
Open VPN client is connected but no packets are running

Hello,

We have the OpenVPN client running on various Android phones that connects to an XGS 116w (SFOS 19.5.3 MR-3-Build652). The whole thing worked without any problems until a few days ago. Since then, some - not all - devices can successfully open a VPN connection, but no packets seem to be sent into the tunnel.
I have already reinstalled OpenVPN and reloaded and imported the connection profile. Without success.
If I load the same profile on an iOS device, it works without any problems.
Does anyone have any idea what the problem could be?

The OpenVPN logs show the following:

----- OpenVPN Start ----- 
[Jan. 29, 2024, 10:33:33] EVENT: CORE_THREAD_ACTIVE 
[Jan. 29, 2024, 10:33:33] OpenVPN core 3.8.4connectX(3.git::c424d46c:RelWithDebInfo) android arm64 64-bit PT_PROXY 
[Jan. 29, 2024, 10:33:33] Frame=512/2112/512 mssfix-ctrl=1250 
[Jan. 29, 2024, 10:33:33] NOTE: This configuration contains options that were not used: 
[Jan. 29, 2024, 10:33:33] Unsupported option (ignored) 
[Jan. 29, 2024, 10:33:33] 3 [explicit-exit-notify] 
[Jan. 29, 2024, 10:33:33] 4 [resolv-retry] [infinite] 
[Jan. 29, 2024, 10:33:33] 6 [persist-key] 
[Jan. 29, 2024, 10:33:33] 7 [persist-tun] 
[Jan. 29, 2024, 10:33:33] 15 [route-delay] [4] 
[Jan. 29, 2024, 10:33:33] EVENT: RESOLVE 
[Jan. 29, 2024, 10:33:33] Contacting 1.2.3.4:8448 via UDP 
[Jan. 29, 2024, 10:33:33] Connecting to [vpn.domain.de]:8448 (1.2.3.4) via UDP 
[Jan. 29, 2024, 10:33:33] EVENT: WAIT 
[Jan. 29, 2024, 10:33:33] EVENT: CONNECTING 
[Jan. 29, 2024, 10:33:33] Tunnel Options:V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client 
[Jan. 29, 2024, 10:33:33] Creds: Username/Password 
[Jan. 29, 2024, 10:33:33] Sending Peer Info: 
IV_VER=3.8.4connectX 
IV_PLAT=android 
IV_NCP=2 
IV_TCPNL=1 
IV_PROTO=990 
IV_MTU=1600 
IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305 
IV_LZO=1 
IV_LZO_SWAP=1 
IV_LZ4=1 
IV_LZ4v2=1 
IV_COMP_STUB=1 
IV_COMP_STUBv2=1 
IV_GUI_VER=net.openvpn.connect.android_3.4.0-9755 
IV_SSO=webauth,openurl,crtext 

[Jan. 29, 2024, 10:33:33] VERIFY OK: depth=3, /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services, signature: RSA-SHA1 
[Jan. 29, 2024, 10:33:33] VERIFY OK: depth=2, /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority, signature: RSA-SHA384 
[Jan. 29, 2024, 10:33:33] VERIFY OK: depth=1, /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA, signature: RSA-SHA384 
[Jan. 29, 2024, 10:33:33] VERIFY OK: depth=0, /CN=*.domain.de, signature: RSA-SHA256 
[Jan. 29, 2024, 10:33:33] SSL Handshake: peer certificate: CN=*.domain.de, 2048 bit RSA, cipher: TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD 
[Jan. 29, 2024, 10:33:33] Session is ACTIVE 
[Jan. 29, 2024, 10:33:33] Sending PUSH_REQUEST to server... 
[Jan. 29, 2024, 10:33:33] EVENT: WARN info='TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future' 
[Jan. 29, 2024, 10:33:33] EVENT: GET_CONFIG 
[Jan. 29, 2024, 10:33:34] Sending PUSH_REQUEST to server... 
[Jan. 29, 2024, 10:33:34] OPTIONS: 

0 [route-gateway] [10.81.234.1] 
1 [sndbuf] [0] 
2 [rcvbuf] [0] 
3 [ping] [45] 
4 [ping-restart] [180] 
5 [route] [192.168.1.0] [255.255.254.0] 
6 [route] [192.168.7.0] [255.255.255.0] 
7 [topology] [subnet] 
8 [route] [remote_host] [255.255.255.255] [net_gateway] 
9 [inactive] [3600] [30720] 
10 [dhcp-option] [DNS] [192.168.120.1] 
11 [dhcp-option] [DNS] [9.9.9.9] 
12 [dhcp-option] [DOMAIN] [customer.net] 
13 [ifconfig] [10.81.234.2] [255.255.255.0] 
14 [peer-id] [0] 
15 [cipher] [AES-256-GCM] 
16 [block-ipv6] 
17 [block-ipv4] 

[Jan. 29, 2024, 10:33:34] PROTOCOL OPTIONS: 
  cipher: AES-256-GCM 
  digest: NONE 
  key-derivation: OpenVPN PRF 
  compress: ANY 
  peer ID: 0 

[Jan. 29, 2024, 10:33:34] EVENT: ASSIGN_IP 
[Jan. 29, 2024, 10:33:34] exception parsing IPv4 route: [route] [remote_host] [255.255.255.255] [net_gateway] : addr_pair_mask_parse_error: AddrMaskPair parse error 'route': remote_host/255.255.255.255 : ip_exception: error parsing route IP address 'remote_host' : Invalid argument 
[Jan. 29, 2024, 10:33:34] Connected via tun 
[Jan. 29, 2024, 10:33:34] LZO-ASYM init swap=0 asym=1 
[Jan. 29, 2024, 10:33:34] Comp-stub init swap=1 
[Jan. 29, 2024, 10:33:34] EVENT: CONNECTED info='support@vpn.domain.de:8448 (1.2.3.4) via /UDP on tun/10.81.234.2/ gw=[10.81.234.1/] mtu=(default)' trans=TO_CONNECTED 
[Jan. 29, 2024, 10:33:34] EVENT: COMPRESSION_ENABLED info='Asymmetric compression enabled.  Server may send compressed data.  This may be a potential security issue.' trans=TO_DISCONNECTED 
[Jan. 29, 2024, 10:34:59] EVENT: CANCELLED 
[Jan. 29, 2024, 10:34:59] EVENT: DISCONNECTED 
[Jan. 29, 2024, 10:34:59] Tunnel bytes per CPU second: 0 
[Jan. 29, 2024, 10:34:59] ----- OpenVPN Stop ----- 
[Jan. 29, 2024, 10:34:59] EVENT: CORE_THREAD_DONE 



Thanks



  • Hi Dennis Kirschner

    Try this link: Sophos Firewall: Temporary Fix OpenVPN (3.4.0) Unsupported Options error

    Please check with packet capture, tcpdump and drop-packet-capture whether traffic is hitting the firewall.

    Please go to MONITOR & ANALYZE --> Diagnostics --> Packet Capture and click on Configure.

    From the CLI, run:

    console> tcpdump 'host <destination IP>'

    console> drop-packet-capture 'host <destination IP>'

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hello,

    Thank you very much for your quick reply.
    I have applied the temporary fix, but unfortunately this has not solved the problem either.

    Unfortunately, I don't see any packets arriving from the device in tcpdump either. It seems to me that the packets are not being routed into the tunnel at all.

  • Please add a NAT rule for VPN to LAN traffic and keep 'Translated source (SNAT)' to MASQ. Verify once again after making these changes.

    Keep the test firewall and NAT rule on top.

    Please share logs as well while connecting to OpenVPN.

    Sign in to the command-line interface (CLI) and select 5: Device Management, then 3: Advanced Shell, and run the following command:

    tail -f /log/sslvpn.log

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • It's not because of the rules.
    Other clients can work with the same profile without any problems. And until a few days ago, this device was still working without any changes to the configuration of the XGS.

    2024-01-30 12:00:10 us=151697Z [10466] MULTI: multi_create_instance called
    2024-01-30 12:00:10 us=151831Z [10466] 2.3.4.5:31877 Re-using SSL/TLS context
    2024-01-30 12:00:10 us=151958Z [10466] 2.3.4.5:31877 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
    2024-01-30 12:00:10 us=151970Z [10466] 2.3.4.5:31877 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
    2024-01-30 12:00:10 us=152023Z [10466] 2.3.4.5:31877 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
    2024-01-30 12:00:10 us=152033Z [10466] 2.3.4.5:31877 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
    2024-01-30 12:00:10 us=152100Z [10466] 2.3.4.5:31877 UDPv6 READ [14] from [AF_INET6]::ffff:2.3.4.5:31877 (via ::ffff:1.2.3.4%Port5): P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
    2024-01-30 12:00:10 us=152125Z [10466] 2.3.4.5:31877 TLS: Initial packet from [AF_INET6]::ffff:2.3.4.5:31877 (via ::ffff:1.2.3.4%Port5), sid=7e0bf5a0 997c68ba
    2024-01-30 12:00:10 us=152194Z [10466] 2.3.4.5:31877 UDPv6 WRITE [26] to [AF_INET6]::ffff:2.3.4.5:31877 (via ::ffff:1.2.3.4%Port5): P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
    2024-01-30 12:00:10 us=208985Z [10466] 2.3.4.5:31877 UDPv6 READ [303] from [AF_INET6]::ffff:2.3.4.5:31877 (via ::ffff:1.2.3.4%Port5): P_CONTROL_V1 kid=0 [ 0 ] pid=1 DATA len=277
    2024-01-30 12:00:10 us=219094Z [10466] 2.3.4.5:31877 UDPv6 WRITE [22] to [AF_INET6]::ffff:2.3.4.5:31877 (via ::ffff:1.2.3.4%Port5): P_ACK_V1 kid=0 [ 1 ]
    2024-01-30 12:00:10 us=219164Z [10466] 2.3.4.5:31877 UDPv6 WRITE [1188] to [AF_INET6]::ffff:2.3.4.5:31877 (via ::ffff:1.2.3.4%Port5): P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=1174
    2024-01-30 12:00:10 us=219195Z [10466] 2.3.4.5:31877 UDPv6 WRITE [1067] to [AF_INET6]::ffff:2.3.4.5:31877 (via ::ffff:1.2.3.4%Port5): P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=1053
    2024-01-30 12:00:10 us=269019Z [10466] 2.3.4.5:31877 UDPv6 READ [26] from [AF_INET6]::ffff:2.3.4.5:31877 (via ::ffff:1.2.3.4%Port5): P_ACK_V1 kid=0 [ 0 1 ]
    2024-01-30 12:00:10 us=316229Z [10466] 2.3.4.5:31877 UDPv6 READ [1284] from [AF_INET6]::ffff:2.3.4.5:31877 (via ::ffff:1.2.3.4%Port5): P_CONTROL_V1 kid=0 [ 0 1 2 ] pid=2 DATA len=1250
    2024-01-30 12:00:10 us=316319Z [10466] 2.3.4.5:31877 UDPv6 WRITE [22] to [AF_INET6]::ffff:2.3.4.5:31877 (via ::ffff:1.2.3.4%Port5): P_ACK_V1 kid=0 [ 2 ]
    2024-01-30 12:00:10 us=316413Z [10466] 2.3.4.5:31877 UDPv6 READ [1049] from [AF_INET6]::ffff:2.3.4.5:31877 (via ::ffff:1.2.3.4%Port5): P_CONTROL_V1 kid=0 [ 0 1 2 ] pid=3 DATA len=1015
    2024-01-30 12:00:10 us=317082Z [10466] 2.3.4.5:31877 VERIFY OK: depth=0, C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=user@domain.net_17FF95BC0A4, emailAddress=na@example.com
    2024-01-30 12:00:10 us=317550Z [10466] 2.3.4.5:31877 VERIFY OK: depth=1, C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Default_CA_7jT1Wlk6JqYPFuI, emailAddress=na@example.com
    2024-01-30 12:00:10 us=318074Z [10466] 2.3.4.5:31877 VERIFY OK: depth=1, C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Default_CA_7jT1Wlk6JqYPFuI, emailAddress=na@example.com
    2024-01-30 12:00:10 us=318482Z [10466] 2.3.4.5:31877 VERIFY OK: depth=0, C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=user@domain.net_17FF95BC0A4, emailAddress=na@example.com
    2024-01-30 12:00:10 us=319177Z [10466] 2.3.4.5:31877 peer info: IV_VER=3.8.4connectX
    2024-01-30 12:00:10 us=319195Z [10466] 2.3.4.5:31877 peer info: IV_PLAT=android
    2024-01-30 12:00:10 us=319206Z [10466] 2.3.4.5:31877 peer info: IV_NCP=2
    2024-01-30 12:00:10 us=319215Z [10466] 2.3.4.5:31877 peer info: IV_TCPNL=1
    2024-01-30 12:00:10 us=319225Z [10466] 2.3.4.5:31877 peer info: IV_PROTO=990
    2024-01-30 12:00:10 us=319235Z [10466] 2.3.4.5:31877 peer info: IV_MTU=1600
    2024-01-30 12:00:10 us=319248Z [10466] 2.3.4.5:31877 peer info: IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
    2024-01-30 12:00:10 us=319257Z [10466] 2.3.4.5:31877 peer info: IV_LZO=1
    2024-01-30 12:00:10 us=319266Z [10466] 2.3.4.5:31877 peer info: IV_LZO_SWAP=1
    2024-01-30 12:00:10 us=319276Z [10466] 2.3.4.5:31877 peer info: IV_LZ4=1
    2024-01-30 12:00:10 us=319287Z [10466] 2.3.4.5:31877 peer info: IV_LZ4v2=1
    2024-01-30 12:00:10 us=319298Z [10466] 2.3.4.5:31877 peer info: IV_COMP_STUB=1
    2024-01-30 12:00:10 us=319309Z [10466] 2.3.4.5:31877 peer info: IV_COMP_STUBv2=1
    2024-01-30 12:00:10 us=319321Z [10466] 2.3.4.5:31877 peer info: IV_GUI_VER=net.openvpn.connect.android_3.4.0-9755
    2024-01-30 12:00:10 us=319332Z [10466] 2.3.4.5:31877 peer info: IV_SSO=webauth,openurl,crtext
    2024-01-30 12:00:10 us=319616Z [10466] 2.3.4.5:31877 PLUGIN_CALL: POST /lib/openvpn-plugin-utm.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
    2024-01-30 12:00:10 us=319643Z [10466] 2.3.4.5:31877 TLS: Username/Password authentication deferred for username 'user' [CN SET]
    2024-01-30 12:00:10 us=319726Z [10466] 2.3.4.5:31877 UDPv6 WRITE [184] to [AF_INET6]::ffff:2.3.4.5:31877 (via ::ffff:1.2.3.4%Port5): P_CONTROL_V1 kid=0 [ 3 ] pid=3 DATA len=158
    2024-01-30 12:00:10 us=319812Z [10466] 2.3.4.5:31877 UDPv6 WRITE [244] to [AF_INET6]::ffff:2.3.4.5:31877 (via ::ffff:1.2.3.4%Port5): P_CONTROL_V1 kid=0 [ ] pid=4 DATA len=230
    2024-01-30 12:00:10 us=368876Z [10466] 2.3.4.5:31877 UDPv6 READ [34] from [AF_INET6]::ffff:2.3.4.5:31877 (via ::ffff:1.2.3.4%Port5): P_ACK_V1 kid=0 [ 0 1 2 3 ]
    2024-01-30 12:00:10 us=368961Z [10466] 2.3.4.5:31877 UDPv6 READ [34] from [AF_INET6]::ffff:2.3.4.5:31877 (via ::ffff:1.2.3.4%Port5): P_ACK_V1 kid=0 [ 1 2 3 4 ]
    2024-01-30 12:00:10 us=368981Z [10466] 2.3.4.5:31877 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
    2024-01-30 12:00:10 us=369035Z [10466] 2.3.4.5:31877 [user] Peer Connection Initiated with [AF_INET6]::ffff:2.3.4.5:31877 (via ::ffff:1.2.3.4%Port5)
    2024-01-30 12:00:10 us=369155Z [10466] user@domain.net/2.3.4.5:31877 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn/conf.d/user@domain.net
    2024-01-30 12:00:10 us=369245Z [10466] user@domain.net/2.3.4.5:31877 MULTI_sva: pool returned IPv4=10.81.234.130, IPv6=2001:db8::8000:0:0:1
    2024-01-30 12:00:10 us=369276Z [10466] user@domain.net/2.3.4.5:31877 ifconfig_pool_remote_ipv6:2001:db8::8000:0:0:1
    2024-01-30 12:00:10 us=369298Z [10466] user@domain.net/2.3.4.5:31877 ifconfig_remote_ip: 2.3.4.5, isipv4c: 1
    Authentication server 127.0.0.1 gave login response code 2
    2024-01-30 12:00:10 us=396033Z [10466] user@domain.net/2.3.4.5:31877 PLUGIN_CALL: POST /lib/openvpn-plugin-utm.so/PLUGIN_CLIENT_CONNECT status=0
    2024-01-30 12:00:10 us=396096Z [10466] user@domain.net/2.3.4.5:31877 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_0362df940f7b9dde.tmp
    2024-01-30 12:00:10 us=396166Z [10466] user@domain.net/2.3.4.5:31877 ifconfig_pool_remote_ipv6:2001:db8::8000:0:0:1
    2024-01-30 12:00:10 us=396200Z [10466] user@domain.net/2.3.4.5:31877 ifconfig_remote_ip: 2.3.4.5, isipv4c: 1
    INSERT 0 1
    COMMIT
    script ipv4 -->
    script ipv4 <--
    2024-01-30 12:00:10 us=516218Z [10466] user@domain.net/2.3.4.5:31877 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_4a048a5e20162ca2.tmp
    2024-01-30 12:00:10 us=516320Z [10466] user@domain.net/2.3.4.5:31877 ifconfig_pool_remote_ipv6:2001:db8::8000:0:0:1
    2024-01-30 12:00:10 us=516362Z [10466] user@domain.net/2.3.4.5:31877 ifconfig_remote_ip: 2.3.4.5, isipv4c: 1
    2024-01-30 12:00:10 us=516455Z [10466] user@domain.net/2.3.4.5:31877 MULTI: Learn: 10.81.234.130 -> user@domain.net/2.3.4.5:31877
    2024-01-30 12:00:10 us=516506Z [10466] user@domain.net/2.3.4.5:31877 MULTI: primary virtual IP for user@domain.net/2.3.4.5:31877: 10.81.234.130
    2024-01-30 12:00:10 us=516519Z [10466] user@domain.net/2.3.4.5:31877 MULTI: Learn: 2001:db8::8000:0:0:1 -> user@domain.net/2.3.4.5:31877
    2024-01-30 12:00:10 us=516531Z [10466] user@domain.net/2.3.4.5:31877 MULTI: primary virtual IPv6 for user@domain.net/2.3.4.5:31877: 2001:db8::8000:0:0:1
    2024-01-30 12:00:10 us=516877Z [10466] user@domain.net/2.3.4.5:31877 UDPv6 READ [73] from [AF_INET6]::ffff:2.3.4.5:31877 (via ::ffff:1.2.3.4%Port5): P_CONTROL_V1 kid=0 [ 1 2 3 4 ] pid=4 DATA len=35
    2024-01-30 12:00:10 us=516957Z [10466] user@domain.net/2.3.4.5:31877 PUSH: Received control message: 'PUSH_REQUEST'
    2024-01-30 12:00:10 us=516998Z [10466] user@domain.net/2.3.4.5:31877 Host:::ffff:2.3.4.5 Port:31877
    2024-01-30 12:00:10 us=517009Z [10466] user@domain.net/2.3.4.5:31877 Is IPv4 :1
    2024-01-30 12:00:10 us=517019Z [10466] user@domain.net/2.3.4.5:31877 send_push_reply(): suppress sending 'tun-ipv6'
    2024-01-30 12:00:10 us=517042Z [10466] user@domain.net/2.3.4.5:31877 Host:::ffff:2.3.4.5 Port:31877
    2024-01-30 12:00:10 us=517085Z [10466] user@domain.net/2.3.4.5:31877 Is IPv4 :1
    2024-01-30 12:00:10 us=517125Z [10466] user@domain.net/2.3.4.5:31877 SENT CONTROL [user@domain.net]: 'PUSH_REPLY,route-gateway 10.81.234.129,sndbuf 0,rcvbuf 0,ping 45,ping-restart 180,route 192.168.1.44 255.255.255.255,route 192.168.1.46 255.255.255.255,route 192.168.1.89 255.255.255.255,route 192.168.1.43 255.255.255.255,route 192.168.1.45 255.255.255.255,topology subnet,route remote_host 255.255.255.255 net_gateway,inactive 3600 30720,dhcp-option DNS 192.168.1.1,dhcp-option DNS 9.9.9.9,dhcp-option DOMAIN domain.net,ifconfig 10.81.234.130 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
    2024-01-30 12:00:10 us=517136Z [10466] user@domain.net/2.3.4.5:31877 Data Channel: using negotiated cipher 'AES-256-GCM'
    2024-01-30 12:00:10 us=517162Z [10466] user@domain.net/2.3.4.5:31877 Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
    2024-01-30 12:00:10 us=517300Z [10466] user@domain.net/2.3.4.5:31877 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    2024-01-30 12:00:10 us=517315Z [10466] user@domain.net/2.3.4.5:31877 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    2024-01-30 12:00:10 us=517363Z [10466] user@domain.net/2.3.4.5:31877 UDPv6 WRITE [22] to [AF_INET6]::ffff:2.3.4.5:31877 (via ::ffff:1.2.3.4%Port5): P_ACK_V1 kid=0 [ 4 ]
    2024-01-30 12:00:10 us=517449Z [10466] user@domain.net/2.3.4.5:31877 UDPv6 WRITE [532] to [AF_INET6]::ffff:2.3.4.5:31877 (via ::ffff:1.2.3.4%Port5): P_CONTROL_V1 kid=0 [ ] pid=5 DATA len=518
    2024-01-30 12:00:10 us=628918Z [10466] user@domain.net/2.3.4.5:31877 UDPv6 READ [34] from [AF_INET6]::ffff:2.3.4.5:31877 (via ::ffff:1.2.3.4%Port5): P_ACK_V1 kid=0 [ 2 3 4 5 ]
    2024-01-30 12:00:10 us=629001Z [10466] user@domain.net/2.3.4.5:31877 UDPv6 READ [101] from [AF_INET6]::ffff:2.3.4.5:31877 (via ::ffff:1.2.3.4%Port5): P_DATA_V2 kid=0 DATA len=100
    2024-01-30 12:00:10 us=629032Z [10466] user@domain.net/2.3.4.5:31877 Bad compression stub decompression header byte: 251
    2024-01-30 12:00:10 us=629067Z [10466] user@domain.net/2.3.4.5:31877 UDPv6 READ [73] from [AF_INET6]::ffff:2.3.4.5:31877 (via ::ffff:1.2.3.4%Port5): P_DATA_V2 kid=0 DATA len=72
    2024-01-30 12:00:10 us=629080Z [10466] user@domain.net/2.3.4.5:31877 Bad compression stub decompression header byte: 251
    2024-01-30 12:00:10 us=636054Z [10466] user@domain.net/2.3.4.5:31877 UDPv6 READ [101] from [AF_INET6]::ffff:2.3.4.5:31877 (via ::ffff:1.2.3.4%Port5): P_DATA_V2 kid=0 DATA len=100
    2024-01-30 12:00:10 us=636075Z [10466] user@domain.net/2.3.4.5:31877 Bad compression stub decompression header byte: 251
    2024-01-30 12:00:11 us=277110Z [10466] user@domain.net/2.3.4.5:31877 UDPv6 READ [101] from [AF_INET6]::ffff:2.3.4.5:31877 (via ::ffff:1.2.3.4%Port5): P_DATA_V2 kid=0 DATA len=100
    2024-01-30 12:00:11 us=277161Z [10466] user@domain.net/2.3.4.5:31877 Bad compression stub decompression header byte: 251
    2024-01-30 12:00:11 us=508892Z [10466] user@domain.net/2.3.4.5:31877 UDPv6 READ [101] from [AF_INET6]::ffff:2.3.4.5:31877 (via ::ffff:1.2.3.4%Port5): P_DATA_V2 kid=0 DATA len=100
    2024-01-30 12:00:11 us=508940Z [10466] user@domain.net/2.3.4.5:31877 Bad compression stub decompression header byte: 251
    Authentication server 127.0.0.1 gave login response code 2
    INSERT 0 1
    COMMIT
    script ipv4 -->
    script ipv4 <--
    2024-01-30 12:00:15 us=156130Z [10466] CID is :16274
    2024-01-30 12:00:15 us=156281Z [10466] user@domain.net/2.3.4.5:31877 UDPv6 READ [73] from [AF_INET6]::ffff:2.3.4.5:31877 (via ::ffff:1.2.3.4%Port5): P_DATA_V2 kid=0 DATA len=72
    2024-01-30 12:00:15 us=156302Z [10466] user@domain.net/2.3.4.5:31877 Bad compression stub decompression header byte: 251
    2024-01-30 12:00:24 us=376895Z [10466] user@domain.net/2.3.4.5:31877 UDPv6 READ [73] from [AF_INET6]::ffff:2.3.4.5:31877 (via ::ffff:1.2.3.4%Port5): P_DATA_V2 kid=0 DATA len=72
    2024-01-30 12:00:24 us=376949Z [10466] user@domain.net/2.3.4.5:31877 Bad compression stub decompression header byte: 251
    2024-01-30 12:00:26 us=564055Z [10466] CID is :16274
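
As an added worked example (not code from this thread, from Sophos or from the OpenVPN project), the following Python script parses sslvpn.log lines like the ones above, ties each rejected header byte to the peer that sent it and to the IV_GUI_VER that peer announced, and models the compression-stub framing that produces that byte. The header-byte values are OpenVPN 2.x's constants from comp.h: 0xFA (250) NO_COMPRESS_BYTE for the non-swap stub that "comp-lzo no" selects, and 0xFB (251) NO_COMPRESS_BYTE_SWAP for the swap stub that the client log's "Comp-stub init swap=1" line refers to. SAMPLE_LOG and the IPv4 packet are constructed for the demo. A non-swap stub decoder receiving a swap-framed packet is exactly the path that logs "Bad compression stub decompression header byte: 251" and zeroes the buffer, which is why the session authenticates and gets an address but carries no traffic.

```python
"""
Added example, not code from the thread or from Sophos/OpenVPN: decode the
server-side "Bad compression stub decompression header byte: 251" lines.

Header-byte constants are OpenVPN 2.x's (src/openvpn/comp.h, lzo.h, lz4.h);
stub_compress/stub_decompress model compstub.c's framing. SAMPLE_LOG is
constructed from the posted sslvpn.log excerpt (same peer, fewer lines).
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Optional

# OpenVPN data-channel compression header bytes
NO_COMPRESS_BYTE = 0xFA           # 250: non-swap stub ("comp-lzo no"); byte is prepended
NO_COMPRESS_BYTE_SWAP = 0xFB      # 251: swap stub ("compress"); first payload byte moves to the tail
LZO_COMPRESS_BYTE = 0x66          # comp-lzo, payload actually LZO-compressed
LZ4_COMPRESS_BYTE = 0x69          # compress lz4
COMP_ALGV2_INDICATOR_BYTE = 0x50  # compress stub-v2 / lz4-v2 framing

HEADER_NAMES = {
    NO_COMPRESS_BYTE: "NO_COMPRESS_BYTE",
    NO_COMPRESS_BYTE_SWAP: "NO_COMPRESS_BYTE_SWAP",
    LZO_COMPRESS_BYTE: "LZO_COMPRESS_BYTE",
    LZ4_COMPRESS_BYTE: "LZ4_COMPRESS_BYTE",
    COMP_ALGV2_INDICATOR_BYTE: "COMP_ALGV2_INDICATOR_BYTE",
}


def header_name(byte: int) -> str:
    """Map a logged header byte to OpenVPN's constant name."""
    return HEADER_NAMES.get(byte, "unknown (first byte of an unframed packet?)")


def stub_compress(payload: bytes, swap: bool) -> bytes:
    """Frame an uncompressed packet the way compstub.c's stub_compress() does."""
    if swap:
        # swap stub: marker goes in front, the displaced first payload byte goes to the tail
        return bytes([NO_COMPRESS_BYTE_SWAP]) + payload[1:] + payload[:1]
    return bytes([NO_COMPRESS_BYTE]) + payload


def stub_decompress(frame: bytes, swap: bool) -> Optional[bytes]:
    """Unframe like stub_decompress(); None means OpenVPN zeroed the buffer (packet dropped)."""
    if not frame:
        return None
    c = frame[0]
    if swap:
        if c == NO_COMPRESS_BYTE_SWAP:
            return frame[-1:] + frame[1:-1]  # restore the head byte from the tail
        return None  # logs "Bad compression stub (swap) decompression header byte"
    if c == NO_COMPRESS_BYTE:
        return frame[1:]
    return None  # logs "Bad compression stub decompression header byte: <c>", as on this page


# Constructed from the posted log: timestamp, pid, optional "user/" prefix, peer addr:port, message
LINE_RE = re.compile(r"^\S+ \S+ us=\d+Z \[\d+\] (?:\S+/)?(?P<peer>\d+\.\d+\.\d+\.\d+:\d+) (?P<msg>.*)$")
BAD_STUB_RE = re.compile(r"Bad compression stub decompression header byte: (?P<byte>\d+)")
GUI_VER_RE = re.compile(r"peer info: IV_GUI_VER=(?P<ver>\S+)")

SAMPLE_LOG = """\
2024-01-30 12:00:10 us=319321Z [10466] 2.3.4.5:31877 peer info: IV_GUI_VER=net.openvpn.connect.android_3.4.0-9755
2024-01-30 12:00:10 us=517136Z [10466] user@domain.net/2.3.4.5:31877 Data Channel: using negotiated cipher 'AES-256-GCM'
2024-01-30 12:00:10 us=629032Z [10466] user@domain.net/2.3.4.5:31877 Bad compression stub decompression header byte: 251
2024-01-30 12:00:10 us=636075Z [10466] user@domain.net/2.3.4.5:31877 Bad compression stub decompression header byte: 251
2024-01-30 12:00:11 us=277161Z [10466] user@domain.net/2.3.4.5:31877 Bad compression stub decompression header byte: 251
"""


def triage(log_text: str) -> Dict[str, dict]:
    """Per peer: announced client GUI version, histogram of rejected header bytes, and their meaning."""
    peers: Dict[str, dict] = defaultdict(lambda: {"gui_ver": None, "bad_header_bytes": Counter()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # plugin/auth chatter without the standard prefix
        peer, msg = m.group("peer"), m.group("msg")
        if (g := GUI_VER_RE.search(msg)):
            peers[peer]["gui_ver"] = g.group("ver")
        if (b := BAD_STUB_RE.search(msg)):
            peers[peer]["bad_header_bytes"][int(b.group("byte"))] += 1
    for info in peers.values():
        info["bad_header_bytes"] = dict(info["bad_header_bytes"])
        info["meaning"] = {byte: header_name(byte) for byte in info["bad_header_bytes"]}
    return dict(peers)


if __name__ == "__main__":
    for peer, info in triage(SAMPLE_LOG).items():
        print(peer, info)
    ip_pkt = bytes.fromhex("4500003c1c4640004006b1e6c0a80002c0a80001")  # constructed IPv4 header
    wire = stub_compress(ip_pkt, swap=True)            # what a swap-stub client puts on the wire
    print(stub_decompress(wire, swap=False))           # None: a "comp-lzo no" server drops it
    print(stub_decompress(wire, swap=True) == ip_pkt)  # True: a swap-aware stub recovers it
```

triage() returns one entry per peer with the histogram of rejected bytes, and the last two prints show the same swap-framed packet being dropped by a non-swap stub and recovered by a swap-aware one. Any byte other than 250 in that log line means the two ends disagree on compression framing, which is worth establishing before touching firewall or NAT rules.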
    

  • I suspect an issue with the end device; it would be better to raise a support case to investigate the issue in a remote session.

    Please update the firmware version to latest available for your firewall.

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hi, on the Android device, in the OpenVPN app settings, can you please enable "Enforce TLS 1.3" in the advanced settings and confirm the issue status?

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Hello Dennis,

    Most likely, this is related to some of the users upgrading their OpenVPN to 3.4.0.

    If you have SSL VPN Compression enabled in the Sophos Firewall for the SSL VPN options, disable it.

    Then, ask the users to manually disconnect the tunnel on their OpenVPN and reconnect; the traffic should start flowing again.

    If Compression is disabled in the Sophos Firewall for the SSL VPN options, enable it.

    Then, ask the users to manually disconnect the tunnel on their OpenVPN and reconnect; then confirm if the traffic is flowing (most likely it will). I don't recommend leaving Compression on, so repeat the process one more time; however, if you notice the traffic isn't flowing with Compression disabled, for now, leave it enabled.

    Also, ask the end users to check that in OpenVPN, under Settings > Advanced Settings, Legacy is selected.

    If the issue persists, please open a case with Support and share the Case ID with us.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hello,

    Unfortunately, neither the TLS nor the compression change was the solution.
    Even with the changed settings, no packets are flowing.

  • Hi Dennis Kirschner 

    Please check with compression turned ON and keep 'Legacy' mode enabled in OpenVPN Connect. Test with firmware version v19.5 MR4. If it is still not working, check with the latest firmware version available for your firewall.

    With the latest release of Android (3.4.0), there seems to be some issue with "comp-lzo no" and legacy mode too, which is highlighted in the OpenVPN community at https://forums.openvpn.net/viewtopic.php?t=43571.

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hi, please find below the latest RR, which summarizes all the details on this:

    Sophos Firewall: Temporary Fix OpenVPN (3.4.0) No Compression (Android Devices)

    community.sophos.com/.../sophos-firewall-temporary-fix-openvpn-3-4-0-no-compression-android-devices

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support
