

Sophos Firewall: v19.5 MR3: Feedback and experiences

Release Post: Sophos Firewall OS v19.5 MR3 is Now Available

The old V19.5 MR2 Post: Sophos Firewall: v19.5 MR2: Feedback and experiences

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue. 

Release Notes: https://docs.sophos.com/releasenotes/index.html?productGroupID=nsg&productID=xg&versionID=19.5 



  • I'm seeing SSL-VPN connections not being accepted after the upgrade from MR2 in my demo lab (sfos-home).
    SSL-VPN is enabled on the WAN zone, but no connection is successful. The Device Access ACL seems to block, but I can't tell why, as the settings are fine.

    drppkt on the advanced shell shows "log_type=Firewall log_component=Local_ACLs log_subtype=Denied"

    2023-08-07 11:38:12 0103021 IP 192.168.222.124.56969 > 172.16.2.80.443 : proto UDP: packet len: 22 checksum : 36453
    0x0000:  4500 002a c861 0000 7f11 25dc c0a8 de7c  E..*.a....%....|
    0x0010:  ac10 0250 de89 01bb 0016 8e65 38ff 066e  ...P.......e8..n
    0x0020:  02f1 0333 fe00 0000 0000                 ...3......
    
    Date=2023-08-07 Time=11:38:12 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=2 outzone_id=4 source_mac=c8:4f:86:fc:00:05 dest_mac=00:1a:8c:44:00:45 bridge_name= l3_protocol=IPv4 source_ip=192.168.222.124 dest_ip=172.16.2.80 l4_protocol=UDP source_port=56969 dest_port=443 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x8001 nfqueue=0 gateway_offset=0 connid=2322130158 masterid=0 status=256 state=0, flag0=824635817984 flags1=17179869184 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0
    

    ACL is fine:
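As an added example (not from the post or from Sophos), here is a small Python parser for the SFOS key=value log format that pulls out Local_ACLs denials addressed to the SSL VPN listener (UDP/443 in this thread), so that a listener that has stopped accepting connections shows up in monitoring as repeated local drops with sslvpn_id=0 rather than looking like an ACL misconfiguration. The first sample line is the one quoted in the post; the other two are constructed.

```python
import re
from collections import Counter

# First line is the Local_ACLs Denied entry quoted in the post above; the other
# two are constructed for contrast (a second SSL VPN attempt, an unrelated SSH drop).
SAMPLE_LOG = """\
Date=2023-08-07 Time=11:38:12 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=2 outzone_id=4 source_mac=c8:4f:86:fc:00:05 dest_mac=00:1a:8c:44:00:45 bridge_name= l3_protocol=IPv4 source_ip=192.168.222.124 dest_ip=172.16.2.80 l4_protocol=UDP source_port=56969 dest_port=443 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x8001 nfqueue=0 gateway_offset=0 connid=2322130158 masterid=0 status=256 state=0, flag0=824635817984 flags1=17179869184 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0
Date=2023-08-07 Time=11:38:15 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_priority=Alert in_dev=Port2 out_dev= inzone_id=2 outzone_id=4 l3_protocol=IPv4 source_ip=192.168.222.124 dest_ip=172.16.2.80 l4_protocol=UDP source_port=56970 dest_port=443 fw_rule_id=N/A sslvpn_id=0
Date=2023-08-07 Time=11:40:01 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_priority=Alert in_dev=Port2 out_dev= inzone_id=2 outzone_id=4 l3_protocol=IPv4 source_ip=192.168.222.9 dest_ip=172.16.2.80 l4_protocol=TCP source_port=40001 dest_port=22 fw_rule_id=N/A sslvpn_id=0
"""

# SFOS log lines are space-separated key=value pairs; a value may be empty
# ("out_dev=") and may carry a stray trailing comma ("state=0,").
_KV = re.compile(r"(\S+?)=(\S*)")


def parse_sfos_line(line):
    """Return the key=value fields of one SFOS firewall log line as a dict."""
    return {k: v.rstrip(",") for k, v in _KV.findall(line)}


def sslvpn_listener_drops(log_text, vpn_port="443", proto="UDP"):
    """Return Local ACL denials addressed to the SSL VPN listener port.

    A Local_ACLs/Denied entry for the VPN port with sslvpn_id=0 means the packet
    reached the appliance but was dropped before any SSL VPN listener claimed it,
    which matches the symptom in this thread (stuck service, not an ACL rule).
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_sfos_line(line)
        if (rec.get("log_component") == "Local_ACLs"
                and rec.get("log_subtype") == "Denied"
                and rec.get("l4_protocol") == proto
                and rec.get("dest_port") == vpn_port):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count drops per (source, ingress port) so a stuck listener shows as repeats."""
    return Counter((h["source_ip"], h["in_dev"]) for h in hits)


if __name__ == "__main__":
    for (src, dev), n in summarize(sslvpn_listener_drops(SAMPLE_LOG)).items():
        print(f"{n} SSL VPN packets from {src} via {dev} denied by Local ACL")
```

Run against the real /log/firewall.log export instead of SAMPLE_LOG to see whether the drops repeat for every client, which points at the listener rather than a single misconfigured source.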

  • Did this configuration work in V19.5 MR2? 

    Do you have a WAF configured? 


  • Yes, I'm quite sure - and no WAF rules, no DNAT active.
    You're asking because of 443 UDP?

  • Check the sslvpn.log on CLI for more insights. 


  • No connections at all - I think traffic is not getting forwarded to SSL-VPN, as visible in drppkt?

  • I have DM'd you for support access.

  • It’s not related to MR3 or upgrade, we have captured the logs for further investigation.

    It looks like while the SSLVPN service was coming up it timed out and was terminated by the parent service, but it returned an error for the termination request and hence got stuck. Historically, we have seen a similar issue once before on another version with one of the customers.

    Appliance reboot has resolved the problem for now.
