SSL VPN: remotely authenticated (ADDS) but VPN fails

Hi,

One of our recently created users cannot use SSL VPN. We use Microsoft ADDS; users are imported & created through the console manually ("Prefetch Directory Users").

On dial-up, the authentication service returns success...

2017:03:10-10:47:27 <firewall name> aua[18096]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="<IP address>" host="" user="<ADDS user name>" caller="openvpn" engine="adirectory"

...but the SSL VPN client & live log say otherwise:

2017:03:10-10:47:28 <firewall name> openvpn[7324]: <IP address>:54521 TLS Auth Error: --client-config-dir authentication failed for common name '<ADDS user name>' file='/etc/openvpn/conf.d/<ADDS user name>'

There are users created both before and after this user which work perfectly.

We are running an SG230 (9.411-3).

Does anyone have an idea how to approach this issue?

Thanks so much in advance!

  • We started having the same problem with one of our clients on Friday. 

  • Hi, Ian, and welcome to the UTM Community!

    "TLS Auth Error" - What happens if you re-install the client in that device?  Or, can another user sign in from that device?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • We have the same problem. Another user can connect via the device. The problem is user-related. Does anyone have a solution?

  • Hi, Sven, and welcome to the UTM Community!

    Did you try my suggestion above?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    This is not a client problem. I can connect on the same client with different users. But new users cannot connect from any client.

    kind regards

    Sven

  • Has there been a change in the CA used to generate the certificates for new users?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • No, there were no changes to the CA or any certificate.

    Here are some excerpts of the log files (with different IP addresses and usernames):

    aua.log:

    2017:05:23-15:41:14 dwasophos-1 aua[4314]: id="3006" severity="info" sys="System" sub="auth" name="Running _cleanup_up_children with max_run_time: 23"
    2017:05:23-15:41:14 dwasophos-1 aua[4314]: id="3006" severity="info" sys="System" sub="auth" name="Child 30267 is running too long. Terminating child"
    2017:05:23-15:41:14 dwasophos-1 aua[30328]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.20.4 (adirectory)"
    2017:05:23-15:41:14 dwasophos-1 aua[30328]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="94.79.xxx.xxx" host="" user="USERNAME" caller="openvpn" engine="adirectory"
     
     
    openvpn.log:
    2017:05:23-15:41:12 dwasophos-1 openvpn[9070]: TCP connection established with [AF_INET]94.79.xxx.xxx:51374 (via [AF_INET]195.145.xxx.xxx:443)
    2017:05:23-15:41:13 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 TLS: Initial packet from [AF_INET]94.79.xxx.xxx:51374 (via [AF_INET]195.145.xxx.xxx:443), sid=172d19bf 1a37bd03
    2017:05:23-15:41:14 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 VERIFY OK: depth=0, C=de, L=Hennef, O=Company, CN=Username, emailAddress=username@company.de
    2017:05:23-15:41:14 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 VERIFY OK: depth=1, C=de, L=Hennef, O=Company, CN=CompanyVPN CA, emailAddress=edvorg@company.de
    2017:05:23-15:41:14 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 VERIFY OK: depth=1, C=de, L=Hennef, O=Company, CN=CompanyVPN CA, emailAddress=edvorg@company.de
    2017:05:23-15:41:14 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 VERIFY OK: depth=0, C=de, L=Hennef, O=Company, CN=Username, emailAddress=username@company.de
    2017:05:23-15:41:14 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
    2017:05:23-15:41:14 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 TLS: Username/Password authentication deferred for username 'username' [CN SET]
    2017:05:23-15:41:14 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    2017:05:23-15:41:14 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    2017:05:23-15:41:14 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    2017:05:23-15:41:14 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    2017:05:23-15:41:14 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    2017:05:23-15:41:14 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 [username] Peer Connection Initiated with [AF_INET]94.79.xxx.xxx:51374 (via [AF_INET]195.145.xxx.xxx:443)
    2017:05:23-15:41:15 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 TLS Auth Error: --client-config-dir authentication failed for common name 'username' file='/etc/openvpn/conf.d/username'
    2017:05:23-15:41:16 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 PUSH: Received control message: 'PUSH_REQUEST'
    2017:05:23-15:41:16 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 Delayed exit in 5 seconds
    2017:05:23-15:41:16 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 SENT CONTROL [username]: 'AUTH_FAILED' (status=1)
    2017:05:23-15:41:17 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 Connection reset, restarting [0]
    2017:05:23-15:41:17 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 SIGUSR1[soft,connection-reset] received, client-instance restarting
  • Hi Sven,

    Just one thought. Is it possible that users exist twice on the UTM: one synced AD account and one local account with the same name? Have you checked this?

    regards

    mod

  • Hi,

    No, this is not the problem. We have no local accounts on the UTM.

    regards Sven

  • Hello all, this appears to be some kind of corruption of the user in the UTM, and the fix (temporary, until Sophos fixes the underlying issue) is to delete the user object and resync it.

     

    These steps worked for me for fixing the VPN of one of our users who was affected by this issue:

    1. Delete the user in the UTM.
    2. Recreate the user account by choosing "Prefetch Now" in Definitions & Users > Authentication Services > Advanced > Prefetch Now. It may take a few minutes for this process to complete before the user account is recreated.
    3. Download the SSL VPN configuration files. You can choose the option for just the configuration files if the VPN client is already installed on the client computer.
    4. The VPN configuration files are stored in the client computer at "C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config". Delete the folder that matches the user and replace it with the extracted config files from step 3.
    5. The user should now be able to connect to the VPN.
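Before applying the steps above it helps to know which accounts are actually affected. The following is an added example (not from this thread or from Sophos) that correlates the two UTM logs quoted earlier: an aua "Authentication successful" for caller="openvpn" followed within a few seconds by the OpenVPN "--client-config-dir authentication failed" line from the same source IP. The sample lines are constructed from the excerpts above; the names and addresses are placeholders.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the thread's aua.log / openvpn.log excerpts.
AUA_LOG = """\
2017:05:23-15:41:14 dwasophos-1 aua[30328]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.20.4 (adirectory)"
2017:05:23-15:41:14 dwasophos-1 aua[30328]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="94.79.0.1" host="" user="jdoe" caller="openvpn" engine="adirectory"
2017:05:23-15:42:02 dwasophos-1 aua[30400]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="94.79.0.2" host="" user="asmith" caller="openvpn" engine="adirectory"
"""
OPENVPN_LOG = """\
2017:05:23-15:41:14 dwasophos-1 openvpn[9070]: 94.79.0.1:51374 TLS: Username/Password authentication deferred for username 'jdoe' [CN SET]
2017:05:23-15:41:15 dwasophos-1 openvpn[9070]: 94.79.0.1:51374 TLS Auth Error: --client-config-dir authentication failed for common name 'jdoe' file='/etc/openvpn/conf.d/jdoe'
2017:05:23-15:41:16 dwasophos-1 openvpn[9070]: 94.79.0.1:51374 SENT CONTROL [jdoe]: 'AUTH_FAILED' (status=1)
2017:05:23-15:42:03 dwasophos-1 openvpn[9070]: 94.79.0.2:51380 [asmith] Peer Connection Initiated with [AF_INET]94.79.0.2:51380 (via [AF_INET]195.145.0.1:443)
"""

TS = r"(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})"
# aua: directory auth succeeded for an OpenVPN login (id 3004, caller="openvpn").
AUA_OK = re.compile(TS + r' .*?aua\[\d+\]: .*?name="Authentication successful" '
                    r'srcip="(?P<ip>[^"]*)".*?user="(?P<user>[^"]*)" caller="openvpn"')
# openvpn: per-user client-config-dir file lookup failed for the certificate CN.
CCD_FAIL = re.compile(TS + r" .*?openvpn\[\d+\]: (?P<ip>[\d.]+):\d+ TLS Auth Error: "
                      r"--client-config-dir authentication failed for common name "
                      r"'(?P<cn>[^']*)' file='(?P<file>[^']*)'")

def parse_ts(s):
    return datetime.strptime(s, "%Y:%m:%d-%H:%M:%S")

def parse_aua_successes(text):
    """(timestamp, srcip, user) for every successful OpenVPN directory auth."""
    return [(parse_ts(m["ts"]), m["ip"], m["user"].lower())
            for m in (AUA_OK.search(l) for l in text.splitlines()) if m]

def parse_ccd_failures(text):
    """(timestamp, ip, cn, ccd_file) for every client-config-dir failure."""
    return [(parse_ts(m["ts"]), m["ip"], m["cn"].lower(), m["file"])
            for m in (CCD_FAIL.search(l) for l in text.splitlines()) if m]

def affected_users(aua_text, openvpn_text, window_s=10):
    """Users whose AD auth succeeded but whose client-config-dir lookup then
    failed from the same source IP within window_s seconds: the pattern in
    this thread. Returns {username: ccd_file}. Names compared case-insensitively."""
    successes = parse_aua_successes(aua_text)
    hits = {}
    for f_ts, f_ip, cn, path in parse_ccd_failures(openvpn_text):
        for s_ts, s_ip, user in successes:
            if user == cn and s_ip == f_ip and 0 <= (f_ts - s_ts).total_seconds() <= window_s:
                hits[cn] = path
    return hits
```

Run it against real /var/log/aua.log and /var/log/openvpn.log contents and every name it returns is a candidate for the delete-and-prefetch procedure; a user who only appears in aua successes (asmith in the sample) is working normally.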