
Replacement Firewall, new VPN installs do not connect

Hi all,

Sophos sent us a replacement XG 310. I registered the device to a distribution group rather than the single user the old firewall was registered to. 

I have noticed that, since doing that, new SSL VPN installs do not connect. Any thoughts?



  • As Lucar suggested, if you uploaded the configuration, CA and all certificates are also restored so VPN users, for example, can connect.

    For new users, did you put the users in the SSL VPN configuration?

    Do you see the user's certificate under Certificates > Certificate menu?

    Thanks

  • I restored a backup of the old XG and everything was working fine running unregistered. When I registered the device, I changed the registration to a different mySophos account. That's when I noticed that new VPN installs do not connect (though already installed clients do).

    I can see user certificates under Certificates -> Certificates.

  • Sadly, the registration process regenerates the XG's certificate chain (I've had this one crop up before). The only way to fix this, if you don't want to restore, is to just get people to download and reinstall the SSL client.

    Regards

  • I was thinking of suggesting that you create a new VPN user and check if the VPN works.

    If the CA is re-generated, there is no other choice but to download the SSL VPN config and start over.

    :-(

  • I had a feeling... that is unfortunate.


    I wonder - if I changed the registration back to what it was (person)@(domain) to match the certificate store, would that provide a (less than ideal) fix?

  • If you know, which changes you made, use Export / Import to export those modules into XML.

    Then restore your old backup.

    Restore the needed / changed modules via XML. 


  • Use the log viewer > Admin log to understand which changes you performed. Of course you do not have all the details, but at least you know the items created, modified, deleted.

    If you have an old backup, you can import the backup configuration on an XG VM, export everything as suggested by Lucar and then compare the XML files with the newly exported one.

    Regards

  • Ok thank you. That is certainly an option.


    Is it possible to re-register the firewall as it is?

  • FormerMember, in reply to tripleview:

    Hi tripleview,

    It is possible to re-register the XG firewall, but you have to de-register it first. I would suggest you open a case with customer care to assist you with the process, as it is not possible to de-register the firewall from the GUI; the customer care team should be able to help you with this.

    Send an email to customercare@sophos.com, if you decide to de-register and re-register the firewall.

    Thanks,

  • Will registering the XG with the original email address fix my issue? Currently, new VPN installs do not connect but old installations continue to function.

    I could re-generate the appliance cert, but I think I would break the currently-installed client and the client would need to be re-installed for all VPN users.

  • FormerMember, in reply to tripleview:

    Hi tripleview,

    I would suggest you provide the new and old user certificate details. Please PM me the users' certificate details.

    I think your issue can be resolved by simply re-generating the default certificate of the firewall, and all the old users need a new configuration after you re-generate the default certificate.

    The second option is to re-register the firewall with the email address that was used in the configuration.

    Thanks,

  • Just to provide some closure... I ended up regenerating the SecurityAppliance_SSL_CA certificate authority in System -> Certificates -> Certificate authority.

    After doing that, clients had to login to the User Portal and download a new configuration. Some had to reinstall the client. All is well now, thank you.
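The fix above (regenerate SecurityAppliance_SSL_CA, then have every user download a fresh configuration) leaves an operational question: which installed client configs still embed the old CA? The script below is an added example, not code from this thread or from Sophos. It assumes the Sophos SSL VPN client configs are standard OpenVPN .ovpn files with the CA certificate inline in a <ca> block (configs that reference an external file via a `ca` directive are reported as needing a check). The hostname fw.example.com, port 8443, the user names and the certificate bodies are constructed placeholders; on a real firewall, point it at the .ovpn files collected from users and at the CA PEM downloaded from the User Portal after regeneration. The check generalizes beyond the thread's case: it handles any number of configs and any CA rollover, not only the Sophos one.

```python
"""Find OpenVPN (.ovpn) client configs whose embedded CA no longer matches the
current CA of the firewall. Standard library only; constructed sample input.
Added example, not from the Sophos community thread or from Sophos."""
import base64
import hashlib
import re
from typing import Dict, List, Optional

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CA_BLOCK_RE = re.compile(r"<ca>(.*?)</ca>", re.S)


def embedded_ca_pem(ovpn_text: str) -> Optional[str]:
    """Return the first certificate PEM inside an inline <ca> block, or None
    when the config has no inline CA (e.g. it uses 'ca somefile.crt')."""
    block = CA_BLOCK_RE.search(ovpn_text)
    if not block:
        return None
    pem = PEM_RE.search(block.group(1))
    return pem.group(0) if pem else None


def pem_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of the DER encoding, in the colon-separated form
    that 'openssl x509 -noout -fingerprint -sha256' prints."""
    body = "".join(PEM_RE.search(pem).group(1).split())
    der = base64.b64decode(body)
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def stale_configs(configs: Dict[str, str], current_ca_pem: str) -> List[str]:
    """Names of configs that do not embed the current CA. Configs without an
    inline CA are included because they cannot be verified from the file."""
    want = pem_fingerprint(current_ca_pem)
    stale = []
    for name, text in configs.items():
        pem = embedded_ca_pem(text)
        if pem is None or pem_fingerprint(pem) != want:
            stale.append(name)
    return stale


def _placeholder_pem(seed: bytes) -> str:
    # Constructed placeholder: a real file carries an X.509 DER certificate here.
    # Only the fingerprint comparison matters for this example.
    body = base64.b64encode(seed * 8).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----")


# Constructed sample data: the CA before and after regeneration.
OLD_CA_PEM = _placeholder_pem(b"old-SecurityAppliance_SSL_CA-")
NEW_CA_PEM = _placeholder_pem(b"new-SecurityAppliance_SSL_CA-")

# Constructed sample configs; fw.example.com and port 8443 are assumptions.
SAMPLE_CONFIGS = {
    "alice.ovpn": ("client\ndev tun\nremote fw.example.com 8443\n"
                   f"<ca>\n{OLD_CA_PEM}\n</ca>\n"),   # installed before the rollover
    "bob.ovpn": ("client\ndev tun\nremote fw.example.com 8443\n"
                 f"<ca>\n{NEW_CA_PEM}\n</ca>\n"),     # downloaded after the rollover
    "carol.ovpn": "client\ndev tun\nca external-ca.crt\n",  # no inline CA
}


if __name__ == "__main__":
    print("current CA:", pem_fingerprint(NEW_CA_PEM))
    for name in stale_configs(SAMPLE_CONFIGS, NEW_CA_PEM):
        print("needs a new configuration:", name)
```

To get the reference fingerprint on a host that has OpenSSL, run `openssl x509 -in ca.pem -noout -fingerprint -sha256` on the CA downloaded from the User Portal; the value printed there is what `pem_fingerprint` computes, so the two can be compared directly.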
