Unable to generate csr for SSL VPN

Can you confirm if you can generate the Default CA under Objects -> Identity -> Certificate Authority -> Default?

Hi Leon,

No I am not able to create the default CA, on the ING50 which we have already did generate a default CA before the upgrade, on the ING25 I did not.

Is this related to this? community.sophos.com/.../73545

Yes, I suspect it is related to community.sophos.com/.../73545
This is where it appears the Default CA is not migrated correctly from Cyberoam OS to SF-OS which is causing some issues with SSLVPN setups, it seems like it is also impacting the ability to generate a CSR.
I would recommend you open a support case to get the Default CA regenerated by support back end (I suspect it is related to BUG ID NC-5703), if the issue is still occurring after that they can investigate further with you.

Hello,

Opened a support case, will post back when it gets resolved.

Where can I find a list with known bugs in Sophos XG?

Hello,

Opened a support case, will post back when it gets resolved.

Where can I find a list with known bugs in Sophos XG?

Hi Arjan,

This migration issues has been addressed in the current maintenance release MR1-1, this means the issue should not affect new migrations. However if your appliance has already been migrated you will need to reach out to support to get it fixed by them.

For new migrations when you download the Sophos Firewall OS from your MySophos Portal Account it will provide access to the latest firmware.

Details on the maintenance release can be found at https://community.sophos.com/products/xg-firewall/b/xg-blog/archive/2016/02/29/sfos-15-01-0-398-mr-1-1-released

Edited for clarity.

Thanks,

Leon

Leon Friend said:

Hi Arjan,

If you did not get this resolved through support this has been addressed in the current maintenance release MR1-1, if your appliance is not seeing the update firmware as an option you can download it via your MySophos Portal Account.

Details on the maintenance release can be found at https://community.sophos.com/products/xg-firewall/b/xg-blog/archive/2016/02/29/sfos-15-01-0-398-mr-1-1-released

Thanks,

Leon

I've updated to this latest firmware and I'm still unable to edit the information for the default cert so that I can then create a self-signed certificate. When I update the information and click save, I get an error that it is unable to be generated. After that, it does allow me to create a self signed cert, but when I reboot the firewall, the web proxy and a  few other services will not start. 

I've factory reset several times, downgraded, and upgraded a few times without success. 

I'm unable to use the device with this bug. 

Hi Ryan,

Thanks for the update, yes this issue means you cannot configure the SSL VPN.

I have edited my original update to clarify to clarify some detail, however the fix included in MR1-1 impacts the migration process. If you have already migrated the appliance you will need to reach out to support for it to be fixed back end.

My experience is that if you had this issue after migrating to the SF-OS platform. You could factory reset the appliance and program it as new under SF-OS and this should not be an issue, however if you are still experiencing it please reach out to support and they can work the problem with you.

If you don't have the support contact details to hand, please check the following link: https://www.sophos.com/en-us/support/contact-support.aspx

Thanks,

Leon

The update indeed didn't fix anything which quite annoy me, I can't just re-install the whole thing from scratch this will take a lot of time, and I'm sure the customer isn't going to pay for the extra hours.

So far Sophos OS gave me alot of headache, SSL not working, License migration is a hell and the SophServ helpdesk doesn't seem to even read my opened cases, instead they come up will bullshit solutions.