Hello,
All exe downloads are empty and the ovpn file shows "Could not generate config file. Please contact your Administrator." after updating to XG Firewall v18 GA-Build354.
Model XG230.
Thanks,
Paul
If it is a new setup, I would suggest you ensure the default CA certificate details are filled out.
If the default CA certificate details are filled out, try to regenerate the certificate.
Check out this post for more detail on how to regenerate the default CA certificate: https://community.sophos.com/products/xg-firewall/f/vpn/97706/vpn-user-certificate-regenerate?pi2147=300
If regenerating the default certificate does not resolve the issue, confirm the SSL VPN files are located in /tmp.
SFVUNL_SO01_SFOS 18.0.0 GA-Build354# ls -larth
-rw-r--r-- 1 1000 100 413 Jul 26 2016 client-config-template.ovpn
-rwxr-xr-x 1 1000 100 114.2K Jul 3 2017 ssl-vpn-config-installer.exe
-rwxr-xr-x 1 1000 100 1.5M Jul 3 2017 ssl-vpn-client-installer.exe
-rwxrwx--- 1 1000 489 72 Jul 4 2017 U2DVERSION
Thanks,
Hello H_Patel,
This unit has been in service for a couple of years, and uses a commercial certificate.
Interestingly, /content/sslvpn is empty.
Looking on our XG210, at another location, I do see those files.
Paul
We have created a troubleshooting guide for this issue: Sophos XG Firewall: Troubleshooting 0 Byte SSL VPN File.
Please check that out and let us know if you have any issues.
Thanks,
This is wreaking havoc for me.
It was initially just that I couldn't download new clients, but existing were working fine.
After following the steps in the guide, and having the Default certificate regenerated, existing clients that could connect are no longer able to connect.
Apologies for the inconvenience caused.
Regenerating the default certificate also regenerates the user certificate, which requires existing users to download the configuration from the UserPortal.
Please ensure existing users have the new configuration before re-connecting to SSL VPN.
This behavior is detailed in this post: VPN User certificate regenerate.
Thanks,
That brings me back to the original problem of all downloads being 0 bytes.
Patterns update successfully.
/content/sslvpn is still empty.
Is this unit part of a HA cluster? If so you may want to SSH to the aux device and check that same location to see if those files are present. If so just switch over to the aux unit and users should be able to connect and download the client files. As you have regenerated the certificate, existing users will need to re-download the configuration.
Let us know how it goes.
Thanks!
KingChris
Community Support | Sophos Support
Hello KingChris,
Thanks for the info, but now a stupid question: how do I SSH to the aux device, as the IP for the device does not connect?
Sorry for the bit of chaos, as I am 30 miles away from the device, and not wanting to take down the network.
Thanks,
Paul
It took support removing some Postgres entries, removing the /content/sslvpn directory, and reapplying pattern updates to get it back.
Steps are not exact, and I wouldn't try this at home.
Thanks to everyone for their suggestions, and stay safe.
This was the fix:
1. run the following SSH commands
psql -U nobody -d signature -p 5434 -tAc "delete from public.tblup2dateinfo where module='sslvpn'";
rm -rf /content/sslvpn*;
/scripts/u2d/u2d_init.sh;
2. update SSL VPN pattern in XG webadmin > Backup & Firmware > Pattern Updates, click on 'Update pattern now'
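A read-only check that can be run before and after the fix above to confirm whether the SSL VPN payload files are missing or 0 bytes. This is an added example, not part of the original post or Sophos tooling; the function name `check_sslvpn_dir` is hypothetical, and it assumes the four files from the directory listing earlier in the thread belong in /content/sslvpn.

```shell
#!/bin/sh
# Added example (not from the thread): verify the SSL VPN download payloads.
# File names are copied from the directory listing posted earlier in the thread.
SSLVPN_FILES="client-config-template.ovpn ssl-vpn-config-installer.exe ssl-vpn-client-installer.exe U2DVERSION"

# check_sslvpn_dir [DIR]
# Prints one status line per expected file. Makes no changes.
# Return codes:
#   0 = every expected file is present and non-empty
#   1 = at least one file is missing or 0 bytes
#   2 = the directory itself does not exist
check_sslvpn_dir() {
    _dir="${1:-/content/sslvpn}"   # default path is the one named in the thread
    if [ ! -d "$_dir" ]; then
        echo "MISSING-DIR $_dir"
        return 2
    fi
    _rc=0
    for _f in $SSLVPN_FILES; do
        if [ ! -e "$_dir/$_f" ]; then
            echo "MISSING $_dir/$_f"
            _rc=1
        elif [ ! -s "$_dir/$_f" ]; then
            # -s is false for a 0-byte file: the "empty download" symptom
            echo "EMPTY   $_dir/$_f"
            _rc=1
        else
            echo "OK      $_dir/$_f"
        fi
    done
    return "$_rc"
}
```

On an HA pair, running `check_sslvpn_dir` on both the primary and the aux unit shows whether only one node lost the files.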
Thanks Paul,
The command also solved the problem on my HA configuration that was updated to the last 18 version today.
Thank you so much!
Carlo