Hi all,
I was able to use SSL VPN properly with Sophos XG v19. Now I've upgraded to v20 and I'm experiencing an issue with SSL VPN.
To setup the SSL VPN I followed this guide: https://techvids.sophos.com/watch/wtqMJE1La6TkFjAiaT2d3H
I draw a network scheme to better explain how the network is configured:
I'm using an iPhone with OpenVPN installed as a client. It can connect and authenticate properly; the OpenVPN iPhone app shows that XG assigned the IP 10.10.70.1.
I've a firewall rule that allows traffic from VPN to DMZ, WAN and LAN:
In the firewall log I can't see any traffic generated through the VPN, but traffic flows regularly into the XG on port 8443 (I've checked with tcpdump after ssh-ing into the XG firewall).
I've also tried to attach a Linked NAT rule to Masquerade (MASQ) all traffic that comes from the VPN zone. The client can't reach any DMZ host nor any internet host (I would like to use the VPN as the default gateway).
Can anyone help me to solve this issue?
Thanks in advance
Hi Angelone,
Thank you for reaching out to Sophos Community.
We regret to hear about your experience. Let me ensure I understand you correctly.
Your SSL VPN was working properly before the upgrade to version 20.
How about packet capture? Any traffic generated?
I recommend contacting Sophos Support to check this issue further, and kindly share the case ID here.
Erick Jan
Community Support Engineer | Sophos Technical Support
Hi Erick,
SSL VPN was working properly with v19.5.
Regarding the packet capture, using "port 8443" as the BPF string I see traffic that comes into the firewall, but I cannot see any traffic through the tun0 interface (I've checked using tcpdump).
If this can help I needed to comment out the string "comp-lzo no" in the ovpn file otherwise the iPhone gave me the error "server pushed compression settings that are not allowed and will result in a non-working connection".
Thanks for your help.
Hi Angelone - Can you please DM me and PRANEETH Kumar the access id of your device. We will take a look at the issue.
Hi Giridhar Katti , I tried to enable the support access but the Access ID remains in the "Connecting to server" state
Hi Angelone ,
Currently I am looking into the Access ID issue.
Can you please share uma.log from the /log dir in a one-on-one message, so we can investigate why the Access ID is not generated?
Also provide the output of the following commands executed via the backend of SFOS.
nslookup eu2.apu.sophos.com
traceroute eu2.apu.sophos.com
ping eu2.apu.sophos.com (the APU server will not respond to ping requests, although I would like to check DNS resolution)
Thanks a million for the support. At the moment I'm not at home; I will send the link and the logs as soon as I come back home in a few days.
Hi Kaushal Kansara ,
attached you can find the zip file that contains the elements you've asked for.
The output of the commands is contained in the command_debug.txt file. I'll send you the password to extract the archive; the traceroute contains information about my IP address that I prefer not to share here.
Thanks for your support.
Hi Angelone ,
I have looked at the logs and I'm observing that SFOS is retrying the connection with the EU2 server. However, connections associated with the given SFOS are not being seen on the EU2 server.
Can we have a call to investigate this?
Hi @Angelone, for the sslvpn ra traffic issue, we can take a look at your setup in a joint debug over a call. Please DM me (sreenivasulu.naidu@sophos.com). From the attached logs, there is no sslvpn.log, so the traffic issues could not be figured out from this log. When you are seeing traffic on port 8443, just do a tcpdump on tun0 (assuming you are using XG and not XGS); if you see packets on tun0 (on XG), these are unencrypted packets, so check that the packet is routed correctly to your host on the DMZ and verify the return path of the packet.
Hi Sreenivasulu Naidu and Kaushal Kansara, we can schedule a call with pleasure. I'm going to DM right now.
Thanks for your valuable support
Hello community,
I'm facing the same issue as Angelone. After upgrading my Sophos XG Firewall to v20, my SSL VPN clients using the OpenVPN app on Android devices can no longer communicate with the network.
The VPN clients successfully authenticate and receive an IP address but cannot access network resources. No configuration changes were made on the clients or firewall after the upgrade.
I've tried restarting the VPN service and OpenVPN app on the devices, but the issue persists.
Could you please advise if there's a known configuration adjustment required for OpenVPN clients or the Sophos firewall after upgrading to v20?
Any help would be greatly appreciated.
Thanks in advance!
Are you affected by this? Sophos Firewall: Temporary Fix OpenVPN (3.4.0) No Compression (Android Devices)
Hi LuCar Toni ,
I confirmed that I'm affected by the OpenVPN 3.4.0 version. I tested on an older Android device without the update, and it worked perfectly.
I downgraded to OpenVPN version 3.3.4, and the issue was resolved.
Thank you for your quick and helpful reply. Have a nice weekend!
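The "comp-lzo no" line mentioned earlier in the thread and the OpenVPN 3.4.0 compression rejection confirmed above can be checked for mechanically. The following is an added example, not code from the thread or from Sophos: it scans an .ovpn profile for compression directives and produces a copy with them commented out, which is the client-side workaround described in the thread. The directive list and the sample profile are constructed for this example.

```python
import re

# Compression directives to flag. Assumed list for this example; "comp-lzo"
# is the one the thread reports as rejected by OpenVPN 3.4.0 clients.
DIRECTIVE_RE = re.compile(r"^\s*(comp-lzo|compress|comp-noadapt)\b(.*)$")


def find_compression_directives(ovpn_text: str):
    """Return (line_number, directive, argument) for every compression line."""
    found = []
    for lineno, line in enumerate(ovpn_text.splitlines(), start=1):
        m = DIRECTIVE_RE.match(line)
        if m:
            found.append((lineno, m.group(1), m.group(2).strip()))
    return found


def comment_out_compression(ovpn_text: str) -> str:
    """Return the profile with compression lines commented out (the thread's workaround).

    Commenting keeps the original line visible for review instead of silently dropping it.
    """
    out = []
    for line in ovpn_text.splitlines():
        if DIRECTIVE_RE.match(line):
            out.append("# " + line.strip() + "  # disabled: rejected by OpenVPN 3.4.0 clients")
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if ovpn_text.endswith("\n") else "")


# Constructed sample profile: a minimal client config with the problematic line.
SAMPLE_OVPN = """client
dev tun
proto tcp
remote vpn.example.invalid 8443
comp-lzo no
auth-user-pass
"""

if __name__ == "__main__":
    for lineno, directive, arg in find_compression_directives(SAMPLE_OVPN):
        print(f"line {lineno}: {directive} {arg}".rstrip())
    print(comment_out_compression(SAMPLE_OVPN))
```

Commenting out the line on the client is a workaround only; removing the compression directive from the server-side configuration fixes the pushed setting for all clients.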
What's the OpenVPN version you are using? Could you check if the link above from LuCar helps?