SSL VPN not working with Android devices

Hello @all,

I am having problems accessing my internal network through SSL VPN with my Android devices (Sony Xperia Z5 and Z4 Tablet, both with Android 6) and the OpenVPN app.

After connecting to the UTM I want to access an internal website or a server via RDP, but in the log a long chain of the following error appears:

"read TCP_Client[]: Connection refused (code=111)"

see this log:

2016-08-04 14:43:48 OpenVPN 2.4-icsopenvpn [git:icsopenvpn-b89b098fc66488b9] android-21-arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH] [IPv6] built on Jul 6 2016
2016-08-04 14:43:48 library versions: OpenSSL 1.0.2h 3 May 2016, LZO 2.09
2016-08-04 14:43:48 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2016-08-04 14:43:48 MANAGEMENT: CMD 'hold release'
2016-08-04 14:43:48 MANAGEMENT: CMD 'username 'Auth' Username'
2016-08-04 14:43:48 MANAGEMENT: CMD 'bytecount 2'
2016-08-04 14:43:48 MANAGEMENT: CMD 'state on'
2016-08-04 14:43:48 MANAGEMENT: CMD 'password [...]'
2016-08-04 14:43:48 MANAGEMENT: >STATE:1470314628,RESOLVE,,,,,,
2016-08-04 14:43:49 MANAGEMENT: CMD 'proxy NONE'
2016-08-04 14:43:50 WARNING: No server certificate verification method has been enabled. See openvpn.net/howto.html for more info.
2016-08-04 14:43:50 LZO compression initializing
2016-08-04 14:43:50 Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
2016-08-04 14:43:50 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
2016-08-04 14:43:50 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1556,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth MD5,keysize 128,key-method 2,tls-client'
2016-08-04 14:43:50 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1556,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-128-CBC,auth MD5,keysize 128,key-method 2,tls-server'
2016-08-04 14:43:50 TCP/UDP: Preserving recently used remote address: [AF_INET]MYEXTERNALIP:4343
2016-08-04 14:43:50 Socket Buffers: R=[26280->26280] S=[16384->16384]
2016-08-04 14:43:50 Attempting to establish TCP connection with [AF_INET]MYEXTERNALIP:4343 [nonblock]
2016-08-04 14:43:50 MANAGEMENT: >STATE:1470314630,TCP_CONNECT,,,,,,
2016-08-04 14:43:50 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2016-08-04 14:43:51 TCP connection established with [AF_INET]MYEXTERNALIP:4343
2016-08-04 14:43:51 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2016-08-04 14:43:51 TCP_CLIENT link local: (not bound)
2016-08-04 14:43:51 TCP_CLIENT link remote: [AF_INET]MYEXTERNALIP:4343
2016-08-04 14:43:51 MANAGEMENT: >STATE:1470314631,WAIT,,,,,,
2016-08-04 14:43:52 MANAGEMENT: >STATE:1470314632,AUTH,,,,,,
2016-08-04 14:43:52 TLS: Initial packet from [AF_INET]MYEXTERNALIP:4343, sid=105972f2 acc67284
2016-08-04 14:43:52 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2016-08-04 14:43:53 VERIFY OK: depth=1, C=de, L=Stadt, O=FIRMA, CN=FIRMA VPN CA, emailAddress=network@mydomain.de
2016-08-04 14:43:53 VERIFY OK: depth=0, C=de, L=Stadt, O=FIRMA, CN=ASTAROHOSTNAME, emailAddress=network@mydomain.de
2016-08-04 14:43:54 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2016-08-04 14:43:54 [ASTAROHOSTNAME] Peer Connection Initiated with [AF_INET]MYEXTERNALIP:4343
2016-08-04 14:43:55 MANAGEMENT: >STATE:1470314635,GET_CONFIG,,,,,,
2016-08-04 14:43:55 SENT CONTROL [ASTAROHOSTNAME]: 'PUSH_REQUEST' (status=1)
2016-08-04 14:43:56 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.242.2.1,route-gateway 10.242.2.1,topology subnet,ping 10,ping-restart 120,route 192.168.1.0 255.255.255.0,dhcp-option DNS 192.168.1.10,dhcp-option DNS 192.168.1.11,dhcp-option WINS 192.168.1.10,dhcp-option WINS 192.168.1.11,dhcp-option DOMAIN intern.mydomain.de,ifconfig 10.242.2.2 255.255.255.0'
2016-08-04 14:43:56 OPTIONS IMPORT: timers and/or timeouts modified
2016-08-04 14:43:56 OPTIONS IMPORT: --ifconfig/up options modified
2016-08-04 14:43:56 OPTIONS IMPORT: route options modified
2016-08-04 14:43:56 OPTIONS IMPORT: route-related options modified
2016-08-04 14:43:56 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2016-08-04 14:43:56 Data Channel MTU parms [ L:1556 D:1556 EF:56 EB:406 ET:0 EL:3 ]
2016-08-04 14:43:56 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
2016-08-04 14:43:56 Data Channel Encrypt: Using 128 bit message hash 'MD5' for HMAC authentication
2016-08-04 14:43:56 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
2016-08-04 14:43:56 Data Channel Decrypt: Using 128 bit message hash 'MD5' for HMAC authentication
2016-08-04 14:43:56 GDG: SIOCGIFHWADDR(lo) failed
2016-08-04 14:43:56 ROUTE_GATEWAY 127.100.103.119/255.0.0.0 IFACE=lo
2016-08-04 14:43:56 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2016-08-04 14:43:56 MANAGEMENT: >STATE:1470314636,ASSIGN_IP,,10.242.2.2,,,,
2016-08-04 14:43:56 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
2016-08-04 14:43:56 MANAGEMENT: >STATE:1470314636,ADD_ROUTES,,,,,,
2016-08-04 14:43:56 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2016-08-04 14:43:56 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2016-08-04 14:43:56 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2016-08-04 14:43:56 MANAGEMENT: CMD 'needok 'DNSDOMAIN' ok'
2016-08-04 14:43:56 MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' OPEN_BEFORE_CLOSE'
2016-08-04 14:43:56 opening Tun-Networkinterface:
2016-08-04 14:43:56 Local IPv4: 10.242.2.2/24 IPv6: null MTU: 1500
2016-08-04 14:43:56 DNS-Server: 192.168.1.10, 192.168.1.11, Domain: intern.mydomain.de
2016-08-04 14:43:56 Routes: 10.242.2.0/24, 192.168.1.0/24
2016-08-04 14:43:56 Excluded Routes:
2016-08-04 14:43:56 Installed VpnService-Routes: 10.242.2.0/24, 192.168.1.0/24
2016-08-04 14:43:56 MANAGEMENT: CMD 'needok 'OPENTUN' ok'
2016-08-04 14:43:56 Initialization Sequence Completed
2016-08-04 14:43:56 MANAGEMENT: >STATE:1470314636,CONNECTED,SUCCESS,10.242.2.2,MYEXTERNALIP,4343,10.143.21.196,46635
2016-08-04 14:44:08 read TCP_CLIENT []: Connection refused (code=111)
2016-08-04 14:44:08 read TCP_CLIENT []: Connection refused (code=111)
2016-08-04 14:44:09 read TCP_CLIENT []: Connection refused (code=111)
2016-08-04 14:44:09 read TCP_CLIENT []: Connection refused (code=111)
2016-08-04 14:44:09 read TCP_CLIENT []: Connection refused (code=111)
2016-08-04 14:44:09 read TCP_CLIENT []: Connection refused (code=111)
2016-08-04 14:44:09 read TCP_CLIENT []: Connection refused (code=111)
2016-08-04 14:44:09 read TCP_CLIENT []: Connection refused (code=111)
2016-08-04 14:44:11 read TCP_CLIENT []: Connection refused (code=111)
2016-08-04 14:44:11 read TCP_CLIENT []: Connection refused (code=111)
2016-08-04 14:44:13 read TCP_CLIENT []: Connection refused (code=111)
2016-08-04 14:44:13 read TCP_CLIENT []: Connection refused (code=111)
2016-08-04 14:44:14 read TCP_CLIENT []: Connection refused (code=111)
2016-08-04 14:44:14 read TCP_CLIENT []: Connection refused (code=111)
2016-08-04 14:44:14 read TCP_CLIENT []: Connection refused (code=111)
2016-08-04 14:44:14 read TCP_CLIENT []: Connection refused (code=111)
2016-08-04 14:44:14 read TCP_CLIENT []: Connection refused (code=111)
2016-08-04 14:44:14 read TCP_CLIENT []: Connection refused (code=111)
2016-08-04 14:44:14 read TCP_CLIENT []: Connection refused (code=111)

...

That "*** happens" since updating to 9.404-5 and has not been repaired with update 9.405.

Now you might say my UTM is not configured properly, but it is working with the same certificates and username on my Windows 10 laptop with the Sophos SSL VPN Client.

Does anybody have an idea how to solve this?

  • Hi,

    Oh!! I redirected to an incorrect thread. Sorry for the misdirection.

    EDIT - Unfortunately, I didn't find any relevant information on the case. I am still looking at it like a hawk. Meanwhile, can you please reimport the SSL configuration file on the Windows 7 system and check if you are able to access the internal resources?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • I read the topic, but it is about Sophos XG Firewall and not Sophos UTM. And there is also no fix available yet. Are you also working on the UTM side to solve the problem?

    ---

  • I edited the initial post, please take a look at it while I investigate the issue further.

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Ehm, once again:

    The problem is appearing on my Android devices and not on my Windows system. Can you please confirm that you want me to reimport a new config file into the Windows VPN clients and not into the Android app, which I did several times?! (I have Win10 Pro :))  Do you expect something specific from that?

    ---

  • Hi,

    Sorry, I meant to re-import the config file on the Android device. I did some R&D on this issue and did a test on an Android device. I connected through OpenVPN and took an RDP session to a system via the Microsoft RDP application available in the Play Store.

    The connection was successful and I found no issue. I also tried to get some information on the log line "read TCP_Client[]: Connection refused (code=111)"; unfortunately, I didn't get any concrete information on this. Not sure, but did you test this on a different Android device?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Well, I reimported the config several times on both devices without getting a working connection. I also reinstalled the VPN app several times. Today I took a Samsung S4 device, which could get a working VPN connection with the same VPN app and config. The device could connect to the internal website.

    EDIT: I could find the problem today: it was "Stamina Mode", which is a power-saving mode for Sony devices. When I connected the device to the power cable, the VPN was working, DNS requests could be resolved and the internal website was shown. When I disconnected power, the connection was still there, but the "Connection refused" errors came in the OpenVPN log. Really strange, because it can't be configured.

    ---
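A small triage script for OpenVPN client logs like the one in the first post, added here as an example and not part of the thread: it parses the management STATE lines, counts "Connection refused" reads that occur only after CONNECTED (the tunnel-up-then-socket-dies pattern that turned out to be device power saving), and flags the "No server certificate verification method" warning plus the MD5 HMAC and CBC cipher in the Local Options String. The log excerpt is constructed from the posted log, shortened, with the poster's MYEXTERNALIP placeholder kept.

```python
import re
# Constructed excerpt modelled on the OpenVPN for Android log in the first post
# (lines shortened; MYEXTERNALIP is the poster's own placeholder).
SAMPLE_LOG = """\
2016-08-04 14:43:50 WARNING: No server certificate verification method has been enabled. See openvpn.net/howto.html for more info.
2016-08-04 14:43:50 Local Options String (VER=V4): 'V4,dev-type tun,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth MD5,keysize 128,key-method 2,tls-client'
2016-08-04 14:43:53 VERIFY OK: depth=1, C=de, L=Stadt, O=FIRMA, CN=FIRMA VPN CA, emailAddress=network@mydomain.de
2016-08-04 14:43:56 MANAGEMENT: >STATE:1470314636,CONNECTED,SUCCESS,10.242.2.2,MYEXTERNALIP,4343,10.143.21.196,46635
2016-08-04 14:44:08 read TCP_CLIENT []: Connection refused (code=111)
2016-08-04 14:44:09 read TCP_CLIENT []: Connection refused (code=111)
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")
STATE_RE = re.compile(r">STATE:\d+,([A-Z_]+)")
OPTS_RE = re.compile(r"Local Options String .*?'([^']*)'")
REFUSED = "Connection refused (code=111)"

def triage(log_text):
    """Summarise an OpenVPN client log: state transitions, reads refused after
    CONNECTED, and configuration findings a reviewer would flag."""
    states, findings = [], []
    connected_at, first_refused, refused = None, None, 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m.groups()
        sm = STATE_RE.search(msg)
        if sm:
            states.append(sm.group(1))
            if sm.group(1) == "CONNECTED":
                connected_at = ts
        if "No server certificate verification method" in msg:
            # CA chain verifies, but nothing pins the peer as a *server* cert
            findings.append("no server-certificate role/name check (remote-cert-tls server)")
        om = OPTS_RE.search(msg)
        if om:
            opts = dict(o.split(" ", 1) for o in om.group(1).split(",") if " " in o)
            if opts.get("auth") == "MD5":
                findings.append("HMAC auth MD5; prefer SHA256")
            if opts.get("cipher", "").endswith("-CBC"):
                findings.append("CBC cipher %s; prefer AES-GCM" % opts["cipher"])
        if REFUSED in msg and connected_at:
            refused += 1
            first_refused = first_refused or ts
    if refused:
        # Tunnel came up, then the socket died: device-side symptom (here: power saving)
        findings.append("%d refused reads after CONNECTED, first at %s" % (refused, first_refused))
    return {"states": states, "connected_at": connected_at,
            "refused_after_connected": refused, "findings": findings}
```

Refused reads that appear only once the tunnel is up point at the client device rather than the UTM configuration, which is exactly how this thread resolved.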