Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall: Troubleshooting 0 Byte SSL VPN File

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This Recommended read describes a certain user situation and troubleshooting suggestions if the SSL VPN Client download from the User Portal is incorrectly presented as a 0-byte download.

Ensure the default/custom CA details are properly configured

  • Is a custom CA being used?
    • If so, does the issue occur if the default self-signed certificate is used instead?

If using the default self-signed certificate resolves the issue, verify the custom CA is properly assembled (proper signing CA, and so on.)

User Certificate Generation is failing

To regenerate an individual user's SSL VPN certificate, you’ll have to go to the Sophos Firewall GUI and delete their user certificate (Certificates > Certificates)

    • Their user certificate will be regenerated the next time they sign into the Sophos Firewall User Portal and download their SSL VPN Configuration.

If you’re still experiencing issues, you can regenerate the Default CA by navigating to Certificates > Certificate Authorities.
This will force the regeneration of all SSL VPN user certificates and restart the SSL VPN service.

If these actions are performed, affected users must re-download their SSL VPN installation file to utilize the new certificate.

Check the /tmp partition on the device

Go to the /tmp partition and investigate if the following SSL VPN files are present

  • # cd tmp
  • # cd /content/sslvpn
  • # ls
    • Confirm if the following SSL VPN files are present in /content/sslvpn:
    • rw-rr- 1 1000 100 413 Apr 24 2015 client-config-template.ovpn
    • rw-rr- 1 1000 100 111.1K Jun 17 19:35 ssl-vpn-config-installer.exe
    • rw-rr- 1 1000 100 1.4M Jun 17 19:35 ssl-vpn-client-installer.exe
    • rw-rr- 1 1000 100 72 Jun 17 19:49 U2DVERSION

If files aren’t present, try to manually update patterns for the SSL VPN Module

  • If patterns fail to update, don't hesitate to get in touch with Sophos Support

Check if the /tmp partition is full

  • # df –h

    • If full, please contact Sophos Support for further assistance.

Update the device’s patterns

  • Try performing a manual pattern update
  • Backup & firmware > Pattern Updates > “Update Pattern”
  • If patterns fail to update, contact Sophos Support



updated links
[edited by: Raphael Alganes at 7:31 AM (GMT -8) on 31 Dec 2024]
  • Hello,

    the /content/sslvpn is not at /tmp you can find it at / (/content/sslvpn).

    On one of our Sophos XG the symlink was pointing to /content/sslvpn_1.01/0 and the directory "0" was not present" 

    • Hello,

      Thank you for the guide. It pointed me good direction. In my case, the problem was, that the symbolic link /content/sslvpn was broken. It was pointing to not existing directory /content/sslvpn_1.01/0 and it was supposed to point to /content/sslvpn_1.01/1.0.008/

      Commands to check the symbolic link and fix the issue in Advanced shell:

      Directories with installed Patterns:

      Fullscreen
      1
      2
      3
      SG310_WP01_SFOS 17.5.14 MR-14-1# ls -ald /content/sslvpn_*/*
      drwxr-xr-x 2 root 0 1024 Jan 2 2020 /content/sslvpn_1.00/1.0.007
      drwxr-xr-x 2 root 0 1024 Nov 26 10:27 /content/sslvpn_1.01/1.0.008
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

      Get where symbolic is pointing if it exists. It should point to one of the directories with installed Patterns, so:

      Fullscreen
      1
      2
      SG310_WP01_SFOS 17.5.14 MR-14-1# ls -altr /content/sslvpn
      lrwxrwxrwx 1 root 0 29 Nov 26 10:27 /content/sslvpn -> /content/sslvpn_1.01/1.0.008/
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

      In my case, the symbolic link existed, but was not correct:

      Fullscreen
      1
      2
      SG310_WP01_SFOS 17.5.14 MR-14-1# ls -altr /content/sslvpn
      lrwxrwxrwx 1 root 0 22 Sep 10 20:48 sslvpn -> /content/sslvpn_1.01/0
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

      To fix this situation, I deleted old symbolic link and created new one:

      Fullscreen
      1
      2
      3
      SG310_WP01_SFOS 17.5.14 MR-14-1# cd /content/
      SG310_WP01_SFOS 17.5.14 MR-14-1# rm sslvpn
      SG310_WP01_SFOS 17.5.14 MR-14-1# ln -s /content/sslvpn_1.01/1.0.008/ sslvpn
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

      BTW: The problem with 0Byte SSL VPN File was noticed after switching Cluster from Primary to Auxiliary appliance. The symbolic link was broken just on the appliance that was Auxiliary during Pattern update.     

      I hope this will help to someone.

    • Doesnt work. We have this error while generating Config:

      2021-09-19 15:25:49,927:ERROR:CSC - Exception in getStatusFromResponse() :java.lang.NumberFormatException: For input string: ""java.lang.NumberFormatException: For input string: ""
      at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
      at java.lang.Integer.parseInt(Integer.java:592)
      at java.lang.Integer.parseInt(Integer.java:615)
      at cyberoam.corporate.csc.client.CSCClient.getStatusFromResponse(CSCClient.java:623)
      at cyberoam.corporate.csc.client.CSCClient.sendUDP(CSCClient.java:459)
      at cyberoam.corporate.csc.client.CSCClient._send(CSCClient.java:402)
      at cyberoam.corporate.csc.client.CSCClient.send(CSCClient.java:147)
      at cyberoam.corporate.csc.client.CSCClient.sendWizardEvent(CSCClient.java:1097)
      at cyberoam.corporate.csc.client.CSCClient.sendWizardEvent(CSCClient.java:949)
      at org.apache.jsp.webpages.sslvpnuserportal.clientdownload_jsp._jspService(clientdownload_jsp.java:301)
      at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
      at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:873)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1623)
      at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:214)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
      at cyberoam.utilities.csrf.CSRFCheckFilter.doFilter(CSRFCheckFilter.java:171)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
      at cyberoam.sessionmanagement.SessionCheckHelper.filter(SessionCheckHelper.java:109)
      at cyberoam.sessionmanagement.SessionCheckFilter.doFilter(SessionCheckFilter.java:64)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1602)
      at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
      at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
      at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
      at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
      at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1701)
      at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
      at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345)
      at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
      at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
      at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1668)
      at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
      at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
      at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:220)
      at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
      at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
      at org.eclipse.jetty.server.Server.handle(Server.java:502)
      at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370)
      at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267)
      at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
      at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
      at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
      at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
      at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
      at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
      at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
      at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
      at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
      at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
      at java.lang.Thread.run(Thread.java:748)

      2021-09-19 15:25:49,928:ERROR:SSL VPN - Exception while preparing download of SSLVPN/auth clients: java.lang.StringIndexOutOfBoundsException: String index out of range: -1
      at java.lang.String.substring(String.java:1960)
      at org.apache.jsp.webpages.sslvpnuserportal.clientdownload_jsp._jspService(clientdownload_jsp.java:307)
      at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
      at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:873)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1623)
      at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:214)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
      at cyberoam.utilities.csrf.CSRFCheckFilter.doFilter(CSRFCheckFilter.java:171)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
      at cyberoam.sessionmanagement.SessionCheckHelper.filter(SessionCheckHelper.java:109)
      at cyberoam.sessionmanagement.SessionCheckFilter.doFilter(SessionCheckFilter.java:64)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1602)
      at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
      at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
      at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
      at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
      at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1701)
      at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
      at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345)
      at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
      at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
      at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1668)
      at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
      at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
      at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:220)
      at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
      at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
      at org.eclipse.jetty.server.Server.handle(Server.java:502)
      at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370)
      at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267)
      at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
      at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
      at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
      at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
      at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
      at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
      at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
      at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
      at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
      at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
      at java.lang.Thread.run(Thread.java:748)

    • Another more common fix for this issue is found here https://community.sophos.com/sophos-xg-firewall/f/discussions/119343/ssl-vpn-client-downloads-are-not-being-generated check out Paul Warriner's post. We have had to apply this now at multiple sites to get it to download the missing files. Note that it will symlink initially to /content/sslvpn_1.0.x/0 then once the pattern finishes downloading it corrects to the appropriate subfolder. This also avoids messing with any of the SSL certificates which in our cases were not the issue, as they were generating the user certs without any problems.