Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall: v20.0 MR1: Feedback and experiences

Release Post:  Sophos Firewall OS v20 MR1 is Now Available 

The old V20.0 GA Post:  Sophos Firewall: v20.0 GA: Feedback and experiences  

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue. 

Release Notes:  https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_200_rn.html 

Important Note on EOL Sophos RED Support:

The legacy EOL RED 15, RED 15w, and RED 50 are not supported in v20 MR1. Customers using these devices should upgrade to SD-RED or a smaller XGS appliance before upgrading to MR1 to maintain connectivity. See the following article for details: Sophos RED: End-of-life of RED 15/15(w) and RED 50



[edited by: LuCar Toni at 10:50 AM (GMT -7) on 16 May 2024]
  • Updated my home appliance from v20.0 GA - after the update I can't establish either an IPsec or an SSL-VPN connection with Duo push. The password is accepted and Duo will trigger a push, and after acceptance of the push I get the following error:

    2024-05-15 10:22:56AM [2528] inf Starting Sophos Sophos Connect version 2.2.90.1104
    2024-05-15 10:22:56AM [2528] dbg Initializing protected storage
    2024-05-15 10:22:56AM [2528] inf Logged on user is *USER*
    2024-05-15 10:22:56AM [2528] dbg Starting the auto-importer
    2024-05-15 10:22:56AM [2528] inf Initializing strongSwan
    2024-05-15 10:23:01AM [2528] dbg strongSwan version 5.9.5 has been started
    2024-05-15 10:23:01AM [2528] inf Initializing open vpn service
    2024-05-15 10:23:04AM [2528] dbg Starting the communications module
    2024-05-15 10:23:04AM [2528] dbg Starting HTTP server on 127.0.0.1:60110
    2024-05-15 10:23:04AM [2528] inf Sophos Connect started
    2024-05-15 10:23:09AM [21524] dbg Sending telemetry data to sftelemetry.sophos.com:443
    2024-05-15 10:23:12AM [23992] dbg *TARGET* VPN state changed to connecting
    2024-05-15 10:23:12AM [23992] dbg Starting tunnel (connecting)
    2024-05-15 10:23:12AM [23992] inf Remote added to list: *TARGET* 9443
    2024-05-15 10:23:12AM [23992] inf Remote added to list: *TARGET* 9443 tcp-client
    2024-05-15 10:23:12AM [23992] inf Remote added to list: *IP-NET-1* 9443 tcp-client
    2024-05-15 10:23:12AM [23992] inf Remote added to list: *IP-NET-2* 9443 tcp-client
    2024-05-15 10:23:15AM [23992] dbg Tunnel initiated to *TARGET* 9443
    2024-05-15 10:23:17AM [18508] dbg *TARGET* user authentication failed - clearing any stored credentials
    2024-05-15 10:23:17AM [18508] dbg *TARGET* VPN state changed to disconnected
    2024-05-15 10:23:17AM [18508] dbg Sending notification: User authentication failed. Please try again
    2024-05-15 10:23:17AM [23992] dbg Tunnel is stopped
    2024-05-15 10:23:17AM [18508] dbg received exiting event
    2024-05-15 10:23:22AM [7964] dbg Handling request for file type 2
    2024-05-15 10:23:22AM [7964] dbg Sending file 'openvpn.log' from 'C:\Program Files (x86)\Sophos\Connect\openvpn.log'

    Will troubleshoot when I get home

    EDIT: log is from scvpn.log

    _______________________________________________________

    Sophos SG 210 with Sophos XG Home - 20.0 MR 1

    If a post solves your question please use the 'Verify Answer' button.
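A small triage script for logs in the shape of the scvpn.log excerpt above, added here as an example; it is not part of the original post or of any Sophos tooling. It matches only the message texts visible in that excerpt and reports, per connection attempt, whether the authentication failure arrived after the tunnel was initiated; the function names and the `SAMPLE` input are constructed for illustration.

```python
import re
from datetime import datetime

# Line shape in the excerpt: "<date> <time>AM|PM [<id>] <level> <message>"
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[AP]M) \[(\d+)\] (\w+) (.*)$")

# Constructed sample: message texts copied from the post, placeholders kept.
SAMPLE = """\
2024-05-15 10:23:12AM [23992] dbg *TARGET* VPN state changed to connecting
2024-05-15 10:23:15AM [23992] dbg Tunnel initiated to *TARGET* 9443
2024-05-15 10:23:17AM [18508] dbg *TARGET* user authentication failed - clearing any stored credentials
2024-05-15 10:23:17AM [18508] dbg *TARGET* VPN state changed to disconnected
2024-05-15 10:23:17AM [23992] dbg Tunnel is stopped
"""

def parse(text):
    """Yield (timestamp, id, level, message); lines of any other shape are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %I:%M:%S%p")
            yield ts, int(m.group(2)), m.group(3), m.group(4)

def attempts(text):
    """Group lines into connection attempts and record how each one ended."""
    out, cur = [], None
    for ts, _id, _level, msg in parse(text):
        if msg.endswith("VPN state changed to connecting"):
            cur = {"start": ts, "tunnel_at": None, "result": "open",
                   "after_tunnel": False, "seconds": None}
            out.append(cur)
        elif cur is None:
            continue  # nothing to attach this line to
        elif msg.startswith("Tunnel initiated to "):
            cur["tunnel_at"] = ts
        elif "user authentication failed" in msg:
            cur["result"] = "auth_failed"
            # True when the rejection came after the tunnel was initiated
            cur["after_tunnel"] = cur["tunnel_at"] is not None
            cur["seconds"] = (ts - cur["start"]).total_seconds()
        elif msg.endswith("VPN state changed to disconnected"):
            if cur["result"] == "open":
                cur["result"] = "disconnected"
            cur = None  # attempt finished
    return out

if __name__ == "__main__":
    for a in attempts(SAMPLE):
        print(a["start"], a["result"], a["after_tunnel"], a["seconds"])
```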

  • Hi, would it be possible to DM your SFOS access ID so that we can take a look at your setup? Please share the /log/access_server.log; are you using a .pro file with SCC to have SSL VPN/IPsec VPN with SFOS, or a .scx file?

  • Hi,

    DMed you the access ID and the log. I was using a .scx file - I exported a new config after the update and also updated SCC to 2.3; the issue still exists.

    With the .pro file, SCC can't fetch the VPN portal - the VPN Portal service is enabled on WAN in the ACL.


  • Hi,

    Please try to check the RADIUS server group name attribute. It looks like the group name is configured instead of the group name attribute. This can create an issue during the user-group membership update, and user login is rejected because of a missing required policy attachment.

    Thanks
