
SSLVPN over UDP TLS handshake error

Running SFOS: 17.1.2 MR-2

Suddenly, when running SSLVPN, it gives this error:

Mon Sep 17 08:39:55 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:2443
Mon Sep 17 08:39:55 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Sep 17 08:39:55 2018 UDP link local: (not bound)
Mon Sep 17 08:39:55 2018 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:2443
Mon Sep 17 08:39:55 2018 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:2443, sid=cb74f153 8b656703
Mon Sep 17 08:39:55 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Sep 17 08:39:55 2018 VERIFY OK: depth=1, C=dk, L=MyCity, O=None, CN=None WebAdmin CA, emailAddress=user@domain.com
Mon Sep 17 08:39:55 2018 VERIFY X509NAME OK: C=dk, L=MyCity, O=None, CN=fw.domain.com
Mon Sep 17 08:39:55 2018 VERIFY OK: depth=0, C=dk, L=MyCity, O=None, CN=fw.domain.com
Mon Sep 17 08:40:55 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
ERROR: TLS error! See log for details
Mon Sep 17 08:40:55 2018 TLS Error: TLS handshake failed
Mon Sep 17 08:40:55 2018 SIGUSR1[soft,tls-error] received, process restarting
Mon Sep 17 08:40:55 2018 Restart pause, 5 second(s)
Mon Sep 17 08:41:00 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:2443
Mon Sep 17 08:41:00 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Sep 17 08:41:00 2018 UDP link local: (not bound)
Mon Sep 17 08:41:00 2018 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:2443
Mon Sep 17 08:41:00 2018 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:2443, sid=a6469550 665f08fd
Mon Sep 17 08:41:00 2018 VERIFY OK: depth=1, C=dk, L=MyCity, O=None, CN=None WebAdmin CA, emailAddress=user@domain.com
Mon Sep 17 08:41:00 2018 VERIFY X509NAME OK: C=dk, L=MyCity, O=None, CN=fw.domain.com
Mon Sep 17 08:41:00 2018 VERIFY OK: depth=0, C=dk, L=MyCity, O=None, CN=fw.domain.com
Disconnected

When choosing TCP it does not work either; it just gives this:

Mon Sep 17 08:56:44 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:8443
Mon Sep 17 08:56:44 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Sep 17 08:56:44 2018 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:8443 [nonblock]
Mon Sep 17 08:56:45 2018 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:8443
Mon Sep 17 08:56:45 2018 TCP_CLIENT link local: (not bound)
Mon Sep 17 08:56:45 2018 TCP_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:8443
Mon Sep 17 08:56:45 2018 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:8443, sid=cf9ad1ff 8d8dc1d6
Mon Sep 17 08:56:46 2018 VERIFY OK: depth=1, C=dk, L=MyCity, O=None, CN=None WebAdmin CA, emailAddress=user@domain.com
Mon Sep 17 08:56:46 2018 VERIFY X509NAME OK: C=dk, L=MyCity, O=None, CN=fw.domain.com
Mon Sep 17 08:56:46 2018 VERIFY OK: depth=0, C=dk, L=MyCity, O=None, CN=fw.domain.com
Mon Sep 17 08:56:46 2018 Connection reset, restarting [0]
Mon Sep 17 08:56:46 2018 SIGUSR1[soft,connection-reset] received, process restarting
Mon Sep 17 08:56:46 2018 Restart pause, 5 second(s)

Never been an issue with UTM on port 2443 and UDP.

Tried changing the port number to 8443, with no luck.
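The two client logs above fail at different points (a 60-second key-negotiation timeout over UDP, an immediate reset over TCP), but both fail after "VERIFY OK: depth=0", i.e. after the client has accepted the firewall's certificate chain. The following triage script is an added example, not the poster's or Sophos' code: it splits an OpenVPN client log into connection attempts, records the furthest milestone each attempt reached and the failure messages after it, and maps that to the next thing to check. The milestone and failure strings are standard OpenVPN client log messages; the sample logs are copied from the post above (addresses masked as in the post).

```python
"""Triage OpenVPN client log output: which phase each attempt reached, and where it failed.

Added example for the thread above; not the poster's or Sophos' own code.
"""
import re

# Milestones in the order an OpenVPN client passes through them. A later
# milestone implies the earlier ones held, so only the furthest one is kept.
MILESTONES = [
    ("transport",      re.compile(r"TCP connection established|UDP link remote:")),
    ("tls_initial",    re.compile(r"TLS: Initial packet from")),
    ("server_cert_ok", re.compile(r"VERIFY OK: depth=0")),
    ("keys_ok",        re.compile(r"Control Channel: TLSv|Data Channel Encrypt|Data Channel: using")),
    ("tunnel_up",      re.compile(r"Initialization Sequence Completed")),
]

# Failure messages, recorded in the order they appear within one attempt.
FAILURES = [
    ("key_negotiation_timeout", re.compile(r"TLS key negotiation failed to occur within \d+ seconds")),
    ("tls_handshake_failed",    re.compile(r"TLS Error: TLS handshake failed")),
    ("server_cert_rejected",    re.compile(r"VERIFY ERROR|certificate verify failed")),
    ("connection_reset",        re.compile(r"Connection reset, restarting")),
    ("connection_refused",      re.compile(r"Connection refused")),
]

# A SIGUSR1 restart closes one connection attempt.
RESTART = re.compile(r"SIGUSR1\[.*\] received, process restarting")


def split_attempts(log_text):
    """Split a client log into lists of lines, one list per connection attempt."""
    attempts, current = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        current.append(line)
        if RESTART.search(line):
            attempts.append(current)
            current = []
    if current:
        attempts.append(current)
    return attempts


def triage_attempt(lines):
    """Return (furthest milestone name, [failure names in order]) for one attempt."""
    furthest, failures = -1, []
    for line in lines:
        for idx, (_, rx) in enumerate(MILESTONES):
            if rx.search(line):
                furthest = max(furthest, idx)
        for name, rx in FAILURES:
            if rx.search(line) and name not in failures:
                failures.append(name)
    reached = MILESTONES[furthest][0] if furthest >= 0 else "none"
    return reached, failures


def verdict(reached, failures):
    """Map the (milestone, failures) pair to the next diagnostic step."""
    if reached == "tunnel_up":
        return "tunnel established"
    if "server_cert_rejected" in failures:
        return "client rejected the server certificate: check the CA in the client profile"
    if reached in ("none", "transport"):
        return "no TLS reply from the server: check reachability, port and protocol"
    if reached == "server_cert_ok" and failures:
        # The client trusted the server; the server side did not finish the handshake.
        # One common cause (and the one in this thread) is the server rejecting the
        # client's certificate, so the client-side profile is the first thing to check.
        return ("server certificate verified, then the handshake stalled or was reset: "
                "check the client certificate in the profile (regenerate and re-download it) "
                "and the server-side log for the matching VERIFY ERROR")
    return "unclassified: " + ", ".join(failures)


def triage(log_text):
    """Triage every attempt in a client log; returns one dict per attempt."""
    results = []
    for attempt in split_attempts(log_text):
        reached, failures = triage_attempt(attempt)
        results.append({"reached": reached, "failures": failures,
                        "verdict": verdict(reached, failures)})
    return results


# Sample input: lines copied from the UDP and TCP attempts in the post above.
UDP_LOG = """\
Mon Sep 17 08:39:55 2018 UDP link local: (not bound)
Mon Sep 17 08:39:55 2018 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:2443
Mon Sep 17 08:39:55 2018 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:2443, sid=cb74f153 8b656703
Mon Sep 17 08:39:55 2018 VERIFY OK: depth=1, C=dk, L=MyCity, O=None, CN=None WebAdmin CA, emailAddress=user@domain.com
Mon Sep 17 08:39:55 2018 VERIFY OK: depth=0, C=dk, L=MyCity, O=None, CN=fw.domain.com
Mon Sep 17 08:40:55 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Sep 17 08:40:55 2018 TLS Error: TLS handshake failed
Mon Sep 17 08:40:55 2018 SIGUSR1[soft,tls-error] received, process restarting
"""
TCP_LOG = """\
Mon Sep 17 08:56:45 2018 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:8443
Mon Sep 17 08:56:45 2018 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:8443, sid=cf9ad1ff 8d8dc1d6
Mon Sep 17 08:56:46 2018 VERIFY OK: depth=0, C=dk, L=MyCity, O=None, CN=fw.domain.com
Mon Sep 17 08:56:46 2018 Connection reset, restarting [0]
Mon Sep 17 08:56:46 2018 SIGUSR1[soft,connection-reset] received, process restarting
"""

if __name__ == "__main__":
    for label, log in (("UDP", UDP_LOG), ("TCP", TCP_LOG)):
        for r in triage(log):
            print(label, r["reached"], r["failures"], "->", r["verdict"])
```

Run it on a saved client log (`triage(open("client.log").read())`) to get one line per reconnect attempt; for both logs in this thread it reports that the server certificate verified and the handshake then failed, which points at the client-side profile rather than at the CA or at reachability, matching the resolution further down.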



  • Can you perform a tcpdump on XG or on client via wireshark?

    This issue indicates something is wrong with the connection.

  • Hi, sorry for the delay, I did use some hours on this :-)

    I used the UTM --> XG config conversion appliance, and somehow the certificates for users got mixed up.

    I did make sure that the "ApplianceCertificate" got regenerated.

    I edited the Default CA with my own information and saved it, following what I got from FloSupport in another thread:

    To regenerate the SSL VPN user certificate for all users, navigate to System | Certificates | Certificate Authorities and edit the "Default" CA. Clicking save within this certificate will force the regeneration of all the SSL VPN user certificates and will also restart the SSL VPN service.

    To regenerate an individual user's SSL VPN certificate, you will have to navigate to System | Certificates and delete their "Per User Certificate".
    Their certificate will then be regenerated the next time the user signs into the XG User Portal.

    Please note that if any of these actions are performed, that all users or that individual user will have to re-download their SSL VPN installation file to utilize their new certificate.

    I downloaded the config again and it worked... pheeww :-)

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician