SSL VPN: remotely authenticated (ADDS) but VPN fails

Hi,

One of our recently created users cannot use SSL VPN. We use Microsoft ADDS; users are imported and created manually through the console ("Prefetch Directory Users").

On dial-up, the authentication services return success...

2017:03:10-10:47:27 <firewall name> aua[18096]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="<IP address>" host="" user="<ADDS user name>" caller="openvpn" engine="adirectory"

...but the SSL VPN client & live log say otherwise:

2017:03:10-10:47:28 <firewall name> openvpn[7324]: <IP address>:54521 TLS Auth Error: --client-config-dir authentication failed for common name '<ADDS user name>' file='/etc/openvpn/conf.d/<ADDS user name>'

Users created before and after this user work perfectly.

We are running an SG230 (9.411-3).

Does anyone have an idea how to approach this issue?

Thanks so much in advance!

  • We have the same problem. Another user can connect via device. The problem is user related. Does anyone have a solution?

  • Hi, Sven, and welcome to the UTM Community!

    Did you try my suggestion above?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    This is not a client problem. I can connect on the same client with different users. But new users cannot connect from any client.

    Kind regards

    Sven

  • Has there been a change in the CA used to generate the certificates for new users?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • No, there were no changes to the CA or any certificate.

    Here are some excerpts from the log files (with different IP addresses and usernames):

    aua.log:

    2017:05:23-15:41:14 dwasophos-1 aua[4314]: id="3006" severity="info" sys="System" sub="auth" name="Running _cleanup_up_children with max_run_time: 23"
    2017:05:23-15:41:14 dwasophos-1 aua[4314]: id="3006" severity="info" sys="System" sub="auth" name="Child 30267 is running too long. Terminating child"
    2017:05:23-15:41:14 dwasophos-1 aua[30328]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.20.4 (adirectory)"
    2017:05:23-15:41:14 dwasophos-1 aua[30328]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="94.79.xxx.xxx" host="" user="USERNAME" caller="openvpn" engine="adirectory"

    openvpn.log:

    2017:05:23-15:41:12 dwasophos-1 openvpn[9070]: TCP connection established with [AF_INET]94.79.xxx.xxx:51374 (via [AF_INET]195.145.xxx.xxx:443)
    2017:05:23-15:41:13 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 TLS: Initial packet from [AF_INET]94.79.xxx.xxx:51374 (via [AF_INET]195.145.xxx.xxx:443), sid=172d19bf 1a37bd03
    2017:05:23-15:41:14 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 VERIFY OK: depth=0, C=de, L=Hennef, O=Company, CN=Username, emailAddress=username@company.de
    2017:05:23-15:41:14 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 VERIFY OK: depth=1, C=de, L=Hennef, O=Company, CN=CompanyVPN CA, emailAddress=edvorg@company.de
    2017:05:23-15:41:14 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 VERIFY OK: depth=1, C=de, L=Hennef, O=Company, CN=CompanyVPN CA, emailAddress=edvorg@company.de
    2017:05:23-15:41:14 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 VERIFY OK: depth=0, C=de, L=Hennef, O=Company, CN=Username, emailAddress=username@company.de
    2017:05:23-15:41:14 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
    2017:05:23-15:41:14 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 TLS: Username/Password authentication deferred for username 'username' [CN SET]
    2017:05:23-15:41:14 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    2017:05:23-15:41:14 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    2017:05:23-15:41:14 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    2017:05:23-15:41:14 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    2017:05:23-15:41:14 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    2017:05:23-15:41:14 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 [username] Peer Connection Initiated with [AF_INET]94.79.xxx.xxx:51374 (via [AF_INET]195.145.xxx.xxx:443)
    2017:05:23-15:41:15 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 TLS Auth Error: --client-config-dir authentication failed for common name 'username' file='/etc/openvpn/conf.d/username'
    2017:05:23-15:41:16 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 PUSH: Received control message: 'PUSH_REQUEST'
    2017:05:23-15:41:16 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 Delayed exit in 5 seconds
    2017:05:23-15:41:16 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 SENT CONTROL [username]: 'AUTH_FAILED' (status=1)
    2017:05:23-15:41:17 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 Connection reset, restarting [0]
    2017:05:23-15:41:17 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 SIGUSR1[soft,connection-reset] received, client-instance restarting
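The two log excerpts above show the sequence that matters here: the directory backend (aua, id 3004) accepts the user, the client certificate verifies at depth 0 and depth 1, and OpenVPN then rejects the session with the --client-config-dir error. In OpenVPN that message is produced when the server runs with a client-config-dir in exclusive mode (--ccd-exclusive) and cannot find a regular file named after the certificate's common name in that directory; on the UTM that directory is /etc/openvpn/conf.d, as the log itself shows. So the first thing to check, before touching the CA or the client, is whether a file for the affected user exists there and whether its name matches the CN exactly. The script below is an added Python example, not code from this thread or from Sophos: it parses both log formats, correlates the aua success with the OpenVPN failure per user, and classifies the state of the ccd file. The log lines are constructed from the anonymised ones posted above, the function names are the example's own, and the file check runs against any directory you point it at (a copy of conf.d, or the temporary one built in the demo), so it can be tried off the appliance.

```python
"""Correlate UTM aua.log and openvpn.log lines for an SSL VPN user and check
the per-client file that OpenVPN's --client-config-dir expects.

Added example: the sample lines are constructed from the anonymised excerpts
in this thread; nothing here is Sophos code and the helper names are our own.
"""
import os
import re
import tempfile

# key="value" pairs as written by the UTM authentication agent (aua.log).
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# The OpenVPN error logged when the per-client file for a common name is unusable.
CCD_ERR_RE = re.compile(
    r"--client-config-dir authentication failed for common name "
    r"'(?P<cn>[^']*)' file='(?P<path>[^']*)'"
)

# Constructed sample input, modelled on the excerpts posted above.
SAMPLE_AUA = [
    '2017:05:23-15:41:14 dwasophos-1 aua[30328]: id="3006" severity="info" '
    'sys="System" sub="auth" name="Trying 192.168.20.4 (adirectory)"',
    '2017:05:23-15:41:14 dwasophos-1 aua[30328]: id="3004" severity="info" '
    'sys="System" sub="auth" name="Authentication successful" srcip="94.79.xxx.xxx" '
    'host="" user="username" caller="openvpn" engine="adirectory"',
]
SAMPLE_OVPN = [
    "2017:05:23-15:41:14 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 VERIFY OK: "
    "depth=0, C=de, L=Hennef, O=Company, CN=username, emailAddress=username@company.de",
    "2017:05:23-15:41:15 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 TLS Auth Error: "
    "--client-config-dir authentication failed for common name 'username' "
    "file='/etc/openvpn/conf.d/username'",
    "2017:05:23-15:41:16 dwasophos-1 openvpn[9070]: 94.79.xxx.xxx:51374 SENT CONTROL "
    "[username]: 'AUTH_FAILED' (status=1)",
]


def parse_aua(line):
    """Return the key/value fields of an aua.log line, or None if it is not one."""
    if " aua[" not in line:
        return None
    return dict(KV_RE.findall(line))


def aua_successes(lines):
    """Users for whom the directory backend reported success to the openvpn caller."""
    users = set()
    for line in lines:
        fields = parse_aua(line)
        if fields and fields.get("id") == "3004" and fields.get("caller") == "openvpn":
            users.add(fields["user"])
    return users


def ccd_failures(lines):
    """(common name, file path) pairs taken from OpenVPN's --client-config-dir errors."""
    return [(m.group("cn"), m.group("path"))
            for m in (CCD_ERR_RE.search(line) for line in lines) if m]


def find_ccd_entry(path):
    """Classify the per-client file OpenVPN looked for: 'ok', 'not-a-file',
    'case-mismatch' (an entry differs only in letter case) or 'missing'.
    The directory listing is compared by name so the result does not depend
    on whether the filesystem is case-sensitive."""
    parent, name = os.path.split(path)
    entries = os.listdir(parent) if os.path.isdir(parent) else []
    if name in entries:
        return "ok" if os.path.isfile(path) else "not-a-file"
    if any(entry.lower() == name.lower() for entry in entries):
        return "case-mismatch"
    return "missing"


def diagnose(aua_lines, ovpn_lines, ccd_root=None):
    """For every OpenVPN ccd failure, report whether the directory backend had
    already accepted that user and what state the ccd file is in. `ccd_root`
    redirects the file check to a copy of /etc/openvpn/conf.d. AD user names are
    case-insensitive, so the correlation lowercases both sides."""
    ok_users = {u.lower() for u in aua_successes(aua_lines)}
    findings = []
    for cn, path in ccd_failures(ovpn_lines):
        if ccd_root is not None:
            path = os.path.join(ccd_root, os.path.basename(path))
        findings.append({"cn": cn,
                         "directory_auth_ok": cn.lower() in ok_users,
                         "ccd_file": find_ccd_entry(path)})
    return findings


def demo(existing=("olduser",)):
    """Run the correlation against the constructed logs and a throw-away ccd
    directory that contains only the file names given in `existing`."""
    with tempfile.TemporaryDirectory() as ccd:
        for name in existing:
            open(os.path.join(ccd, name), "w").close()
        return diagnose(SAMPLE_AUA, SAMPLE_OVPN, ccd_root=ccd)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run on the appliance, `diagnose(aua, ovpn)` with no `ccd_root` checks the real /etc/openvpn/conf.d path taken from the error line. A finding of `directory_auth_ok: True` together with `ccd_file: missing` is exactly the pattern in the logs above: the password and certificate were both accepted, and the connection failed only because OpenVPN had no per-client file to apply.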