Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall: v20.0 MR1: Feedback and experiences

Release Post:  Sophos Firewall OS v20 MR1 is Now Available 

The old V20.0 GA Post:  Sophos Firewall: v20.0 GA: Feedback and experiences  

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue. 

Release Notes:  https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_200_rn.html 

Important Note on EOL Sophos RED Support:

The legacy EOL RED 15, RED 15w, and RED 50 are not supported in v20 MR1. Customers using these devices should upgrade to SD-RED or a smaller XGS appliance before upgrading to MR1 to maintain connectivity. See the following article for details: Sophos RED: End-of-life of RED 15/15(w) and RED 50



[edited by: LuCar Toni at 10:50 AM (GMT -7) on 16 May 2024]
  • Any indication of a fix for NC-131402 ?

    I think we're seeing this where the user certificate is generated with a common name like: user-name%40domain'.'com . Sophos Connect just won't authenticate the user. OpenVPN works but this will become increasingly inconvenient as we add new users.

  • Firstly, NC-131402 will only address the .ovpn file downloaded from the VPN portal, so that it will not have any encoded special characters. Also, special characters in a certificate's common name will not cause any authentication issues. I created the below test users on 20.0 MR1 build 356 and tried connecting from SCC 2.2.90, and the connection works both times.

    Local users with usernames: testuser@sophos.com , newuser@domain'.'com

    Please let us know how these users are created and test usernames to verify the same along with the logs from SCC and XG for auth failures.

  • Users are created in AD. Normally we don't need to do anything in particular on the firewall, they just have access to the VPN (portal for MFA then client).

    I thought given the mention of special characters for that bug that it might be related.

    Relevant logs below with sensitive data redacted:

    XGS - access_server.log

    SUCCESS Jun 12 09:58:08.797852Z [access_server]: (check_auth_result): user 'jat-do@domain.net'(backend) Authenticated with server id '3'
    MESSAGE Jun 12 09:58:08.797875Z [OTP_AUTH]: (otp_code_correct): Will verify code 931953 for user jat-do@domain.net
    MESSAGE Jun 12 09:58:08.920224Z [OTP_AUTH]: (otp_handle_short_password_success_request): ACCEPT1 for user jat-do@domain.net jat-do
    SUCCESS Jun 12 09:58:08.920266Z [access_server]: (check_auth_result): user 'jat-do@domain.net'(backend) Authenticated with server id '3'
    /_conf/csc/auth_utility update_usergrouprel "{ \"userid\": 406, \"groupid_list\" : [ 1 ] }"
    buffer : status 0
    MESSAGE Jun 12 09:58:19.681005Z [CAA]: (CA_keep_alive): access_server heartbeat
    MESSAGE Jun 12 09:58:19.681027Z [CAA]: (CA_keep_alive): Next CA batch in 45 seconds
    ERROR Jun 12 09:58:31.535338Z [access_server]: check_auth_result: Authentication Failed

    SCC - openvpn.log

    2024-06-12 13:56:00 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:55300
    2024-06-12 13:56:00 MANAGEMENT: CMD 'state on'
    2024-06-12 13:56:00 MANAGEMENT: CMD 'log all on'
    2024-06-12 13:56:00 MANAGEMENT: CMD 'echo all on'
    2024-06-12 13:56:00 MANAGEMENT: CMD 'bytecount 5'
    2024-06-12 13:56:00 MANAGEMENT: CMD 'hold off'
    2024-06-12 13:56:00 MANAGEMENT: CMD 'hold release'
    2024-06-12 13:56:00 MANAGEMENT: CMD 'username "Auth" jat-do'
    2024-06-12 13:56:00 MANAGEMENT: CMD 'password [...]'
    2024-06-12 13:56:00 MANAGEMENT: >STATE:1718196960,RESOLVE,,,,,,
    2024-06-12 13:56:00 TCP/UDP: Preserving recently used remote address: [AF_INET]<ip:port>
    2024-06-12 13:56:00 Socket Buffers: R=[65536->65536] S=[64512->64512]
    2024-06-12 13:56:00 Attempting to establish TCP connection with [AF_INET]<ip:port>
    2024-06-12 13:56:00 MANAGEMENT: >STATE:1718196960,TCP_CONNECT,,,,,,
    2024-06-12 13:56:00 TCP connection established with [AF_INET]<ip:port>
    2024-06-12 13:56:00 TCPv4_CLIENT link local: (not bound)
    2024-06-12 13:56:00 TCPv4_CLIENT link remote: [AF_INET]1<ip:port>
    2024-06-12 13:56:00 MANAGEMENT: >STATE:1718196960,WAIT,,,,,,
    2024-06-12 13:56:00 MANAGEMENT: >STATE:1718196960,AUTH,,,,,,
    2024-06-12 13:56:00 TLS: Initial packet from [AF_INET]<ip:port>, sid=ba8bcc2b a6ec051c
    2024-06-12 13:56:00 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    2024-06-12 13:56:00 VERIFY OK: depth=2, C=US, O=Internet Security Research Group, CN=ISRG Root X1
    2024-06-12 13:56:00 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R3
    2024-06-12 13:56:00 VERIFY X509NAME OK: CN=fqdn.domain.net
    2024-06-12 13:56:00 VERIFY OK: depth=0, CN=fqdn.domain.net

    2024-06-12 13:56:00 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bits ECprime256v1, signature: RSA-SHA256, peer temporary key: 253 bits X25519
    2024-06-12 13:56:00 [fqdn.domain.net] Peer Connection Initiated with [AF_INET]<ip:port>
    2024-06-12 13:56:00 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
    2024-06-12 13:56:00 TLS: tls_multi_process: initial untrusted session promoted to trusted
    2024-06-12 13:56:01 MANAGEMENT: >STATE:1718196961,GET_CONFIG,,,,,,
    2024-06-12 13:56:01 SENT CONTROL [fqdn.domain.net]: 'PUSH_REQUEST' (status=1)
    2024-06-12 13:56:01 AUTH: Received control message: AUTH_FAILED
    2024-06-12 13:56:01 SIGTERM[soft,auth-failure] received, process exiting
    2024-06-12 13:56:01 MANAGEMENT: >STATE:1718196961,EXITING,auth-failure,,,,,

    OpenVPN client works fine.

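The two excerpts above are the kind of pair you end up comparing by hand: the firewall's access_server.log says the backend and OTP checks passed, the client's openvpn.log says the TLS handshake and server certificate verification passed, and yet the server answers the PUSH_REQUEST with AUTH_FAILED. The triage script below is an added example (not Sophos code and not from either poster) that parses both excerpts, reports which stage the session died at, and notes one thing the logs show that is easy to miss: Sophos Connect sent the bare username `jat-do` while the firewall's backend authenticated `jat-do@domain.net`. The script assumes only the line formats visible in the thread; the sample input is the posted excerpts, abridged and with the poster's redactions left in place. It reports that difference as something to compare against the working OpenVPN profile, not as a diagnosis.

```python
"""Triage helper for an SSL VPN AUTH_FAILED after successful backend/OTP auth.
Added example, not Sophos code. Assumes the access_server.log and Sophos Connect
openvpn.log line formats seen in the thread above."""
import re

# Constructed sample input: the excerpts posted in the thread, abridged,
# with the original redactions (<ip:port>, domain.net) left as posted.
XGS_ACCESS_SERVER_LOG = r"""
SUCCESS Jun 12 09:58:08.797852Z [access_server]: (check_auth_result): user 'jat-do@domain.net'(backend) Authenticated with server id '3'
MESSAGE Jun 12 09:58:08.797875Z [OTP_AUTH]: (otp_code_correct): Will verify code 931953 for user jat-do@domain.net
MESSAGE Jun 12 09:58:08.920224Z [OTP_AUTH]: (otp_handle_short_password_success_request): ACCEPT1 for user jat-do@domain.net jat-do
SUCCESS Jun 12 09:58:08.920266Z [access_server]: (check_auth_result): user 'jat-do@domain.net'(backend) Authenticated with server id '3'
/_conf/csc/auth_utility update_usergrouprel "{ \"userid\": 406, \"groupid_list\" : [ 1 ] }"
buffer : status 0
MESSAGE Jun 12 09:58:19.681005Z [CAA]: (CA_keep_alive): access_server heartbeat
ERROR Jun 12 09:58:31.535338Z [access_server]: check_auth_result: Authentication Failed
"""

SCC_OPENVPN_LOG = """
2024-06-12 13:56:00 MANAGEMENT: CMD 'username "Auth" jat-do'
2024-06-12 13:56:00 MANAGEMENT: CMD 'password [...]'
2024-06-12 13:56:00 MANAGEMENT: >STATE:1718196960,AUTH,,,,,,
2024-06-12 13:56:00 VERIFY OK: depth=2, C=US, O=Internet Security Research Group, CN=ISRG Root X1
2024-06-12 13:56:00 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R3
2024-06-12 13:56:00 VERIFY OK: depth=0, CN=fqdn.domain.net
2024-06-12 13:56:00 [fqdn.domain.net] Peer Connection Initiated with [AF_INET]<ip:port>
2024-06-12 13:56:01 SENT CONTROL [fqdn.domain.net]: 'PUSH_REQUEST' (status=1)
2024-06-12 13:56:01 AUTH: Received control message: AUTH_FAILED
2024-06-12 13:56:01 SIGTERM[soft,auth-failure] received, process exiting
2024-06-12 13:56:01 MANAGEMENT: >STATE:1718196961,EXITING,auth-failure,,,,,
"""

# access_server.log record: LEVEL  Mon DD HH:MM:SS.ffffffZ  [module]: message
XGS_LINE = re.compile(
    r"^(?P<level>SUCCESS|ERROR|MESSAGE)\s+(?P<ts>\w{3}\s+\d+\s+[\d:.]+Z)\s+"
    r"\[(?P<module>[^\]]+)\]:\s*(?P<msg>.*)$"
)
BACKEND_OK = re.compile(r"user '(?P<user>[^']+)'\(backend\) Authenticated")
OTP_OK = re.compile(r"ACCEPT1 for user (?P<user>\S+)")
# openvpn.log: the username the client handed to the management interface
SCC_USERNAME = re.compile(r"""CMD 'username "Auth" (?P<user>[^']+)'""")
SCC_EXIT = re.compile(r">STATE:\d+,EXITING,(?P<reason>[^,]*)")


def parse_xgs(text):
    """Return (timestamp, kind, user) auth events from access_server.log.
    Lines that are not log records (the auth_utility call, 'buffer : status')
    are skipped; heartbeat records match the line format but carry no event."""
    events = []
    for line in text.splitlines():
        m = XGS_LINE.match(line.strip())
        if not m:
            continue
        msg = m["msg"]
        if m["level"] == "SUCCESS" and (b := BACKEND_OK.search(msg)):
            events.append((m["ts"], "backend_ok", b["user"]))
        elif m["module"] == "OTP_AUTH" and (o := OTP_OK.search(msg)):
            events.append((m["ts"], "otp_ok", o["user"]))
        elif m["level"] == "ERROR" and "Authentication Failed" in msg:
            events.append((m["ts"], "auth_failed", None))
    return events


def parse_scc(text):
    """Extract the client-side milestones: username sent, server cert verified
    (VERIFY OK at depth=0), tunnel negotiated, PUSH_REQUEST sent, AUTH_FAILED."""
    state = {"user": None, "tls_ok": False, "peer_initiated": False,
             "push_request": False, "auth_failed": False, "exit_reason": None}
    for line in text.splitlines():
        if m := SCC_USERNAME.search(line):
            state["user"] = m["user"]
        elif "VERIFY OK: depth=0" in line:
            state["tls_ok"] = True
        elif "Peer Connection Initiated" in line:
            state["peer_initiated"] = True
        elif "'PUSH_REQUEST'" in line:
            state["push_request"] = True
        elif "AUTH_FAILED" in line:
            state["auth_failed"] = True
        elif m := SCC_EXIT.search(line):
            state["exit_reason"] = m["reason"]
    return state


def triage(xgs_text, scc_text):
    """Combine both logs into a stage verdict plus the facts it rests on."""
    xgs = parse_xgs(xgs_text)
    scc = parse_scc(scc_text)
    backend_users = sorted({u for _, k, u in xgs if k == "backend_ok"})
    otp_users = sorted({u for _, k, u in xgs if k == "otp_ok"})
    server_failures = sum(1 for _, k, _ in xgs if k == "auth_failed")

    if not scc["tls_ok"]:
        stage = "tls_handshake"            # server cert never verified
    elif not scc["auth_failed"]:
        stage = "connected"
    elif backend_users and otp_users:
        stage = "rejected_after_backend_and_otp_success"
    elif backend_users:
        stage = "otp"
    else:
        stage = "backend_credentials"

    # The client may send 'user' while the backend knows 'user@domain':
    # worth comparing with the working OpenVPN profile, not a root cause by itself.
    short_names = {u.split("@", 1)[0] for u in backend_users}
    username_form_differs = (scc["user"] is not None
                             and scc["user"] not in backend_users
                             and scc["user"] in short_names)
    return {"stage": stage, "client_user": scc["user"],
            "backend_users": backend_users, "otp_users": otp_users,
            "server_failures": server_failures,
            "exit_reason": scc["exit_reason"],
            "username_form_differs": username_form_differs}


if __name__ == "__main__":
    for k, v in triage(XGS_ACCESS_SERVER_LOG, SCC_OPENVPN_LOG).items():
        print(f"{k}: {v}")
```

Run it against a fresh pair of logs by replacing the two constants (or reading the files). A `tls_handshake` verdict points at the server certificate chain, `backend_credentials` at the AD bind or password, `otp` at the token, and `rejected_after_backend_and_otp_success` at whatever the firewall checks after those two passes, which is where the thread's case sits. Note also the `auth-nocache` warning in the client log: the profile caches the password in process memory, which is a separate hardening item from the failure being triaged.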