I am seeing a lot of these when making remote access with SSL-VPN through the XG (connection to the XG from outside)
Bad compression stub decompression header byte: 102
When these occur data traffic is halted, but the connection is not dropped (VPN)
Running SFOS 17 MR5
I have compression enabled in the XG SSL-VPN configuration.
Read on openvpn.net that there are some issues with the comp-lzo parameter.
In the config from the XG, comp-lzo is set to no
Switched to "comp-lzo yes"
For now, everything works as supposed, will return later on :-)
Where is that "comp-lzo" setting in the XG? Thanks!
In reply to ken9000:
It's not in the XG but in the OpenVPN profile in the SSL client on your computer :-)
If it's missing, just add it to the profile.
In reply to twister5800:
Can you make that change centrally for all who download their profile in the future?
It would be very helpful to set the flag centrally.
Shouldn't it rather be "--compress lzo" instead of "compress-lzo yes" according to https://community.openvpn.net/openvpn/wiki/DeprecatedOptions ?
What version of OpenVPN server is the Sophos XG currently running?
In reply to exe:
It would be really helpful to change this setting in the config files that can be downloaded by the users.
The users can't use their config files 'out-of-the-box', which results in much more support time needed for VPN configuration.
This bug has been known for about 8 months and has not been fixed in about 10 new releases...
It's also mentioned in:
I think there might also be performance issues caused by this bug as discussed in https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/100634/openvpn-slow-external-via-internet-connection-via-vpn-udp-and-tcp-with-and-without-compression .
In reply to Jelko Seiboth:
Same issue here. It's a shame that after all this time Sophos hasn't been able to fix this, and is using an OpenVPN version with critical security bugs.
In addition the encryption algorithms available are so poor... GCM is not even available, which provides better security and bandwidth; only CBC is available, which is vulnerable and not recommended to use.
AES-CBC typically requires a 256 bit key to be considered secure.
AES-CBC also is vulnerable to padding oracle attacks.
In reply to Ovidiu:
At firmware 17.5.2, OpenVPN still using 2.3.6
In reply to Tomy Alma'arif:
At firmware 17.5.9 - with VPN compression on
All versions of 2.4.x (2.4.1, 2.4.6. 2.48-current) all give the "Bad compression stub decompression header byte: 102" error
Regardless of the Client Compression Option, and syntax style
It always errors
Tomy Alma'arif: "At firmware 17.5.2, OpenVPN still using 2.3.6"
Client 2.3.6, Does not have the Error and is much Faster than 2.4.x when browsing a File Share
Client 2.3.18 [Apr-2018 -current for 2.3.x] is even faster with no noticeable lag when browsing a File Share
Both 2.3.x versions don't give this Error, with or without adding the Compression option
Bulk Copy performance seems unchanged between 2.3.x and an erroring 2.4.x client.
Upgrading to the earliest 2.4.x (2.4.0 [Jan-2017 older than 2.3.18]) It errors always.
My suggestion is to use Client 2.3.18 openvpn-install-2.3.18-I602-x86_64.exe until Sophos fixes whatever is wrong with their compression settings
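
An added example, not part of the thread and not Sophos or OpenVPN code: it decodes the byte in the "Bad compression stub" message (102 is 0x66, the framing byte OpenVPN uses for an LZO-compressed packet) and compares it with the compression directive in a client profile. The profile and log text are constructed samples, the function names are hypothetical, and the suggested directive is the change reported earlier in the thread.

```python
import re

# Leading framing bytes on OpenVPN data packets when compression framing is
# enabled (values as defined in the OpenVPN source headers).
FRAMING_BYTES = {
    0x66: "LZO-compressed payload",
    0x69: "LZ4-compressed payload",
    0xFA: "uncompressed payload",
    0xFB: "uncompressed payload (swap framing)",
}
STUB_ERROR = re.compile(r"Bad compression stub decompression header byte: (\d+)")

def client_compression(profile_text):
    """Return (directive, mode) for the last compression directive, or None."""
    setting = None
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # skip blanks and comments
            continue
        words = line.split()
        if words[0] == "comp-lzo":             # no argument means adaptive
            setting = ("comp-lzo", words[1] if len(words) > 1 else "adaptive")
        elif words[0] == "compress":           # no argument means framing only
            setting = ("compress", words[1] if len(words) > 1 else "stub")
    return setting

def diagnose(profile_text, log_text):
    """Pair each stub error in the log with what the profile says about compression."""
    setting = client_compression(profile_text)
    stub_only = setting in (("comp-lzo", "no"), ("compress", "stub"))
    findings = []
    for match in STUB_ERROR.finditer(log_text):
        byte = int(match.group(1))
        meaning = FRAMING_BYTES.get(byte, "unknown framing byte")
        if byte == 0x66 and stub_only:
            advice = "peer sends LZO but the profile only enables framing; try 'comp-lzo yes'"
        else:
            advice = "compare the compression settings on both ends of the tunnel"
        findings.append((byte, meaning, advice))
    return findings

# Constructed sample input (not taken from a real XG profile or log).
SAMPLE_PROFILE = "client\ndev tun\nproto udp\n# compression\ncomp-lzo no\n"
SAMPLE_LOG = "Mon Jan 01 10:00:00 2018 Bad compression stub decompression header byte: 102\n"

if __name__ == "__main__":
    for byte, meaning, advice in diagnose(SAMPLE_PROFILE, SAMPLE_LOG):
        print(f"byte {byte} (0x{byte:02X}): {meaning} -> {advice}")
```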