
SSL VPN with IPv4 but message TCPv6_SERVER: Connection timed out (code=110) and Broken pipe (code=32)

We have a user who is complaining repeatedly about disconnecting SSL VPN (TCP) with Connect Client 2.2.90.

SFOS is 19.5.2

I assume his ISP uses IPv4 sharing / DS-Lite.

Nevertheless, when he connects, he is connecting with an IPv4 address and that is written in the sslvpn.log.

XG is not communicating with IPv6 to the outside world.

User is using MFA.

Authentication is successful after the second attempt and the routes are pushed to the client.

Then IPv6 Server messages appear in the logs, and finally the connection is no longer working and timing out.

The user assured us that he can access all internet sites normally or watch videos online when his SSL VPN disconnects.

Full XG log:

2023-07-31 05:56:37Z [26682] username@domain.de/82.207.250.180:20622 Is IPv4 :1
2023-07-31 05:56:37Z [26682] username@domain.de/82.207.250.180:20622 SENT CONTROL [username@domain.de]: 'PUSH_REPLY,route-gateway 10.242.254.1,sndbuf 0,rcvbuf 0,ping 45,ping-restart 180,route 172.1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx,dhcp-option DOMAIN domain.de,ifconfig 10.242.254.10 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
2023-07-31 05:56:37Z [26682] username@domain.de/82.207.250.180:20622 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-07-31 05:56:37Z [26682] username@domain.de/82.207.250.180:20622 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-07-31 09:36:35Z [26682] TCP connection established with [AF_INET6]::ffff:82.207.250.180:20837
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 TLS: Initial packet from [AF_INET6]::ffff:82.207.250.180:20837, sid=9d129e4b 8a60abb8
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 VERIFY OK: depth=0, hidden-CA-Details, CN=username@domain.de_170BF773AB0, emailAddress=mailaddress@domain.de
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 VERIFY OK: depth=1, hidden-CA-Details, CN=firewallname.domain.de, emailAddress=mailaddress@domain.de
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 VERIFY OK: depth=1, hidden-CA-Details, CN=firewallname.domain.de, emailAddress=mailaddress@domain.de
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 VERIFY OK: depth=0, hidden-CA-Details, CN=username@domain.de_170BF773AB0, emailAddress=mailaddress@domain.de
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_VER=2.5.6
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_PLAT=win
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_PROTO=6
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_NCP=2
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_LZ4=1
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_LZ4v2=1
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_LZO=1
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_COMP_STUB=1
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_COMP_STUBv2=1
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_TCPNL=1
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 PLUGIN_CALL: POST /lib/openvpn-plugin-utm.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 TLS: Username/Password authentication deferred for username 'username' [CN SET]
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 [username] Peer Connection Initiated with [AF_INET6]::ffff:82.207.250.180:20837
2023-07-31 09:36:37Z [26682] 82.207.250.180:20837 PUSH: Received control message: 'PUSH_REQUEST'
2023-07-31 09:36:37Z [26682] 82.207.250.180:20837 Delayed exit in 5 seconds
2023-07-31 09:36:37Z [26682] 82.207.250.180:20837 SENT CONTROL [username]: 'AUTH_FAILED' (status=1)
2023-07-31 09:36:37Z [26682] 82.207.250.180:20837 Connection reset, restarting [0]
2023-07-31 09:36:37Z [26682] 82.207.250.180:20837 SIGUSR1[soft,connection-reset] received, client-instance restarting
2023-07-31 09:39:18Z [26682] TCP connection established with [AF_INET6]::ffff:82.207.250.180:20631
2023-07-31 09:39:18Z [26682] 82.207.250.180:20631 TLS: Initial packet from [AF_INET6]::ffff:82.207.250.180:20631, sid=6b1ce399 cf70d970
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 VERIFY OK: depth=0, hidden-CA-Details, CN=username@domain.de_170BF773AB0, emailAddress=mailaddress@domain.de
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 VERIFY OK: depth=1, hidden-CA-Details, CN=firewallname.domain.de, emailAddress=mailaddress@domain.de
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 VERIFY OK: depth=1, hidden-CA-Details, CN=firewallname.domain.de, emailAddress=mailaddress@domain.de
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 VERIFY OK: depth=0, hidden-CA-Details, CN=username@domain.de_170BF773AB0, emailAddress=mailaddress@domain.de
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_VER=2.5.6
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_PLAT=win
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_PROTO=6
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_NCP=2
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_LZ4=1
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_LZ4v2=1
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_LZO=1
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_COMP_STUB=1
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_COMP_STUBv2=1
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_TCPNL=1
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 PLUGIN_CALL: POST /lib/openvpn-plugin-utm.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 TLS: Username/Password authentication deferred for username 'username' [CN SET]
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 [username] Peer Connection Initiated with [AF_INET6]::ffff:82.207.250.180:20631
2023-07-31 09:39:20Z [26682] 82.207.250.180:20631 PUSH: Received control message: 'PUSH_REQUEST'
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn/conf.d/username@domain.de
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 MULTI_sva: pool returned IPv4=10.xxx.xxx.12, IPv6=2001:db8::b
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 ifconfig_pool_remote_ipv6:2001:db8::b
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 ifconfig_remote_ip: 82.207.250.180, isipv4c: 1
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 PLUGIN_CALL: POST /lib/openvpn-plugin-utm.so/PLUGIN_CLIENT_CONNECT status=0
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_64f93902632f062d.tmp
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 ifconfig_pool_remote_ipv6:2001:db8::b
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 ifconfig_remote_ip: 82.207.250.180, isipv4c: 1
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_535eed8033428f84.tmp
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 ifconfig_pool_remote_ipv6:2001:db8::b
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 ifconfig_remote_ip: 82.207.250.180, isipv4c: 1
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 MULTI: Learn: 10.xxx.xxx.12 -> username@domain.de/82.207.250.180:20631
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 MULTI: primary virtual IP for username@domain.de/82.207.250.180:20631: 10.xxx.xxx.12
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 MULTI: Learn: 2001:db8::b -> username@domain.de/82.207.250.180:20631
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 MULTI: primary virtual IPv6 for username@domain.de/82.207.250.180:20631: 2001:db8::b
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 PUSH: Received control message: 'PUSH_REQUEST'
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 Host:::ffff:82.207.250.180 Port:20631
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 Is IPv4 :1
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 send_push_reply(): suppress sending 'tun-ipv6'
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 Host:::ffff:82.207.250.180 Port:20631
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 Is IPv4 :1
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 SENT CONTROL [username@domain.de]: 'PUSH_REPLY,route-gateway 10.242.254.1,sndbuf 0,rcvbuf 0,ping 45,ping-restart 180,route 172.1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx,dhcp-option DOMAIN domain.de,ifconfig 10.xxx.xxx.12 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Connection timed out (code=110)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32)
message repeated 60 times
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 Connection reset, restarting [0]
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 SIGUSR1[soft,connection-reset] received, client-instance restarting
2023-07-31 09:43:44Z [26682] TCP connection established with [AF_INET6]::ffff:82.207.250.180:20635
2023-07-31 09:43:44Z [26682] 82.207.250.180:20635 TLS: Initial packet from [AF_INET6]::ffff:82.207.250.180:20635, sid=81331d69 1e954c8b

Client log:

Any idea what could cause the gateway reset here?
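
An added example, not part of the original post: it reads six lines copied from the sslvpn.log above, unwraps the `[AF_INET6]::ffff:…` peer addresses (IPv4-mapped IPv6, i.e. an IPv4 peer seen on an IPv6 socket) and groups the `write TCPv6_SERVER` errors by `ip:port` session, which shows they are logged against source port 20622, first seen at 05:56:37Z. The function names and the errno table (Linux values) are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: six lines copied from the sslvpn.log in the post above.
SAMPLE_LOG = """\
2023-07-31 05:56:37Z [26682] username@domain.de/82.207.250.180:20622 Is IPv4 :1
2023-07-31 09:39:18Z [26682] TCP connection established with [AF_INET6]::ffff:82.207.250.180:20631
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 Is IPv4 :1
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Connection timed out (code=110)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 Connection reset, restarting [0]
"""

# Linux errno values behind the "(code=N)" suffix in the server log (assumed table).
LINUX_ERRNO = {32: "EPIPE", 110: "ETIMEDOUT"}

# "<timestamp> [pid] [user/]ip:port <message>"
LINE = re.compile(r"^(\S+ \S+) \[\d+\] (?:\S+/)?(\d+(?:\.\d+){3}:\d+) (.*)$")
ACCEPT = re.compile(r"TCP connection established with \[AF_INET6?\](\S+):(\d+)$")
WRITE_ERR = re.compile(r"write \S+: .*\(code=(\d+)\)$")


def wire_family(addr):
    """Return (family, address) for a peer address, unwrapping ::ffff:a.b.c.d."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return "IPv4", str(ip.ipv4_mapped)
    return f"IPv{ip.version}", str(ip)


def accepted_peers(log):
    """List (family, address, port) for every accepted TCP connection."""
    hits = (ACCEPT.search(line) for line in log.splitlines())
    return [wire_family(m.group(1)) + (int(m.group(2)),) for m in hits if m]


def sessions(log):
    """Group lines by ip:port session: first/last timestamp and write errors."""
    out = {}
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # lines without an ip:port session prefix (e.g. accept lines)
        ts, key, msg = m.groups()
        entry = out.setdefault(key, {"first": ts, "last": ts, "errors": []})
        entry["last"] = ts
        err = WRITE_ERR.search(msg)
        if err:
            code = int(err.group(1))
            entry["errors"].append(LINUX_ERRNO.get(code, str(code)))
    return out


if __name__ == "__main__":
    print(accepted_peers(SAMPLE_LOG))
    for key, entry in sessions(SAMPLE_LOG).items():
        print(key, entry)
```

Run against the full sslvpn.log, the same grouping lists every session with write errors next to the time its source port was first seen.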



  • picked up the client text log:

    2023-07-31 07:45:40AM [5372] inf Starting Sophos Sophos Connect version 2.2.90.1104
    2023-07-31 07:45:40AM [5372] dbg Initializing protected storage
    2023-07-31 07:45:40AM [5372] inf No user is currently logged on
    2023-07-31 07:45:40AM [5372] dbg Starting the auto-importer
    2023-07-31 07:45:40AM [5372] inf Initializing strongSwan
    2023-07-31 07:45:45AM [5372] dbg strongSwan version 5.9.5 has been started
    2023-07-31 07:45:45AM [5372] inf Initializing open vpn service
    2023-07-31 07:45:48AM [5372] dbg Starting the communications module
    2023-07-31 07:45:48AM [5372] dbg Starting HTTP server on 127.0.0.1:60110
    2023-07-31 07:45:48AM [5372] inf Sophos Connect started
    2023-07-31 07:45:53AM [7896] dbg Sending telemetry data to sftelemetry.sophos.com:443
    2023-07-31 07:54:57AM [4912] dbg User change detected: current user is DOMAIN\username
    2023-07-31 07:54:57AM [4912] inf Logged on user is DOMAIN\username
    2023-07-31 07:56:34AM [13452] dbg firewall.domain.de VPN state changed to connecting
    2023-07-31 07:56:34AM [13452] dbg Starting tunnel (connecting)
    2023-07-31 07:56:34AM [13452] inf Remote added to list: firewall.domain.de 443
    2023-07-31 07:56:36AM [13452] dbg Tunnel initiated to firewall.domain.de 443
    2023-07-31 07:56:42AM [11156] dbg WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    2023-07-31 07:56:42AM [11156] dbg WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    2023-07-31 07:56:42AM [11156] dbg Connection to open vpn has been established
    2023-07-31 07:56:42AM [11156] dbg Adding watch for physical IP 192.168.178.110 down
    2023-07-31 07:56:42AM [3376] dbg RunLogonScript thread started
    2023-07-31 07:56:42AM [3376] dbg Identified console user: DOMAIN\username
    2023-07-31 07:56:42AM [3376] dbg Identified Logon server: DC
    2023-07-31 07:56:42AM [11156] dbg firewall.domain.de VPN state changed to connected
    2023-07-31 07:56:54AM [3376] dbg Invalid logon script path returned by server DC for user username
    2023-07-31 11:36:14AM [11156] dbg read TCP_CLIENT: Unknown error (code=10060)
    2023-07-31 11:36:14AM [11156] dbg read TCP_CLIENT: Unknown error (code=10060)
    2023-07-31 11:36:14AM [11156] dbg Connection reset, restarting [-1]
    2023-07-31 11:36:14AM [11156] dbg Received connection reset
    2023-07-31 11:36:14AM [11156] dbg firewall.domain.de VPN state changed to disconnecting
    2023-07-31 11:36:14AM [13452] dbg Tunnel is stopped
    2023-07-31 11:36:27AM [11156] dbg received exiting event
    2023-07-31 11:36:27AM [1620] dbg firewall.domain.de VPN state changed to disconnected
    2023-07-31 11:36:27AM [1620] dbg Sending notification: Received connection reset from gateway: firewall.domain.de 443
    2023-07-31 11:36:32AM [1436] dbg firewall.domain.de VPN state changed to connecting
    2023-07-31 11:36:32AM [1436] dbg Starting tunnel (connecting)
    2023-07-31 11:36:32AM [1436] inf Remote added to list: firewall.domain.de 443
    2023-07-31 11:36:35AM [1436] dbg Tunnel initiated to firewall.domain.de 443
    2023-07-31 11:36:37AM [2076] dbg firewall.domain.de user authentication failed - clearing any stored credentials
    2023-07-31 11:36:37AM [2076] dbg firewall.domain.de VPN state changed to disconnected
    2023-07-31 11:36:37AM [2076] dbg Sending notification: User authentication failed. Please try again
    2023-07-31 11:36:37AM [2076] dbg received exiting event
    2023-07-31 11:36:37AM [1436] dbg Tunnel is stopped
    2023-07-31 11:39:16AM [4384] dbg firewall.domain.de VPN state changed to connecting
    2023-07-31 11:39:16AM [4384] dbg Starting tunnel (connecting)
    2023-07-31 11:39:16AM [4384] inf Remote added to list: firewall.domain.de 443
    2023-07-31 11:39:18AM [4384] dbg Tunnel initiated to firewall.domain.de 443
    2023-07-31 11:39:29AM [148] dbg WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    2023-07-31 11:39:29AM [148] dbg WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    2023-07-31 11:39:29AM [148] dbg Connection to open vpn has been established
    2023-07-31 11:39:29AM [148] dbg Adding watch for physical IP 192.168.178.110 down
    2023-07-31 11:39:29AM [148] dbg firewall.domain.de VPN state changed to connected
    2023-07-31 11:43:22AM [148] dbg read TCP_CLIENT: Unknown error (code=10060)
    2023-07-31 11:43:22AM [148] dbg read TCP_CLIENT: Unknown error (code=10060)
    2023-07-31 11:43:22AM [148] dbg Connection reset, restarting [-1]
    2023-07-31 11:43:22AM [148] dbg Received connection reset
    2023-07-31 11:43:22AM [148] dbg firewall.domain.de VPN state changed to disconnecting
    2023-07-31 11:43:22AM [4384] dbg Tunnel is stopped
    2023-07-31 11:43:36AM [148] dbg received exiting event
    2023-07-31 11:43:36AM [6492] dbg firewall.domain.de VPN state changed to disconnected
    2023-07-31 11:43:36AM [6492] dbg Sending notification: Received connection reset from gateway: firewall.domain.de 443
    2023-07-31 11:43:41AM [14132] dbg firewall.domain.de VPN state changed to connecting
    2023-07-31 11:43:41AM [14132] dbg Starting tunnel (connecting)
    2023-07-31 11:43:41AM [14132] inf Remote added to list: firewall.domain.de 443
    2023-07-31 11:43:44AM [14132] dbg Tunnel initiated to firewall.domain.de 443
    2023-07-31 11:43:45AM [11240] dbg firewall.domain.de user authentication failed - clearing any stored credentials
    2023-07-31 11:43:45AM [11240] dbg firewall.domain.de VPN state changed to disconnected
    2023-07-31 11:43:45AM [11240] dbg Sending notification: User authentication failed. Please try again
    2023-07-31 11:43:45AM [11240] dbg received exiting event
    2023-07-31 11:43:45AM [14132] dbg Tunnel is stopped
    2023-07-31 11:44:20AM [7108] dbg firewall.domain.de VPN state changed to connecting
    2023-07-31 11:44:20AM [7108] dbg Starting tunnel (connecting)
    2023-07-31 11:44:20AM [7108] inf Remote added to list: firewall.domain.de 443
    2023-07-31 11:44:23AM [7108] dbg Tunnel initiated to firewall.domain.de 443
    2023-07-31 11:44:29AM [15184] dbg WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    2023-07-31 11:44:29AM [15184] dbg WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    2023-07-31 11:44:29AM [15184] dbg Connection to open vpn has been established
    2023-07-31 11:44:29AM [15184] dbg Adding watch for physical IP 192.168.178.110 down
    2023-07-31 11:44:29AM [15184] dbg firewall.domain.de VPN state changed to connected
    

    looks similar to what has been posted here: community.sophos.com/.../sophos-connect-client-tcp_client-unknown-error-code-10060

  • Hi,

    We will take a look at the logs. We will discuss internally within the team and update this thread with our findings/recommendations.

  • Thank you. I want to add that the client can generally connect to SSL VPN and work, but faces the disconnect events quite often (from his reports). We've no other clients that complain about many VPN disconnects.

  • Are you using other clients to connect to the SFOS SSLVPN server (like OpenVPN Connect), and are you not facing this problem with those clients?

    Is your issue similar to the one you have mentioned in https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/10060-connection-timed-out-with-proxy-server

