We had problems using the SCC when connections close unexpectedly after about 60 minutes.
So we have changed the settings in the IPsec profile. We have changed the key life in phase 2 from 3600 to 36000 and have changed the dead peer detection to re-initate. I think that this would be the right solution.
But now here comes the problem:
After saving the changes we have exported the connection. Now after importing the new scx file in the Sophos Connect Client and after authentication we receive a message "connection could not be loaded".
After comparing the old scx file with the new one we notice that there is a certificate missing.
We suspect a bug in the new firmware, that we had installed some days ago.
Any idea?
Example old scx:
"remote_auth" : { "pubkey" : { "cacert" : "-----BEGIN CERTIFICATE-----\nMIIEfTCCA2WgAwIBAgIJAIDApT8FUBCaMA0GCSqGSIb3DQEBCwUAMIGFMQswCQYD...blabla blabla blabla...\nLzdHp/E4kYFe5ImLnYLMCdd9Ax7A66jfcPKdq8yNB8RJb8CePxEgQmom+ao7QNPu\n6ynSPAp6NXLV9pdWO7wxvY0vGGcBJWiyo8ry+idTsALCSFEDd0ej0ObNzpnHejBg\nnQ==\n-----END CERTIFICATE-----\n", "id" : "vpn.thisisthedomain.de" }, "otp" : false }
Example new scx:
"remote_auth" : { "pubkey" : { "cacert" : "\n", "id" : "vpn.thisisthedomain.de" }, "otp" : false },
Hello there,
Thank you for contacting the Sophos Community.
What version of the SFOS are you running, v190 MR1, v19.5 GA, and are users running Sophos Connect 2.2?
Regards,
We are running firmware SFOS 19.5.0 GA-Build197
SCC Version 2.2.75 but that doesn´t matter.
Thank you for the follow-up.
I just tried with v19.5 and I am able to see the certificate.
I would recommend you make sure the Certificate isn’t expired, if not, fill out a case with Support so they can investigate further, feel free to share the Case ID so we can follow up.
Hi Gerald Werner - Pls let us know if you need further help on this topic. Can you share the steps you followed to generate the configuration. Also any errors that you may have observed on the logs would be really helpful to nail down the exact problem.
Hello Avinash,
we simply click on "remote access vpn" and "ipsec" and then "export connection".
then we unzip the archive so we get the .scx file. In the .SCX file now the certificate is missing like mentioned above.
If we copy and paste the part of the certificate from a .scx file created 6 months ago, the .scx file is working.
For me this is surely a bug.
Thanks Gerald Werner Can you pls share the support access over private chat. Engineering team can look into the problem & gather further logs.
Also would like to know your upgrade path to 19.5. Can you pls help me with the source version & any bridge build used before you landed on 19.5?
Hi Gerald Werner , Can you help me with support access over pm.
Thanks
Avinash