SSL VPN: remotely authenticated (ADDS) but VPN fails

Question

Hi,

one of our recently created users cannot use SSL VPN. We use Microsoft ADDS, users are imported & created through the console manually ("Prefetch Directory Users").

On dial-up authentication services return success...

2017:03:10-10:47:27 <firewall name> aua[18096]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="<IP address>" host="" user="<ADDS user name>" caller="openvpn" engine="adirectory"

...but the SSL VPN client & live log say otherwise:

2017:03:10-10:47:28 <firewall name> openvpn[7324]: <IP address>:54521 TLS Auth Error: --client-config-dir authentication failed for common name '<ADDS user name>' file='/etc/openvpn/conf.d/<ADDS user name>'

There have been users created before and after this user was created which run perfectly.

We are running an SG230 (9.411-3).

Does anyone have an idea how to approach this issue?

Thanks so much in advance!

This thread was automatically locked due to age.

Reilly Brogan · Answer

Hello all, this appears to be some kind of corruption of the user in the UTM and the (temporary until Sophos fixes the underlying issue) fix is to delete the user object and resync them. 
 
 These steps worked for me for fixing the VPN of one of our users who was affected by this issue: 
 
 Delete the user in the UTM. 
 Recreate the user account by choosing "Prefetch Now" in Definitions & Users > Authentication Services > Advanced > Prefetch Now. It may take a few minutes for this process to complete before the user account is recreated. 
 Download the SSL VPN configuration files. You can choose the option for just the configuration files if the VPN client is already installed on the client computer. 
 The VPN configuration files are stored in the client computer at "C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config". Delete the folder that matches the user and replace it with the extracted config files from step 3. 
 The user should now be able to connect to the VPN.

SvenLinxweiler · Answer

We get some answer from our distributor. Its a bug in the sophos utm firmware and the sophos open vpn client. A workaround is using the standard openvpn client and import the sophos vpn config. 
 Since UpDate 9.501005 the bug is fixed by sophos: 
 Fix [NUTM-7157]: [Access & Identity] VPN users not being created when backend AD group is used