no routing after Update 9.409-9 Cisco VPN

Question

We use the "Cisco VPN client" feature for connection iPhones to the company network. 
 All worked perfect. Since the update 9.409-9 no traffic is routed through the vpn. 
 The vpn connection is establishing and shows no errors, but every connection from the iPhones is timed out. I can't ping trough the vpn. 
 Is there a bug in the 9.409-9 update?

HolgerLehn · Accepted Answer

Fred, just found out that the knowledge base article is not complete - I will organize an update of the KBA. 
 
 please try the following commandline and report if this solves your problem. 
 cc change_object REF_IPsecPolicyCisco ipsec_auth_alg sha2_256_96 Thank you in advance Regards, Holger

Alex Hee · Answer

I had the same issue. What I did is restore my configuration in Management - Backup/Restore to old version then it works again.

sachingurung · Answer

Hi, 
 Try the suggestion from Alex and let us know if that helped you. 
 The issue is also reported a BUG under the ID NUTM-6375. If the backup upload solves it, I think the issue is more inclined towards the configurations sync from older to latest firmware. 
 Thanks

HolgerLehn · Answer

Hi, 
 there are two different ways the SHA2 hashes are truncated for L2TP / IPSec RemoteAccess VPN by various manufacturers. One way is the official RFC defined way to handle SHA2 and the other one is the GOOGLE way. In the GOOGLE way a truncation after 96 bits is happening. 
 If you have connections problems with a mobile device, Check the knowledge base article https://community.sophos.com/kb/en-us/125796 to get further information. Other customers have been able to solve their problem by adapting the policy ("SHA2 256" or "SHA 256 96bit" or by using the command line option. 
 We are working on a solution to support both ways at the same. 
 Greetings 
 Holger

HolgerLehn · Answer

Tobias, 
 thank you for your feedback. 
 
 Greetings 
 Holger