
Sophos Firewall - Unable to Download SSL VPN Client/Config via User Portal

Hi Sophos Community,

As the title suggests, when users log in to the User Portal and attempt to download the SSL VPN Client and config for Windows, the download just does not start. No reaction on the browser that I can see.

I've searched online and many people point to changing the certificate to the Default one, though we've used a custom certificate without issue and this is still set correctly AFAIK.

This issue does not seem to be the case when I'm attempting to download the installer on a macOS MacBook running macOS 12.4 / Monterey. Therefore, I'm having to download the client on this device and transfer it to the appropriate device as a workaround. Only Windows devices seem to be affected.

Can anyone advise on a fix?

PS: We are planning to deprecate SSL VPN and replace it with Sophos Connect in the near future, but this is an annoyance for the handful of affected people.

Many Thanks



  • Hi Patrick Thomas1

    Please share the status of the firmware shown on the GUI under System > Administration > Backup and Firmware > Firmware, and the Default CA under System > Administration > Certificate > Certificate Authorities. Go to System > Administration > Time.

    Thanks and Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Bharat,

    So we're experiencing this on a couple of devices running 18.5.2 MR-2-Build380.

    The time on these devices is correct.

    I'm not sure what information you need for the 'Default' CA, however the information within does not reflect our circumstances, i.e. the Country Name is not the one they reside in. As a note though, we do not use the 'Default' certificate in Configure > VPN > Show VPN Settings (both appliances affected use custom, valid, certificates, and have done so far without issue in this regard).

  • Country Name is not the one they reside in.

    Please share a snapshot of the 'Default' CA. Which country is it showing by default now?

    If the information on the Default CA is not proper, try to update the Default CA as per the link below and check whether you are able to download the client from the user portal:

    https://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/tasks/DefaultCertificateAuthorityEdit.html 

    Share the output. You might have to regenerate the Appliance certificate as well in case it is still not working after checking the Default CA.

    https://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/tasks/RegeneratingCertificateAuthority.html 

    I would suggest you check the issue with the latest firmware version; refer to the link for the same:

    https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-firewall-v19-mr1-re_2d00_release-build-365-is-now-available 

    Thanks and Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • please show a screenshot of backup+firmware/pattern updates

    looking for status of SSLVPN Clients component

    this link helps you to find out, if the files do even exist on your XG firewall:

    community.sophos.com/.../ssl-vpn-client-downloads-are-not-being-generated

  • Above is the screenshot of the Pattern Updates pane. I'll check the link sent to see if I can determine the issue.

  • Hi Bharat,

    Just a couple of questions here though. As before, the download works fine on a macOS device running in the same environment/Time/Zone as the Windows device. So changing the CA on the appliance wouldn't logically make a difference? And with a custom certificate being used, how does this affect the Default CA?

    I'm hesitant to make any changes to the Certificates as this may affect the many existing SSL VPN users whose service remains unaffected at present. And as with the above clarification, the downloads do appear to work on a different OS.

    I've personally tried to replicate this as myself. On a Windows device it did not work, but on the macOS device it did. This was actioned within moments of the other.

    Many Thanks

  • Yes, if any of these actions are performed which I mentioned, affected users will have to re-download their SSL VPN installation file to utilize the new certificate.

    Take backup before making any changes.

    How many users are connecting with a remote VPN? You can check the current status where the configuration is broken as per these steps:

    Check the /tmp partition on device

    • Reference this KBA to access the device’s advanced shell:
      • Sophos XG Firewall: How to SSH to the firewall using PuTTY utility
      • Navigate to the /tmp partition and investigate if the following SSL VPN files are present

        • # cd tmp
        • # cd /content/sslvpn
        • # ls
          • Confirm if the following SSL VPN files are present in /content/sslvpn:
          • -rw-r--r-- 1 1000 100 client-config-template.ovpn
          • -rw-r--r-- 1 1000 100 111.1K  ssl-vpn-config-installer.exe
          • -rw-r--r-- 1 1000 100 1.4M  ssl-vpn-client-installer.exe
          • -rw-r--r-- 1 1000 100  U2DVERSION

    SFVUNL_SO01_SFOS 19.0.# ls -larth

    Check if the /tmp partition is full

    • df -h

    If the files are not present:

    • Try performing a manual pattern update
    • Backup & firmware > Pattern Updates > “Update Pattern”: click on update pattern now

    Share the status and output.

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.
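
The file and disk-space checks from the reply above, gathered into one POSIX shell script. This is an added example, not part of the original thread or Sophos's own tooling: the directory and file names are those listed in the reply, while the function names, the `--run` switch and the 95% threshold are assumptions.

```shell
#!/bin/sh
# Added example. The directory and file names are the ones listed in the post;
# the function names and the 95% threshold are assumptions.
SSLVPN_DIR="${SSLVPN_DIR:-/content/sslvpn}"
EXPECTED="client-config-template.ovpn ssl-vpn-config-installer.exe
ssl-vpn-client-installer.exe U2DVERSION"

# Print one line per expected file that is absent or zero bytes long.
missing_sslvpn_files() {
    for f in $EXPECTED; do
        if [ ! -e "$1/$f" ]; then
            echo "$f missing"
        elif [ ! -s "$1/$f" ]; then
            echo "$f empty"
        fi
    done
}

# Read `df -P` output on stdin and print the use percentage of the first filesystem.
parse_use_pct() {
    awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# Return 0 only if every file is present and no checked partition is at the limit.
sslvpn_download_check() {
    dir="$1"; limit="${2:-95}"; rc=0
    problems=$(missing_sslvpn_files "$dir")
    if [ -n "$problems" ]; then
        echo "$dir:"
        echo "$problems"
        rc=1
    fi
    for part in "$dir" /tmp; do
        pct=$(df -P "$part" 2>/dev/null | parse_use_pct)
        case "$pct" in
            ''|*[!0-9]*) continue ;;   # path absent or df output not numeric
        esac
        if [ "$pct" -ge "$limit" ]; then
            echo "$part: filesystem ${pct}% used"
            rc=1
        fi
    done
    return "$rc"
}

# Run the check when invoked as: sh script.sh --run
if [ "${1:-}" = "--run" ]; then
    sslvpn_download_check "$SSLVPN_DIR"
fi
```

A non-zero exit status means at least one installer file is missing or empty, or a checked partition has reached the threshold, which are the two conditions the reply asks to rule out before touching certificates.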
