
Cannot connect remote SSL VPN - AUTH_FAILED

Hi,

I have tried to connect to my XG with SSL VPN, but for some reason the connection fails every time. I have tried to connect with the OpenVPN and Sophos Connect clients, and every time the connection fails. I can connect remotely to the user portal.

I have followed the instructions and troubleshooting in following sites

http://www.itgurupro.com/sophos-xg-firewall/sophos-xg-firewall-configuring-ssl-vpn-for-remote-access/

https://support.sophos.com/support/s/article/KB-000035542?language=en_US

https://support.sophos.com/support/s/article/KB-000036884?language=en_US

Here is the log of the OpenVPN client (some ID data has been changed):

[Jun 14, 2021, 13:01:44] OpenVPN core 3.git::8975e733 win x86_64 64-bit built on May 25 2021 14:08:00
[Jun 14, 2021, 13:01:44] Frame=512/2048/512 mssfix-ctrl=1250
[Jun 14, 2021, 13:01:44] UNUSED OPTIONS
5 [resolv-retry] [infinite]
6 [nobind]
7 [persist-key]
8 [persist-tun]
16 [route-delay] [4]
17 [verb] [3]
[Jun 14, 2021, 13:01:44] EVENT: RESOLVE
[Jun 14, 2021, 13:01:44] EVENT: WAIT
[Jun 14, 2021, 13:01:44] WinCommandAgent: transmitting bypass route to AAA.BBB.CCC.DDD
{
	"host" : "AAA.BBB.CCC.DDD",
	"ipv6" : false
}

[Jun 14, 2021, 13:01:44] Connecting to [XXXXXXX.myfirewall.co]:8443 (AAA.BBB.CCC.DDD) via TCPv4
[Jun 14, 2021, 13:01:44] EVENT: CONNECTING
[Jun 14, 2021, 13:01:44] Tunnel Options:V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-client
[Jun 14, 2021, 13:01:44] Creds: Username/Password
[Jun 14, 2021, 13:01:44] Peer Info:
IV_VER=3.git::8975e733
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-128-CBC
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=OCWindows_3.3.0-2171
IV_SSO=openurl,crtext

[Jun 14, 2021, 13:01:46] SSL Handshake: peer certificate: CN=SophosApplianceCertificate_C01001XXXXXXXXX, 2048 bit RSA, cipher: DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD

[Jun 14, 2021, 13:01:46] Session is ACTIVE
[Jun 14, 2021, 13:01:46] EVENT: GET_CONFIG
[Jun 14, 2021, 13:01:46] Sending PUSH_REQUEST to server...
[Jun 14, 2021, 13:01:46] AUTH_FAILED
[Jun 14, 2021, 13:01:46] EVENT: AUTH_FAILED
[Jun 14, 2021, 13:01:46] EVENT: DISCONNECTED

Here is the log of the Sophos client (some ID data has been changed):

Mon Jun 14 13:05:32 2021 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jul  3 2017
Mon Jun 14 13:05:32 2021 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.09
Enter Management Password:
Mon Jun 14 13:05:32 2021 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Jun 14 13:05:32 2021 Need hold release from management interface, waiting...
Mon Jun 14 13:05:32 2021 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Mon Jun 14 13:05:33 2021 MANAGEMENT: CMD 'state on'
Mon Jun 14 13:05:33 2021 MANAGEMENT: CMD 'log all on'
Mon Jun 14 13:05:33 2021 MANAGEMENT: CMD 'hold off'
Mon Jun 14 13:05:33 2021 MANAGEMENT: CMD 'hold release'
Mon Jun 14 13:05:43 2021 MANAGEMENT: CMD 'username "Auth" "XXXXXXXXXXXX"'
Mon Jun 14 13:05:44 2021 MANAGEMENT: CMD 'password [...]'
Mon Jun 14 13:05:59 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Jun 14 13:06:23 2021 Attempting to establish TCP connection with [AF_INET]AAA.BBB.CCC.DDD:8443 [nonblock]
Mon Jun 14 13:06:23 2021 MANAGEMENT: >STATE:1623665183,TCP_CONNECT,,,,,,
Mon Jun 14 13:06:24 2021 TCP connection established with [AF_INET]AAA.BBB.CCC.DDD:8443
Mon Jun 14 13:06:24 2021 TCPv4_CLIENT link local: [undef]
Mon Jun 14 13:06:24 2021 TCPv4_CLIENT link remote: [AF_INET]AAA.BBB.CCC.DDD:8443
Mon Jun 14 13:06:24 2021 MANAGEMENT: >STATE:1623665184,WAIT,,,,,,
Mon Jun 14 13:06:24 2021 MANAGEMENT: >STATE:1623665184,AUTH,,,,,,
Mon Jun 14 13:06:24 2021 TLS: Initial packet from [AF_INET]AAA.BBB.CCC.DDD:8443, sid=5bed6648 1e017b5f
Mon Jun 14 13:06:25 2021 VERIFY OK: depth=1, C=FI, ST=NA, L=NA, O=My home, OU=OU, CN=Sophos_CA_C01001XXXXXXX, emailAddress=XXXX@gmail.com
Mon Jun 14 13:06:25 2021 VERIFY X509NAME OK: C=FI, ST=NA, L=NA, O=My home, OU=OU, CN=SophosApplianceCertificate_C01001XXXXXX, emailAddress=XXXX@gmail.com
Mon Jun 14 13:06:25 2021 VERIFY OK: depth=0, C=FI, ST=NA, L=NA, O=My home, OU=OU, CN=SophosApplianceCertificate_C01001XXXXXX, emailAddress=XXXX@gmail.com
Mon Jun 14 13:06:26 2021 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Mon Jun 14 13:06:26 2021 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Jun 14 13:06:26 2021 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Mon Jun 14 13:06:26 2021 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Jun 14 13:06:26 2021 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Jun 14 13:06:26 2021 [SophosApplianceCertificate_C01001XXXXXX] Peer Connection Initiated with [AF_INET]AAA.BBB.CCC.DDD:8443
Mon Jun 14 13:06:27 2021 MANAGEMENT: >STATE:1623665187,GET_CONFIG,,,,,,
Mon Jun 14 13:06:28 2021 SENT CONTROL [SophosApplianceCertificate_C01001XXXXXX]: 'PUSH_REQUEST' (status=1)
Mon Jun 14 13:06:29 2021 AUTH: Received control message: AUTH_FAILED
Mon Jun 14 13:06:29 2021 SIGUSR1[soft,auth-failure] received, process restarting
Mon Jun 14 13:06:29 2021 MANAGEMENT: >STATE:1623665189,RECONNECTING,auth-failure,,,,,
Mon Jun 14 13:06:29 2021 Restart pause, 5 second(s)
Mon Jun 14 13:06:33 2021 SIGTERM[hard,init_instance] received, process exiting
Mon Jun 14 13:06:33 2021 MANAGEMENT: >STATE:1623665193,EXITING,init_instance,,,,,

I cannot figure out why handshaking is failing. OpenVPN from the LAN is working fine with the current .ovpn file. But the same file from the WAN is not working.

8443 is forwarded in the Internet router and traffic flows. As you can see from the log, I'm using Sophos DDNS. Login/pass triple checked and working fine. But no connection.
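A stage-aware triage of the two client logs above, added here as an example (not code from the post, from Sophos or from the OpenVPN project). The script reads an OpenVPN 2.x or OpenVPN 3 client log, records the furthest connection phase reached (TCP connect, certificate verification, TLS session active, PUSH_REQUEST sent, tunnel up) and the first failure marker, and turns the pair into a verdict that separates a transport problem from a certificate problem from a credential rejection. The phase and failure patterns are OpenVPN's own log wording; the sample logs are constructed after the ones in the post, with a documentation IP address (203.0.113.10) and redacted certificate names.

```python
"""Stage-aware triage of an OpenVPN client log (added example, not project code)."""
import re

# Phases in the order a client passes through them. A line matching the
# pattern moves the connection to at least that phase. Patterns cover both
# OpenVPN 2.x ("VERIFY OK", "Peer Connection Initiated") and OpenVPN 3
# ("SSL Handshake: peer certificate", "Session is ACTIVE") wording.
PHASES = [
    ("tcp_connect",  re.compile(r"TCP connection established|EVENT: CONNECTING")),
    ("tls_verify",   re.compile(r"VERIFY OK: depth=0|SSL Handshake: peer certificate")),
    ("tls_active",   re.compile(r"Peer Connection Initiated|Session is ACTIVE")),
    ("push_request", re.compile(r"PUSH_REQUEST")),
    ("connected",    re.compile(r"Initialization Sequence Completed|EVENT: CONNECTED")),
]
PHASE_RANK = {name: i for i, (name, _) in enumerate(PHASES)}

# Failure markers; the first one seen in the log wins.
FAILURES = [
    ("AUTH_FAILED",  re.compile(r"\bAUTH_FAILED\b")),
    ("VERIFY_ERROR", re.compile(r"VERIFY ERROR|certificate verify failed")),
    ("TLS_ERROR",    re.compile(r"TLS Error|TLS handshake failed")),
    ("TRANSPORT",    re.compile(r"Connection refused|Connection timed out|TCP: connect to .* failed")),
]


def verdict(last_phase, failure):
    """Map (furthest phase, first failure marker) to a short diagnosis."""
    reached = PHASE_RANK.get(last_phase, -1)
    if failure is None:
        return "ok: tunnel established" if last_phase == "connected" \
            else f"incomplete: log ends at phase {last_phase}"
    if failure == "AUTH_FAILED":
        if reached >= PHASE_RANK["tls_active"]:
            # TLS and certificate checks passed; the server itself rejected the
            # user. Look at the server's authentication log and the user's
            # SSL VPN permission, not at certificates or port forwarding.
            return "credentials: TLS handshake and certificate checks passed; server rejected the user"
        return "auth: AUTH_FAILED before TLS session was active; inspect log manually"
    if failure in ("VERIFY_ERROR", "TLS_ERROR"):
        return "tls: transport works but TLS handshake or certificate validation failed"
    return "transport: no TCP session to the VPN port (firewall, port forward, DNS)"


def triage(log_text):
    """Return the furthest phase reached, the first failure marker and a verdict."""
    last_phase = "none"
    failure = None
    for line in log_text.splitlines():
        for name, pat in PHASES:
            if pat.search(line) and PHASE_RANK[name] > PHASE_RANK.get(last_phase, -1):
                last_phase = name
        if failure is None:
            for name, pat in FAILURES:
                if pat.search(line):
                    failure = name
                    break
    return {"last_phase": last_phase, "failure": failure,
            "verdict": verdict(last_phase, failure)}


# Constructed sample, shaped after the OpenVPN 2.3.8 log in the post.
SAMPLE_AUTH_FAILED = """\
Mon Jun 14 13:06:24 2021 TCP connection established with [AF_INET]203.0.113.10:8443
Mon Jun 14 13:06:25 2021 VERIFY OK: depth=1, C=FI, O=My home, CN=Sophos_CA_REDACTED
Mon Jun 14 13:06:25 2021 VERIFY OK: depth=0, C=FI, O=My home, CN=SophosApplianceCertificate_REDACTED
Mon Jun 14 13:06:26 2021 [SophosApplianceCertificate_REDACTED] Peer Connection Initiated with [AF_INET]203.0.113.10:8443
Mon Jun 14 13:06:28 2021 SENT CONTROL [SophosApplianceCertificate_REDACTED]: 'PUSH_REQUEST' (status=1)
Mon Jun 14 13:06:29 2021 AUTH: Received control message: AUTH_FAILED
Mon Jun 14 13:06:29 2021 SIGUSR1[soft,auth-failure] received, process restarting
"""

# Constructed sample of the other common shape: TCP works, TLS never completes.
SAMPLE_TLS_TIMEOUT = """\
Mon Jun 14 13:10:01 2021 TCP connection established with [AF_INET]203.0.113.10:8443
Mon Jun 14 13:11:01 2021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jun 14 13:11:01 2021 TLS Error: TLS handshake failed
"""

if __name__ == "__main__":
    for label, sample in (("auth-failed", SAMPLE_AUTH_FAILED), ("tls-timeout", SAMPLE_TLS_TIMEOUT)):
        print(label, triage(sample))
```

Run against the post's own logs, both clients reach `push_request` with a verified appliance certificate and then receive AUTH_FAILED, so the verdict is "credentials": the port forward, DDNS name and certificate chain all did their job, and the thing to check is what the firewall's authentication log records for that user at 13:06:29 and whether that user is permitted for remote-access SSL VPN, which is a different check from the ones that apply when the log stops at the TLS stage.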