
Replacement Firewall, new VPN installs do not connect

Hi all,

Sophos sent us a replacement XG 310. I registered the device to a distribution group rather than the single user the old firewall was registered to. 

I have noticed that, since doing that, new SSL VPN installs do not connect. Any thoughts?

  • As Lucar suggested, if you uploaded the configuration, CA and all certificates are also restored so VPN users, for example, can connect.

    For new users, did you put the users in the SSL VPN configuration?

    Do you see the user's certificate under Certificates > Certificate menu?

    Thanks

  • I restored a backup of the old XG and everything was working fine running unregistered. When I registered the device, I changed the registration to a different mySophos account. That's when I noticed that new VPN installs do not connect (though already installed clients do).

    I can see user certificates under Certificates -> Certificates.

  • Try to restore the backup again.

    If you skip the registration and restore the configuration, XG will not process the VPN configuration.

    The registration is needed for the VPN certificates.

    Therefore your configs are not correctly imported.

    A restore with the same backup after the registration should work.


  • Thanks for the feedback.

    Is the user an existing user or a newly created one on the XG?

    Logs from remote vpn client and from XG side?

    Thanks

  • Existing user.

    I tried experimenting with my own account. My VPN client was working. I uninstalled and reinstalled with a fresh download of the client. Now it does not connect.

    When I restored from backup, it restored all certs and ran with registration (person)@(domain). Everything was working.

    Now that I have changed registration to (group)@(domain), new VPN installs do not work. I am guessing it is a certificate issue?

  • Can you try what was suggested by Lucar?

  • The backup I restored from is more than two weeks old at this point. I would much prefer not to restore it as I would lose changes I have made since then.

  • Sadly the registration process regenerates the XG's certificate chain (I've had this one crop up before); the only way to fix this, if you don't want to restore, is just to have people download and reinstall the SSL client.

    Regards

  • I was thinking of suggesting that you create a new VPN user and check if the VPN works.

    If the CA is re-generated, there is no other choice but to download the SSL VPN config and start over.

    :-(

  • I had a feeling... that is unfortunate.

    I wonder - if I changed the registration back to what it was (person)@(domain) to match the certificate store, would that provide a (less than ideal) fix?

  • If you know which changes you made, use Export / Import to export those modules into XML.

    Then restore your old backup.

    Restore the needed / changed modules via XML.


  • Use the log viewer > Admin log to understand which changes you performed. Of course you do not have all the details, but at least you know the items created, modified, and deleted.

    If you have an old backup, you can import the backup configuration on an XG VM, export everything as suggested by Lucar and then compare the XML files with the newly exported ones.

    Regards

  • Ok, thank you. That is certainly an option.

    Is it possible to re-register the firewall as it is?

  • Hi tripleview,

    It is possible to re-register the XG firewall, but you have to de-register it first. I would suggest you open a case with customer care to assist you with the process, as it is not possible to de-register the firewall from the GUI; the customer care team should be able to help you with this.

    Send an email to customercare@sophos.com if you decide to de-register and re-register the firewall.

    Thanks,

  • Will registering the XG with the original email address fix my issue? Currently, new VPN installs do not connect but old installations continue to function.

    I could re-generate the appliance cert, but I think I would break the currently-installed client and the client would need to be re-installed for all VPN users.

  • Hi tripleview,

    I would suggest you provide the new and old user certificate details. Please PM me the users' certificate details.

    I think your issue can be resolved by simply re-generating the default certificate of the firewall, and all the old users need a new configuration after you re-generate the default certificate.

    The second option is to re-register the firewall with the email address that was used in the configuration.

    Thanks,

  • Just to provide some closure... I ended up regenerating the SecurityAppliance_SSL_CA certificate authority in System -> Certificates -> Certificate authority.

    After doing that, clients had to log in to the User Portal and download a new configuration. Some had to reinstall the client. All is well now, thank you.
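An added check, not from this thread or from Sophos, for the mismatch the thread ends up diagnosing: the CA embedded in an SSL VPN client profile against the CA the firewall currently uses. It assumes the downloaded .ovpn carries the CA inline in a `<ca>` block and that the firewall's SecurityAppliance_SSL_CA has been exported as PEM; the certificate bytes below are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

# Constructed sample inputs (placeholder DER bytes, not real certificates) so the check
# runs offline. In practice CLIENT_PROFILE is the .ovpn downloaded from the User Portal
# and the firewall_ca_pem argument is SecurityAppliance_SSL_CA exported as PEM from
# System -> Certificates -> Certificate authority.
def _pem(der: bytes) -> str:
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

CA_BEFORE_REGISTRATION = _pem(b"constructed CA placeholder from before re-registration")
CA_AFTER_REGISTRATION = _pem(b"constructed CA placeholder regenerated at re-registration")

# Profile downloaded before the firewall was re-registered: it still embeds the old CA.
CLIENT_PROFILE = (
    "client\ndev tun\nproto tcp\nremote vpn.example.invalid 8443\n"
    "<ca>\n" + CA_BEFORE_REGISTRATION + "</ca>\n"
)

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem: str) -> bytes:
    """Decode the first PEM certificate in `pem` to its DER bytes."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))

def sha256_fingerprint(pem: str) -> str:
    """Colon-separated SHA-256 of the DER, the value `openssl x509 -noout
    -fingerprint -sha256` prints, so it can be compared with the firewall's."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def profile_ca(profile_text: str) -> str:
    """Return the PEM inside the profile's inline <ca> ... </ca> block."""
    m = re.search(r"<ca>\s*(.*?)\s*</ca>", profile_text, re.S)
    if not m:
        raise ValueError("profile has no inline <ca> block")
    return m.group(1) + "\n"

def ca_matches_firewall(profile_text: str, firewall_ca_pem: str) -> bool:
    """True when the profile was issued under the CA the firewall currently uses.
    False is the 'new install does not connect' case from this thread."""
    return sha256_fingerprint(profile_ca(profile_text)) == sha256_fingerprint(firewall_ca_pem)
```

A profile whose fingerprint differs from the firewall's current CA needs to be re-downloaded from the User Portal, which is the fix the thread arrived at.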