SSL VPN: DEPRECATED OPTION: -tls-remote?

Hello everybody,

I've stumbled upon a strange problem last Saturday: One of our sales people was unable to establish a VPN connection to our main office using the SSL VPN client.

He sent me a screenshot of the log file and what piqued my interest was the following error message:

DEPRECATED OPTION -tls-remote, please update your configuration

The actual cause of his inability to connect seemed to be a DNS issue. His PC was unable to resolve the public hostname of our SG430 cluster.

Unfortunately, I was not directly involved with the troubleshooting.

He uninstalled the SSL client from his machine, redownloaded the VPN profile from the user portal and was able to connect.

When I checked the original SSL config file and the file he redownloaded from the UTM, the tls-remote option was indeed missing from the redownloaded config file.

I then went ahead and checked my own profile on my machine and the tls-remote option was still present.

I don't have any problems connecting to our VPN and there also aren't any error messages regarding this deprecated option in my log file.

I also redownloaded my VPN profile from the user portal and the tls-remote option is no longer present.

So I'm assuming that some firmware update in the last few months removed the option from all profiles?

I'm unsure what to do at this point: Can I simply ignore this configuration change or do I need to redeploy all VPN profiles to all our users to prevent issues with this deprecated option?

 

Thanks in advance,

Dominik



  • Hallo Dominik,

    This changed over a year ago with 9.500 or 9.501.  You might run the version command to see when those were installed on your UTM.  Any new configs loaded since then should have no problem.  If a user runs into this problem, another option is to change their ovpn config file, replacing "tls-remote" with "verify-x509-name" and saving the file.  The newer config files also have a different structure, so a new install at the user's convenience would be my preference.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
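
The config edit described in the reply above, as an added example (not written by the thread's participants or by Sophos): a Python function that swaps an active "tls-remote" directive for "verify-x509-name" in the text of an .ovpn file. The function name, sample config and hostnames are constructed for illustration. Arguments that are a bare name rather than a subject DN are left untouched and flagged, because "verify-x509-name" compares against the full subject DN unless a type argument is given.

```python
import re

# An active (uncommented) tls-remote directive: indent, keyword, gap, argument.
_TLS_REMOTE = re.compile(r'^(\s*)tls-remote(\s+)(.+?)\s*$')

# Constructed sample profile; names and hosts are placeholders.
SAMPLE = '''client
dev tun
remote vpn.example.com 443
# tls-remote "kept as a comment"
tls-remote "C=de, L=Example, O=Example GmbH, CN=vpn.example.com"
'''

def migrate_ovpn(text):
    """Return (new_text, notes) for one .ovpn profile.

    Directives whose argument looks like a subject DN (contains '=') are
    rewritten to verify-x509-name with the same argument, so the server
    certificate check is preserved. Bare names are only reported: they need
    an explicit type ('name' or 'name-prefix') chosen by an administrator.
    """
    out, notes = [], []
    for n, line in enumerate(text.splitlines(), 1):
        m = _TLS_REMOTE.match(line)
        if not m:
            out.append(line)          # comments and other directives pass through
            continue
        indent, gap, arg = m.groups()
        if "=" in arg:
            out.append(f"{indent}verify-x509-name{gap}{arg}")
            notes.append(f"line {n}: rewritten to verify-x509-name")
        else:
            out.append(line)          # do not guess the match type
            notes.append(f"line {n}: bare name, review manually")
    return "\n".join(out) + "\n", notes

def still_deprecated(text):
    """True if any active tls-remote directive remains."""
    return any(_TLS_REMOTE.match(l) for l in text.splitlines())

if __name__ == "__main__":
    new_text, notes = migrate_ovpn(SAMPLE)
    print(new_text)
    print("\n".join(notes))
```

Dropping the directive outright would also silence the warning, but the client would then no longer check the server certificate's name, so the rewrite keeps the argument intact.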