no problems with SSL VPN logins.

    greets

    zaphod
    ___________________________________________

    Home: Zotac CI321 (8GB RAM / 120GB SSD)  with latest Sophos UTM
    Work: 2 SG430 Cluster / many other models like SG105/SG115/SG135/SG135w/...

  • Wed Jul 13 15:12:25 2016 DEPRECATED OPTION: --tls-remote, please update your configuration
    Wed Jul 13 15:12:25 2016 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Apr 28 2016
    Wed Jul 13 15:12:25 2016 library versions: OpenSSL 1.0.1s  1 Mar 2016, LZO 2.09
    Wed Jul 13 15:12:25 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Wed Jul 13 15:12:25 2016 Need hold release from management interface, waiting...
    Wed Jul 13 15:12:25 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Wed Jul 13 15:12:25 2016 MANAGEMENT: CMD 'state on'
    Wed Jul 13 15:12:25 2016 MANAGEMENT: CMD 'log all on'
    Wed Jul 13 15:12:25 2016 MANAGEMENT: CMD 'hold off'
    Wed Jul 13 15:12:25 2016 MANAGEMENT: CMD 'hold release'
    Wed Jul 13 15:12:28 2016 MANAGEMENT: CMD 'username "Auth" "xxx"'
    Wed Jul 13 15:12:28 2016 MANAGEMENT: CMD 'password [...]'
    Wed Jul 13 15:12:29 2016 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Wed Jul 13 15:12:29 2016 Attempting to establish TCP connection with [AF_INET]xxx [nonblock]
    Wed Jul 13 15:12:29 2016 MANAGEMENT: >STATE:1468415549,TCP_CONNECT,,,,,,
    Wed Jul 13 15:12:30 2016 TCP connection established with [AF_INET]xxx:443
    Wed Jul 13 15:12:30 2016 TCPv4_CLIENT link local: [undef]
    Wed Jul 13 15:12:30 2016 TCPv4_CLIENT link remote: [AF_INET]xxx:443
    Wed Jul 13 15:12:30 2016 MANAGEMENT: >STATE:1468415550,WAIT,,,,,,
    Wed Jul 13 15:12:30 2016 MANAGEMENT: >STATE:1468415550,AUTH,,,,,,
    Wed Jul 13 15:12:30 2016 TLS: Initial packet from [AF_INET]xxx:443, sid=2531f603 71c7df67
    Wed Jul 13 15:12:30 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Wed Jul 13 15:12:30 2016 VERIFY OK: depth=1, C=de, xxx
    Wed Jul 13 15:12:30 2016 VERIFY X509NAME OK: C=de, xxx
    Wed Jul 13 15:12:30 2016 VERIFY OK: depth=0, C=de, xxx
    Wed Jul 13 15:12:31 2016 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Wed Jul 13 15:12:31 2016 Data Channel Encrypt: Using 128 bit message hash 'MD5' for HMAC authentication
    Wed Jul 13 15:12:31 2016 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Wed Jul 13 15:12:31 2016 Data Channel Decrypt: Using 128 bit message hash 'MD5' for HMAC authentication
    Wed Jul 13 15:12:31 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Wed Jul 13 15:12:31 2016 [gw1.xxx.local] Peer Connection Initiated with [AF_INET]xxx:443
    Wed Jul 13 15:12:32 2016 MANAGEMENT: >STATE:1468415552,GET_CONFIG,,,,,,
    Wed Jul 13 15:12:33 2016 SENT CONTROL [gw1.xxx.local]: 'PUSH_REQUEST' (status=1)
    Wed Jul 13 15:12:33 2016 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.242.2.1,route-gateway 10.242.2.1,topology subnet,ping 10,ping-restart 120,route 192.168.111.0 255.255.255.0,dhcp-option DNS 192.168.111.10,dhcp-option WINS 192.168.111.10,dhcp-option DOMAIN xxx.local,ifconfig 10.242.2.6 255.255.255.0'
    Wed Jul 13 15:12:33 2016 OPTIONS IMPORT: timers and/or timeouts modified
    Wed Jul 13 15:12:33 2016 OPTIONS IMPORT: --ifconfig/up options modified
    Wed Jul 13 15:12:33 2016 OPTIONS IMPORT: route options modified
    Wed Jul 13 15:12:33 2016 OPTIONS IMPORT: route-related options modified
    Wed Jul 13 15:12:33 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Wed Jul 13 15:12:33 2016 ROUTE_GATEWAY 192.168.2.1/255.255.255.0 I=12 HWADDR=90:1b:0e:xxx
    Wed Jul 13 15:12:33 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Wed Jul 13 15:12:33 2016 MANAGEMENT: >STATE:1468415553,ASSIGN_IP,,10.242.2.6,,,,
    Wed Jul 13 15:12:33 2016 open_tun, tt->ipv6=0
    Wed Jul 13 15:12:33 2016 TAP-WIN32 device [LAN-Verbindung 3] opened: \\.\Global\{7AE904F6-A858-40FE-8550-01C1F2A0E3EC}.tap
    Wed Jul 13 15:12:33 2016 TAP-Windows Driver Version 9.21
    Wed Jul 13 15:12:33 2016 Set TAP-Windows TUN subnet mode network/local/netmask = 10.242.2.0/10.242.2.6/255.255.255.0 [SUCCEEDED]
    Wed Jul 13 15:12:33 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.242.2.6/255.255.255.0 on interface {7AE904F6-A858-40FE-8550-01C1F2A0E3EC} [DHCP-serv: 10.242.2.254, lease-time: 31536000]
    Wed Jul 13 15:12:33 2016 Successful ARP Flush on interface [22] {7AE904F6-A858-40FE-8550-01C1F2A0E3EC}
    Wed Jul 13 15:12:37 2016 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
    Wed Jul 13 15:12:37 2016 MANAGEMENT: >STATE:1468415557,ADD_ROUTES,,,,,,
    Wed Jul 13 15:12:37 2016 C:\Windows\system32\route.exe ADD xxx MASK 255.255.255.255 192.168.2.1
    Wed Jul 13 15:12:37 2016 Route addition via service succeeded
    Wed Jul 13 15:12:37 2016 C:\Windows\system32\route.exe ADD 192.168.111.0 MASK 255.255.255.0 10.242.2.1
    Wed Jul 13 15:12:37 2016 Route addition via service succeeded
    Wed Jul 13 15:12:37 2016 Initialization Sequence Completed
    Wed Jul 13 15:12:37 2016 MANAGEMENT: >STATE:1468415557,CONNECTED,SUCCESS,10.242.2.6,xxx,443,192.168.2.12,61272

    That is the log from the client successfully connecting.


    I am not able to ping, for example, the gateway at 192.168.111.1.


    Everything worked well before the update. I updated 6 machines at the same time, but only 1 of them got that problem.
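    Added example, not from the thread and not Sophos or OpenVPN code: a small Python parser for an OpenVPN client log like the one pasted above. It pulls out the PUSH_REPLY options, the routes the service actually installed and the final CONNECTED state, and from that decides whether the client side is complete (handshake, assigned address, every pushed route present); it also collects the hygiene warnings the log already carries (the deprecated --tls-remote option, the password-caching warning, and the MD5 HMAC on the data channel). The sample lines are copied from the log above with the poster's own xxx redactions; the failure variant "Route addition via service failed" is assumed to be OpenVPN's wording and does not appear in the post.

```python
"""Parse an OpenVPN 2.3 client log and summarise what it proves.

Added example, not code from the thread or from Sophos/OpenVPN.
SAMPLE_LOG is a subset of the poster's log with the same 'xxx' redactions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
Wed Jul 13 15:12:25 2016 DEPRECATED OPTION: --tls-remote, please update your configuration
Wed Jul 13 15:12:25 2016 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Apr 28 2016
Wed Jul 13 15:12:30 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Jul 13 15:12:30 2016 VERIFY OK: depth=1, C=de, xxx
Wed Jul 13 15:12:30 2016 VERIFY OK: depth=0, C=de, xxx
Wed Jul 13 15:12:31 2016 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jul 13 15:12:31 2016 Data Channel Encrypt: Using 128 bit message hash 'MD5' for HMAC authentication
Wed Jul 13 15:12:31 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Jul 13 15:12:33 2016 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.242.2.1,route-gateway 10.242.2.1,topology subnet,ping 10,ping-restart 120,route 192.168.111.0 255.255.255.0,dhcp-option DNS 192.168.111.10,dhcp-option WINS 192.168.111.10,dhcp-option DOMAIN xxx.local,ifconfig 10.242.2.6 255.255.255.0'
Wed Jul 13 15:12:37 2016 C:\\Windows\\system32\\route.exe ADD xxx MASK 255.255.255.255 192.168.2.1
Wed Jul 13 15:12:37 2016 Route addition via service succeeded
Wed Jul 13 15:12:37 2016 C:\\Windows\\system32\\route.exe ADD 192.168.111.0 MASK 255.255.255.0 10.242.2.1
Wed Jul 13 15:12:37 2016 Route addition via service succeeded
Wed Jul 13 15:12:37 2016 Initialization Sequence Completed
Wed Jul 13 15:12:37 2016 MANAGEMENT: >STATE:1468415557,CONNECTED,SUCCESS,10.242.2.6,xxx,443,192.168.2.12,61272
"""

# "Wed Jul 13 15:12:25 2016 <message>" -> capture <message>
TS_RE = re.compile(r"^\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4} (.*)$")


@dataclass
class VpnSession:
    deprecated_options: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)
    data_cipher: Optional[str] = None
    data_hmac: Optional[str] = None
    control_channel: Optional[str] = None
    pushed: Dict[str, List[str]] = field(default_factory=dict)  # option -> arguments
    routes_added: List[Tuple[str, str, str, bool]] = field(default_factory=list)  # dest, mask, gw, ok
    assigned_ip: Optional[str] = None
    connected: bool = False


def parse_log(text: str) -> VpnSession:
    """Walk the log once and fill a VpnSession from the lines we care about."""
    s = VpnSession()
    pending_route = None  # route.exe ADD seen, waiting for its succeeded/failed line
    for raw in text.splitlines():
        m = TS_RE.match(raw)
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("DEPRECATED OPTION:"):
            s.deprecated_options.append(msg.split()[2].rstrip(","))
        elif msg.startswith("WARNING:"):
            s.warnings.append(msg[len("WARNING: "):])
        elif msg.startswith("Data Channel Encrypt: Cipher"):
            s.data_cipher = re.search(r"Cipher '([^']+)'", msg).group(1)
        elif msg.startswith("Data Channel Encrypt: Using"):
            s.data_hmac = re.search(r"hash '([^']+)'", msg).group(1)
        elif msg.startswith("Control Channel:"):
            s.control_channel = msg[len("Control Channel: "):]
        elif msg.startswith("PUSH: Received control message:"):
            body = re.search(r"'PUSH_REPLY,(.*)'", msg).group(1)
            for opt in body.split(","):
                name, _, args = opt.partition(" ")
                s.pushed.setdefault(name, []).append(args)
        elif "route.exe ADD " in msg:
            dest, _mask_kw, mask, gw = msg.split("route.exe ADD ", 1)[1].split()[:4]
            pending_route = (dest, mask, gw)
        elif msg.startswith("Route addition via service") and pending_route:
            s.routes_added.append(pending_route + ("succeeded" in msg,))
            pending_route = None
        elif msg.startswith("MANAGEMENT: >STATE:"):
            fields = msg.split(">STATE:", 1)[1].split(",")
            if len(fields) > 3 and fields[1] == "CONNECTED":
                s.connected = True
                s.assigned_ip = fields[3]
    return s


def hygiene_findings(s: VpnSession) -> List[str]:
    """Configuration points a defender would want fixed, taken from the log itself."""
    findings = [f"deprecated option {o} still present in the client config" for o in s.deprecated_options]
    findings += [f"client warning: {w}" for w in s.warnings]
    if s.data_hmac and s.data_hmac.upper() == "MD5":
        findings.append("data channel HMAC uses MD5; a SHA-2 digest is preferable")
    return findings


def troubleshooting_summary(s: VpnSession) -> dict:
    """Did the client do its part?  If yes, a silent gateway log points at the gateway side."""
    installed = {f"{d} {m}" for d, m, _gw, ok in s.routes_added if ok}
    missing = [r for r in s.pushed.get("route", []) if r not in installed]
    return {
        "connected": s.connected,
        "assigned_ip": s.assigned_ip,
        "missing_routes": missing,
        "client_side_ok": s.connected and s.assigned_ip is not None and not missing,
    }


if __name__ == "__main__":
    session = parse_log(SAMPLE_LOG)
    print(troubleshooting_summary(session))
    for line in hygiene_findings(session):
        print("-", line)
```

    Run against the pasted log the summary reports the tunnel as connected with 10.242.2.6 assigned and no pushed route missing, which is the same reading zaphod gives below: the client side is complete, so an empty gateway Live Log has to be explained on the gateway. The findings list is a by-product worth acting on regardless of the routing problem.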

  • For me the client log seems OK. If you updated 6 machines and one got the problem, I think that's a case for Sophos support...

    greets

    zaphod
    ___________________________________________

    Home: Zotac CI321 (8GB RAM / 120GB SSD)  with latest Sophos UTM
    Work: 2 SG430 Cluster / many other models like SG105/SG115/SG135/SG135w/...

  • Hello Guys,


    I've tried downloading and replacing the local OpenVPN config file several times, but that didn't help.

    So I simply changed some of the advanced SSL settings, such as key size and encryption algorithm, and applied these "new ones".

    After that I updated my local config file, and it worked well. After restoring the original settings and updating the local config again, everything works fine.

    So there is no need to re-create users or profiles.

    Greetings from Bavaria,