Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 9 replies
  • Answers 1 answer
  • Subscribers 38 subscribers
  • Views 4491 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos XG Firewall: SSL VPN - Login failed. Wrong fingerprint of certificate.

Gerd Beckmann1

Hi there,

In an XG 115 with the software 18.5.1 MR-1-Build326 I entered several users under Authentication / User, only the entry that was entered with an older firmware is still able to log in via SSL. All users who are now entered are rejected with AUTH errors, so they cannot log in. I compared all entries, they are identical except for the relevant entries. The simple LOG entries are 'reason = "wrong credentials", but I can log in with the same access data, e.g. via the user portal.

In the forum I found the following entries to diagnose errors:

Select Option 5 (Device Management) > Option 3 (Advance Shell)
Run this command to put the access_server service in debug:
•    service access_server:debug -d -s nosync
Once you capture the access_server logs in debug, run the same command to put access_server service in normal running mode.
Run this command to check service status :
•     service -S | grep access_server
SFVUNL_VM01_SFOS 17.5.11 MR-11# service -S | grep access_server
access_server RUNNING,DEBUG

Using the command 'tail –f /log/access_server.log I was able to extract the following error:

ERROR     Oct 22 19:49:30.431855 [access_server]: pg_db_handle_check_crt_fingerprint: row count: 1 value 0                                                      
DEBUG     Oct 22 19:49:30.431868 [access_server]: pg_db_submit_response: Request  Processed: res_type=-1                                                         
WARNING   Oct 22 19:49:30.431881 [access_server]: (check_crt_fingerprint): wrong  fingerprint for user test1                                              
DEBUG     Oct 22 19:49:30.431893 [access_server]: (send_pam_response): resp_code =3, clienttype=13, message='Login failed. Wrong fingerprint of certificate.'    
DEBUG     Oct 22 19:49:30.431905 [access_server]: send_pam_response: message:'Login failed. Wrong fingerprint of certificate.', len:47, data:'Login failed. Wrong fingerprint of certificate.'

The user 'test' created with a different firmware version can log in with the same certificate without any problems. What has changed with the newer firmware versions that newer user entries can no longer connect or how can I prevent these errors?

I am grateful for every tip.

regards

Gerd Beckmann



This thread was automatically locked due to age.
Parents
  • 0

    This issue most likely generates, because the user is a different user generated by the firewall. 

    Means: You have two separate authentication setups: User Portal and SSLVPN. If User logins via User Portal using AD Server or Radius, it will generate a config for this user. It could be a different user after all, using VPN after the download. Check its the same authentication method. If not, check if you change this. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

     Hello, thank you for your answers.

    No, I only use local authentication, there are no entries under Authentication / Server. All methods entered under Authentication / Services use the same local authentication.

    There is only one functional user who was probably created under a different firmware version; newly created users all receive the error message that the login has failed. All users are in the same group and have exactly the same settings except for different names / passwords / email addresses.  

    Add: After the user request to log in i found in the sslvpn.log this entry:

    Error: cannot open /tmp/openvpn/serverusers.conf to verify user

    Maybe that's another clue to the solution?

  • 0 in reply to Gerd Beckmann1

    Hello Gerd,

    Most likely the new users, are using in their password some invalid characters such as #,%, etc. 

    Try creating a new user with a simple password without special characters, see if that resolves the issue.

    Regards,

     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • 0 in reply to emmosophos

    Hi, thanks for your reply,

    i tried all those combinations before, my last user becomes the name 'test1' and the password 'Test12345' with the same result.

  • 0 in reply to Gerd Beckmann1

    Did you replace a certificate or something? 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Hi Toni,

    no, i've only two certificates installed, the default ApplianceCertificate and a 'locally signed' certificate for the SSL -VPN. All the defined SSL-Users uses the same certificate, only one of them can connect.

Reply Children
No Data
Unfiltered HTML